[Samba] Problems after DC upgrade
Stephen Brandli
steve at brandli.com
Mon Feb 10 15:39:10 UTC 2025
I appreciate your help! I'm using, and have used, the internal dns.
Okay, I changed resolv.conf per the below. It is now:
nameserver 10.65.187.8
options edns0 trust-ad
search domain.brandli.com
where the IP address is that of this server, and domain.brandli.com is my ads domain. Now, I can ping other hosts on the domain with short names, but not on any other domain (as you would expect with this configuration). I can ping anything with fully qualified names. I don't think this changed anything, frankly.
I rebooted. Still getting the dnsupdate error and no others. Replication still working.
Steve
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, February 10, 2025 7:30 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Problems after DC upgrade
On Mon, 10 Feb 2025 14:56:02 +0000
Stephen Brandli <steve at brandli.com> wrote:
> It was systemd-resolved. I disabled that. Now samba is binding to
> the port.
>
> But I'm still getting the dnsupdate failure.
>
> And, I can't ping anything. I get the "unknown host or service"
> error. So names are not getting resolved on the machine. I have to
> admit to complete ignorance about how this part of linux works. When
> running systemd-networkd, what normally does name resolution? Or can
> systemd-networkd do it without listening on port 53? This works on my
> older dc's, which are not running systemd-resolved.
On a Samba AD DC, it is the DC that is authoritative for the AD dns domain, that is, every DC must use itself as its nameserver, so if your dns domain is 'samdom.example.com' and the DC IP address is 192.168.1.2, then /etc/resolv.conf should just contain this:
search samdom.example.com
nameserver 192.168.1.2
If you are using the Samba internal dns server, you will require a line like 'dns forwarder = 8.8.8.8' in the DC's smb.conf file (other internet nameservers are available). If using Bind9, you require a similar line in its named.conf file.
You should only run either Bind9 or the Samba internal dns server on a Samba AD DC, they are the only ones able to 'talk' to the DNS records stored in AD.
Rowland
PS Please do not 'CC' me, just reply to the list.
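The resolver layout Rowland describes, as an added example that is not part of this thread or of Samba: a small shell check that a DC's resolv.conf names only the DC itself (flagging the systemd-resolved stub address 127.0.0.53 that was stealing port 53 earlier in the thread) and that smb.conf carries a dns forwarder. The sample files, the 192.168.1.2 address and the samdom.example.com domain are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a Samba AD DC's resolver setup.

# check_resolv_conf FILE DC_IP AD_DOMAIN
# Prints one FAIL line per problem; returns 0 only if every check passes.
check_resolv_conf() {
    local file="$1" dc_ip="$2" ad_domain="$3" rc=0 nameservers search ns
    nameservers=$(awk '$1=="nameserver"{print $2}' "$file")
    search=$(awk '$1=="search"||$1=="domain"{for(i=2;i<=NF;i++)print $i}' "$file")
    [ -n "$nameservers" ] || { echo "FAIL: no nameserver line in $file"; rc=1; }
    for ns in $nameservers; do
        if [ "$ns" = "127.0.0.53" ]; then
            echo "FAIL: nameserver is the systemd-resolved stub, not the DC"; rc=1
        elif [ "$ns" != "$dc_ip" ]; then
            echo "FAIL: nameserver $ns is not this DC ($dc_ip)"; rc=1
        fi
    done
    # The AD domain must be in the search list so short names resolve.
    if ! printf '%s\n' $search | grep -qx "$ad_domain"; then
        echo "FAIL: search list does not contain the AD domain $ad_domain"; rc=1
    fi
    return $rc
}

# check_dns_forwarder SMB_CONF
# The internal DNS only answers for the AD zone; anything else needs a forwarder.
check_dns_forwarder() {
    local file="$1"
    grep -Eiq '^[[:space:]]*dns forwarder[[:space:]]*=[[:space:]]*[^[:space:]]' "$file" && return 0
    echo "FAIL: no 'dns forwarder' in $file"
    return 1
}

# Constructed sample files (not real configs): one good and one bad of each.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
printf 'search samdom.example.com\nnameserver 192.168.1.2\n' > "$workdir/resolv.good"
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$workdir/resolv.bad"
printf '[global]\n\tserver role = active directory domain controller\n\tdns forwarder = 8.8.8.8\n' > "$workdir/smb.good"
printf '[global]\n\tserver role = active directory domain controller\n' > "$workdir/smb.bad"

# Demo run over the samples; the bad files print their FAIL lines.
for f in resolv.good resolv.bad; do
    if check_resolv_conf "$workdir/$f" 192.168.1.2 samdom.example.com; then echo "OK: $f"; fi
done
for f in smb.good smb.bad; do
    if check_dns_forwarder "$workdir/$f"; then echo "OK: $f"; fi
done
```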