[Samba] DNS Issues when joining a Domain as a DC [SOLVED]

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 16 07:46:08 MDT 2014


On 16/10/14 14:40, Thomas Kempf wrote:
> Hi,
> sorry for the noise, but I have one more question on this topic. The
> initial problem is solved and the DNS information resolves the same
> names in both DNS servers, but samba-tool shows me an error when doing
> ldapcmp on dnsdomain and dnsforest.
>
> root at dns1:~# samba-tool ldapcmp ldap://dns1.ad.hueper.de 
> ldap://dns2.ad.hueper.de dnsdomain
>
> * Comparing [DNSDOMAIN] context...
>
> * Objects to be compared: 73
>
> Comparing:
> 'DC=DomainDnsZones,DC=ad,DC=hueper,DC=de' [ldap://dns1.ad.hueper.de]
> 'DC=DomainDnsZones,DC=ad,DC=hueper,DC=de' [ldap://dns2.ad.hueper.de]
>     Attributes found only in ldap://dns2.ad.hueper.de:
>         msDS-NcType
>     FAILED
>
> * Result for [DNSDOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes found only in ldap://dns2.ad.hueper.de:
>
>     msDS-NcType
> ERROR: Compare failed: -1
>
> And when comparing dnsforest
>
> root at dns1:~# samba-tool ldapcmp ldap://dns1.ad.hueper.de 
> ldap://dns2.ad.hueper.de dnsforest
>
> * Comparing [DNSFOREST] context...
>
> * Objects to be compared: 20
>
> Comparing:
> 'DC=ForestDnsZones,DC=ad,DC=hueper,DC=de' [ldap://dns1.ad.hueper.de]
> 'DC=ForestDnsZones,DC=ad,DC=hueper,DC=de' [ldap://dns2.ad.hueper.de]
>     Attributes found only in ldap://dns2.ad.hueper.de:
>         msDS-NcType
>     FAILED
>
> * Result for [DNSFOREST]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes found only in ldap://dns2.ad.hueper.de:
>
>     msDS-NcType
> ERROR: Compare failed: -1
> root at dns1:~#
>
> Are the missing attributes something that is intended on a secondary
> DC?
>
> Kind Regards
> Tom
>
> On 16.10.2014 at 13:58, Thomas Kempf wrote:
>> O.k. The problem is solved. I read through Louis's scripts and found this
>>
>>  ># Fixes for sernet samba missing rights
>>  >if [ -d /var/lib/samba/private ]; then
>>  >    echo "enable-ing access for bind in private"
>>  >    chmod 755 /var/lib/samba/private
>>  >    chown root:bind /var/lib/samba/private/dns.keytab
>>  >fi
>>
>> I checked the rights on the keytab and found the dns.keytab like this
>>
>> -rw------- 1 root root          742 Okt 15 17:45 dns.keytab
>>
>> changed it to this
>>
>> -rw-r----- 1 root bind          742 Okt 15 17:45 dns.keytab
>>
>> restarted bind and samba and here we go
>>
>> root at dns1:~# host -t A dns1.ad.hueper.de 192.168.0.1
>> Using domain server:
>> Name: 192.168.0.1
>> Address: 192.168.0.1#53
>> Aliases:
>>
>> dns1.ad.hueper.de has address 192.168.0.1
>>
>> Thank you all for your help guys!
>>
>> Kind regards
>> Tom
>>
>>
>>
>> On 16.10.2014 at 13:26, L.P.H. van Belle wrote:
>>> The Debian version of Samba in backports, 4.1.11,
>>> does not create the DC hostname correctly in the DNS.
>>> The first DC is ok, but every other join is missing important DNS
>>> settings.
>>>
>>> I advise to use the Sernet Samba version 4.1.12, which works perfectly for
>>> the DC servers.
>>> A member server can be Samba backports.
>>>
>>> I have tested this a week ago.
>>>
>>> You may want to try my scripts or have a look at what is
>>> done in the scripts.
>>>
>>> https://secure.bazuin.nl/scripts/
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original Message-----
>>>> From: listen at hueper.de [mailto:samba-bounces at lists.samba.org]
>>>> On behalf of Thomas Kempf
>>>> Sent: Thursday, 16 October 2014 11:35
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] DNS Issues when joining a Domain as a DC
>>>>
>>>> Hi,
>>>> yesterday I tried to join a domain as a DC with bind9 as DNS backend on
>>>> Debian Wheezy with samba 4.1.11 from backports. I followed the tutorial
>>>> in the wiki https://wiki.samba.org/index.php/Join_a_domain_as_a_DC but
>>>> didn't find the instructions completely clear, so perhaps I made
>>>> a mistake during the join.
>>>> It is written there:
>>>> "If you choose BIND as DNS backend, instead of the internal DNS, then
>>>> you, of course, have to finish this before you continue"
>>>> I could not figure out how to finish configuring bind as a backend, when
>>>> the keytab file and the other bind-related files get created after
>>>> joining the domain.
>>>> So I ran the join command first, and with the files created in this
>>>> step, I was able to get the DC up and running...
>>>> I had to manually create the A and CNAME records on the old DC like it
>>>> is written in the wiki in the part "Check required DNS entries of the
>>>> new host". My guess was that those entries would be replicated later
>>>> on to the new DC, but that seems not to work.
>>>> When I check the name resolving of the A record on the newly joined DC
>>>> it does not resolve, whereas on the old one it works fine.
>>>>
>>>> AD-Domain is ad.hueper.de
>>>> old DC is dns2.ad.hueper.de
>>>> new DC is dns1.ad.hueper.de
>>>>
>>>> dns1:~# host -t A dns1.ad.hueper.de dns2.ad.hueper.de
>>>> Using domain server:
>>>> Name: dns2.ad.hueper.de
>>>> Address: 192.168.0.2#53
>>>> Aliases:
>>>>
>>>> dns1.ad.hueper.de has address 192.168.0.1
>>>>
>>>> dns1:~# host -t A dns1.ad.hueper.de dns1.ad.hueper.de
>>>> Using domain server:
>>>> Name: dns1.ad.hueper.de
>>>> Address: 192.168.0.1#53
>>>> Aliases:
>>>>
>>>> Host dns1.ad.hueper.de not found: 3(NXDOMAIN)
>>>>
>>>> When I look at the servers using RSAT DNS-Manager I can see the A record
>>>> on both DNS servers, so I wonder why it doesn't resolve on the new DC?
>>>> Is it safe to delete the A and CNAME records and recreate them
>>>> using RSAT?
>>>>
>>>> Kind regards
>>>> Tom
>>>>
>
This came up a short while ago and a patch was supplied; the attributes
that are failing for you should be ignored as they are not replicated ;-)

Rowland

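The keytab permission fix Tom quoted from Louis's script, turned into a check that a DC admin can run before restarting bind. This is an added example, not code from the thread or from Louis's scripts; it assumes GNU stat, and the directory, owner and group are parameters (defaults /var/lib/samba/private, root, bind) so the check can also be exercised as an unprivileged user against a constructed directory.

```shell
#!/bin/sh
# Added example (not code from the thread or from Louis's scripts): check that
# the BIND9 DLZ files on a Samba DC carry the permissions the fix above settled
# on: private dir 0755, dns.keytab 0640 owned by root:bind.
# Assumes GNU stat. Owner and group are parameters so the check can also be
# exercised as an unprivileged user against a constructed directory.

# check_keytab FILE OWNER GROUP
# Exit 0 when FILE is mode 0640 and owned by OWNER:GROUP, 1 otherwise.
# 0640 lets the bind group read the key while keeping it away from "other";
# the thread's broken state was 0600 root:root, which bind cannot read at all.
check_keytab() {
    kt_file=$1; kt_owner=$2; kt_group=$3
    [ -f "$kt_file" ] || { echo "missing keytab: $kt_file"; return 1; }
    kt_perms=$(stat -c '%a %U %G' "$kt_file") || return 1
    [ "$kt_perms" = "640 $kt_owner $kt_group" ] && return 0
    echo "bad perms on $kt_file: got '$kt_perms', want '640 $kt_owner $kt_group'"
    return 1
}

# check_private_dir DIR
# The directory holding dns.keytab must be searchable by bind (0755); a
# group-readable keytab inside a 0700 directory is still unreachable.
check_private_dir() {
    pd_dir=$1
    [ -d "$pd_dir" ] || { echo "missing directory: $pd_dir"; return 1; }
    pd_mode=$(stat -c '%a' "$pd_dir") || return 1
    case "$pd_mode" in
        755) return 0 ;;
        *) echo "bad mode on $pd_dir: got $pd_mode, want 755"; return 1 ;;
    esac
}

# check_bind_dlz_perms DIR OWNER GROUP: both checks, mirroring the two lines
# of the quoted fix (chmod 755 on the dir, chown root:bind on the keytab).
check_bind_dlz_perms() {
    check_private_dir "$1" && check_keytab "$1/dns.keytab" "$2" "$3"
}

# Stand-alone use on a DC: sh check_dlz_perms.sh /var/lib/samba/private root bind
if [ $# -ge 1 ]; then
    check_bind_dlz_perms "$1" "${2:-root}" "${3:-bind}" && echo "OK: $1"
fi
```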