subdomain with domain


subdomain with domain

Jeff Sadowski
The other day I found that my secondary name servers running bind
were not dishing out

_msdcs.<domain> SRV records

This was causing join issues. It turned out that the Domain controller
had 2 different scopes one for

_msdcs.<domain>
and one for
<domain>

so I shared the second _msdcs.<domain> scope with all my bind secondary servers.

All servers are running Fedora 21 with
bind.i686 32:9.9.6-8.P1.fc21

I had

zone "<domain>" {
 type slave;
# the ip address of my dc
 masters {192.168.1.2;};
 file "data/db.192.168.1.2.slave";
};

entry in all my secondary name servers. Now I have

zone "_msdcs.<domain>" {
 type slave;
# the ip address of my dc
 masters {192.168.1.2;};
 file "data/db.192.168.1.2.slave";
};
zone "<domain>" {
 type slave;
# the ip address of my dc
 masters {192.168.1.2;};
 file "data/db.192.168.1.2.slave";
};

entries on all my secondary name servers. I restarted named on all my
secondary name servers and half of my secondary servers are
working (explained below) and half are not. I am certain that I allowed
zone transfers to all of my secondary name servers and that I am
pushing changes to my secondary servers.

Working being that they dish out the _msdcs entries.

examples:

nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> 192.168.1.254
Server:         192.168.1.254
Address:        192.168.1.254#53

_ldap._tcp.dc._msdcs.<domain>     service = 0 100 389 pdc.<domain>.

nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> 192.168.2.254
Server:         192.168.2.254
Address:        192.168.2.254#53

** server can't find _ldap._tcp.dc._msdcs.<domain>: SERVFAIL


nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> 192.168.3.254
Server:         192.168.3.254
Address:        192.168.3.254#53

_ldap._tcp.dc._msdcs.<domain>     service = 0 100 389 pdc.<domain>.

nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> 192.168.4.254
Server:         192.168.4.254
Address:        192.168.4.254#53

** server can't find _ldap._tcp.dc._msdcs.<domain>: SERVFAIL

All servers still dish out records in the old scope. I have more
secondaries and there doesn't seem to be rhyme or reason to why half
work and half do not.
I made certain that 192.168.1.254 and 192.168.2.254 both had all the
same packages and double checked all named config files were
identical.

If anyone could give me a clue on what to check next it would be
greatly appreciated.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: subdomain with domain

Graham Clinch
> zone "_msdcs.<domain>" {
> [..]
>  file "data/db.192.168.1.2.slave";
> };
> zone "<domain>" {
> [..]
>  file "data/db.192.168.1.2.slave";
> };

Both zones are being backed by the same file, so one will be overwriting
the other.  This may not be the cause of the half-working situation, but
it won't be helping.  Do the bind logs (not sure where Fedora puts them
though - /var/log/messages?) contain any errors?

Unless <domain> is really '192.168.1.2', I would suggest naming your
file after the zone that it is going to contain - e.g.

file "data/db._msdcs.<domain>";
and
file  "data/db.<domain>";

Graham
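The defect Graham spotted in Jeff's named.conf (two slave zones writing to one file) is easy to check for mechanically. The following is an added example, not code from this thread or from ISC BIND: a small parser for the subset of named.conf syntax the thread uses (zone statements with type, masters and file, '#' or '//' comments) that reports any file shared by more than one zone and proposes a per-zone name in the style Graham suggests. The name corp.example stands in for the thread's <domain>; 192.168.1.2 is the DC address from Jeff's post.

```python
"""Spot zones that share one backing file in a named.conf fragment.

Added example, not code from the bind-users thread or from ISC BIND.
Handles only the subset of named.conf syntax the thread uses.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Jeff's configuration with the placeholder filled in (corp.example stands
# in for <domain>): both zones are written to the same file, so each zone
# transfer overwrites the other zone's data on disk.
BROKEN_CONF = '''
zone "_msdcs.corp.example" {
 type slave;
# the ip address of my dc
 masters {192.168.1.2;};
 file "data/db.192.168.1.2.slave";
};
zone "corp.example" {
 type slave;
# the ip address of my dc
 masters {192.168.1.2;};
 file "data/db.192.168.1.2.slave";
};
'''

# The same zones with one file per zone, named after the zone it holds.
FIXED_CONF = '''
zone "_msdcs.corp.example" {
 type slave;
 masters { 192.168.1.2; };
 file "data/db._msdcs.corp.example";
};
zone "corp.example" {
 type slave;
 masters { 192.168.1.2; };
 file "data/db.corp.example";
};
'''

_COMMENT_RE = re.compile(r"(#|//).*$", re.MULTILINE)
_ZONE_OPEN_RE = re.compile(r'\bzone\s+"([^"]+)"[^{;]*\{')


def parse_zones(conf: str) -> list[dict]:
    """Return one dict per zone statement: name, type, file, masters.

    Zone bodies are delimited by counting braces, so the nested
    masters { ... } list does not end the zone early.
    """
    text = _COMMENT_RE.sub("", conf)
    zones = []
    for match in _ZONE_OPEN_RE.finditer(text):
        depth, pos = 1, match.end()
        while depth and pos < len(text):
            depth += {"{": 1, "}": -1}.get(text[pos], 0)
            pos += 1
        body = text[match.end():pos - 1]          # everything inside the braces
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        zfile = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        masters = re.search(r"\bmasters\s*\{([^}]*)\}", body)
        zones.append({
            "name": match.group(1).rstrip(".").lower(),
            "type": ztype.group(1).lower() if ztype else None,
            "file": zfile.group(1) if zfile else None,
            "masters": [m.strip() for m in masters.group(1).split(";") if m.strip()]
                       if masters else [],
        })
    return zones


def shared_files(zones: list[dict]) -> dict[str, list[str]]:
    """Map each file used by more than one zone to the zones that use it."""
    by_file: dict[str, list[str]] = defaultdict(list)
    for zone in zones:
        if zone["file"]:
            by_file[zone["file"]].append(zone["name"])
    return {f: names for f, names in by_file.items() if len(names) > 1}


def suggested_file(zone_name: str, directory: str = "data") -> str:
    """A unique per-zone path in the style Graham recommends."""
    return f"{directory}/db.{zone_name.rstrip('.').lower()}"


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        conflicts = shared_files(parse_zones(conf))
        print(f"{label}: {conflicts or 'no shared zone files'}")
        for path, names in conflicts.items():
            for name in names:
                print(f"  {name}: {path} -> {suggested_file(name)}")
```

Run it against your own named.conf (read the file into `parse_zones`) before restarting named on each secondary; a shared file shows up as one dictionary entry listing both zone names.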

RE: subdomain with domain

Lightner, Jeffrey
You can do subdomains with the one zone file rather than having separate zones you just have to put a new ORIGIN for the subdomain.

In the domain file for <domain> after the SOA and existing records (NS, A, CNAME etc...) add a line:

$ORIGIN _msdcs.<domain>.        ; New subdomain
Then add the records (A, CNAME, SRV etc...) that you want for that subdomain.   (You don't need to add SOA, NS etc... unless they're different for the subdomain)





Jeffrey C. Lightner
Sr. UNIX Administrator
 
DS Services of America, Inc.
2300 Windy Ridge
Suite 600 N
Atlanta, GA  30339
 
P: 770-933-1400 ext.3516
C: 678-772-0018
F: 678-460-3603
E: [hidden email]


Recall: subdomain with domain

Lightner, Jeffrey
In reply to this post by Jeff Sadowski
Lightner, Jeff would like to recall the message, "subdomain with domain".

Re: subdomain with domain

Barry S. Finkel
In reply to this post by Jeff Sadowski
On 4/1/2015, Jeff Sadowski <[hidden email]> wrote

> The other day I found that my secondary name servers running bind
> were not dishing out
>
> _msdcs.<domain> SRV records
>
> This was causing join issues. It turned out that the Domain controller
> had 2 different scopes one for
>
> _msdcs.<domain>
> and one for
> <domain>
>
> so I shared the second _msdcs.<domain> scope with all my bind secondary servers.

It would be a good idea to also have the other Active Directory
"underscore" zones:

      _sites.<domain>
      _tcp.<domain>
      _udp.<domain>

on your slave server.

--Barry Finkel

Re: subdomain with domain

Vinícius Ferrão
Remember to put check-names ignore to use underlined zones.


Re: subdomain with domain

Steven Carr
In reply to this post by Barry S. Finkel
On 1 April 2015 at 20:53, Barry S. Finkel <[hidden email]> wrote:
> It would be a good idea to also have the other Active Directory
> "underscore" zones:
>
>      _sites.<domain>
>      _tcp.<domain>
>      _udp.<domain>
>
> on your slave server.

From what I've seen in the field, in most AD installations those
aren't actual subdomains, Microsoft just uses dotted host names in the
main domain. The only subdomain that is always created is the _msdcs
subdomain, the rest usually need manual intervention to create them.
(The MMC tricks you as it shows folders for subdomains on the dotted
host names when they don't actually exist.)

To see what domains you actually have configured in Microsoft DNS use
"dnscmd /enumzones", then replicate those in your secondary.

Steve

Re: subdomain with domain

Bob Harold
In reply to this post by Lightner, Jeffrey
Jeff,
   That only works on the master zone server, without dynamic updates.  Any slave zones or zones with dynamic updates will have problems because the zone file will be overwritten with one zone each time it is updated.



--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
[hidden email]
734-647-6524 desk


Re: subdomain with domain

Grant Taylor
In reply to this post by Jeff Sadowski
On 04/01/2015 08:51 PM, Steven Carr wrote
> (The MMC tricks you as it shows folders for subdomains on the dotted
> host names when they don't actually exist.)

They are indeed sub-domains.  They just are not delegated.  Thus they
are part of the same (parent) zone.



--
Grant. . . .
unix || die
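Three points in the thread turn on the same piece of DNS mechanics: Jeff Lightner's suggestion to carry _msdcs.<domain> in the parent zone file under a second $ORIGIN, Bob Harold's caveat that this only works for a hand-maintained master file (named rewrites a slave's file from each transfer), and Grant Taylor's observation that an undelegated subdomain is simply part of the parent zone. The following added example (not code from this thread or from ISC BIND) parses a constructed master file that uses $ORIGIN the way Lightner describes, expanding relative owner and target names, and then picks the configured zone that is authoritative for a name by longest suffix match. It covers only the master-file syntax this needs ($TTL, $ORIGIN, '@', relative and absolute names, blank owners, ';' comments; no parenthesised multi-line records). corp.example stands in for the thread's <domain>; the hosts pdc and bdc and the address 192.168.1.3 are constructed.

```python
"""Expand a master file that uses $ORIGIN for an undelegated subdomain,
then decide which configured zone answers a given name.

Added example, not code from the bind-users thread or from ISC BIND.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed master file for corp.example (stand-in for the thread's
# <domain>). The _msdcs records sit in the same file under a second
# $ORIGIN. This is only meaningful on the master: a slave's file is
# rewritten from each zone transfer, so hand edits there are lost.
ZONE_FILE = """
$TTL 3600
$ORIGIN corp.example.
@             IN SOA pdc.corp.example. hostmaster.corp.example. 2015040101 3600 900 604800 86400
@             IN NS  pdc
pdc           IN A   192.168.1.2
bdc           IN A   192.168.1.3
_ldap._tcp    IN SRV 0 100 389 pdc
$ORIGIN _msdcs.corp.example.       ; new subdomain, same zone file
_ldap._tcp.dc IN SRV 0 100 389 pdc.corp.example.
              IN SRV 0 100 389 bdc.corp.example.
gc._tcp       IN SRV 0 100 3268 pdc.corp.example.
"""

# Types whose last rdata field is a domain name that $ORIGIN applies to.
_NAME_TARGET_TYPES = {"NS", "CNAME", "PTR", "MX", "SRV"}


@dataclass(frozen=True)
class Record:
    owner: str          # fully qualified, with trailing dot
    ttl: int | None
    rtype: str
    rdata: str


def fqdn(name: str, origin: str) -> str:
    """Absolute form of a master-file name under the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone_file(text: str, origin: str) -> list[Record]:
    """Parse a master file into records with fully qualified owner names."""
    origin = origin.rstrip(".") + "."
    default_ttl: int | None = None
    last_owner: str | None = None
    records: list[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = fqdn(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if line[0] in " \t":                          # blank owner: reuse previous
            owner = last_owner
        else:
            owner = fqdn(tokens.pop(0), origin)
        if owner is None:
            raise ValueError("record without owner before any owner was set")
        last_owner = owner
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype in _NAME_TARGET_TYPES and tokens:
            tokens[-1] = fqdn(tokens[-1], origin)     # relative target names too
        records.append(Record(owner, ttl, rtype, " ".join(tokens)))
    return records


def lookup(records: list[Record], name: str, rtype: str) -> list[str]:
    """Sorted rdata of all records with this owner and type."""
    name = name.rstrip(".").lower() + "."
    return sorted(r.rdata for r in records
                  if r.owner.lower() == name and r.rtype == rtype.upper())


def zone_for(name: str, zone_names: list[str]) -> str | None:
    """Configured zone authoritative for name: the longest matching suffix.

    A subdomain without a zone statement of its own is answered from its
    parent's zone; only a separate zone statement makes it a zone cut here.
    """
    name = name.rstrip(".").lower()
    best = None
    for zone in zone_names:
        zone = zone.rstrip(".").lower()
        if (name == zone or name.endswith("." + zone)) and (best is None or len(zone) > len(best)):
            best = zone
    return best


if __name__ == "__main__":
    recs = parse_zone_file(ZONE_FILE, "corp.example")
    for r in recs:
        print(f"{r.owner:40} {r.rtype:4} {r.rdata}")
    zones = ["corp.example", "_msdcs.corp.example"]
    for q in ("_ldap._tcp.dc._msdcs.corp.example", "_ldap._tcp.corp.example"):
        print(q, "->", zone_for(q, zones))
```

With both zone statements configured, the _msdcs SRV query is answered from the _msdcs.corp.example zone and the plain _ldap._tcp query from corp.example; drop the _msdcs statement from the list and every name falls back to the parent zone, which is exactly the single-file layout Lightner describes and the reason it must be the master's file that carries the $ORIGIN section.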