[Samba] DNS issues after FSMO seize

lingpanda101 at gmail.com
Tue Apr 5 14:46:53 UTC 2016


On 4/5/2016 10:26 AM, mathias dufresne wrote:
> 2016-04-05 15:46 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>
>> Ok Mathias..
>>
>> I hope this helps a bit.
>> https://technet.microsoft.com/nl-nl/library/cc816941(v=ws.10).aspx
>>
>> now type :
>> nslookup -type=soa internal.domain.tld
>> or
>> nslookup -debug -type=soa internal.domain.tld
>> and look at
>> nslookup -debug -type=soa internal.domain.tld ip_of_a_NS1-server.
>> nslookup -debug -type=soa internal.domain.tld ip_of_a_NS2-server.
>>
>> And see..
>>
> mathias at mduf-linux:~$ nslookup -type=soa ad.domain.tld 10.154.102.164
> Server:         10.154.102.164
> Address:        10.154.102.164#53
>
> ad.domain.tld
>          origin = dc100.ad.domain.tld
>          mail addr = hostmaster.ad.domain.tld
>          serial = 463
>          refresh = 900
>          retry = 600
>          expire = 86400
>          minimum = 3600
>
> mathias at mduf-linux:~$ nslookup -type=soa ad.domain.tld 10.154.102.166
> Server:         10.154.102.166
> Address:        10.154.102.166#53
>
> ad.domain.tld
>          origin = dc102.ad.domain.tld
>          mail addr = hostmaster.ad.domain.tld
>          serial = 463
>          refresh = 900
>          retry = 600
>          expire = 86400
>          minimum = 3600
>
> DC100 has IP 10.154.102.164
> DC102 has IP 10.154.102.166
>
> Each DC replies it is the SOA... That's what I see : )
>
> So yes, there is one SOA declared but still, with multi-head DNS each name
> server able to modify the zone is acting like SOA (it seems to me that's
> why Bind devs took time to add that feature to their software).
>
> And as we are not speaking about how to write a new DNS RFC but we are
> speaking about how Samba acts as a DNS server, I don't feel wrong when I say
> AD DNS servers must reply they are all SOA.
> And I don't feel wrong either when I say a name server with SOA must be
> able to write into the zone.
> I don't feel wrong either when I say a name server able to modify should
> reply it is SOA. "Should" only because with a large number of DCs some can
> think about splitting services, with some DCs dedicated to DNS service as NS
> (reading the zone, replying to client requests) and some DCs where to push
> updates.
> But to get a robust AD we always need several items of each service,
> including where to push updates.
>
>
>
>> The soa record contains only 1 ! MNAME record.
>>
> Agreed.
>
>
>> The MNAME is (always/should_be) the primary dns server.
>>
> Agreed.
>
>
>> (see RFC/links below, it's in there)
>> (primary = first in this example)
>>
>> In DNS with an AD integrated zone, which has multi-master replication,
>> there is still only 1 MNAME field in the SOA since there is only 1 SOA per
>> zone.
>>
> Agreed.
>
>> ! Often the server with FSMO roles, because it's the first installed server.
>> But if you split the FSMO roles per server this can be different.
>> The MNAME field in the SOA record "should" be the primary dns server,
>> but this is often ignored.
>>
> Agreed.
>
>> Well, to explain DNS.. you need the dns list.. and this is the samba list.
>> Sorry but it is, we are welcome to help out, so try to keep it nice.
>> But I know.. you want to learn and understand and there is nothing wrong
>> with that.
>>
> Agreed too. Except there is a real issue with Samba Internal DNS and IMHO
> the best place to speak about Samba issues is here.
>
>> Some good info here.
>>
>> http://www.rfc-archive.org/getrfc.php?rfc=2181&tag=Clarifications-to-the-DNS-Specification
>>
>> This one is most useful imo, but it's a lot to handle.
>> https://www.isc.org/community/rfcs/dns/
>>
>> And thank you for the links ;)
>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>> Sent: Tuesday 5 April 2016 15:12
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] DNS issues after FSMO seize
>>>
>>> On 05/04/16 13:48, lingpanda101 at gmail.com wrote:
>>>> On 4/5/2016 8:17 AM, mathias dufresne wrote:
>>>>> For me:
>>>>> - SOA means where updates can be sent.
>>>>> - SOA can be one or several.
>>>>> - NS is a record to help non-authoritative name servers to find a
>>>>> valid name server for the zone they receive a request for and they
>>>>> don't know anything about that zone.
>>>>> - SOA is often declared as NS, I agree. I explained this is not
>>>>> mandatory.
>>>>>
>>>>> There is no link between these two notions except they share a zone.
>>>>>
>>>>> There are two of you telling me that's absurd. What I want is to
>>>>> understand things, and things include the DNS protocol and its usage in
>>>>> an AD. So if you have anything to _*explain*_ to me why these concepts
>>>>> are really linked, please tell me. Develop your argumentation because
>>>>> I'm really thick.
>>>>>
>>>>> Then we could go back to define the role of SOA and NS.
>>>>> For me, again:
>>>>> - SOA where to write
>>>>> - NS where to ask
>>>>>
>>>>> Again, if you do not agree with that, explain, develop, be clear, I'm
>>>>> still thick.
>>>>>
>>>>> And please don't come back to tell me NS stands for name server and
>>>>> SOA stands for Start of Authority. If I weren't able to find this
>>>>> information I would have nothing to do in the IT world, not designing
>>>>> an AD for a large company at least.
>>>>>
>>>>> And please accept my apologies about the tone, I really hate people
>>>>> who do not explain. We are here to understand, to grow up together.
>>>>> Telling someone "you're wrong" and stopping there is nonsense, that
>>>>> won't help the guy to understand his error, nor what he misunderstood.
>>>>>
>>>>>
>>>>>
>>>>> 2016-04-05 12:01 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>>
>>>> I'll throw my two cents in. I noted this from a Microsoft technet
>>>> article for a 2003 server I jotted down.
>>>>
>>>> "The SOA RR identifies a primary DNS name server for the zone as the
>>>> best source of information for the data within that zone and as an
>>>> entity processing the updates for the zone. "
>>>>
>>>> "A name within a zone can also be delegated to a different zone that
>>>> is hosted on a different DNS server. Delegation is a process of
>>>> assigning responsibility for a portion of a DNS namespace to a DNS
>>>> server owned by a separate entity. This separate entity could be
>>>> another organization, department or workgroup within your company.
>>>> Such delegation is represented by the NS resource record that
>>>> specifies the delegated zone and the DNS name of the server
>>>> authoritative for that zone."
>>>>
>>>> "The name server (NS) RRs facilitate delegation by identifying DNS
>>>> servers for each zone and the NS RRs appear in all zones. Whenever a
>>>> DNS server needs to cross a delegation in order to resolve a name, it
>>>> will refer to the NS RRs for DNS servers in the target zone."
>>>>
>>>> "If multiple NS records exist for a delegated zone identifying
>>>> multiple DNS servers available for querying, the Windows Server 2003
>>>> DNS Server service will be able to select the closest DNS server based
>>>> on the round trip intervals measured over time for every DNS server."
>>>>
>>>> The above is how I view the SOA and NS RRs. This is difficult for
>>>> many, due to users using Samba Internal DNS or Bind. Both exhibit
>>>> different behavior with respect to the SOA and NS records. With that
>>>> said, the above is how the SOA and NS RRs should behave (if
>>>> things have changed, please advise).
>>>>
>>>> The biggest issue facing the Samba Internal DNS is it only reports
>>>> one server as SOA. Bind does not have this limitation, as Rowland has
>>>> attested to with several threads showing his findings. Each server
>>>> should report itself as SOA.
>>>>
>>>> When I had to seize FSMO roles, I had to update the SOA to a
>>>> different DC, as it still pointed to the removed DC. This is using
>>>> internal DNS. I'm not sure if, when using bind, you still need to do
>>>> this when seizing.
>>>>
>>> This is the problem I found with the internal dns, you only get one SOA
>>> record, even if you add other DC NS & A records to the SOA. Bind works
>>> differently, you still have to add DC NS & A records to the SOA, but
>>> then every DC claims to have a SOA.
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
"For standard primary zones, the primary server (owner) returned in the
SOA query response is fixed and static. It always matches the exact DNS
name as it appears in the SOA RR stored with the zone. If, however, the
zone being updated is directory-integrated, any DNS server that is
running on a domain controller for the Active Directory domain in the
FQDN can respond and dynamically insert its own name as the primary
server (owner) of the zone in the SOA query response."

The above was also taken from a technet article I made note of when
researching DNS behavior in Active Directory. Bind is the only service
that behaves correctly in an AD environment. Samba internal does not.
While technically there is only one SOA, in directory-integrated zones
things behave a bit differently.

-- 
-James
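As an added example (not from the thread or from Samba), a small Python check that parses answers in the `nslookup -type=soa` format quoted above and flags a DC whose SOA MNAME still names a DC that no longer exists, which is the state James describes after the FSMO seizure. The dc100 and dc102 answers are the ones quoted in the thread; dc101 and the removed dc099 are constructed.

```python
import re
from typing import Dict, List

def sample(server: str, origin: str, serial: int) -> str:
    """Build an answer in the format `nslookup -type=soa zone server` prints."""
    return (f"Server:\t\t{server}\nAddress:\t{server}#53\n\nad.domain.tld\n"
            f"\torigin = {origin}\n\tmail addr = hostmaster.ad.domain.tld\n"
            f"\tserial = {serial}\n\trefresh = 900\n\tretry = 600\n"
            f"\texpire = 86400\n\tminimum = 3600\n")

# Live DCs (IP -> FQDN). dc100/dc102 are from the thread; dc101 is constructed.
LIVE_DCS = {"10.154.102.164": "dc100.ad.domain.tld",
            "10.154.102.166": "dc102.ad.domain.tld",
            "10.154.102.165": "dc101.ad.domain.tld"}

# Constructed answers: the two quoted in the thread, plus one whose SOA still
# names dc099 (a hypothetical DC removed by the FSMO seizure) at an older serial.
ANSWERS = {"10.154.102.164": sample("10.154.102.164", "dc100.ad.domain.tld", 463),
           "10.154.102.166": sample("10.154.102.166", "dc102.ad.domain.tld", 463),
           "10.154.102.165": sample("10.154.102.165", "dc099.ad.domain.tld", 460)}

SOA_FIELD = re.compile(r"^[ \t]*(origin|mail addr|serial|refresh|retry|expire|minimum)"
                       r"[ \t]*=[ \t]*(\S+)", re.M)

def parse_soa(output: str) -> Dict[str, str]:
    """Pull the SOA fields out of one nslookup answer."""
    fields = dict(SOA_FIELD.findall(output))
    if "origin" not in fields or "serial" not in fields:
        raise ValueError("no SOA record in nslookup output")
    return fields

def audit_soa(answers: Dict[str, str], live_dcs: Dict[str, str]) -> List[str]:
    """Check each DC's SOA answer. A finding is raised when the MNAME names a
    host that is no longer a DC, or when the zone serials disagree across DCs."""
    findings, serials = [], {}
    live = {fqdn.lower() for fqdn in live_dcs.values()}
    for ip, output in answers.items():
        soa = parse_soa(output)
        mname = soa["origin"].lower().rstrip(".")
        serials[ip] = int(soa["serial"])
        if mname not in live:
            findings.append(f"{live_dcs[ip]} reports stale MNAME {mname}")
    if len(set(serials.values())) > 1:
        findings.append(f"zone serial differs across DCs: {serials}")
    return findings
```

With only the two DCs from the thread the audit returns no findings; adding the constructed dc101 answer produces a stale-MNAME finding and a serial mismatch.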
