[Samba] 2 AD DNS questions

Dale samba at txschroeder.family
Sat Feb 20 01:36:29 UTC 2021


On 2/19/21 1:28 PM, Rowland penny via samba wrote:
> On 19/02/2021 18:58, Dale via samba wrote:
>> (1) I've had very little success in getting a 2nd DC to take over 
>> when the 1st DC is down.  While searching for possible causes, I 
>> discovered in RSAT that the reverse zone has only the 1st DC listed 
>> on the nameserver tab of both DCs, unlike the forward zone, where 
>> both are listed. Additionally, RSAT does not allow me to add the 2nd 
>> DC to the nameserver tab, instead yielding a "Validation error, 
>> please try again later" error message.  I assume there is a 
>> corresponding samba-tool command to accomplish this, but I have not 
>> been able to find it.
>
>
> It should have both:
>
> root at dc4:~# ldbsearch --cross-ncs --show-binary -H 
> /var/lib/samba/private/sam.ldb -b 
> 'DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' 
> -s sub '(&(objectClass=dnsNode)(name=@))'
> # record 1
> dn: 
> DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20190726140900.0Z
> uSNCreated: 594342
> showInAdvancedViewOnly: TRUE
> name: @
> objectGUID: 89654d6c-f05b-4fd2-9c80-5640d465cbfe
> objectCategory: 
> CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> dc: @
> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>         wDataLength              : 0x004f (79)
>         wType                    : DNS_TYPE_SOA (6)
>         version                  : 0x05 (5)
>         rank                     : DNS_RANK_ZONE (240)
>         flags                    : 0x0000 (0)
>         dwSerial                 : 0x00036bab (224171)
>         dwTtlSeconds             : 0x00000e10 (3600)
>         dwReserved               : 0x00000000 (0)
>         dwTimeStamp              : 0x00000000 (0)
>         data                     : union dnsRecordData(case 6)
>         soa: struct dnsp_soa
>             serial                   : 0x00036bab (224171)
>             refresh                  : 0x00000384 (900)
>             retry                    : 0x00000258 (600)
>             expire                   : 0x00015180 (86400)
>             minimum                  : 0x00000e10 (3600)
>             mname                    : dc4.samdom.example.com
>             rname                    : hostmaster.samdom.example.com
>
> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>         wDataLength              : 0x001a (26)
>         wType                    : DNS_TYPE_NS (2)
>         version                  : 0x05 (5)
>         rank                     : DNS_RANK_ZONE (240)
>         flags                    : 0x0000 (0)
>         dwSerial                 : 0x0000006e (110)
>         dwTtlSeconds             : 0x00000e10 (3600)
>         dwReserved               : 0x00000000 (0)
>         dwTimeStamp              : 0x00000000 (0)
>         data                     : union dnsRecordData(case 2)
>         ns                       : dc4.samdom.example.com
>
> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>         wDataLength              : 0x001b (27)
>         wType                    : DNS_TYPE_NS (2)
>         version                  : 0x05 (5)
>         rank                     : DNS_RANK_ZONE (240)
>         flags                    : 0x0000 (0)
>         dwSerial                 : 0x00036b34 (224052)
>         dwTtlSeconds             : 0x00000384 (900)
>         dwReserved               : 0x00000000 (0)
>         dwTimeStamp              : 0x00000000 (0)
>         data                     : union dnsRecordData(case 2)
>         ns                       : dc01.samdom.example.com
>
> whenChanged: 20210210114634.0Z
> uSNChanged: 1518469
> distinguishedName: 
> DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
>>
>> (2)  Also, I seem to recall it being stated on this list that in AD, 
>> each DC was supposed to be the SOA of its DNS records.  For me, the 
>> SOA of both the forward and reverse zones on the 2nd DC is still the 
>> first DC, just like a non-AD BIND9 server.  I'm just asking for 
>> clarification of what the correct value should be for the SOA on each 
>> DC.
>>
>
> Yes, both DCs should show as being authoritative:
>
> root at dc01:~# host -t soa samdom.example.com
> samdom.example.com has SOA record dc01.samdom.example.com. 
> hostmaster.samdom.example.com. 245335 900 600 86400 3600
>
> root at dc4:~# host -t soa samdom.example.com
> samdom.example.com has SOA record dc4.samdom.example.com. 
> hostmaster.samdom.example.com. 245335 900 600 86400 3600
>
> Rowland

ldbsearch results =>

DC1

# record 1
dn:DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=workgroup,DC=domain,DC=tld
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20210111012339.0Z
uSNCreated: 4076
showInAdvancedViewOnly: TRUE
name: @
objectGUID: 633338bc-0428-4847-9aed-9e371831cc32
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=workgroup,DC=domain,DC=tld
dc: @
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
         wDataLength              : 0x0061 (97)
         wType                    : DNS_TYPE_SOA (6)
         version                  : 0x05 (5)
         rank                     : DNS_RANK_ZONE (240)
         flags                    : 0x0000 (0)
         dwSerial                 : 0x0000021d (541)
         dwTtlSeconds             : 0x00000e10 (3600)
         dwReserved               : 0x00000000 (0)
         dwTimeStamp              : 0x00000000 (0)
         data                     : union dnsRecordData(case 6)
         soa: struct dnsp_soa
             serial                   : 0x0000021d (541)
             refresh                  : 0x00000384 (900)
             retry                    : 0x00000258 (600)
             expire                   : 0x00015180 (86400)
             minimum                  : 0x00000e10 (3600)
             *mname : dc1.workgroup.domain.tld*
             rname                    : hostmaster.workgroup.domain.tld

dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
         wDataLength              : 0x0023 (35)
         wType                    : DNS_TYPE_NS (2)
         version                  : 0x05 (5)
         rank                     : DNS_RANK_ZONE (240)
         flags                    : 0x0000 (0)
         dwSerial                 : 0x00000148 (328)
         dwTtlSeconds             : 0x00000e10 (3600)
         dwReserved               : 0x00000000 (0)
         dwTimeStamp              : 0x00000000 (0)
         data                     : union dnsRecordData(case 2)
         *ns : dc1.workgroup.domain.tld*

whenChanged: 20210219133113.0Z
uSNChanged: 6656
distinguishedName:DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=workgroup,DC=domain,DC=tld

# returned 1 records
# 1 entries
# 0 referrals

DC2

# record 1
dn:DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=workgroup,DC=domain,DC=tld
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20210111012339.0Z
uSNCreated: 4036
showInAdvancedViewOnly: TRUE
name: @
objectGUID: 633338bc-0428-4847-9aed-9e371831cc32
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=workgroup,DC=domain,DC=tld
dc: @
whenChanged: 20210219133113.0Z
uSNChanged: 4952
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
         wDataLength              : 0x0061 (97)
         wType                    : DNS_TYPE_SOA (6)
         version                  : 0x05 (5)
         rank                     : DNS_RANK_ZONE (240)
         flags                    : 0x0000 (0)
         dwSerial                 : 0x0000021d (541)
         dwTtlSeconds             : 0x00000e10 (3600)
         dwReserved               : 0x00000000 (0)
         dwTimeStamp              : 0x00000000 (0)
         data                     : union dnsRecordData(case 6)
         soa: struct dnsp_soa
             serial                   : 0x0000021d (541)
             refresh                  : 0x00000384 (900)
             retry                    : 0x00000258 (600)
             expire                   : 0x00015180 (86400)
             minimum                  : 0x00000e10 (3600)
             *mname : dc1.workgroup.domain.tld*
             rname                    : hostmaster.workgroup.domain.tld

dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
         wDataLength              : 0x0023 (35)
         wType                    : DNS_TYPE_NS (2)
         version                  : 0x05 (5)
         rank                     : DNS_RANK_ZONE (240)
         flags                    : 0x0000 (0)
         dwSerial                 : 0x00000148 (328)
         dwTtlSeconds             : 0x00000e10 (3600)
         dwReserved               : 0x00000000 (0)
         dwTimeStamp              : 0x00000000 (0)
         data                     : union dnsRecordData(case 2)
         *ns : dc1.workgroup.domain.tld*

distinguishedName:DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=workgroup,DC=domain,DC=tld

# returned 1 records
# 1 entries
# 0 referrals


Both show only 1 ns value, that of dc1.  It also looks like the mname 
value for dc2 is incorrect (showing dc1 instead of dc2) when compared to 
Rowland's dc4.  What is the process to fix these two issues?


DC2 host -t soa results =>

workgroup.domain.tld has SOA record dc2.workgroup.domain.tld. hostmaster.workgroup.domain.tld. 710 900 600 86400 3600

0.168.192.in-addr.arpa has SOA record dc2.workgroup.domain.tld. hostmaster.workgroup.domain.tld. 541 900 600 86400 3600


With the "host -t soa" command, both forward and reverse zones show the 
correct values, so perhaps I don't correctly understand what I'm seeing 
in RSAT.  There, on the SOA tab of DC2, I see the following,

(heading) Primary server:
(value) dc1.workgroup.domain.tld

I had presumed the displayed value was supposed to be that of the SOA 
DC, but it looks like that presumption is incorrect.

Dale
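The check Rowland and Dale are doing by eye above (does the zone's `@` node carry an NS record for every DC, and what does the stored SOA mname say) can be automated. The following script is an added example and not code from the thread or from the Samba project: it parses the text that `ldbsearch --show-binary` prints for a `dnsNode` (the same `dnsRecord: NDR: struct dnsp_DnssrvRpcRecord` layout pasted above, including the `*ns : ...*` emphasis marks Dale added) and reports which expected DCs have no NS record. The sample dump, the hostnames and the `check_node` report layout are constructed for the example; the only fact it relies on from the thread is Rowland's statement that both DCs should appear as NS in the reverse zone.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the `ldbsearch --show-binary` dump format
# quoted in the thread (one SOA record and a single NS record, as on Dale's DCs).
SAMPLE_DUMP = """\
# record 1
dn: DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=workgroup,DC=domain,DC=tld
objectClass: dnsNode
name: @
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
         wType                    : DNS_TYPE_SOA (6)
         dwSerial                 : 0x0000021d (541)
         data                     : union dnsRecordData(case 6)
         soa: struct dnsp_soa
             serial                   : 0x0000021d (541)
             mname                    : dc1.workgroup.domain.tld
             rname                    : hostmaster.workgroup.domain.tld

dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
         wType                    : DNS_TYPE_NS (2)
         dwSerial                 : 0x00000148 (328)
         data                     : union dnsRecordData(case 2)
         ns                       : dc1.workgroup.domain.tld

# returned 1 records
"""


@dataclass
class DnsNode:
    dn: str = ""
    soa_mname: Optional[str] = None
    soa_serial: Optional[int] = None
    ns: list = field(default_factory=list)


# "key : value" inside a dumped record; tolerates the *...* emphasis around a line.
FIELD_RE = re.compile(r"^\s*\*?(\w+)\s*:\s*(.*?)\*?\s*$")


def parse_dns_node(dump: str) -> DnsNode:
    """Parse one dnsNode from ldbsearch --show-binary text output."""
    node = DnsNode()
    # Everything before the first "dnsRecord:" line is the LDB header;
    # each following chunk is one decoded dnsp_DnssrvRpcRecord.
    parts = re.split(r"^dnsRecord:.*$", dump, flags=re.M)
    header, records = parts[0], parts[1:]
    m = re.search(r"^dn:\s*(\S+)", header, flags=re.M)
    if m:
        node.dn = m.group(1)
    for rec in records:
        fields = {}
        for line in rec.splitlines():
            fm = FIELD_RE.match(line)
            if fm:
                fields.setdefault(fm.group(1), fm.group(2))
        wtype = fields.get("wType", "")
        if wtype.startswith("DNS_TYPE_SOA"):
            node.soa_mname = fields.get("mname", "").rstrip(".").lower() or None
            serial = fields.get("serial")
            if serial:  # "0x0000021d (541)" -> 541
                node.soa_serial = int(serial.split()[0], 16)
        elif wtype.startswith("DNS_TYPE_NS"):
            ns = fields.get("ns")
            if ns:
                node.ns.append(ns.rstrip(".").lower())
    return node


def check_node(node: DnsNode, expected_dcs, local_dc: str) -> dict:
    """Report DCs that have no NS record at this node, and whether the stored
    SOA mname names the DC the dump was taken from."""
    expected = [d.lower() for d in expected_dcs]
    return {
        "missing_ns": [d for d in expected if d not in node.ns],
        "soa_mname": node.soa_mname,
        "soa_is_local": node.soa_mname == local_dc.lower(),
    }


if __name__ == "__main__":
    n = parse_dns_node(SAMPLE_DUMP)
    print(check_node(n, ["dc1.workgroup.domain.tld", "dc2.workgroup.domain.tld"],
                     "dc2.workgroup.domain.tld"))
```

Run it on the output of the `ldbsearch` command quoted above for each zone's `@` node; a DC listed in `missing_ns` is the one a client cannot learn about from the zone when the other DC is down. The `soa_is_local` flag is informational only: the thread itself shows `host -t soa` on dc2 (and on Rowland's dc01) answering with the queried DC's own name even where the stored mname is a different DC, so a mismatch there is not by itself the failover problem.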
