[Samba] AD RODC not being used because of missing DNS entries?

tomict samba at iucn.nl
Sat Oct 20 10:36:46 UTC 2018


> Obviously there is something wrong with the dns updates on DC2. Any
> ideas?
> 
> Tom
> 

> The problem is (as far as I understand it), you cannot write to an
> RODC, it forwards write actions to a writeable DC, which then replicates
> them back.
> From the above, it is timing out, is there a firewall or similar in the
> way ? Can you ping a DC from the RODC ?
>
> Rowland

SELinux and the firewall were already paused; ping is OK. The read-only constraint seems a likely candidate.
Therefore, I updated the DNS on DC1 manually. However, some DNS entries seem misplaced.

The first set of commands gave problems:
samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'

These commands were successful: records were added to the DNS of DC1 and replicated to DC2. This can be checked in the DNS Manager tool in Windows.

However, there are problems:
- samba_dnsupdate on DC2 still complains about failing updates for these two "dc._msdcs." records. It apparently 'misses' them, although it cannot fix them because of the read-only constraint.
- Queries for these records return only one value:
# host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.

I am confused about where in the DNS 'tree' in the Windows DNS Manager these entries should be found. They seem to show up in the wrong place.

There are two paths in the Windows DNS Manager tree that look alike:

DNS > DC1 > Forward Lookup Zones > _msdcs.ad.example.nl   > dc > _sites > Default-First-Site-Name > _tcp
DNS > DC1 > Forward Lookup Zones > ad.example.nl > _msdcs > dc > _sites > Default-First-Site-Name > _tcp

The first path is where the DC1 entries are, and where I would expect my new DC2 entries.
The second path is where my DC2 entries show up.

Is this correct, or a bug?


The second set of commands (without problems):
samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'

These commands were also successful: records were added to the DNS of DC1, replicated to DC2, and are present in the Windows DNS Manager.
The DC2 entries show up alongside the DC1 entries in the Windows DNS Manager.
SRV record queries for (_ldap/_kerberos)._tcp.Default-First-Site-Name._sites.ad.example.nl return values for both domain controllers, on both DCs:
# host -t SRV _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl
_ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
_ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC2.ad.example.nl.

Tom
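Added example (not part of the thread above, and not Samba's own code): a small POSIX shell helper around the two things the post does by hand. `samba-tool dns add` takes a zone and a zone-relative name, and a Samba AD provision has two zones, `ad.example.nl` and a separate `_msdcs.ad.example.nl`, so a record name under `_msdcs` has to be split against the `_msdcs` zone rather than appended to the domain zone; `split_record` does that split and `srv_add_cmd` prints the resulting command instead of running it. `srv_targets` and `missing_dcs` parse the output of `host -t SRV` (a sample line is constructed inline) and report which expected DCs are absent, which is the check the post performs by eye. Domain, DC names and the SRV target/port values are taken from the post; everything else here is an assumption for illustration.

```shell
#!/bin/sh
# Example helpers, written for this page; not from the Samba project.
# Assumes a Samba AD domain ad.example.nl with DCs DC1 and DC2 (as in the post)
# and the two zones Samba provisions: ad.example.nl and _msdcs.ad.example.nl.

# Split a fully-qualified record name into "<zone> <zone-relative name>".
# Names under _msdcs.<domain> belong to the separate _msdcs zone, not to the
# domain zone; adding them with zone=<domain> lands them under
# <domain> > _msdcs > ... instead of the real _msdcs zone.
split_record() {
    fqdn="$1"; domain="$2"
    msdcs="_msdcs.$domain"
    case "$fqdn" in
        *".$msdcs") zone="$msdcs" ;;
        *".$domain") zone="$domain" ;;
        *) echo "record $fqdn is not under $domain" >&2; return 1 ;;
    esac
    name="${fqdn%.$zone}"
    printf '%s %s\n' "$zone" "$name"
}

# Print (do not run) the samba-tool command that adds one SRV record.
# SRV data format for samba-tool is 'target port priority weight'.
# Usage: srv_add_cmd <dns-server> <record-fqdn> <domain> <target> <port>
srv_add_cmd() {
    server="$1"; fqdn="$2"; domain="$3"; target="$4"; port="$5"
    pair=$(split_record "$fqdn" "$domain") || return 1
    zone=${pair% *}; name=${pair#* }
    printf "samba-tool dns add %s %s %s SRV '%s %s 0 100'\n" \
        "$server" "$zone" "$name" "$target" "$port"
}

# Read `host -t SRV <name>` output on stdin and print the target hosts,
# one per line, sorted, trailing dot removed.
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' | sort
}

# Print each expected DC that is missing from the SRV answer on stdin.
# Usage: host -t SRV <name> | missing_dcs DC1.ad.example.nl DC2.ad.example.nl
missing_dcs() {
    found=$(srv_targets)
    for dc in "$@"; do
        echo "$found" | grep -qix "$dc" || echo "$dc"
    done
}

# Constructed sample: the single-answer result the post shows for the
# dc._msdcs record, used to demonstrate the check offline.
SAMPLE_MSDCS_ANSWER='_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.'

demo() {
    srv_add_cmd DC1 _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl \
        ad.example.nl DC2.ad.example.nl 389
    printf '%s\n' "$SAMPLE_MSDCS_ANSWER" | missing_dcs DC1.ad.example.nl DC2.ad.example.nl
}
```

Against a live DC the check is `host -t SRV <name> <dc> | missing_dcs DC1.ad.example.nl DC2.ad.example.nl`, run once per record name and per DC; an empty result means both controllers are advertised. The generated commands are only printed so they can be reviewed before being run against a writable DC.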
