[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown

[Rowland Penny]

On Fri, 8 Sep 2017 14:31:21 +0200
Sven Schwedas via samba <samba at lists.samba.org> wrote:

> On 2017-09-08 14:21, Rowland Penny via samba wrote:
> > OK, you have convinced me ;-)
> 
> If you know any other part of AD DNS that is tricky, I'd be interested
> to know before AD blows up again. ;-)
> 
> > Seeing how you seem to know the required 'magic', do you feel up to
> > sharing it, if you do I will add a page to the Samba wiki.
> 
> What magic? How to set up dnsmasq as caching proxy? Sure, I can make a
> commented example config file.
> 

Hi Sven, I have been playing around with dnsmasq on a Unix domain
member running in a VM and I just don't understand the value of it in
a Samba AD.

I run two DCs in my small test domain, both using Bind9 instead of the
internal DNS server.

As far as I can see, dnsmasq on the test Unix domain member does not
cache the AD SRV records, it requests them from a DC every time. I
have found that you can add the SRV records to the dnsmasq conf file,
but that, in my opinion, defeats the whole point of using dnsmasq as
a caching nameserver.

Bind9 on the DCs also acts a caching nameserver, if I 'dig'
www.google.com on the Unix domain member (not using dnsmasq) I get:
';; Query time: 105 msec' the first time I run it and:
';; Query time: 8 msec' the second time onwards 

If I 'dig' for the AD domain, I get a similar time as the 'cached'
google record.

So, I cannot actually see any point in running dnsmasq on a Unix domain
member if you are using Bind9 on the DC and, if you are using multiple
DCs, you are probably better off running Bind9  on the DCs.

Rowland