[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
James
lingpanda101 at gmail.com
Fri Nov 27 18:03:42 UTC 2015
On 11/27/2015 10:43 AM, Rowland Penny wrote:
> On 27/11/15 15:24, mathias dufresne wrote:
>>
>>
>> 2015-11-27 15:49 GMT+01:00 Rowland Penny
>> <rowlandpenny241155 at gmail.com <mailto:rowlandpenny241155 at gmail.com>>:
>>
>> On 27/11/15 14:30, James wrote:
>>
>> On 11/27/2015 9:16 AM, Rowland Penny wrote:
>>
>> On 27/11/15 13:23, James wrote:
>>
>> On 11/26/2015 11:12 AM, Ole Traupe wrote:
>>
>>
>> Then you re-run your test with only DC2 up
>> and running.
>> Note that DNS needs time to be updated if
>> you are using other DNS servers between
>> clients and AD DCs.
>>
>> The SOA RR identifies a primary DNS name
>> server for the zone as the best source of
>> information for the data within that zone and
>> as the entity processing the updates for the zone.
>>
>> The NS resource record is used to note which
>> DNS servers are designated as authoritative
>> for the zone. By listing a server in the NS RR,
>> it becomes known to others as an authoritative
>> server for the zone. This means that any
>> server specified in the NS RR is to be
>> considered an authoritative source by others,
>> and is able to answer with certainty any
>> queries made for names included in the zone.
>>
>> Much of the above was taken almost verbatim
>> from online Microsoft tech documents. I don't
>> believe that DCs create NS records by default.
>>
>>
>> You mean Samba DCs or DCs in general?
>>
>> I am not sure I understand the above. Do you
>> suggest to create another NS record for the
>> Second_DC, or not to?
>>
>> In the resolv.conf on my member servers both DCs
>> are listed as DNS servers. I like to think that
>> the member servers eventually ask the second DNS
>> server, if the first won't respond. This seems to
>> be reflected by ping taking more than 5 s for the
>> first packet to arrive.
>>
>> BUT what does the second DNS server (Second_DC)
>> reply? Which logon server does it announce?
>>
>>
>> DNS can be very confusing. You do not need to create a
>> NS record for your second DC if the zone is directory
>> integrated. By default the DC is authoritative for
>> that zone.
>>
>>
>> Probably with Windows it is, but not with Samba AD, you
>> only get one NS and one SOA. The only authoritative Samba
>> AD DC is the first one; when you join a second DC, it runs
>> the same code that created the SOA during the first DC's
>> provision and, because the SOA already exists, it fails.
>>
>> Rowland
>>
>>
>> Yikes! Are you saying DCs with directory integrated zones are
>> not authoritative for them? That means an NS record needs to be
>> created manually for each DC added.
>>
>>
>> Yes, that's about the size of it. No matter how many DCs you join,
>> you only have one NS, the original DC.
>>
>> I have been trying to alter the code, but I am struggling to get
>> another NS record added during the join. It doesn't help that I
>> have no idea what a Windows DC SOA record looks like. Does each DC
>> have a separate SOA record, or is it like the Samba SOA record and
>> there is only one with multiple NS records?
>>
>> Yes, each Windows DC has an SOA record. In fact I expect there is
>> really no SOA record on MS AD. I expect SOA management is something
>> like: when a DC receives a request for SOA, it replies "I am SOA".
>> On MS AD all DCs have an NS record. My second mail in that thread
>> from Sunday the 22nd of November shows the different DNS queries I
>> did on an MS AD domain (a 2008 R2 domain with only 2 DCs, Microsoft DCs).
>>
>> Finally, I would look into samba_dnsupdate to add creation of the NS
>> record. I expect this tool is run when samba starts.
>> Unfortunately I did not find the right option to add to
>> samba_dnsupdate for it to really create DNS entries, even with a
>> Kerberos ticket already created before running that command. I
>> received a mail recently from another Samba user using the internal
>> DNS for his AD hosted by Samba. This person was facing the same issue
>> as me (missing DNS entries, samba_dnsupdate not adding entries). To
>> work around that issue he modified samba_dnsupdate and commented out
>> this line (line 413):
>> os.unlink(tmpfile)
>>
>> Doing that, samba_dnsupdate does not remove the tmp file. This tmp file
>> contains the nsupdate commands which are launched by samba_dnsupdate.
>> Finally he uses these nsupdate commands from the tmp files without the -g
>> option and his DNS entries are now created.
>> I must say I did yet try that process.
>>
>
> If you follow the 'join' code, you end up at 'add_at_record' in
> sambadns.py. This is run by the initial provision and again when any
> DCs are joined. I have tried adding a check to see if the SOA exists
> and only creating it if it doesn't, otherwise just adding the NS records
> etc. I can add the A record for the subsequent DC but not its NS
> record. This is what the initial SOA record looks like:
>
> dn:
> DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20151106115624.0Z
> uSNCreated: 3657
> showInAdvancedViewOnly: TRUE
> name: @
> objectGUID: 7ad014c4-c1e9-4cb4-9f0d-96d0272af23d
> objectCategory:
> CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> dc: @
> whenChanged: 20151122115408.0Z
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
> wDataLength : 0x004f (79)
> wType : DNS_TYPE_SOA (6)
> version : 0x05 (5)
> rank : DNS_RANK_ZONE (240)
> flags : 0x0000 (0)
> dwSerial : 0x00000062 (98)
> dwTtlSeconds : 0x00000e10 (3600)
> dwReserved : 0x00000000 (0)
> dwTimeStamp : 0x00377e73 (3636851)
> data : union dnsRecordData(case 6)
> soa: struct dnsp_soa
> serial : 0x00000063 (99)
> refresh : 0x00000384 (900)
> retry : 0x00000258 (600)
> expire : 0x00015180 (86400)
> minimum : 0x00000e10 (3600)
> mname : dc1.samdom.example.com
> rname : hostmaster.samdom.example.com
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
> wDataLength : 0x001a (26)
> wType : DNS_TYPE_NS (2)
> version : 0x05 (5)
> rank : DNS_RANK_ZONE (240)
> flags : 0x0000 (0)
> dwSerial : 0x00000062 (98)
> dwTtlSeconds : 0x00000384 (900)
> dwReserved : 0x00000000 (0)
> dwTimeStamp : 0x00000000 (0)
> data : union dnsRecordData(case 2)
> ns : dc1.samdom.example.com
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
> wDataLength : 0x0004 (4)
> wType : DNS_TYPE_A (1)
> version : 0x05 (5)
> rank : DNS_RANK_ZONE (240)
> flags : 0x0000 (0)
> dwSerial : 0x00000062 (98)
> dwTtlSeconds : 0x00000384 (900)
> dwReserved : 0x00000000 (0)
> dwTimeStamp : 0x00000000 (0)
> data : union dnsRecordData(case 1)
> ipv4 : 192.168.0.5
>
> uSNChanged: 29974
> distinguishedName:
> DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
>
> I can add the NS record for the second DC with samba-tool, but not by
> modifying the 'add_at_record' code.
>
> I tried doing an internet search, but cannot find anything that shows
> the SOA objects in AD for a Windows server, so I don't know if Windows
> uses separate SOA object records for each DC, or just one SOA
> object record (like Samba uses) with an NS record added for each DC.
>
> Rowland
>
Rowland,
This is what I have been able to dig up but nothing concrete.
https://www.petri.com/forums/forum/microsoft-networking-services/active-directory/18697-ad-zones-and-dns-soa-records
and
http://www.dell.com/support/article/us/en/19/SLN156678/en
Both state that each DC should have its own SOA if it's directory
integrated. However, looking here
http://blogs.msmvps.com/acefekay/2013/04/30/dns-zone-types-explained-and-their-significance-in-active-directory/
it says that the SOA should rotate.
--
-James
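The '@' node dump Rowland quotes is the NDR-decoded view of the raw dnsRecord attribute values. The following is an added example, not code from the thread or from Samba: it decodes such blobs and reports which DCs have no NS record at the zone apex, the state the thread describes after joining a second Samba DC. It assumes the MS-DNSP DNS_RPC_RECORD layout as Samba's dnsp_DnssrvRpcRecord IDL expresses it (a 24-byte little-endian header except for dwTtlSeconds, which is stored in network byte order; SOA counters big-endian; names as DNS_COUNT_NAME: length, label count, length-prefixed labels, zero terminator). The three sample blobs are constructed here from the values in the dump, dc2.samdom.example.com is a hypothetical second DC, and samba_tool_fix only formats the samba-tool command Rowland says works; it does not run it.

```python
"""Decode Samba AD dnsRecord blobs and find DCs missing an NS record at '@'.

Layout assumed (MS-DNSP DNS_RPC_RECORD / Samba dnsp_DnssrvRpcRecord), not
taken from the mail thread.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

DNS_TYPE_A, DNS_TYPE_NS, DNS_TYPE_SOA = 1, 2, 6
DNS_RANK_ZONE = 240

HDR = struct.Struct("<HHBBHI")   # wDataLength, wType, version, rank, flags, dwSerial
TTL = struct.Struct(">I")        # dwTtlSeconds is stored in network byte order
TAIL = struct.Struct("<II")      # dwReserved, dwTimeStamp
HDR_LEN = HDR.size + TTL.size + TAIL.size  # 24 bytes


def encode_count_name(name: str) -> bytes:
    """DNS_COUNT_NAME: the first byte counts label bytes plus terminator, which is
    why the NS record for dc1.samdom.example.com has wDataLength 26 in the dump."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    raw = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def decode_count_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Return (dotted name without trailing dot, offset just past the name)."""
    length, count = buf[off], buf[off + 1]
    pos, labels = off + 2, []
    for _ in range(count):
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    if buf[pos] != 0:
        raise ValueError("DNS_COUNT_NAME missing zero terminator")
    pos += 1
    if pos - (off + 2) != length:
        raise ValueError("DNS_COUNT_NAME length byte disagrees with labels")
    return ".".join(labels), pos


@dataclass
class DnsRecord:
    rtype: int
    ttl: int
    timestamp: int
    data: Dict[str, object]


def encode_record(rtype: int, data: Dict[str, object], ttl: int,
                  serial: int = 98, timestamp: int = 0) -> bytes:
    """Build one dnsRecord value; used here only to construct the sample input."""
    if rtype == DNS_TYPE_A:
        payload = bytes(int(o) for o in str(data["ipv4"]).split("."))
    elif rtype == DNS_TYPE_NS:
        payload = encode_count_name(str(data["ns"]))
    elif rtype == DNS_TYPE_SOA:
        payload = struct.pack(">5I", data["serial"], data["refresh"], data["retry"],
                              data["expire"], data["minimum"])
        payload += encode_count_name(str(data["mname"])) + encode_count_name(str(data["rname"]))
    else:
        raise ValueError(f"unsupported record type {rtype}")
    return (HDR.pack(len(payload), rtype, 5, DNS_RANK_ZONE, 0, serial)
            + TTL.pack(ttl) + TAIL.pack(0, timestamp) + payload)


def decode_record(blob: bytes) -> DnsRecord:
    if len(blob) < HDR_LEN:
        raise ValueError("blob shorter than the dnsp_DnssrvRpcRecord header")
    dlen, rtype, _ver, _rank, _flags, _serial = HDR.unpack_from(blob, 0)
    (ttl,) = TTL.unpack_from(blob, HDR.size)
    _reserved, timestamp = TAIL.unpack_from(blob, HDR.size + TTL.size)
    payload = blob[HDR_LEN:HDR_LEN + dlen]
    if len(payload) != dlen:  # wDataLength comes from the directory: never trust it blindly
        raise ValueError("wDataLength runs past the end of the blob")
    if rtype == DNS_TYPE_A:
        if dlen != 4:
            raise ValueError("A record must carry exactly 4 bytes")
        data: Dict[str, object] = {"ipv4": ".".join(str(b) for b in payload)}
    elif rtype == DNS_TYPE_NS:
        data = {"ns": decode_count_name(payload, 0)[0]}
    elif rtype == DNS_TYPE_SOA:
        s, refresh, retry, expire, minimum = struct.unpack_from(">5I", payload, 0)
        mname, pos = decode_count_name(payload, 20)
        rname, _ = decode_count_name(payload, pos)
        data = {"serial": s, "refresh": refresh, "retry": retry, "expire": expire,
                "minimum": minimum, "mname": mname, "rname": rname}
    else:
        data = {"raw": payload}
    return DnsRecord(rtype, ttl, timestamp, data)


def missing_ns(blobs: List[bytes], dc_fqdns: List[str]) -> List[str]:
    """DCs that have no NS record on the '@' node of the zone."""
    present = {str(r.data["ns"]).lower() for r in map(decode_record, blobs)
               if r.rtype == DNS_TYPE_NS}
    return sorted(dc for dc in dc_fqdns if dc.lower().rstrip(".") not in present)


def samba_tool_fix(server: str, zone: str, missing: List[str]) -> List[str]:
    """Format the manual fix from the thread (adding the NS with samba-tool)."""
    return [f"samba-tool dns add {server} {zone} @ NS {dc}" for dc in missing]


# Constructed sample: the SOA, NS and A records from the dump, re-encoded from
# the values shown there (not captured from a real DC).
SAMPLE_AT_RECORDS = [
    encode_record(DNS_TYPE_SOA, {"serial": 99, "refresh": 900, "retry": 600,
                                 "expire": 86400, "minimum": 3600,
                                 "mname": "dc1.samdom.example.com",
                                 "rname": "hostmaster.samdom.example.com"},
                  ttl=3600, timestamp=3636851),
    encode_record(DNS_TYPE_NS, {"ns": "dc1.samdom.example.com"}, ttl=900),
    encode_record(DNS_TYPE_A, {"ipv4": "192.168.0.5"}, ttl=900),
]

if __name__ == "__main__":
    dcs = ["dc1.samdom.example.com", "dc2.samdom.example.com"]  # dc2 is hypothetical
    for cmd in samba_tool_fix("dc1.samdom.example.com", "samdom.example.com",
                              missing_ns(SAMPLE_AT_RECORDS, dcs)):
        print(cmd)
```

On a live DC the blobs would come from the dnsRecord attribute of the '@' dnsNode (for example via ldbsearch against sam.ldb), and the DC list from the domain's nTDSDSA objects; the encoded sizes here reproduce the wDataLength values 79, 26 and 4 from the dump, which is a cheap way to confirm the assumed layout before trusting the decoder on real data.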