[Samba] AD RODC not being used because of missing DNS entries?

tomict samba at iucn.nl
Fri Oct 19 20:09:27 UTC 2018 

Hi All, 

Is it correct that my RODC domain controller (DC2.ad.example.nl) has only one entry in the (internal) DNS on domain controller DC1? 
It seems to me that because of missing dns entries it is not used by clients in the ad domain 

I recently installed a second Domain Controller (DC2) along the smooth running first domain controller DC1. 
Samba version 4.8.5, Centos 7 Linux, further config files below. 

The command used to join the DC2 as RODC: 
# samba-tool domain join ad.example.nl RODC -U "ad.example.nl\Administrator" (see https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC) 
This seemed to run OK, DC2 was joined to the domain. 

Before I restarted the samba-ad service, I set the uidNumber of DC2 because I use idmap backend = ad on the other domain members. 

Machine and user accounts are replicated to DC2. 
The A record entry for DC2.ad.example was added to the dns on DC1, but nothing more. 

I see no entries voor ldap, kerberos etc. For example: 
# host -t SRV _ldap._tcp.dc._msdcs.ad.example.nl 
returns: 
_ldap._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl. 

and 
# host ad.example.nl 
returns: 
ad.example.nl has address 192.168.223.100 
which is the address of DC1. I thought it should also return a second ip address for DC2. 

in the /var/log/samba/log.samba I see truckloads of this: 
[2018/10/19 21:51:05.039345, 0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done) 
../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 4 


Should I add the records manually? Should they have been added when I joined the RODC to the domain? 
Or am I wrong about something else (very likely)? 

regards, 

Tom Welter 


Below are config file for both DC's. 
Sysvol is replicated from DC1 to DC2 via rsync 

Samba Version: 
Version 4.8.5-SerNet-RedHat-11.el7 

content of //DC1/etc/samba/smb.conf 
[global] 
workgroup = EXAMPLENL 
realm = AD.EXAMPLE.NL 
netbios name = DC1 
server role = active directory domain controller 
dns forwarder = 192.168.223.117 
idmap_ldb:use rfc2307 = yes 
allow dns updates = nonsecure 
ldap server require strong auth = no 
log level = 0 

[netlogon] 
path = /var/lib/samba/sysvol/ad.example.nl/scripts 
read only = No 

[sysvol] 
path = /var/lib/samba/sysvol 
read only = No 


content of //DC2/etc/samba/smb.conf 
[global] 
netbios name = DC2 
realm = AD.EXAMPLE.NL 
server role = active directory domain controller 
workgroup = EXAMPLENL 

[netlogon] 
path = /var/lib/samba/sysvol/ad.example.com/scripts 
read only = No 

[sysvol] 
path = /var/lib/samba/sysvol 
read only = No 

for completeness: 
samba-tool dns zoneinfo dc1.ad.example.nl ad.example.nl -U administrator 
outputs: 

dwZoneType : DNS_ZONE_TYPE_PRIMARY 
fReverse : FALSE 
fAllowUpdate : DNS_ZONE_UPDATE_SECURE 
fPaused : FALSE 
fShutdown : FALSE 
fAutoCreated : FALSE 
fUseDatabase : TRUE 
pszDataFile : None 
aipMasters : [] 
fSecureSecondaries : DNS_ZONE_SECSECURE_NO_XFER 
fNotifyLevel : DNS_ZONE_NOTIFY_LIST_ONLY 
aipSecondaries : [] 
aipNotify : [] 
fUseWins : FALSE 
fUseNbstat : FALSE 
fAging : FALSE 
dwNoRefreshInterval : 168 
dwRefreshInterval : 168 
dwAvailForScavengeTime : 0 
aipScavengeServers : [] 
dwRpcStructureVersion : 0x2 
dwForwarderTimeout : 0 
fForwarderSlave : 0 
aipLocalMasters : [] 
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
pszDpFqdn : DomainDnsZones.ad.example.nl 
pwszZoneDn : DC=ad.example.nl,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=example,DC=nl 
dwLastSuccessfulSoaCheck : 0 
dwLastSuccessfulXfr : 0 
fQueuedForBackgroundLoad : FALSE 
fBackgroundLoadInProgress : FALSE 
fReadOnlyZone : FALSE 
dwLastXfrAttempt : 0 
dwLastXfrResult : 0

More information about the samba mailing list