[Samba] no DNS functionality on second subnet

L.P.H. van Belle belle at bazuin.nl
Fri Aug 30 10:20:04 UTC 2019 

What for OS is the server and windows clients? 

The VPN tunnel, are you lowering MTU sizes? 
Something like:
-A FORWARD -m policy --pol ipsec --dir in -s 192.168.0.0/24 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 

On the client PC's, have you checkout the windows firewall and are you allowing the remote subnets. 

The samba server on the remote site, check if replicatiosn is correct. 
Are the "remote" zones in the AD-DC's DNS configured? 

Try adding 
option edns0 to resolv.conf 

So few things more to checkout. 

I also suggest on a pc local and remote. 
Run: ipconfig /all 
Checkout the primary dns suffix and search suffixes

So far, lunch time.. 

Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Andreas Habel via samba
> Verzonden: vrijdag 30 augustus 2019 11:38
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] no DNS functionality on second subnet
> 
> > -----Original Message-----
> > From: samba <samba-bounces at lists.samba.org> On Behalf Of 
> Rowland penny via
> > samba
> > Sent: fredag 30. august 2019 11:17
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] no DNS functionality on second subnet
> > 
> > On 30/08/2019 09:42, Andreas Habel via samba wrote:
> > >
> > >> -----Original Message-----
> > >> From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland
> > >> penny via samba
> > >> Sent: fredag 30. august 2019 09:57
> > >> To: samba at lists.samba.org
> > >> Subject: Re: [Samba] no DNS functionality on second subnet
> > >>
> > >> On 30/08/2019 07:00, Andreas Habel via samba wrote:
> > >>> -----Original Message-----
> > >>> From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland
> > >>> penny via samba
> > >>> Sent: torsdag 29. august 2019 16:33
> > >>> To: samba at lists.samba.org
> > >>> Subject: Re: [Samba] no DNS functionality on second subnet
> > >>>
> > >>> On 29/08/2019 13:50, Andreas Habel via samba wrote:
> > >>>> Hi,  > > we have successfully installed our samba4 AD 
> domain with
> > >>>> AD DC,
> > >>> smb > file server and Windows/Linux clients in the same 
> subnet. > >
> > >>> Now we try to add a couple of Windows PCs to the domain 
> that are >
> > >>> located in a different subnet. As soon as the AD DC is 
> added as the
> > >>> > DNS server on the Windows clients it is no longer possible to
> > >>> resolve
> > >>>> ip addresses. In other words, for those PCs DNS is not 
> working. > >
> > >>> We added - the new clients to our DNS using samba-tool 
> dns add > - a
> > >>> new reverse lookup zone for the new subnet and filled it > using
> > >>> samba-tool dns add - a new subnet in RSAT Active > 
> Directory Sites
> > >>> and Services > > Routing seems to be OK - we can run 
> telnet <IP of
> > >>> AD DC>
> > >>> 53 from one > of the "new" Windows clients and a 
> connection will be
> > >>> established. > However, analyses from wireshark/tshark 
> show that on
> > >>> DNS requests > there is never an answer from our AD DC. 
> > > It seems
> > >>> that we are missing something here - any help would be 
> > appreciated.
> > >>>>> Andreas [[AH:]]
> > >>> Does 'telnet <DC short hostname> 53' work ?
> > >>>
> > >>> Rowland
> > >>>
> > >>> No, neither short name or FQDN work:
> > >>>
> > >>> C:\Users\Administrator>telnet smbdc 53 Connecting To 
> smbdc...Could
> > >>> not open connection to the host, on port 53: Connect failed
> > >>>
> > >>> C:\Users\Administrator>telnet smbdc.ier.ux.uis.no 53 
> Connecting To
> > >>> smbdc.ier.ux.uis.no...Could not open connection to the 
> host, on port
> > >>> 53: Connect failed
> > >>>
> > >>>
> > >>> Andreas
> > >> Then you have DNS problems, is a firewall running 
> blocking port 53 ?
> > >>
> > >> Do dns lookup commands on the client work ?
> > >>
> > > No, all kind of lookups (to the DC, intern or external 
> hosts) fail with
> > a timeout. This applies to clients on the "new" subnet. 
> Lookups work on
> > clients that are on the same subnet as the DC.
> > >
> > > Andreas
> > >
> > This sounds more and more like a dns problem, are the 
> clients set to use
> > the DC as their nameserver ?
>  
> Yes
> 
> > Until you get basic dns commands working, AD will not work.
> > 
> > Are you using a router ?
> > 
> 
> Yes -- all ip traffic to and from the DC is allowed. 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list