[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown

Rowland Penny rpenny at samba.org
Sun Sep 10 13:25:17 UTC 2017

On Fri, 8 Sep 2017 14:31:21 +0200
Sven Schwedas via samba <samba at lists.samba.org> wrote:

> On 2017-09-08 14:21, Rowland Penny via samba wrote:
> > OK, you have convinced me ;-)
> If you know any other part of AD DNS that is tricky, I'd be interested
> to know before AD blows up again. ;-)
> > Seeing how you seem to know the required 'magic', do you feel up to
> > sharing it, if you do I will add a page to the Samba wiki.
> What magic? How to set up dnsmasq as caching proxy? Sure, I can make a
> commented example config file.

Hi Sven, I have been playing around with dnsmasq on a Unix domain
member running in a VM and I just don't understand the value of it in
a Samba AD.

I run two DCs in my small test domain, both using Bind9 instead of the
internal DNS server.

As far as I can see, dnsmasq on the test Unix domain member does not
cache the AD SRV records, it requests them from a DC every time. I
have found that you can add the SRV records to the dnsmasq conf file,
but that, in my opinion, defeats the whole point of using dnsmasq as
a caching nameserver.

Bind9 on the DCs also acts as a caching nameserver; if I 'dig'
www.google.com on the Unix domain member (not using dnsmasq) I get:
';; Query time: 105 msec' the first time I run it and:
';; Query time: 8 msec' the second time onwards.

If I 'dig' for the AD domain, I get a similar time as the 'cached'
google record.

So, I cannot actually see any point in running dnsmasq on a Unix domain
member if you are using Bind9 on the DC and, if you are using multiple
DCs, you are probably better off running Bind9 on the DCs.

