[Samba] AD RODC not being used because of missing DNS entries?

Rowland Penny rpenny at samba.org
Fri Oct 19 21:03:10 UTC 2018


On Fri, 19 Oct 2018 22:09:27 +0200 (CEST)
tomict via samba <samba at lists.samba.org> wrote:

> Hi All, 
> 
> Is it correct that my RODC domain controller (DC2.ad.example.nl) has
> only one entry in the (internal) DNS on domain controller DC1? It
> seems to me that because of missing dns entries it is not used by
> clients in the ad domain 
> 
> I recently installed a second Domain Controller (DC2) along the
> smooth running first domain controller DC1. Samba version 4.8.5,
> Centos 7 Linux, further config files below. 
> 
> The command used to join the DC2 as RODC:
> # samba-tool domain join ad.example.nl RODC -U "ad.example.nl\Administrator"
> (see https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC)
> This seemed to run OK, DC2 was joined to the domain.
> 
> Before I restarted the samba-ad service, I set the uidNumber of DC2
> because I use idmap backend = ad on the other domain members. 
> 
> Machine and user accounts are replicated to DC2. 
> The A record entry for DC2.ad.example was added to the dns on DC1,
> but nothing more. 
> 
> I see no entries for ldap, kerberos etc. For example:
> # host -t SRV _ldap._tcp.dc._msdcs.ad.example.nl 
> returns: 
> _ldap._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 389
> DC1.ad.example.nl. 
> 
> and 
> # host ad.example.nl 
> returns: 
> ad.example.nl has address 192.168.223.100 
> which is the address of DC1. I thought it should also return a second
> ip address for DC2. 
> 
> In the /var/log/samba/log.samba I see truckloads of this:
> [2018/10/19 21:51:05.039345,  0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
>   ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 4
> 
> 
> Should I add the records manually? Should they have been added when I
> joined the RODC to the domain? Or am I wrong about something else
> (very likely)? 
> 

Never ran an RODC (yet), but this all sounds like the problems that
used to occur when joining a second DC; try reading this:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

You could try restarting Samba; there is a script 'samba_dnsupdate'
which uses a file 'dns_update_list' to create missing DNS entries. The
script is run at start-up.

Rowland
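As an added illustration (not code from the thread or from Samba), the check below parses `host` output of the kind quoted above and reports, per DC, which of the expected records do not point at it. The sample answers, DC2's address 192.168.223.101 and the list of expected SRV names are constructed assumptions modelled on the thread; take the authoritative list of records a DC (and, separately, an RODC) should register from Samba's dns_update_list or the wiki page Rowland links.

```python
import re
from collections import defaultdict

# Constructed sample of `host` answers, modelled on the ones quoted in the post.
# DC2's address is an assumption; the thread only gives DC1's.
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
_kerberos._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.
_ldap._tcp.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
_kerberos._tcp.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.
ad.example.nl has address 192.168.223.100
DC1.ad.example.nl has address 192.168.223.100
DC2.ad.example.nl has address 192.168.223.101
"""

SRV_RE = re.compile(r"^(\S+) has SRV record \d+ \d+ \d+ (\S+)$")
A_RE = re.compile(r"^(\S+) has address (\S+)$")


def parse_host_output(text):
    """Map each owner name (lower-cased) to the set of SRV targets / A addresses."""
    records = defaultdict(set)
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if m:
            records[m.group(1).lower()].add(m.group(2).rstrip(".").lower())
            continue
        m = A_RE.match(line)
        if m:
            records[m.group(1).lower()].add(m.group(2))
    return records


def missing_records(records, domain, dcs):
    """For each DC (hostname -> IP) list expected names that do not point at it.

    The expected SRV set below is an assumption for illustration; an RODC may
    legitimately register a different set than a writable DC.
    """
    expected_srv = [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.dc._msdcs.{domain}",
                    f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}"]
    report = {}
    for host, ip in dcs.items():
        host = host.lower()
        gaps = [name for name in expected_srv if host not in records.get(name, set())]
        if ip not in records.get(domain, set()):
            gaps.append(f"A {domain}")          # domain apex should list every DC's IP
        if ip not in records.get(host, set()):
            gaps.append(f"A {host}")            # the DC's own host record
        report[host] = gaps
    return report
```

Feed it the real output of `host -t SRV <name>` / `host <name>` against DC1 to see which names DC2 is absent from before deciding what to add by hand or via samba_dnsupdate.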


