[Samba] AD RODC not being used because of missing DNS entries?

Rowland Penny rpenny at samba.org
Sat Oct 20 11:21:40 UTC 2018


On Sat, 20 Oct 2018 12:36:46 +0200 (CEST)
tomict via samba <samba at lists.samba.org> wrote:

> 
> > Obviously there is something wrong with the dns updates on DC2. Any
> > ideas?
> > 
> > Tom
> > 
> 
> >The problem is (as far as I understand it), you cannot write to an
> >RODC, it forwards write actions to a writeable DC, which then
> >replicates them back.
> >From the above, it is timing out, is there a firewall or similar in
> >the way ? Can you ping a DC from the RODC ?
> >
> >Rowland
> 
> SELinux and Firewall were paused already, ping is ok. The read only
> constraint seems a likely candidate. Therefore, I updated the DNS on
> DC1 manually. However, some dns entries seem misplaced.
> 
> First set of commands gave problems:
>
> samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
> samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'
> 
> These commands were successful, records were added to the dns of DC1,
> and replicated to DC2. This can be checked in the DNS manager tool in
> Windows.
> 
> However, there are problems:
> - samba_dnsupdate on DC2 still complains about failing updates for
>   these two, the "dc._msdcs." records. It apparently 'misses' them
>   although it cannot fix them because of the read only constraint.
> - Queries for these records return only one value:
>
> # host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.
> 
> I am confused about where in the DNS 'tree' in the windows dns manager
> these entries should be found. They seem to show up in the wrong
> place.
>
> There are two paths in the Windows DNS manager tree that look alike:
>
> DNS > DC1 > Forward Lookup Zones > _msdcs.ad.example.nl > dc > _sites > Default-First-Site-Name > _tcp
> DNS > DC1 > Forward Lookup Zones > ad.example.nl > _msdcs > dc > _sites > Default-First-Site-Name > _tcp
>
> The first path is where the DC1 entries are, and where I would expect
> my new DC2 entries. The second path is where my DC2 entries show up.
> 
> Is this correct/a bug?
> 
> 
> Second set of commands (without problems):
>
> samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
> samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'
>
> These commands were also successful, records were added to the dns
> of DC1, replicated to DC2, and present in the Windows DNS manager.
> The DC2 entries show up alongside the DC1 entries in the Windows DNS
> manager. SRV record queries for
> (_ldap/_kerberos)._tcp.Default-First-Site-Name._sites.ad.example.nl
> return values for both domain servers, on both DC's:
>
> # host -t SRV _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl
> _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
> _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC2.ad.example.nl.
> 
> Tom
> 

Just one thought, where does the nameserver on DC2 point ?
Is it to DC1 ?
or itself, DC2 ?

If it is pointing to itself, try pointing it at DC1

Rowland
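Editor's added example, not part of the thread above and not Samba's own tooling: a small POSIX shell checker for the situation Tom describes. It takes the text of a `host -t SRV` answer and reports which domain controllers are missing from it, so the site-specific LDAP/Kerberos SRV records in both the domain zone and the `dc._msdcs` subtree can be compared across DCs (query DC1 and the RODC separately, since the RODC only holds a replicated copy). The domain, site and DC list are assumptions, and the sample answers are constructed to mirror the thread: DC2 present under `_sites.ad.example.nl`, absent under `_sites.dc._msdcs.ad.example.nl`. Samba provisions `_msdcs.<domain>` as a zone of its own (it is listed by `samba-tool dns zonelist`), so the records Tom expected under the first Windows DNS manager path would be added with that zone as the zone argument and a name relative to it; the thread does not confirm this, so treat it as the editor's suggestion to try.

```shell
#!/bin/sh
# Added example (editor's code, not from the Samba thread): check that every
# DC is advertised by the site-specific SRV records. Names below are assumed.

DOMAIN="ad.example.nl"
SITE="Default-First-Site-Name"
DCS="dc1.ad.example.nl dc2.ad.example.nl"   # assumed DC list, lower-case

# expected_srv_names: the four site-specific owner names samba_dnsupdate
# maintains for LDAP (389) and Kerberos (88), in the domain zone and under
# the dc._msdcs subtree. One name per output line.
expected_srv_names() {
    printf '%s\n' \
        "_ldap._tcp.${SITE}._sites.${DOMAIN}" \
        "_kerberos._tcp.${SITE}._sites.${DOMAIN}" \
        "_ldap._tcp.${SITE}._sites.dc._msdcs.${DOMAIN}" \
        "_kerberos._tcp.${SITE}._sites.dc._msdcs.${DOMAIN}"
}

# srv_targets TEXT: from 'host -t SRV' output, print the target host of
# each answer line, lower-cased and without the trailing dot.
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ {
        t = $NF; sub(/\.$/, "", t); print tolower(t) }'
}

# missing_dcs TEXT: print each DC from $DCS that is not a target in TEXT;
# prints nothing when every DC is advertised.
missing_dcs() {
    targets=$(srv_targets "$1")
    for dc in $DCS; do
        printf '%s\n' "$targets" | grep -qxF "$dc" || printf '%s\n' "$dc"
    done
}

# check_answer NAME TEXT: print a one-line verdict for the record NAME;
# return 1 when at least one DC is missing from TEXT.
check_answer() {
    m=$(missing_dcs "$2")
    if [ -z "$m" ]; then
        echo "OK      $1"
        return 0
    fi
    echo "MISSING $1: $(printf '%s' "$m" | tr '\n' ' ')"
    return 1
}

# Constructed sample answers (not real query output) mirroring the thread.
SAMPLE_SITES="_ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
_ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC2.ad.example.nl."
SAMPLE_MSDCS="_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl."

# main: run the check on the samples. For a live check against a given
# server, replace the sample text with: "$(host -t SRV "$name" dc1)" and
# repeat with the RODC as the server so a stale replicated copy shows up.
main() {
    rc=0
    check_answer "_ldap._tcp.${SITE}._sites.${DOMAIN}" "$SAMPLE_SITES" || rc=1
    check_answer "_ldap._tcp.${SITE}._sites.dc._msdcs.${DOMAIN}" "$SAMPLE_MSDCS" || rc=1
    return $rc
}

main || echo "one or more site SRV records do not list every DC"
```

Run it from any host that can resolve the domain; a MISSING line names the DC whose record needs to be added on a writable DC (the RODC cannot do it itself, as Rowland notes), and the same name queried against DC1 and DC2 should give identical results once replication has caught up.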