[Samba] AD RODC not being used because of missing DNS entries?
tomict
samba at iucn.nl
Fri Oct 19 20:09:27 UTC 2018
Hi All,
Is it correct that my RODC domain controller (DC2.ad.example.nl) has only one entry in the (internal) DNS on domain controller DC1?
It seems to me that because of missing DNS entries it is not used by clients in the AD domain.
I recently installed a second Domain Controller (DC2) along the smooth running first domain controller DC1.
Samba version 4.8.5, CentOS 7 Linux; further config files below.
The command used to join the DC2 as RODC:
# samba-tool domain join ad.example.nl RODC -U "ad.example.nl\Administrator" (see https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC)
This seemed to run OK, DC2 was joined to the domain.
Before I restarted the samba-ad service, I set the uidNumber of DC2 because I use idmap backend = ad on the other domain members.
Machine and user accounts are replicated to DC2.
The A record entry for DC2.ad.example was added to the DNS on DC1, but nothing more.
I see no entries for LDAP, Kerberos etc. For example:
# host -t SRV _ldap._tcp.dc._msdcs.ad.example.nl
returns:
_ldap._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
and
# host ad.example.nl
returns:
ad.example.nl has address 192.168.223.100
which is the address of DC1. I thought it should also return a second IP address for DC2.
In /var/log/samba/log.samba I see truckloads of this:
[2018/10/19 21:51:05.039345, 0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 4
Should I add the records manually? Should they have been added when I joined the RODC to the domain?
Or am I wrong about something else (very likely)?
Regards,
Tom Welter
Below are the config files for both DCs.
Sysvol is replicated from DC1 to DC2 via rsync.
Samba Version:
Version 4.8.5-SerNet-RedHat-11.el7
Content of //DC1/etc/samba/smb.conf:
[global]
workgroup = EXAMPLENL
realm = AD.EXAMPLE.NL
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.223.117
idmap_ldb:use rfc2307 = yes
allow dns updates = nonsecure
ldap server require strong auth = no
log level = 0
[netlogon]
path = /var/lib/samba/sysvol/ad.example.nl/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Content of //DC2/etc/samba/smb.conf:
[global]
netbios name = DC2
realm = AD.EXAMPLE.NL
server role = active directory domain controller
workgroup = EXAMPLENL
[netlogon]
path = /var/lib/samba/sysvol/ad.example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
For completeness:
samba-tool dns zoneinfo dc1.ad.example.nl ad.example.nl -U administrator
outputs:
dwZoneType : DNS_ZONE_TYPE_PRIMARY
fReverse : FALSE
fAllowUpdate : DNS_ZONE_UPDATE_SECURE
fPaused : FALSE
fShutdown : FALSE
fAutoCreated : FALSE
fUseDatabase : TRUE
pszDataFile : None
aipMasters : []
fSecureSecondaries : DNS_ZONE_SECSECURE_NO_XFER
fNotifyLevel : DNS_ZONE_NOTIFY_LIST_ONLY
aipSecondaries : []
aipNotify : []
fUseWins : FALSE
fUseNbstat : FALSE
fAging : FALSE
dwNoRefreshInterval : 168
dwRefreshInterval : 168
dwAvailForScavengeTime : 0
aipScavengeServers : []
dwRpcStructureVersion : 0x2
dwForwarderTimeout : 0
fForwarderSlave : 0
aipLocalMasters : []
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.ad.example.nl
pwszZoneDn : DC=ad.example.nl,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=example,DC=nl
dwLastSuccessfulSoaCheck : 0
dwLastSuccessfulXfr : 0
fQueuedForBackgroundLoad : FALSE
fBackgroundLoadInProgress : FALSE
fReadOnlyZone : FALSE
dwLastXfrAttempt : 0
dwLastXfrResult : 0
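As an added example (not part of Tom's post and not Samba's own tooling), the following Python script does what the post does by hand with `host -t SRV`, but across the set of DC-locator SRV names, and reports which expected DC hostnames are absent from each record. The record list, the helper names (`run_host`, `check_domain`, `sample_query`) and the embedded sample resolver output are constructed for this example; which of these records an RODC is supposed to register is not settled by the post, so pass the list of DCs you expect to see advertised in your own domain.

```python
"""Report which expected domain controllers are missing from AD SRV records.

Added example, not code from the mailing-list post. It parses the output
format of `host -t SRV <name>` shown in the post and compares the targets
against a list of DC hostnames the administrator expects to be advertised.
"""
import re
import subprocess

# One line of `host -t SRV` output, e.g.
# "_ldap._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl."
SRV_LINE = re.compile(r"^(\S+?)\.? has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")


def dc_locator_records(domain):
    """SRV names the DC locator queries for a domain (list assumed for this example)."""
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_kpasswd._udp.{domain}",
        f"_gc._tcp.{domain}",
    ]


def parse_host_srv(text):
    """Parse `host -t SRV` output into a list of record dicts; non-SRV lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.append({
                "name": name.lower(),
                "priority": int(prio),
                "weight": int(weight),
                "port": int(port),
                "target": target.lower(),
            })
    return records


def run_host(name):
    """Query the resolver with the same command the post uses (hypothetical helper)."""
    proc = subprocess.run(["host", "-t", "SRV", name], capture_output=True, text=True)
    return proc.stdout


def missing_dcs(records, expected_dcs):
    """Return the expected DC hostnames that do not appear as SRV targets (sorted, lowercase)."""
    advertised = {r["target"] for r in records}
    wanted = {dc.lower().rstrip(".") for dc in expected_dcs}
    return sorted(wanted - advertised)


def check_domain(domain, expected_dcs, query=run_host):
    """Map each locator record name to the list of expected DCs missing from it."""
    return {
        name: missing_dcs(parse_host_srv(query(name)), expected_dcs)
        for name in dc_locator_records(domain)
    }


# Constructed sample resolver output mirroring the post: only DC1 is advertised.
SAMPLE_OUTPUT = {
    "_ldap._tcp.dc._msdcs.ad.example.nl":
        "_ldap._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.\n",
    "_kerberos._tcp.dc._msdcs.ad.example.nl":
        "_kerberos._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.\n",
}


def sample_query(name):
    """Stand-in for run_host that answers from the constructed sample (empty = no records)."""
    return SAMPLE_OUTPUT.get(name, "")


if __name__ == "__main__":
    import sys
    # Usage: python check_dc_srv.py ad.example.nl DC1.ad.example.nl DC2.ad.example.nl
    domain = sys.argv[1] if len(sys.argv) > 1 else "ad.example.nl"
    dcs = sys.argv[2:] or ["DC1.ad.example.nl", "DC2.ad.example.nl"]
    for name, missing in check_domain(domain, dcs).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it against the live resolver with the domain and DC names as arguments; an all-OK report means every DC you listed is advertised in every locator record, while a record that lists only DC1 matches the situation in the post. Because the lookup function is injectable, the same comparison can be run over saved `host` output when investigating after the fact.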