[Samba] DNS issues after FSMO seize

L.P.H. van Belle belle at bazuin.nl
Tue Apr 5 13:46:05 UTC 2016

Ok Mathias.. 

I hope this helps a bit.

Now type:
nslookup -type=soa internal.domain.tld
nslookup -debug -type=soa internal.domain.tld
and look at
nslookup -debug -type=soa internal.domain.tld ip_of_a_NS1-server
nslookup -debug -type=soa internal.domain.tld ip_of_a_NS2-server

And see..  

The SOA record contains only one (!) MNAME record.
The MNAME is (always/should be) the primary DNS server.
(See the RFC/links below, it's in there.)
(Primary = first in this example.)

In DNS with an AD-integrated zone, which has multi-master replication,
there is still only 1 MNAME field in the SOA since there is only 1 SOA per zone.

! Often the server with the FSMO roles, because it's the first installed server.
But if you split the FSMO roles per server this can be different.
The MNAME field in the SOA record "should" be the primary DNS server,
but this is often ignored.

Well, to explain DNS you need the DNS list, and this is the Samba list.
Sorry, but it is; we are welcome to help out, so try to keep it nice.
But I know, you want to learn and understand, and there is nothing wrong with that.

Some good info here. 

This one is the most useful imo, but it's a lot to handle.



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Tuesday, 5 April 2016 15:12
> To: samba at lists.samba.org
> Subject: Re: [Samba] DNS issues after FSMO seize
> On 05/04/16 13:48, lingpanda101 at gmail.com wrote:
> > On 4/5/2016 8:17 AM, mathias dufresne wrote:
> >> For me:
> >> - SOA means where updates can be sent.
> >> - SOA can be one or several.
> >> - NS is a record to help non-authoritative name servers to find a valid
> >> name server for the zone they receive a request and they don't know
> >> anything about that zone.
> >> - SOA is often declared as NS, I agree. I explained this is not
> >> mandatory.
> >>
> >> There is no link between these two notions except they share a zone.
> >>
> >> There are two of you telling me that's absurd. What I want is to understand things,
> >> and things include the DNS protocol and its usage in an AD. So if you have
> >> anything to _*explain*_ to me why these concepts are really linked, please
> >> tell me. Develop your argumentation because I'm really thick.
> >>
> >> Then we could go back to define the role of SOA and NS.
> >> For me, again:
> >> - SOA where to write
> >> - NS where to ask
> >>
> >> Again, if you do not agree with that, explain, develop, be clear, I'm
> >> still thick.
> >>
> >> And please don't come back to tell me NS stands for name server and SOA
> >> stands for Start of Authority. If I weren't able to find this
> >> information I would have nothing to do in the IT world, not designing an
> >> AD for a large company at least.
> >>
> >> And please accept my apologies about the tone, I really hate people
> >> who do not explain. We are here to understand, to grow up together. Telling
> >> someone "you're wrong" and stopping there is nonsense; that won't help
> >> the guy to understand his error, nor what he misunderstood.
> >>
> >>
> >>
> >> 2016-04-05 12:01 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> >>
> > I'll throw my two cents in. I noted this from a Microsoft TechNet
> > article for a 2003 server that I jotted down.
> >
> > "The SOA RR identifies a primary DNS name server for the zone as the
> > best source of information for the data within that zone and as an
> > entity processing the updates for the zone. "
> >
> > "A name within a zone can also be delegated to a different zone that
> > is hosted on a different DNS server. Delegation is a process of
> > assigning responsibility for a portion of a DNS namespace to a DNS
> > server owned by a separate entity. This separate entity could be
> > another organization, department or workgroup within your company.
> > Such delegation is represented by the NS resource record that
> > specifies the delegated zone and the DNS name of the server
> > authoritative for that zone."
> >
> > "The name server (NS) RRs facilitate delegation by identifying DNS
> > servers for each zone and the NS RRs appear in all zones. Whenever a
> > DNS server needs to cross a delegation in order to resolve a name, it
> > will refer to the NS RRs for DNS servers in the target zone."
> >
> > "If multiple NS records exist for a delegated zone identifying
> > multiple DNS servers available for querying, the Windows Server 2003
> > DNS Server service will be able to select the closest DNS server based
> > on the round trip intervals measured over time for every DNS server."
> >
> > The above is how I view the SOA and NS RRs. This is difficult for
> > many, due to users using Samba Internal DNS or Bind. Both exhibit
> > different behavior with respect to the SOA and NS records. With that
> > said, the above is how the SOA and NS RRs should behave (if
> > things have changed, please advise).
> >
> > The biggest issue facing the Samba Internal DNS, is it only reports
> > one server as SOA. Bind does not have this limitation, as Rowland has
> > attested to with several threads showing his findings. Each server
> > should report itself as SOA.
> >
> > When I had to seize FSMO roles, I had to update the SOA to a
> > different DC, as it still pointed to the removed DC. This is using
> > internal DNS. I'm not sure if, when using Bind, you still need to do
> > this when seizing.
> >
> This is the problem I found with the internal dns, you only get one SOA
> record, even if you add other DC NS & A records to the SOA. Bind works
> differently, you still have to add DC NS & A records to the SOA, but
> then every DC claims to have a SOA.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
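The check the thread keeps circling back to (does every DC return the same SOA MNAME, and does that MNAME still name a live DC after the FSMO seize?) can be scripted rather than eyeballed from `nslookup -debug`. The following is an added example, not code from the thread or from Samba: a stdlib-only DNS client that builds the SOA query, decodes the wire-format answer (including compression pointers) and compares MNAME across servers. The zone name `internal.domain.tld` is taken from the nslookup commands above; the DC host names `dc1`, `dc2`, `olddc` and the sample answers in `demo()` are constructed so the check runs offline. `query_soa()` is the live path against a real server.

```python
"""SOA MNAME consistency check for an AD-integrated zone.

Added example (not from the Samba thread): stdlib-only DNS client that asks
each DC for the zone SOA and reports MNAME disagreement or a stale MNAME.
Zone, host names and the offline sample answers are assumed/constructed.
"""
import socket
import struct


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer, RFC 1035 4.1.4
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end, jumped = offset + 2, True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if jumped else offset)

def build_soa_query(zone, qid=0x1234):
    """Standard query (RD set) with one question: <zone> IN SOA."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", 6, 1)

def parse_soa_response(data):
    """Return the first SOA RDATA from the answer section as a dict."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F:
        raise ValueError("server answered with RCODE %d" % (flags & 0xF))
    offset = 12
    for _ in range(qdcount):  # skip the question section
        _, offset = decode_name(data, offset)
        offset += 4
    for _ in range(ancount):
        _, offset = decode_name(data, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 6:  # SOA
            mname, pos = decode_name(data, offset)
            rname, pos = decode_name(data, pos)
            fields = struct.unpack("!IIIII", data[pos:pos + 20])
            return dict(zip(("serial", "refresh", "retry", "expire", "minimum"), fields),
                        mname=mname, rname=rname)
        offset += rdlength
    raise ValueError("no SOA record in the answer section")

def query_soa(server_ip, zone, timeout=3.0):
    """Ask one server over UDP/53 for the zone SOA (live use; not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(zone), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_soa_response(data)

def check_mname(soa_by_server, live_dcs):
    """Findings: servers disagree on MNAME, or an MNAME that is not a live DC."""
    live = {dc.lower().rstrip(".") for dc in live_dcs}
    mnames = {label: soa["mname"] for label, soa in soa_by_server.items()}
    findings = []
    if len(set(mnames.values())) > 1:
        findings.append("servers disagree on MNAME: %s" % sorted(mnames.items()))
    for label, mname in sorted(mnames.items()):
        if mname not in live:
            findings.append("%s reports MNAME %s, which is not a live DC" % (label, mname))
    return findings

def build_soa_response(zone, mname, rname, serial, qid=0x1234):
    """Constructed answer for offline use: one SOA RR, owner name compressed to the question."""
    question = encode_name(zone) + struct.pack("!HH", 6, 1)
    rdata = encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, 900, 600, 86400, 3600)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, 0x8580, 1, 1, 0, 0) + question + answer

def demo():
    """Offline run: dc1 still names the seized, removed DC in MNAME; dc2 names itself."""
    zone = "internal.domain.tld"  # assumed, as in the thread's nslookup example
    live = {"dc1.internal.domain.tld", "dc2.internal.domain.tld"}  # assumed DC names
    answers = {  # constructed responses standing in for query_soa() against each DC
        "dc1": build_soa_response(zone, "olddc.internal.domain.tld", "hostmaster.internal.domain.tld", 42),
        "dc2": build_soa_response(zone, "dc2.internal.domain.tld", "hostmaster.internal.domain.tld", 42),
    }
    soas = {label: parse_soa_response(data) for label, data in answers.items()}
    return soas, check_mname(soas, live)

if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Against a real domain, replace the constructed `answers` with `{"dc1": query_soa("ip_of_dc1", zone), ...}` and feed the set of DCs that currently exist as `live`. An empty findings list means every server agrees on one MNAME and it still points at a DC that exists; with Samba's internal DNS after a seize you would expect the "not a live DC" finding until the SOA is updated by hand, which is exactly the situation described in the thread.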
