On Thu, Dec 3, 2009 at 9:34 AM, Casey Allen Shobe <[email protected]> wrote:
> On Thu, Dec 3, 2009 at 10:55 AM, Robert LeBlanc <[email protected]> wrote:
>
>> When you use net ads join to join the computer to the domain, it should
>> register the machine in DNS as well.
>
> Well, prior to reading this I actually got things changed over to use
> security = ads instead of domain, and re-joined the domain using kerberos.
> The DNS issue was exactly the same.
>
>> Since you say that the machine object shows the name in lowercase, I assume
>> you did not create the object previously.
>
> No, I did not. I deleted it using active directory users and groups before
> rejoining with kerberos also.
>
>> If looking in DNS management does not show your machine in the forward
>> zone,
>
> How can I check for sure? wbinfo -I and -N work, btw, but not DNS
> resolution. I do not have any access to the Windows DNS stuff as it runs on
> servers I cannot log in to. Well, actually, I have a non-admin login right
> on one of them, but I don't think I can do anything useful with that.

I don't have login access to our DCs, but have been granted access to DNS.
I open up DNS management on my Windows XP workstation, then select one of
the DCs as the DNS server, I can then do any DNS work without having to
login to the DC. If this is still not an option, then I would make heavy use
of the dig command on Linux.

>> try on the Samba server "sudo net ads dns register -P" That will try to
>> register the machine again in DNS.
>
> That command hung for a long time, then finally returned:
> "DNS update failed!"

I wonder if this may have to do with the domain requiring secure updates, it
seems that this would work since you have Kerberos working correctly. I
would look through the logs, maybe bumping up the debug level while running
the above command. You won't need to disjoin or rejoin to see the DNS
errors. I haven't had to do much in the way of DNS debugging here as it
works just fine in our environment.

>> I'm not sure if pre-creating the object will cause problems as I have not
>> pre-created objects in my domain.
>
> I deleted the computer from AD, and pre-created it using uppercase letters,
> then re-joined the domain using net ads join. Now DNS resolution seems to
> work!

This seems fishy and doesn't make sense, as we don't have to do this here. I
would try some of the above things as it may help pinpoint the real problem
and fix it for future Samba installs.

>> If you need additional IP's or CNAMEs, you may have to enter those
>> manually in DNS management.
>
> I'm assuming this is something on the Windows DC that is outside of my
> control. Is it possible to set up a (linux-based) DNS server for our site
> that can resolve some custom things I put in, but passes anything it doesn't
> know an answer for (e.g. any Windows hostname) to the Windows DNS?

Please see my above comment, your AD admin may feel comfortable delegating
certain DNS rights to get your job done. I would much prefer that over a
split horizon DNS, or delegated zone if your site has its own sub-domain. It
gets too difficult to manage multiple DNS servers.

We have a delegated DNS zone for our AD domain, and our clients all use our
Linux DNS servers by default. The reason, that DNS was set-up a long time
ago and not everyone on campus uses the Active Directory.

Client
  |
Linux DNS (school.edu, delegates school.local to AD DCs)
  |
Windows DNS (school.local)

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
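
The dig-based check suggested above for a host with no access to DNS management, as an added example that is not part of the original message or of Samba: it asks one DNS server directly and classifies the answer, comparing names case-insensitively as DNS does. The host name, address and the function names are assumptions, and the sample dig output is constructed.

```shell
#!/bin/sh
# Added example: is a Samba member server present in the AD forward zone?
# Host name, DNS server and sample data below are placeholders (assumptions).

# Extract the response code (NOERROR, NXDOMAIN, REFUSED, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the addresses of A records owned by name $1 in dig output on stdin.
# Owner names are compared case-insensitively.
dig_a_records() {
    awk -v n="$1" 'BEGIN { n = tolower(n) "." }
        $1 !~ /^;/ && tolower($1) == n && $3 == "IN" && $4 == "A" { print $5 }'
}

# Turn dig output (stdin) for name $1 into a one-word verdict.
verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    addrs=$(printf '%s\n' "$out" | dig_a_records "$1")
    case "$status" in
        NOERROR) if [ -n "$addrs" ]; then echo registered; else echo no-a-record; fi ;;
        NXDOMAIN) echo missing ;;
        "") echo no-response ;;
        *) echo "error-$status" ;;
    esac
}

# Query one DNS server directly: check_host <fqdn> <dns-server>
check_host() {
    dig +noall +comments +answer "@$2" "$1" A 2>/dev/null | verdict "$1"
}

# Constructed dig output for a host that is missing from the zone.
SAMPLE_MISSING=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

# Constructed dig output for a registered host (name and address are made up).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
SAMBA1.school.local. 3600 IN A 192.0.2.10'

# Live use: sh script.sh <fqdn> <dns-server>
if [ "$#" -eq 2 ]; then check_host "$1" "$2"; fi
```

Running it once against each DC and once against the Linux DNS server shows whether the record is missing from the AD zone itself or only unreachable through the forwarding path.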
