[Samba] inconsistent DNS information, windows domain member issues..

Rowland Penny rpenny at samba.org
Sun Jun 5 10:48:40 UTC 2016


On 05/06/16 10:05, Jo wrote:
> I joined a Windows 10 Pro system to my (still experimental) domain. The
> windows system actually hosts DC2 as a VM, and another Windows (Server 2008
> R2) at another location hosts DC1 also as a VM. The two locations are
> connected via a VPN, both systems run only when needed. The windows system
> does not directly use DC2 for DNS but instead talks to a DNS resolver that
> delegates the samba Domain to DC2. DC2 uses itself as nameserver.
>
>   
>
> I am observing the following issues that may be related or not:
>
> *       When I do a nslookup samba.domain DC2 I get the address of DC1,
> nslookup DC2.sambadomain DC2 fails. Nslookup DC1.samba.domain DC2 works.
> When I use dig @DC2 samba.domain it returns DC1 only. Dig samba.domain ANY
> returns
>
> ;; ANSWER SECTION:
>
> samba.domain.   3600    IN      SOA     dc2.samba. domain. hostmaster.samba.
> domain. 1 900 600 86400 3600
>
> samba. domain.   900     IN      NS      dc1.samba. domain.
>
> samba. domain.   900     IN      A       192.168.177.21
>
>   
>
> ;; ADDITIONAL SECTION:
>
> dc1.samba. domain. 900   IN      A       192.168.177.21
>
> Same information @DC2 or the local resolver of the network
>
> *       On windows nslookup -type=ANY samba.domain. (note the .)
>
> Server:  netgear.local
>
> Address:  192.168.15.2
>
>   
>
> samba.domain
>
>          primary name server = dc2.samba. domain
>
>          responsible mail addr = hostmaster.samba.domain
>
>          serial  = 1
>
>          refresh = 900 (15 mins)
>
>          retry   = 600 (10 mins)
>
>          expire  = 86400 (1 day)
>
>          default TTL = 3600 (1 hour)
>
> samba. domain nameserver = dc1.samba. domain
>
> samba. domain              internet address = 192.168.177.21
>
> dc1.samba. domain       internet address = 192.168.177.21
>
> *       windows nslookup -type=ANY samba.domain (without .) looks for
> samba.domain.domain. Is this OK or does it point to a problematic search
> configuration?
>
> *       When I use the DNS mmc snap-in I can see a host record for dc2. I
> can also see a host record for the windows system reflecting the IP address
> before the system moved to the other location. I tried to update that, but
> got an error message (translated from German) like “the database of the
> local security authority is internally inconsistent”. The snap-in is ultra
> slow via VPN, but what makes me more nervous are the to me inconsistent
> views on the DNS – nslookup showing DC2, mmc showing DC1 as the NS.
>
> *       In windows management console, only some of the domain
> users&principals are shown with the name domain\identity, most of them are
> shown S-xxx. With the one user shown domain\user I can logon to the windows
> system however (likely with cached credentials, but don't dare to change
> them to confirm)
>
> *       When I try to modify folder permissions on the windows system, I get
> a message “Unable to contact Active Directory to access or verify claim
> types”
>
> *       On DC2: kinit Administrator returns “kinit: Cannot contact any KDC
> for realm ‘samba.domain’ while getting initial credentials”. This one was
> easy to fix by adding the domain to /etc/krb5.conf. I am putting this in as
> I changed configuration at this point..
>
> *       In an attempt to get Samba return DC2 as a nameserver I tried
> samba-tool dns add dc2 samba.domain @ NS dc2.samba.domain.
>
> Password for [Administrator at SAMBA.DOMAIN]:
>
> ERROR(runtime): uncaught exception - (-1073741643, '{Device Timeout} The
> specified I/O operation on %hs was not completed before the time-out period
> expired.')
>
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>
>      return self.run(*args, **kwargs)
>
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 1062, in
> run
>
>      dns_conn = dns_connect(server, self.lp, self.creds)
>
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 40, in
> dns_connect
>
>      dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>
> in another attempt the command produced “Record added successfully”, but
> using dig or nslookup I cannot find it. It is shown in the DNS mmc snap-in
> (at least now). Restarting bind did not help.
>
> *       Following
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins I
> tried
>
> root at dc2:/etc/bind# samba-tool dns add dc1 samba.domain DC2 A 192.168.15.22
> -UAdministrator
>
> Password for [SAMBA\Administrator]:
>
> ERROR: Record already exists
>
> root at dc2:/etc/bind# samba-tool dns add dc2 samba.domain DC2 A 192.168.15.22
> -UAdministrator
>
> Password for [SAMBA\Administrator]:
>
> ERROR: Record already exists
>
> root at dc2:/etc/bind# host -t A DC2.samba.domain
>
> Host DC2.samba.lindenberg.one not found: 3(NXDOMAIN)
>
>                How should I proceed there?
>
>
>
> I don't know how to fix the inconsistent DNS entries and get windows to
> work. Please advise.
>
> Thanks, Joachim
>

Is bind9 running on the DCs? And if so, are you using bind_dlz?

Your DCs really need to be running at all times, so that replication can 
work properly. Also, each DC should use the other as its DNS server, and 
anything unknown to the DNS servers on the DCs should be forwarded to an 
external DNS that does know or can find out.

Can you please post /etc/resolv.conf, /etc/hosts and /etc/krb5.conf 
from each DC? Can you also post the smb.conf file from each DC?

Rowland
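
A check for the symptom discussed in this thread (the zone answering with records for DC1 only), as an added example that is not part of either post or of Samba: it parses dig output and lists which DCs lack an NS record, a host A record, or an apex A record. The sample output is constructed from the records quoted above with the domain written as samba.domain; the function names and the expectation that every DC publishes all three records are assumptions.

```python
# Added example: constructed dig output modelled on the records quoted in the thread.
SAMPLE_DIG = """\
;; ANSWER SECTION:
samba.domain.     3600 IN SOA dc2.samba.domain. hostmaster.samba.domain. 1 900 600 86400 3600
samba.domain.     900  IN NS  dc1.samba.domain.
samba.domain.     900  IN A   192.168.177.21
;; ADDITIONAL SECTION:
dc1.samba.domain. 900  IN A   192.168.177.21
"""

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def parse_records(dig_text):
    """Return (owner, type, rdata) for every resource-record line in dig output."""
    records = []
    for line in dig_text.splitlines():
        fields = line.split()
        # Skip blanks, ';' section lines and anything not shaped 'name ttl IN type rdata'.
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        records.append((norm(fields[0]), fields[3].upper(), " ".join(fields[4:])))
    return records

def check_zone(dig_text, zone, dcs):
    """List (dc, problem) pairs for DCs missing NS, host A or apex A records.

    dcs maps each DC's FQDN to the IP address it is assumed to publish.
    """
    zone = norm(zone)
    records = parse_records(dig_text)
    ns_targets = {norm(r) for o, t, r in records if o == zone and t == "NS"}
    apex_ips = {r for o, t, r in records if o == zone and t == "A"}
    findings = []
    for fqdn, ip in dcs.items():
        host_ips = {r for o, t, r in records if o == norm(fqdn) and t == "A"}
        if norm(fqdn) not in ns_targets:
            findings.append((fqdn, "no NS record for zone"))
        if ip not in host_ips:
            findings.append((fqdn, "host A record missing or wrong"))
        if ip not in apex_ips:
            findings.append((fqdn, "IP not in zone apex A records"))
    return findings

if __name__ == "__main__":
    expected = {"dc1.samba.domain": "192.168.177.21", "dc2.samba.domain": "192.168.15.22"}
    for dc, problem in check_zone(SAMPLE_DIG, "samba.domain", expected):
        print(f"{dc}: {problem}")
```

Feeding it the combined output of the same queries run against each DC in turn shows whether the two servers disagree, which is the inconsistency reported above.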



