[Samba] AD RODC not being used because of missing DNS entries?

Julien Ropé jrope at linagora.com
Mon Oct 22 05:57:23 UTC 2018 

Hi,

We have encountered these timeout issues with Samba 4.7 as an RODC too. 
We created a ticket about it here :

https://bugzilla.samba.org/show_bug.cgi?id=13502


One thing is that even after the timeouts got resolved, I still get a 
weird behaviour with two entries that keeps trying to update themselves 
when I run "samba_dnsupdate". The call succeeds, but the entries are 
actually NOT updated.

Here is what I'm seeing:

> # samba_dnsupdate --verbose
> IPs: ['192.168.57.3']
> Looking for DNS entry A sambarodc.mondomaine.lan 192.168.57.3 as sambarodc.mondomaine.lan.
> Looking for DNS entry CNAME 7648bfe6-0ad3-4924-b055-d229546e0284._msdcs.mondomaine.lan sambarodc.mondomaine.lan as 7648bfe6-0ad3-4924-b055-d229546e0284._msdcs.mondomaine.lan.
> Looking for DNS entry SRV _ldap._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 389 as _ldap._tcp.Secondary._sites.mondomaine.lan.
> Checking 0 100 389 sambarodc.mondomaine.lan. against SRV _ldap._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 389
> Looking for DNS entry SRV _ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 389 as _ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan.
> Checking 0 100 389 sambarodc.mondomaine.lan. against SRV _ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 389
> Looking for DNS entry SRV _kerberos._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 88 as _kerberos._tcp.Secondary._sites.mondomaine.lan.
> Checking 0 100 88 sambarodc.mondomaine.lan. against SRV _kerberos._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 88
> Looking for DNS entry SRV _kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 88 as _kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan.
> Checking 0 100 88 sambarodc.mondomaine.lan. against SRV _kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 88
> Looking for DNS entry SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268 as _gc._tcp.Secondary._sites.mondomaine.lan.
> The DNS entry SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268, queried as _gc._tcp.Secondary._sites.mondomaine.lan. does not exist
> need update: SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268
> Looking for DNS entry SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268 as _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan.
> The DNS entry SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268, queried as _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan. does not exist
> need update: SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268
> 2 DNS updates and 0 DNS deletes needed
> Successfully obtained Kerberos ticket to DNS/sambarwdc.mondomaine.lan as SAMBARODC$
> update (rodc): SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268
> update (rodc): SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268
>
> # host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
> Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)
>
> # host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
> Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)


Is it something you can see on your environment too?


Note that on my environment, the failed updates got resolved by 
themselves, as if the timeout was hiding the fact that the update 
finally succeeded. Now on other systems, updates had to be done manually 
as you did... We're still trying to understand what's different between 
the two.





Le 20/10/2018 à 21:59, tomict via samba a écrit :
>>> BTW how did you make this tree view?
>> I have lots of time, so I typed it ;-)
>
> Thanks for your time! :-)
>
>
>>> There seem to be two problems with my RODC  DC2:
>>> 1) DNS records were not generated when joining the domain. This is
>>> perhaps caused by some kind of timeout problem.
>> Not sure about this, but you could be correct.
>
> I can live with that. I only needed to input 4 entries manually (although I made that a challenge as well, see below)
>
>
>>> 2) manual addition of the "_msdcs" records
>>> resulted in a wrong path (see below)
>> The 'wrong path' is because you gave it the wrong path ;-)
> Aaaagh! @#!%@%!
>
>
>> If you run 'samba-tool dns zonelist 127.0.0.1 -U Administrator' it will
>> show your DNS zones, one of which should start with '_msdcs'.
>> So, your commands:
> <....>
>> Should have been:
>> samba-tool dns add DC1 _msdcs.ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
>> samba-tool dns add DC1 _msdcs.ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'
>> Delete the wrong entries.
>> Rowland
>
> Thanks for pointing that out. _msdcs is a zone! I did not realize that when I got the entries from the file /var/lib/samba/dns_update_list. The records are in place now.
>
> I suppose the DNS entries in the other locations are not necessary for domain control on my RODC? I will know next week if DC2 starts being used.
>
> To make my RODC ready for duty should DC1 fail I added, using the windows DNS manager:
> 1) a NS record pointing to my RODC (DC2) as name server in the AD.
> 2) a A record in ad.example.nl with blank hostname ('same as parent folder') pointing to the ip address of DC2
> And I will preload user en computer accounts.
>
> @Rowland: thank you very much for the help, much appreciated!
>
>   
> regards,
>
>   Tom
>
>
>
>
--
Message envoyé grâce à OBM, la Communication Libre par Linagora

More information about the samba mailing list