[Samba] Provisioning new AD Domain Controller

Mark Foley mfoley at novatec-inc.com
Sun Jan 21 01:31:31 UTC 2024


On Sat Jan 20 16:28:14 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 20 Jan 2024 15:44:18 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > After provisioning and testing my new DC offline, I now want to move
> > it into production. This means changing IPs.
> > 
> > DC FQDN: mail.hprs.local
> > 
> > IPs for setup/testing:
> > 
> > DC: 192.168.1.60
> > Gateway: 192.168.1.1   (Netgear router)
> > DNS: 192.168.1.60      (/etc/resolv.conf)
> > /etc/hosts: 192.168.1.60  mail.hprs.local mail
> > smb.conf, dns forwarder: 192.168.1.1
> > 
> > Production IPs:
> > 
> > DC: 192.168.0.2
> > Gateway: 192.168.0.1   (SonicWall firewall/router)
> > DNS: 192.168.0.2       (/etc/resolv.conf)
> > /etc/hosts: 192.168.0.2  mail.hprs.local mail
> > smb.conf, dns forwarder: 192.168.0.1
> > 
> > I've restarted the network and samba to use these new IPs.
> > 
> > The A record looks good:
> > 
> > # host -t A mail.hprs.local
> > mail.hprs.local has address 192.168.0.2
> > 
> > I also created a new reverse dns record:
> > 
> > # samba-tool dns zonecreate mail.hprs.local 0.168.192.in-addr.arpa
> > 
> > # samba-tool dns zonelist mail
> >   pszZoneName                 : 0.168.192.in-addr.arpa
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.hprs.local
> > 
> > Two problems ...
> > 
> > I'm not resolving any public or local hostnames, so it appears that
> > samba is not acting as the dns server. I can access public and local
> > hosts by IP.
>
> Is Samba running ?
> Is /etc/resolv.conf set correctly ?
>
> It should be:
>
> search hprs.local
> nameserver 192.168.0.2

Yes, samba is running.

Yes, that is my /etc/resolv.conf.

>
> > 
> > Why?
> > 
> > Second, more minor problem, I cannot figure out how to delete the old
> > reverse dns record 1.168.192.in-addr.arpa.
>
> That could be because you will not have the reverse record
> '1.168.192.in-addr.arpa', or if you do, you have really messed up your
> dns.
>
> > I've tried numerous
> > combinations of the command to do so with no luck including;
> > 
> > # samba-tool dns delete mail hprs.local mail PTR 1.168.192.in-addr.arpa
> > Password for [administrator at HPRS.LOCAL]:
> > ERROR(runtime): The record does not exist [WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST] - (9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')
> > 
> > What am I doing wrong?
>
> You are not using the correct command, the usage is:
>
> samba-tool dns delete <server> <zone> <name> PTR <data>
>
> Where, in your case, <server> is 'mail', <zone> is
> '0.168.192.in-addr.arpa', <name> is the DCs existing IP '2' and <data>
> is the DCs FQDN 'mail.hprs.local'
>
> OR
>
> samba-tool dns delete mail 0.168.192.in-addr.arpa 2 PTR mail.hprs.local
>
> Rowland

Actually, 0.168.192.in-addr.arpa is the one I want to keep. Right now I have both:

# samba-tool dns zonelist mail

  pszZoneName                 : 0.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.hprs.local

  <snip>

  pszZoneName                 : 1.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.hprs.local

I want to get rid of the 1.168.192.in-addr.arpa entry. Your suggestion didn't work:

# samba-tool dns delete mail 1.168.192.in-addr.arpa 2 PTR mail.hprs.local
Password for [administrator at HPRS.LOCAL]:
ERROR(runtime): The record does not exist [WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST] - (9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')

I also tried with the full IP 192.168.0.2 instead of just '2' for the <name>.

I must still be doing something wrong.

As to the main problem, not resolving public or internal domain names, part of
that problem may be something up with the SonicWall (192.168.0.1). I'm checking
that. When I bypass the SonicWall and use my ISP's nameserver as the "dns
forwarder" in the DC, I can resolve external domain names.

I still cannot resolve domain hosts:

# host webserver
(nothing)

# host webserver.hprs.local
Host webserver.hprs.local not found: 3(NXDOMAIN)

However, webserver (a Linux host) can now resolve public domain names with
192.168.0.2 in resolv.conf, and can resolve the DC (on webserver):

$ host mail
mail.hprs.local has address 192.168.0.2

So, why can the DC resolve <host>.hprs.local? Does each host on the domain need
to have an A record added on the DC? I.e. these are not resolved automatically?

Thanks --Mark
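Rowland's usage line covers deleting a single PTR record; removing the leftover 1.168.192.in-addr.arpa zone as a whole is a different operation. The script below is an added example, written for this thread and not posted by either participant: it parses `samba-tool dns zonelist` output, picks out reverse zones that do not match the DC's current subnet, and prints the commands to review and then remove each one. A /24 subnet and the DC short name `mail` as the <server> argument are assumptions taken from the addresses above.

```shell
#!/bin/sh
# Added example (not from the thread): given `samba-tool dns zonelist` output, find
# reverse zones that do not belong to the DC's current subnet and print the
# samba-tool commands to inspect and remove each. Assumes a /24 subnet and that
# the DC is addressed by its short name "mail", as in the messages above.

# Build the in-addr.arpa name of the /24 reverse zone an IPv4 address lives in.
reverse_zone_for_ip() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# Read zonelist output on stdin; print reverse zone names other than the one to keep.
stale_reverse_zones() {
    awk -v keep="$1" '$1 == "pszZoneName" && $3 ~ /\.in-addr\.arpa$/ && $3 != keep { print $3 }'
}

# Print, rather than run, the commands: a query to review what the zone still holds,
# then the zonedelete that removes the whole stale zone (records included).
plan_cleanup() {
    server=$1
    keep=$(reverse_zone_for_ip "$2")
    stale_reverse_zones "$keep" | while read -r zone; do
        printf 'samba-tool dns query %s %s @ ALL\n' "$server" "$zone"
        printf 'samba-tool dns zonedelete %s %s\n' "$server" "$zone"
    done
}

# Constructed sample, abbreviated from the zonelist format shown in the thread.
ZONELIST_SAMPLE=$(cat <<'EOF'
  pszZoneName                 : hprs.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  pszZoneName                 : 0.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  pszZoneName                 : 1.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
EOF
)

# Pipe real `samba-tool dns zonelist mail` output here instead of the sample.
printf '%s\n' "$ZONELIST_SAMPLE" | plan_cleanup mail 192.168.0.2
```

Run the printed query first and delete the zone only once it shows nothing still in use. Member hosts are not resolved automatically: each needs an A record in hprs.local, either added with `samba-tool dns add mail hprs.local <host> A <ip>` or registered by the host's own dynamic DNS update.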
