Verifying and Creating a DC DNS Record

From SambaWiki
Revision as of 14:50, 3 September 2016 by Mmuehlfeld (talk | contribs) (Mmuehlfeld moved page Check and fix DNS entries on DC joins to Verify and Create DC DNS Entries: Rename to a more suitable title)

Introduction

When you join a new Domain Controller to the domain, Samba currently doesn't create two important DNS records (Bug #10928). This documentation shows how to check whether the records exist and, if they don't, how to add them manually.


Server information

This documentation uses the following configuration/settings:

DNS Server, authoritative for the AD domain: DC1 (10.99.0.1)
New DC that was joined to the domain:       DC2 (10.99.0.2)
DNS domain name:                            samdom.example.com
Domain Administrator:                       Administrator
Domain Administrator Password:              passw0rd



Resolve the A record of the newly joined Domain Controller

# host -t A DC2.samdom.example.com.
DC2.samdom.example.com has address 10.99.0.2

If the record could not be resolved to its IP, you will receive the following output instead:

# host -t A DC2.samdom.example.com.
Host DC2.samdom.example.com. not found: 3(NXDOMAIN)

In this case, you have to add the record manually to the AD DNS zone:

# samba-tool dns add DC1 samdom.example.com DC2 A 10.99.0.2 -Uadministrator
Password for [SAMDOM\administrator]: passw0rd
Record added successfully

Re-check the record afterwards!



Resolve the objectGUID CNAME record of the newly joined Domain Controller

  • First, you have to find out the objectGUID of the newly joined Domain Controller:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

# returned 2 records
# 2 entries
# 0 referrals
  • Query the CNAME of the objectGUID in the _msdcs.samdom.example.com zone. It must be an alias for the hostname of the newly joined DC:
# host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com.
df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com is an alias for DC2.samdom.example.com.
  • If the record could not be resolved, you will receive:
# host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com.
Host df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com. not found: 3(NXDOMAIN)
  • In this case, you have to add the record manually to the AD DNS zone:
# samba-tool dns add DC1 _msdcs.samdom.example.com df4bdd8c-abc7-4779-b01e-4dd4553ca3e9 CNAME DC2.samdom.example.com -Uadministrator
Password for [SAMDOM\administrator]: passw0rd
Record added successfully
  • Re-check the record afterwards!
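The two checks above (the A record and the objectGUID CNAME), combined into one POSIX shell script. This is an added example, not from the Samba wiki; it assumes the page's settings (DC1 as DNS server, zone samdom.example.com, DC2 at 10.99.0.2) and that host and ldbsearch are available on the DC.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: check the two DNS records a newly joined
# DC needs and print the samba-tool command for each one that is missing or wrong.
# Assumed settings (the page's example setup): DC1 serves zone samdom.example.com,
# new DC DC2 is 10.99.0.2; the objectGUID is read from ldbsearch output.
DNS_SERVER=${DNS_SERVER:-DC1}
ZONE=${ZONE:-samdom.example.com}
NEW_DC=${NEW_DC:-DC2}
NEW_DC_IP=${NEW_DC_IP:-10.99.0.2}

# guid_from_ldb LDB_OUTPUT DCNAME: objectGUID of DCNAME's "NTDS Settings" object,
# parsed from "ldbsearch ... '(invocationId=*)' --cross-ncs objectguid" output.
guid_from_ldb() {
    printf '%s\n' "$1" | awk -v dc="$2" '
        /^dn: / { want = index($0, "CN=NTDS Settings,CN=" dc ",") > 0 }
        want && /^objectGUID: / { print $2; exit }'
}
# a_ok HOST_OUTPUT FQDN IP: true only if "host -t A" output maps FQDN to IP
# (NXDOMAIN or a stale address both fail).
a_ok() { printf '%s\n' "$1" | grep -qxF "$2 has address $3"; }
# cname_ok HOST_OUTPUT ALIAS TARGET: true only if "host -t CNAME" output shows
# ALIAS as an alias for TARGET (host prints the target with a trailing dot).
cname_ok() { printf '%s\n' "$1" | grep -qxF "$2 is an alias for $3."; }
# The two samba-tool commands from the page, filled in from the settings above.
a_fix_cmd() { echo "samba-tool dns add $DNS_SERVER $ZONE $NEW_DC A $NEW_DC_IP -Uadministrator"; }
cname_fix_cmd() { echo "samba-tool dns add $DNS_SERVER _msdcs.$ZONE $1 CNAME $NEW_DC.$ZONE -Uadministrator"; }

# check_dc GUID: query both records with host(1) and print a fix command for each
# one that fails; returns 0 only when both records are correct.
check_dc() {
    rc=0
    if ! a_ok "$(host -t A "$NEW_DC.$ZONE." 2>&1)" "$NEW_DC.$ZONE" "$NEW_DC_IP"; then
        echo "A record missing or wrong, add it with:"; a_fix_cmd; rc=1
    fi
    if ! cname_ok "$(host -t CNAME "$1._msdcs.$ZONE." 2>&1)" "$1._msdcs.$ZONE" "$NEW_DC.$ZONE"; then
        echo "objectGUID CNAME missing or wrong, add it with:"; cname_fix_cmd "$1"; rc=1
    fi
    return $rc
}

# Constructed sample of ldbsearch output (the page's two DCs), used for offline testing.
SAMPLE_LDB='# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f'
# Live use on a DC: check_dc "$(guid_from_ldb "$(ldbsearch -H /usr/local/samba/private/sam.ldb \
#   '(invocationId=*)' --cross-ncs objectguid)" "$NEW_DC")"
```

The script only prints the samba-tool command for a failing record instead of running it, so you can review it before adding a record with Administrator credentials.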