[Samba] DNS and DC replication clarification
Rowland Penny
rpenny at samba.org
Mon Mar 6 16:59:36 UTC 2017
On Mon, 6 Mar 2017 16:30:48 +0000 (UTC)
Mircea Husz via samba <samba at lists.samba.org> wrote:
> All,
>
> I configured two DCs (Samba version 4.5.5) replicating ad.corp.com in
> two sites (https://wiki.samba.org/index.php/Active_Directory_Sites)
>
> Following 'DNS configuration on Domain Controllers' section from this
> wiki
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> If I configure nameserver DC1 to be the first resolver for DC2,
> 'samba_dnsupdate --verbose --all-names' fails with
> 'tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> Minor code may provide more information, Minor = Server not found in
> Kerberos database.'
>
> The failure makes sense because each DC has keys only for itself in
> dns.keytab, as shown by
> 'klist -k /usr/local/samba/private/dns.keytab'. It makes no sense
> functionally for one DC to update another's DNS directly.
>
> Seems to me the failure from 'samba_dnsupdate --verbose --all-names'
> can be ignored when another DC's nameserver is listed first. Unless
> I'm missing something?
>
> -Mike
>
This is all down to the mythical 'islanding' problem. I personally
think that each DC should use its own IP address as the first nameserver
in /etc/resolv.conf and another DC as the second.
Rowland
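The resolver order recommended in the reply can be checked mechanically on each DC. The following is an added example, not part of the original thread or of Samba: the function name `check_resolver_order` is hypothetical and the 10.0.x.x addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: check that a DC lists itself as the first nameserver and
# another server (a second DC) as the next one in a resolv.conf-style file.
# Usage:  check_resolver_order RESOLV_CONF OWN_IP [OWN_IP...]
# Return: 0 own IP first, a different server second
#         1 first nameserver is not this DC (the setup in which
#           samba_dnsupdate sends its update to another DC)
#         2 own IP first, but no second nameserver that is another host
#         3 no nameserver lines found
check_resolver_order() {
    conf=$1; shift
    # Nameserver addresses in file order; comment and search lines are skipped.
    servers=$(awk '$1 == "nameserver" && $2 != "" { print $2 }' "$conf")
    if [ -z "$servers" ]; then
        echo "no nameserver entries in $conf"; return 3
    fi
    first=$(printf '%s\n' "$servers" | sed -n 1p)
    second=$(printf '%s\n' "$servers" | sed -n 2p)
    first_is_own=no; second_is_own=no
    for ip in "$@"; do
        if [ "$ip" = "$first" ]; then first_is_own=yes; fi
        if [ "$ip" = "$second" ]; then second_is_own=yes; fi
    done
    if [ "$first_is_own" = no ]; then
        echo "first nameserver $first is not this DC"; return 1
    fi
    if [ -z "$second" ] || [ "$second_is_own" = yes ]; then
        echo "own address first, but no other DC listed as second"; return 2
    fi
    echo "ok: $first (self) first, $second second"; return 0
}

# Constructed sample: DC2 (10.0.2.10) with DC1 (10.0.1.10) listed first,
# which is the configuration described in the question.
sample=$(mktemp)
cat > "$sample" <<'EOF'
search ad.corp.com
nameserver 10.0.1.10
nameserver 10.0.2.10
EOF
check_resolver_order "$sample" 10.0.2.10 127.0.0.1 || echo "exit status: $?"
rm -f "$sample"
```

On a real DC, pass /etc/resolv.conf and every address the DC answers DNS on, including 127.0.0.1 if the file uses loopback for the local server.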