[Samba] 2 AD DNS questions
Rowland penny
rpenny at samba.org
Fri Feb 19 19:28:57 UTC 2021
On 19/02/2021 18:58, Dale via samba wrote:
> (1) I've had very little success in getting a 2nd DC to take over when
> the 1st DC is down. While searching for possible causes, I discovered
> in RSAT that the reverse zone has only the 1st DC listed on the
> nameserver tab of both DC's, unlike the forward zone, where both are
> listed. Additionally RSAT does not allow me to add the 2nd DC to the
> nameserver tab, instead yielding a "Validation error, please try again
> later" error message. I assume there is a corresponding samba-tool
> command to accomplish this, but I have not been able to find it.
It should have both:
root at dc4:~# ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -b 'DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub '(&(objectClass=dnsNode)(name=@))'
# record 1
dn:
DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20190726140900.0Z
uSNCreated: 594342
showInAdvancedViewOnly: TRUE
name: @
objectGUID: 89654d6c-f05b-4fd2-9c80-5640d465cbfe
objectCategory:
CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
dc: @
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
wDataLength : 0x004f (79)
wType : DNS_TYPE_SOA (6)
version : 0x05 (5)
rank : DNS_RANK_ZONE (240)
flags : 0x0000 (0)
dwSerial : 0x00036bab (224171)
dwTtlSeconds : 0x00000e10 (3600)
dwReserved : 0x00000000 (0)
dwTimeStamp : 0x00000000 (0)
data : union dnsRecordData(case 6)
soa: struct dnsp_soa
serial : 0x00036bab (224171)
refresh : 0x00000384 (900)
retry : 0x00000258 (600)
expire : 0x00015180 (86400)
minimum : 0x00000e10 (3600)
mname : dc4.samdom.example.com
rname : hostmaster.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
wDataLength : 0x001a (26)
wType : DNS_TYPE_NS (2)
version : 0x05 (5)
rank : DNS_RANK_ZONE (240)
flags : 0x0000 (0)
dwSerial : 0x0000006e (110)
dwTtlSeconds : 0x00000e10 (3600)
dwReserved : 0x00000000 (0)
dwTimeStamp : 0x00000000 (0)
data : union dnsRecordData(case 2)
ns : dc4.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
wDataLength : 0x001b (27)
wType : DNS_TYPE_NS (2)
version : 0x05 (5)
rank : DNS_RANK_ZONE (240)
flags : 0x0000 (0)
dwSerial : 0x00036b34 (224052)
dwTtlSeconds : 0x00000384 (900)
dwReserved : 0x00000000 (0)
dwTimeStamp : 0x00000000 (0)
data : union dnsRecordData(case 2)
ns : dc01.samdom.example.com
whenChanged: 20210210114634.0Z
uSNChanged: 1518469
distinguishedName:
DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> (2) Also, I seem to recall it being stated on this list that in AD,
> each DC was supposed to be the SOA of its DNS records. For me, the
> SOA of both the forward and reverse zones on the 2nd DC is still the
> first DC, just like a non-AD BIND9 server. I'm just asking for
> clarification of what the correct value should be for the SOA on each DC.
>
Yes, both DCs should show as being authoritative:
root at dc01:~# host -t soa samdom.example.com
samdom.example.com has SOA record dc01.samdom.example.com.
hostmaster.samdom.example.com. 245335 900 600 86400 3600
root at dc4:~# host -t soa samdom.example.com
samdom.example.com has SOA record dc4.samdom.example.com.
hostmaster.samdom.example.com. 245335 900 600 86400 3600
Rowland
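An added checker (not from the thread or from Samba) for the two things Rowland verifies above: it parses the `ns :` and `mname :` lines of an `ldbsearch --show-binary` dump of a zone's `@` node, reports which expected DCs are missing from the NS records, and confirms that a `host -t soa` answer names the queried DC as the SOA. The embedded dump is a constructed sample in the shape of Dale's broken reverse zone (only the first DC listed); the DC names are the thread's examples.

```python
import re

# Constructed sample shaped like the ldbsearch --show-binary output above,
# trimmed to the fields the parser reads. Only dc4 is listed as NS.
SAMPLE_LDB_OUTPUT = """\
# record 1
dn: DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
name: @
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wType : DNS_TYPE_SOA (6)
    data : union dnsRecordData(case 6)
        soa: struct dnsp_soa
            mname : dc4.samdom.example.com
            rname : hostmaster.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wType : DNS_TYPE_NS (2)
    data : union dnsRecordData(case 2)
        ns : dc4.samdom.example.com
"""


def parse_zone_apex(text):
    """Return (soa_mname, [ns names]) from an ldbsearch dump of the @ node."""
    soa = None
    ns = []
    for line in text.splitlines():
        # Indentation varies between a live dump and a mail-wrapped one,
        # so match the attribute name at the start after optional spaces.
        m = re.match(r"\s*(mname|ns)\s*:\s*(\S+)", line)
        if not m:
            continue
        value = m.group(2).rstrip(".").lower()
        if m.group(1) == "mname":
            soa = value
        else:
            ns.append(value)
    return soa, ns


def missing_nameservers(text, expected_dcs):
    """DCs that should be NS for the zone but are absent from its @ node."""
    _, ns = parse_zone_apex(text)
    return sorted({d.rstrip(".").lower() for d in expected_dcs} - set(ns))


def soa_names_self(host_output, dc_fqdn):
    """True if a `host -t soa` answer obtained from dc_fqdn names it as mname."""
    m = re.search(r"has SOA record\s+(\S+)", host_output)
    return bool(m) and m.group(1).rstrip(".").lower() == dc_fqdn.lower()
```

If a DC turns up missing, `samba-tool dns add <dc> <zone> @ NS <dc-fqdn>` is the command that adds the NS record (my suggestion, not something the thread states).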