[Samba] Provisioning new AD Domain Controller

Rowland Penny rpenny at samba.org
Sun Jan 21 08:07:43 UTC 2024


On Sat, 20 Jan 2024 20:31:31 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Sat Jan 20 16:28:14 2024 Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On Sat, 20 Jan 2024 15:44:18 -0500
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > After provisioning and testing my new DC offline, I now want to
> > > move it into production. This means changing IPs.
> > > 
> > > DC FQDN: mail.hprs.local
> > > 
> > > IPs for setup/testing:
> > > 
> > > DC: 192.168.1.60
> > > Gateway: 192.168.1.1   (Netgear router)
> > > DNS: 192.168.1.60      (/etc/resolv.conf)
> > > /etc/hosts: 192.168.1.60  mail.hprs.local mail
> > > smb.conf, dns forwarder: 192.168.1.1
> > > 
> > > Production IPs:
> > > 
> > > DC: 192.168.0.2
> > > Gateway: 192.168.0.1   (SonicWall firewall/router)
> > > DNS: 192.168.0.2       (/etc/resolv.conf)
> > > /etc/hosts: 192.168.0.2  mail.hprs.local mail
> > > smb.conf, dns forwarder: 192.168.0.1
> > > 
> > > I've restarted the network and samba to use these new IPs.
> > > 
> > > The A record looks good:
> > > 
> > > # host -t A mail.hprs.local
> > > mail.hprs.local has address 192.168.0.2
> > > 
> > > I also created a new reverse dns record:
> > > 
> > > # samba-tool dns zonecreate mail.hprs.local 0.168.192.in-addr.arpa
> > > 
> > > # samba-tool dns zonelist mail
> > >   pszZoneName                 : 0.168.192.in-addr.arpa
> > >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> > >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> > >   Version                     : 50
> > >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> > >   pszDpFqdn                   : DomainDnsZones.hprs.local
> > > 
> > > Two problems ...
> > > 
> > > I'm not resolving any public or local hostnames, so it appears
> > > that samba is not acting as the dns server. I can access public
> > > and local hosts by IP.
> >
> > Is Samba running ?
> > Is /etc/resolv.conf set correctly ?
> >
> > It should be:
> >
> > search hprs.local
> > nameserver 192.168.0.2
> 
> Yes samba is running.
> 
> Yes that is my /etc/resolv.conf
> 
> >
> > > 
> > > Why?
> > > 
> > > Second, more minor problem, I cannot figure out how to delete the
> > > old reverse dns record 1.168.192.in-addr.arpa.
> >
> > That could be because you will not have the reverse record
> > '1.168.192.in-addr.arpa', or if you do, you have really messed up
> > your dns.
> >
> > > I've tried numerous
> > > combinations of the command to do so with no luck including;
> > > 
> > > # samba-tool dns delete mail hprs.local mail PTR 1.168.192.in-addr.arpa
> > > Password for [administrator at HPRS.LOCAL]:
> > > ERROR(runtime): The record does not exist
> > > [WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST] - (9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')
> > > 
> > > What am I doing wrong?
> >
> > You are not using the correct command, the usage is:
> >
> > samba-tool dns delete <server> <zone> <name> PTR <data>
> >
> > Where, in your case, <server> is 'mail', <zone> is
> > '0.168.192.in-addr.arpa', <name> is the DCs existing IP '2' and
> > <data> is the DCs FQDN 'mail.hprs.local'
> >
> > OR
> >
> > samba-tool dns delete mail 0.168.192.in-addr.arpa 2 PTR mail.hprs.local
> >
> > Rowland
> 
> Actually, 0.168.192.in-addr.arpa is the one I want to keep. Right now
> I have both:
> 
> # samba-tool dns zonelist mail
> 
>   pszZoneName                 : 0.168.192.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.hprs.local
> 
>   <snip>
> 
>   pszZoneName                 : 1.168.192.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.hprs.local
> 
> I want to get rid of the 1.168.192.in-addr.arpa entry. Your
> suggestion didn't work:
> 
> # samba-tool dns delete mail 1.168.192.in-addr.arpa 2 PTR mail.hprs.local
> Password for [administrator at HPRS.LOCAL]:
> ERROR(runtime): The record does not exist
> [WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST] - (9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')
> 
> I also tried with the full IP 192.168.0.2 instead of just '2' for the
> <name>
> 
> I must still be doing something wrong.

Yes, you didn't say that you wanted to remove a reverse zone, I
thought you wanted to remove the DC's reverse record, which you are
going to have to remove (along with any other PTR records in the
zone) before you can remove the reverse zone.

If you run:

samba-tool dns --help

you get this:

samba-tool dns: missing subcommand

Usage: samba-tool dns <subcommand>

Domain Name Service (DNS) management.


Options:
  -h, --help            show this help message and exit
  --color=always|never|auto
                        use colour if available (default: auto)


Available subcommands:
  add          - Add a DNS record
  cleanup      - Cleanup DNS records for a DNS host.
  delete       - Delete a DNS record
  query        - Query a name.
  roothints    - Query root hints.
  serverinfo   - Query for Server information.
  update       - Update a DNS record
  zonecreate   - Create a zone.
  zonedelete   - Delete a zone.
  zoneinfo     - Query for zone information.
  zonelist     - Query for zones.
  zoneoptions  - Change zone aging options.
For more help on a specific subcommand, please type: samba-tool dns <subcommand> (-h|--help)

Which subcommand do you think is used to delete a zone ?

It certainly isn't 'delete', that is for deleting a record from a zone,
not the zone itself.

> 
> As to the main problem, not resolving public or internal domain
> names, part of that problem may be something up with the SonicWall
> (192.168.0.1).  I'm checking that.  When I bypass the SonicWall and
> use my ISP's nameserver as the "dns forwarder" in the DC, I can
> resolve external domain names. 
> 
> I still cannot resolve domain hosts:
> 
> # host webserver
> (nothing)
> 
> # host webserver.hprs.local
> Host webserver.hprs.local not found: 3(NXDOMAIN)
> 
> However, webserver (a Linux host) can now resolve public domain names
> with 192.168.0.2 in resolv.conf, and can resolve the DC (on
> webserver):
> 
> $ host mail
> mail.hprs.local has address 192.168.0.2
> 
> So, why can the DC resolve <host>.hprs.local? Does each host on the
> domain need to have an A record added on the DC? I.e. these are not
> resolved automatically?

Oh, yes, every domain member must have a record stored in AD; remember,
it is your DCs that are authoritative for the hprs.local dns domain and
not your sonicwall. If both your AD and your sonicwall are using
hprs.local as their dns domains and there is a dns server running on
the sonicwall, then turn it off. It is either that, or do what the wiki
advises and use something like 'ad.hprs.local' for the AD dns domain.

Active Directory relies on dns and as such, every AD DC is a dns
domain master; this is referred to as 'multi-master'.

Rowland
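
As an added example, not part of this thread and not Samba's own tooling: a POSIX shell script that derives the <zone> and <name> arguments Rowland describes from an IP address (192.168.0.2 gives zone 0.168.192.in-addr.arpa and name 2), deletes the remaining PTR records of a reverse zone and only then removes the zone with 'zonedelete', and registers a domain member's A and PTR records, since members are not resolved automatically. It assumes /24 reverse zones, the DC short name 'mail', the domain 'hprs.local' and the 'administrator' account from the thread; SAMBA_TOOL, DC, DOMAIN and ADMIN are variables introduced here, and setting SAMBA_TOOL=echo prints the samba-tool commands instead of running them.

```shell
#!/bin/sh
# Added example: helper functions around samba-tool's dns subcommands.
# Not from the thread or from Samba; the variable names below are assumptions.
set -eu

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # set SAMBA_TOOL=echo for a dry run
DC="${DC:-mail}"                          # <server>: the DC's short name
DOMAIN="${DOMAIN:-hprs.local}"            # forward zone the members live in
ADMIN="${ADMIN:-administrator}"           # account passed to samba-tool with -U

# reverse_parts IPV4 -> prints "<zone> <name>" for the /24 reverse zone,
# e.g. 192.168.0.2 -> "0.168.192.in-addr.arpa 2". Fails on malformed input.
reverse_parts() {
    case $1 in
        *.*.*.*.*|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for o in "$o1" "$o2" "$o3" "$o4"; do
        [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.in-addr.arpa %s\n' "$o3" "$o2" "$o1" "$o4"
}

# remove_reverse_zone ZONE [IP=FQDN ...]
# 'samba-tool dns delete' removes one record at a time; the zone itself goes
# with 'zonedelete', so every remaining PTR is deleted first. Each IP must
# really belong to ZONE, otherwise nothing is touched.
remove_reverse_zone() {
    zone=$1; shift
    for rec in "$@"; do
        ip=${rec%%=*}; fqdn=${rec#*=}
        parts=$(reverse_parts "$ip") || { echo "bad IPv4 address: $ip" >&2; return 1; }
        [ "${parts%% *}" = "$zone" ] || { echo "$ip does not belong to $zone" >&2; return 1; }
        "$SAMBA_TOOL" dns delete "$DC" "$zone" "${parts#* }" PTR "$fqdn" -U "$ADMIN"
    done
    "$SAMBA_TOOL" dns zonedelete "$DC" "$zone" -U "$ADMIN"
}

# register_member HOST IPV4: add the member's A record in the forward zone
# and the matching PTR in the reverse zone (name is the last octet).
register_member() {
    host=$1; ip=$2
    parts=$(reverse_parts "$ip") || { echo "bad IPv4 address: $ip" >&2; return 1; }
    "$SAMBA_TOOL" dns add "$DC" "$DOMAIN" "$host" A "$ip" -U "$ADMIN"
    "$SAMBA_TOOL" dns add "$DC" "${parts%% *}" "${parts#* }" PTR "$host.$DOMAIN" -U "$ADMIN"
}
```

Source the file and call, for the thread's case, `remove_reverse_zone 1.168.192.in-addr.arpa 192.168.1.60=mail.hprs.local`; the PTR list is passed explicitly rather than scraped, so enumerate the zone first (for instance with `samba-tool dns query mail 1.168.192.in-addr.arpa @ ALL`) and do a dry run with SAMBA_TOOL=echo before running it against the DC. `register_member webserver 192.168.0.10` adds the records that `host webserver.hprs.local` was missing in the thread; the address is a placeholder.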