Verifying and Creating a DC DNS Record: Difference between revisions

From SambaWiki
m (Mmuehlfeld moved page Verify and Create DC DNS Entries to Verifying and Creating a DC DNS Record without leaving a redirect: Fix wording in title.)
(Rewrote the page. Better wording. Clearer examples.)
Revision as of 15:18, 3 September 2016

Introduction

Samba currently does not create two important DNS records when you join a domain controller (DC) to a Samba Active Directory (AD) domain: the A record of the new DC and its objectGUID CNAME record in the _msdcs zone. Directory replication requires both records, so verify them after every DC join and create them manually if they are missing.

For more details, see Bug #10928.



Domain Controller A Record

To verify that an A record for the domain controller (DC) "DC2" with the IP address "10.99.0.2" exists in the "samdom.example.com" DNS zone, run on a domain member:

# host -t A DC2.samdom.example.com.
DC2.samdom.example.com has address 10.99.0.2

If the record is missing, the following error is displayed:

# host -t A DC2.samdom.example.com.
Host DC2.samdom.example.com. not found: 3(NXDOMAIN)

To manually add the A record for "DC2" to the DNS server running on "DC1", run:

# samba-tool dns add DC1 samdom.example.com DC2 A 10.99.0.2 -Uadministrator
Password for [SAMDOM\administrator]: 
Record added successfully

The directory replication automatically distributes the new record to all DCs.



The objectGUID CNAME Record

Determining a DCs objectGUID

To determine the objectGUID value of the newly joined domain controller "DC2", run on an existing DC:

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

# returned 2 records
# 2 entries
# 0 referrals

Locate the objectGUID of the newly joined DC (here "DC2") in the output; the other entries belong to the existing DCs.


Verifying and Creating the objectGUID Record

To verify that the objectGUID CNAME record for the domain controller (DC) "DC2" exists in the "_msdcs.samdom.example.com" DNS zone and is an alias for the DC's host name, run on a domain member:

# host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com.
df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com is an alias for DC2.samdom.example.com.

If the record is missing, the following error is displayed:

# host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com.
Host df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com. not found: 3(NXDOMAIN)

To manually add the objectGUID CNAME record to the DNS server running on "DC1", use the objectGUID determined in section Determining a DCs objectGUID and run:

# samba-tool dns add DC1 _msdcs.samdom.example.com df4bdd8c-abc7-4779-b01e-4dd4553ca3e9 CNAME DC2.samdom.example.com -Uadministrator
Password for [SAMDOM\administrator]: 
Record added successfully

The directory replication automatically distributes the new record to all DCs.
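The two checks above (the A record and the objectGUID CNAME record) are usually repeated for every DC you join, so the following script, added here as an example and not part of the Samba wiki or the Samba project, combines them: it parses the ldbsearch output for the DC's objectGUID, queries both records with host(1), and calls samba-tool dns add only for a record that is genuinely absent. It assumes host, ldbsearch and samba-tool are installed, that it runs on an existing DC, and that sam.ldb lives at the default path /usr/local/samba/private/sam.ldb (override it with the optional fifth argument). The sample ldbsearch output inside the script is constructed from the page's example.

```shell
#!/bin/sh
# check_dc_dns.sh: added example, not from the Samba wiki page.
# Verifies a DC's A record and objectGUID CNAME and adds whichever is missing.
# Assumes host(1), ldbsearch and samba-tool are installed and the script runs
# on an existing DC.
#
# Usage: ./check_dc_dns.sh DNS_SERVER DNS_DOMAIN DC_NAME DC_IP [SAM_LDB]
#   e.g. ./check_dc_dns.sh DC1 samdom.example.com DC2 10.99.0.2

# --- pure helpers (no network or directory access) ---

# Print the objectGUID of DC $1 from ldbsearch LDIF output read on stdin.
# Exits 1 if the DC's NTDS Settings object does not appear in the output.
extract_objectguid() {
  awk -v dc="$1" '
    # each record starts with its dn:; remember whether it belongs to our DC
    /^dn: / { in_dc = ($0 ~ ("^dn: CN=NTDS Settings,CN=" dc ",")) }
    in_dc && /^objectGUID: / { print $2; found = 1; exit }
    END { if (!found) exit 1 }
  '
}

# Name of the objectGUID CNAME record: <guid>._msdcs.<domain>
cname_name() { printf '%s._msdcs.%s\n' "$1" "$2"; }

# True if host(1) output $1 reports fqdn $2 at address $3 (whole-line match)
a_record_matches() {
  printf '%s\n' "$1" | grep -qxF "$2 has address $3"
}

# True if host(1) output $1 shows CNAME $2 aliasing $3 (host prints a trailing dot)
cname_matches() {
  printf '%s\n' "$1" | grep -qxF "$2 is an alias for $3."
}

# Constructed ldbsearch output mirroring the page's example (two DCs)
sample_ldbsearch_output() {
  cat <<'EOF'
# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

# returned 2 records
# 2 entries
# 0 referrals
EOF
}

# --- actions that query DNS and the directory ---

ensure_a_record() {  # DNS_SERVER DOMAIN DC IP
  fqdn="$3.$2"
  out=$(host -t A "$fqdn." 2>&1) || true
  if a_record_matches "$out" "$fqdn" "$4"; then
    echo "A record OK: $fqdn -> $4"; return 0
  fi
  # An A record that exists with another address is not fixed by "add": report it.
  case "$out" in
    *"has address"*) echo "A record for $fqdn has a different address: $out" >&2; return 1 ;;
  esac
  echo "A record missing ($out); adding $fqdn -> $4 on $1"
  samba-tool dns add "$1" "$2" "$3" A "$4" -Uadministrator
}

ensure_guid_cname() {  # DNS_SERVER DOMAIN DC SAM_LDB
  guid=$(ldbsearch -H "$4" '(invocationId=*)' --cross-ncs objectguid | extract_objectguid "$3") ||
    { echo "no NTDS Settings object for $3 found in $4" >&2; return 1; }
  name=$(cname_name "$guid" "$2")
  out=$(host -t CNAME "$name." 2>&1) || true
  if cname_matches "$out" "$name" "$3.$2"; then
    echo "CNAME OK: $name -> $3.$2"; return 0
  fi
  case "$out" in
    *"is an alias for"*) echo "CNAME $name points elsewhere: $out" >&2; return 1 ;;
  esac
  echo "CNAME missing ($out); adding $name -> $3.$2 on $1"
  samba-tool dns add "$1" "_msdcs.$2" "$guid" CNAME "$3.$2" -Uadministrator
}

main() {
  if [ "$#" -lt 4 ]; then
    echo "usage: $0 DNS_SERVER DNS_DOMAIN DC_NAME DC_IP [SAM_LDB]" >&2; return 2
  fi
  ensure_a_record "$1" "$2" "$3" "$4" &&
  ensure_guid_cname "$1" "$2" "$3" "${5:-/usr/local/samba/private/sam.ldb}"
}

# Only act when arguments are given; sourcing the file just defines the functions.
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

Each samba-tool call prompts for the Administrator password, exactly as in the manual commands above. The script deliberately refuses to "add" when a record already exists but resolves to a different target, because that case needs a human decision (a stale record from an earlier join, or a typo in the arguments) rather than a second record. The host(1) checks only tell you what the resolver on the machine you run them from sees, so run them from a host whose DNS points at the AD DNS server; after adding a record, re-run the script once replication has distributed it.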