Verifying and Creating a DC DNS Record

Revision as of 18:02, 20 December 2014 by Mmuehlfeld (talk | contribs) (Moved content to a separate page, because it is valid for all DC joins (Samba + Windows). So it can be referenced in all documentation and doesn't have to be maintained twice.)

Introduction

When you join a new Domain Controller to the domain, Samba currently doesn't create two important DNS records (Bug #10928): the A record of the new DC and the CNAME record for its objectGUID in the _msdcs subdomain, which other DCs use to locate the new DC for replication. This documentation shows how to check whether the records exist and, if not, how to add them manually.


Server information

This documentation uses the following configuration/settings:

DNS Server, authoritative for the AD domain: DC1 (10.99.0.1)
New DC that was joined to the domain:       DC2 (10.99.0.2)
DNS domain name:                            samdom.example.com
Domain Administrator:                       Administrator
Domain Administrator Password:              passw0rd



Resolve the A record of the newly joined Domain Controller

# host -t A DC2.samdom.example.com.
DC2.samdom.example.com has address 10.99.0.2

If the record cannot be resolved to its IP address, you will receive the following output instead:

# host -t A DC2.samdom.example.com.
Host DC2.samdom.example.com. not found: 3(NXDOMAIN)

In this case, you have to add the record manually to the AD DNS zone:

# samba-tool dns add DC1 samdom.example.com DC2 A 10.99.0.2 -Uadministrator
Password for [SAMDOM\administrator]: passw0rd
Record added successfully

Re-check afterwards that the record now resolves.



Resolve the objectGUID CNAME record of the newly joined Domain Controller

  • First, you have to find out the objectGUID of the newly joined Domain Controller. The relevant GUID is the one of the DC's "NTDS Settings" object (the only object carrying an invocationId attribute), not the one of the computer account:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

# returned 2 records
# 2 entries
# 0 referrals
  • Query the CNAME of the objectGUID in the _msdcs.samdom.example.com zone. It must be an alias for the FQDN of the newly joined DC:
# host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com.
df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com is an alias for DC2.samdom.example.com.
  • If the record cannot be resolved, you will receive:
# host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com.
Host df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com. not found: 3(NXDOMAIN)
  • In this case, you have to add the record manually to the AD DNS zone:
# samba-tool dns add DC1 _msdcs.samdom.example.com df4bdd8c-abc7-4779-b01e-4dd4553ca3e9 CNAME DC2.samdom.example.com -Uadministrator
Password for [SAMDOM\administrator]: passw0rd
Record added successfully
  • Re-check afterwards that the record now resolves.
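The whole procedure above (check the A record, check the objectGUID CNAME, add whichever is missing with samba-tool, and re-check) can be scripted. The following script is an added example written for this page; it is not part of Samba or of the original wiki text. It assumes the server names, addresses and paths used on this page (DC1, DC2, samdom.example.com, /usr/local/samba/private/sam.ldb), all of which can be overridden through environment variables, and that `host`, `ldbsearch` and `samba-tool` are in the PATH. The parsing helpers read the command output the way it appears on this page; the sample output they are tested against is constructed from the examples above.

```shell
#!/bin/sh
# Added example (not Samba project code): verify and, if missing, create the
# A record and the objectGUID CNAME of a newly joined DC. Values below are
# the page's assumed settings; override them in the environment.
DNS_SERVER="${DNS_SERVER:-DC1}"             # DC authoritative for the zone (name or IP)
DOMAIN="${DOMAIN:-samdom.example.com}"
NEW_DC="${NEW_DC:-DC2}"
NEW_DC_IP="${NEW_DC_IP:-10.99.0.2}"
SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"
ADMIN="${ADMIN:-administrator}"             # samba-tool prompts for the password

# Print the objectGUID of the given DC's "NTDS Settings" object, read from
# ldbsearch output on stdin. Matching is case-insensitive on the DN prefix,
# and only the first objectGUID after the matching dn line is printed.
guid_for_dc() {
    awk -v dc="$1" '
        tolower($0) ~ "^dn: cn=ntds settings,cn=" tolower(dc) "," { want = 1; next }
        want && /^objectGUID: / { print $2; exit }
        /^$/ { want = 0 }
    '
}

# Return 0 if `host -t A` output on stdin reports exactly the expected address.
a_record_ok() {
    while IFS= read -r line; do
        case "$line" in
            *"has address $1") return 0 ;;
        esac
    done
    return 1
}

# Return 0 if `host -t CNAME` output on stdin aliases to the expected FQDN
# (with or without the trailing dot).
cname_ok() {
    while IFS= read -r line; do
        case "$line" in
            *"is an alias for $1"|*"is an alias for $1.") return 0 ;;
        esac
    done
    return 1
}

# Query the authoritative DC directly, so a stale caching resolver from
# /etc/resolv.conf cannot hide a missing record or mask a freshly added one.
lookup() {  # $1 = record type, $2 = name (without trailing dot)
    host -t "$1" "$2." "$DNS_SERVER" 2>&1
}

ensure_dc_records() {
    fqdn="$NEW_DC.$DOMAIN"

    if ! lookup A "$fqdn" | a_record_ok "$NEW_DC_IP"; then
        echo "A record for $fqdn missing, adding it" >&2
        samba-tool dns add "$DNS_SERVER" "$DOMAIN" "$NEW_DC" A "$NEW_DC_IP" -U"$ADMIN" || return 1
        # Re-check, as the page asks
        lookup A "$fqdn" | a_record_ok "$NEW_DC_IP" || { echo "A record still missing" >&2; return 1; }
    fi

    guid=$(ldbsearch -H "$SAM_LDB" '(invocationId=*)' --cross-ncs objectguid | guid_for_dc "$NEW_DC")
    [ -n "$guid" ] || { echo "no NTDS Settings objectGUID found for $NEW_DC" >&2; return 1; }

    if ! lookup CNAME "$guid._msdcs.$DOMAIN" | cname_ok "$fqdn"; then
        echo "CNAME $guid._msdcs.$DOMAIN missing, adding it" >&2
        samba-tool dns add "$DNS_SERVER" "_msdcs.$DOMAIN" "$guid" CNAME "$fqdn" -U"$ADMIN" || return 1
        lookup CNAME "$guid._msdcs.$DOMAIN" | cname_ok "$fqdn" || { echo "CNAME still missing" >&2; return 1; }
    fi
    echo "both DNS records present for $fqdn (objectGUID $guid)"
}

# Only run the checks when invoked as `sh check_dc_dns.sh run`, so the
# helper functions can also be sourced and tested on their own.
if [ "${1:-}" = "run" ]; then
    ensure_dc_records
fi
```

Run it as root on a DC (e.g. `sh check_dc_dns.sh run`); samba-tool asks for the Administrator password when a record has to be added. The script adds nothing when both records already resolve from the authoritative DC, and exits non-zero if a record is still missing after the add.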