[Samba] DNS Issues when joining a Domain as a DC

Thomas Kempf listen at hueper.de
Thu Oct 16 05:36:39 MDT 2014


On 16.10.2014 at 13:12, Daniel Müller wrote:
> My /etc/krb5.conf on both of my DCs:
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>          default_realm = TPLK.LOC
>          dns_lookup_realm = true
>          dns_lookup_kdc = true
>          ticket_lifetime = 24h
>           renew_lifetime = 7d
>          forwardable = true
>
> [realms]
>   TPLK.LOC = {
>    kdc = first-dc second-dc
>    admin_server = first-dc.TPLK.LOC second-dc.TPLK.LOC
>   }
>
> [domain_realm]
>   .tplk.loc = TPLK.LOC
>   tplk.loc = TPLK.LOC
>
> So I think you did:
> ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs
> objectguid --- and the steps too.
>

Yes on the master DC


> So if you remove the entry from resolv.conf on your new DC which points to
> your first DC, nothing gets resolved?
Here is a list of DNS entries.
(I removed the standard host entries from the list.)

#########################################
With DNS from the NEW DC (192.168.0.1)
#########################################
root at dns1:~# host -l ad.hueper.de 192.168.0.1
Using domain server:
Name: 192.168.0.1
Address: 192.168.0.1#53
Aliases:

ad.hueper.de name server dns2.ad.hueper.de.
ad.hueper.de has address 192.168.0.2
dns2.ad.hueper.de has address 192.168.0.2
_msdcs.ad.hueper.de name server dns2.ad.hueper.de.
ForestDnsZones.ad.hueper.de has address 192.168.0.2
DomainDnsZones.ad.hueper.de has address 192.168.0.2
root at dns1:~#

##########################################
With DNS from the Master DC (192.168.0.2)
##########################################
root at dns1:~# host -l ad.hueper.de 192.168.0.2
Using domain server:
Name: 192.168.0.2
Address: 192.168.0.2#53
Aliases:

ad.hueper.de name server dns2.ad.hueper.de.
ad.hueper.de has address 192.168.0.2
ad.hueper.de has address 192.168.0.1
dns2.ad.hueper.de has address 192.168.0.2
DNS1.ad.hueper.de has address 192.168.0.1
_msdcs.ad.hueper.de name server dns2.ad.hueper.de.
ForestDnsZones.ad.hueper.de has address 192.168.0.2
DomainDnsZones.ad.hueper.de has address 192.168.0.2
root at dns1:~#




> And on your new DC you do nslookup, e.g.:
> nslookup
>> s4slave
> Server:         192.168.135.253
> Address:        192.168.135.253#53
>
> Name:   s4slave.tplk.loc
> Address: 172.17.1.2
> Name:   s4slave.tplk.loc
> Address: 192.168.135.253
> Name:   s4slave.tplk.loc
> Address: 192.168.132.241
>
> This should point you to the first nameserver in your resolv.conf
> (Server:your.new.dc!?)
> Daniel Müller, IT
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
>
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
> behalf of Thomas Kempf
> Sent: Thursday, 16 October 2014 12:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] DNS Issues when joining a Domain as a DC
>
> Hi Daniel,
>
> On 16.10.2014 at 12:12, Daniel Müller wrote:
>> Is your first DC a Samba4 host?
> Yes, 4.1.11 too.
>
>> Did you: samba-tool domain join YOURDOMAIN DC -Uadministrator
>> --realm=your.realm --dns-backend=BIND9_DLZ
> Yes, but I had to add the options "interfaces=127.0.01,192.168.0.1" and
> "bind interfaces only=yes" because I have more interfaces on that machine.
>
>> samba-tool dns add your.master.dc your.realm YOUR.NEW.DC A
>> your.new.dc.ip -Uadministrator
> Yes.
>
>> host -t A YOUR.NEW.DC.  must show no errors!!
> It does not show errors as long as the nameserver is the master DC.
> When I use the nameserver on the new DC, it does not get resolved.
>
>> What about your krb5.conf?
> On the new DC:
> dns1:~# cat /etc/krb5.conf
> [libdefaults]
>           default_realm = AD.HUEPER.DE
>           dns_lookup_realm = true
>           dns_lookup_kdc = true
>
> On the master DC:
> dns2:~# cat /etc/krb5.conf
> [libdefaults]
>           default_realm = AD.HUEPER.DE
>           dns_lookup_realm = false
>           dns_lookup_kdc = true
>
>> What about : samba-tool drs kcc -Uadministrator Your.domain.controllers  ?
> I did not run that command initially. I thought this was only necessary when
> joining an MS DC.
> I just ran it now:
>
> dns1:~# samba-tool drs kcc -Uadministrator
> Password for [HUEPER\administrator]:
> Consistency check on dns1.ad.hueper.de successful.
>
> dns1:~# samba-tool drs kcc -Uadministrator dns2.ad.hueper.de
> Password for [HUEPER\administrator]:
> Consistency check on dns2.ad.hueper.de successful.
>
>
>
>
>> Ex:
>> samba-tool drs kcc -Uadministrator s4master.tplk.loc
>> Password for [TPLK\administrator]:
>> Consistency check on s4master.tplk.loc successful.
>>
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On behalf of Thomas Kempf
>> Sent: Thursday, 16 October 2014 11:35
>> To: samba at lists.samba.org
>> Subject: [Samba] DNS Issues when joining a Domain as a DC
>>
>> Hi,
>> yesterday I tried to join a domain as a DC with bind9 as DNS backend
>> on Debian Wheezy with Samba 4.1.11 from backports. I followed the
>> tutorial in the wiki
>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC but didn't
>> find the instructions completely clear, so perhaps I made a mistake
>> during the join.
>> It is written there:
>> "If you choose BIND as DNS backend, instead of the internal DNS, then
>> you, of course, have to finish this before you continue"
>> I could not figure out how to finish configuring bind as a backend,
>> when the keytab file and the other bind-related files get created
>> after joining the domain.
>> So I ran the join command first, and with the files created in this
>> step, I was able to get the DC up and running...
>> I had to manually create the A and CNAME records on the old DC like it
>> is written in the wiki in the part "Check required DNS entries of the
>> new host". My guess was that those entries would be replicated later
>> on to the new DC; that seems not to work.
>> When I check the name resolving of the A record on the newly joined DC,
>> it does not resolve, whereas on the old one it works fine.
>>
>> AD-Domain is ad.hueper.de
>> old DC is dns2.ad.hueper.de
>> new DC is dns1.ad.hueper.de
>>
>> dns1:~# host -t A dns1.ad.hueper.de dns2.ad.hueper.de
>> Using domain server:
>> Name: dns2.ad.hueper.de
>> Address: 192.168.0.2#53
>> Aliases:
>>
>> dns1.ad.hueper.de has address 192.168.0.1
>>
>> dns1:~# host -t A dns1.ad.hueper.de dns1.ad.hueper.de
>> Using domain server:
>> Name: dns1.ad.hueper.de
>> Address: 192.168.0.1#53
>> Aliases:
>>
>> Host dns1.ad.hueper.de not found: 3(NXDOMAIN)
>>
>> When I look at the servers using RSAT DNS-Manager I can see the
>> A record on both DNS servers, so I wonder why it doesn't resolve on the
>> new DC?
>> Is it safe to delete the A and CNAME records and recreate them using RSAT?
>>
>> kind regards
>> Tom
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
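The comparison Thomas makes by eye above (the `host -l ad.hueper.de` listing served by the new DC 192.168.0.1 against the one served by the master DC 192.168.0.2) can be done mechanically. The following is an added example written for this page; it is not code from the thread or from the Samba project. It parses the sentence-style output of `host -l ZONE SERVER` for each DC into (owner, type, rdata) records, reports what one DC serves and the other does not, and checks the records a newly joined DC must serve for itself (its own A record, an apex A record with its address, and, when an objectGUID is supplied, the `<objectGUID>._msdcs.<zone>` CNAME). The two listings embedded as sample input are the ones quoted in this thread; the objectGUID is not on the page, so the CNAME check takes it as a parameter and the real value comes from the `ldbsearch ... objectGUID` command Daniel refers to. On the thread's data the diff yields exactly the two records Thomas created by hand on the old DC and cannot resolve from the new one.

```python
"""Compare the zone two Samba AD DCs serve, from host(1) -l output.

Added example, not code from the thread or from Samba. Input is the text of
`host -l ZONE SERVER` run against each DC.
"""
import re

# Constructed sample input: the two listings posted in the thread, i.e.
# `host -l ad.hueper.de 192.168.0.1` (new DC, header lines kept to show that
# they are skipped) and `host -l ad.hueper.de 192.168.0.2` (master DC).
NEW_DC_LISTING = """\
Using domain server:
Name: 192.168.0.1
Address: 192.168.0.1#53
Aliases:

ad.hueper.de name server dns2.ad.hueper.de.
ad.hueper.de has address 192.168.0.2
dns2.ad.hueper.de has address 192.168.0.2
_msdcs.ad.hueper.de name server dns2.ad.hueper.de.
ForestDnsZones.ad.hueper.de has address 192.168.0.2
DomainDnsZones.ad.hueper.de has address 192.168.0.2
"""

MASTER_DC_LISTING = """\
ad.hueper.de name server dns2.ad.hueper.de.
ad.hueper.de has address 192.168.0.2
ad.hueper.de has address 192.168.0.1
dns2.ad.hueper.de has address 192.168.0.2
DNS1.ad.hueper.de has address 192.168.0.1
_msdcs.ad.hueper.de name server dns2.ad.hueper.de.
ForestDnsZones.ad.hueper.de has address 192.168.0.2
DomainDnsZones.ad.hueper.de has address 192.168.0.2
"""

# The sentence forms host(1) prints for the record types relevant to a DC.
LINE_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:"
    r"has address (?P<A>\S+)"
    r"|has IPv6 address (?P<AAAA>\S+)"
    r"|name server (?P<NS>\S+)"
    r"|is an alias for (?P<CNAME>\S+)"
    r")$"
)


def _norm(name):
    """DNS names compare case-insensitively; drop the trailing dot as well."""
    return name.lower().rstrip(".")


def parse_host_listing(text):
    """Set of (owner, rrtype, rdata) tuples found in a host(1) listing.

    Lines that do not match ("Using domain server:", "Name:", "Address:",
    "Aliases:", blanks, "; Transfer failed.") are skipped.
    """
    records = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        for rrtype in ("A", "AAAA", "NS", "CNAME"):
            rdata = m.group(rrtype)
            if rdata is not None:
                records.add((_norm(m.group("owner")), rrtype, _norm(rdata)))
    return records


def diff_zone(listing_a, listing_b):
    """(records only A serves, records only B serves), each sorted.

    Replication should make both lists empty; whatever is left is what the
    lagging DC is not serving.
    """
    recs_a = parse_host_listing(listing_a)
    recs_b = parse_host_listing(listing_b)
    return sorted(recs_a - recs_b), sorted(recs_b - recs_a)


def missing_dc_records(listing, zone, dc_host, dc_ip, object_guid=None):
    """Records a DC must serve for itself that are absent from `listing`.

    Required: the DC's own A record and an apex A record with its address.
    With `object_guid` (the DC's objectGUID from ldbsearch) the
    <objectGUID>._msdcs.<zone> CNAME is checked too; that name lives in the
    delegated _msdcs zone, so concatenate `host -l _msdcs.<zone>` output
    onto `listing` for it to be found.
    """
    recs = parse_host_listing(listing)
    zone, fqdn = _norm(zone), _norm(f"{dc_host}.{zone}")
    required = [(fqdn, "A", dc_ip), (zone, "A", dc_ip)]
    if object_guid:
        required.append((_norm(f"{object_guid}._msdcs.{zone}"), "CNAME", fqdn))
    return [rec for rec in required if rec not in recs]


if __name__ == "__main__":
    only_master, only_new = diff_zone(MASTER_DC_LISTING, NEW_DC_LISTING)
    print("served by master DC only:", only_master)
    print("served by new DC only:", only_new)
    print("new DC dns1 is missing:",
          missing_dc_records(NEW_DC_LISTING, "ad.hueper.de", "dns1", "192.168.0.1"))
```

Feed it the `host -l` output from every nameserver in resolv.conf, not only the one that happens to be first. Two caveats: a server that refuses zone transfers (BIND's `allow-transfer`) returns no records at all, which the diff reports as everything missing, so rule that out before blaming replication; and `_msdcs` is a delegated zone, so the objectGUID CNAME only shows up in a listing of `_msdcs.ad.hueper.de`, not of `ad.hueper.de`.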


