[Samba] Win Clients and DNS

Viktor Trojanovic

Nov 15, 2015, 7:40:03 PM
I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and the
clients all have a fixed IPv4 address.

In the windows event viewer, I constantly see the following warning:

Event 8019, DNS Client Events
------------------------------------------
The system failed to register host (A or AAA) resource records (RRs) for
network adapter with settings:

Adapter Name: {someGUID}
Host Name: Client-PC
Primary Domain Suffix: SAMDOM.COM
DNS Server list:
192.168.0.1
Sent update to server: <?>
IP Addresses:
192.168.0.15
------------------------------------------

Is it necessary to manually make some entries in DNS for the client
machines? I didn't see anything about that in the Wiki.

I'm trying to figure out if this is connected to another problem I'm
facing. A machine based GPO is not executed because "the file
\\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not be
read", and as one of the possible reasons for the error, name resolution
is mentioned. I can access the file just fine once I'm logged in so I
really don't know what the issue is here.

Thanks,
Viktor

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Ole Traupe

Nov 16, 2015, 3:30:04 AM
Viktor, can you manually check whether you have DNS records for your Win
clients?

In the DNS settings for your Win clients' network adapters you can
uncheck that the current address shall be registered in DNS.

Ole

L.P.H. van Belle

Nov 16, 2015, 3:40:02 AM
I guess,

incorrect rights on your sysvol,
Try : samba-tool ntacl sysvolreset
And check the share rights.

By default this should work out of the box.
Did you change the sysvol rights?


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Ole Traupe
> Sent: Monday, 16 November 2015 9:25
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Win Clients and DNS

Rowland Penny

Nov 16, 2015, 4:00:04 AM
Is there anything in syslog on the DC? It may be that whilst your
clients are trying to update their dns records in AD, they are being denied.
If the clients were Unix based, you would have to add their records to
AD manually; it is probably the same for fixed Windows clients.
There is something on the wiki about adding dns records, but it is a bit
unclear as to why you would need to do this:

https://wiki.samba.org/index.php/DNS_administration#Adding_new_records

Rowland

Viktor Trojanovic

Nov 16, 2015, 4:50:03 AM
Hi Ole,

I am using Samba DNS. I didn't manually create records for the clients
so they are not there. Are they necessary? Are A records enough?

And thanks about the tip with the DNS settings for the clients, I will
uncheck the box.

Viktor

Viktor Trojanovic

Nov 16, 2015, 4:50:03 AM
Yes, I read that, and I'm not clear either on why the clients need
registration and what the disadvantages would be if they aren't. But
Ole's tip to remove the "Register DNS" checkbox from the network
interface on Win Clients does seem like valuable information for the wiki.

Viktor

Viktor Trojanovic

Nov 16, 2015, 4:50:05 AM
Hi Louis,

I never touched the sysvol rights, neither from Windows nor from Linux,
and they seem to be intact. The share rights are correct, too, and on a
separate server by the way.

As I said, I can easily access them myself, it's just that error in the
event log which makes it seem as if, during the startup phase, there is
a problem to access certain information.

Thanks,
Viktor

L.P.H. van Belle

Nov 16, 2015, 5:50:03 AM
Hai,

I suggest you don't remove the "Register DNS" checkbox from the network option.

If you set it up correctly, when you join a computer to the domain,
it will automatically register the computer in the AD DNS.
And to do so you need the "Register DNS" checkbox from the network.

For example, I use for now a DHCP server.
! The DHCP server I use is NOT in any of the MS domains and/or Samba AD !
So it's just a DHCP server, not linked to any domain.
And I have 3 MS domains here.

If I join the domain with a PC with a DHCP IP, it is registered as it should.
And same with PCs that have a dedicated IP.

So,
either the DHCP server is giving the wrong options to the PC,
or you're missing the reverse DNS zone.

This should work out of the box, without any registry modification etc..

Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Viktor Trojanovic
> Sent: Monday, 16 November 2015 10:47
> To: Rowland Penny; sa...@lists.samba.org
> Subject: Re: [Samba] Win Clients and DNS

Viktor Trojanovic

Nov 16, 2015, 6:10:04 AM
Hi Louis,

I don't use DHCP so most of what you wrote doesn't apply in my case.

As for the reverse zone: I followed the wiki in this respect and do have
a reverse lookup zone for the network, pointing to the DC.

RLZ: 0.168.192.in-addr.arpa
PTR 192.168.0.1
NS dc samdom.com
SOA [2], dc.samdom.com, hostmaster.samdom.com

Let me know if you see any issues in this configuration, thanks.

Viktor

Viktor Trojanovic

Nov 16, 2015, 6:30:03 AM
So I ran a samba-tool ntacl sysvolcheck, and the following error message
came up:

--------------------snip--------------------
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
249, in run
lp)
File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1733, in checksysvolacl
direct_db_access)
File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1684, in check_gpos_acl
domainsid, direct_db_access)
File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1650, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' % (acl_type(direct_db_access),
os.path.join(root, name), fsacl_sddl, acl))
--------------------snip--------------------

The GPO directory in question is the Default Domain Policy.

Any idea what happened here? I never touched the DDD, it's still on
version 0, and I never did any changes to those files either. I manually
checked the ACL, without having made a diff on it, it looks pretty much
the same like the ACL on the other containers.

Is it safe to run sysvolreset?

Viktor

On 16.11.2015 09:34, L.P.H. van Belle wrote:

Rowland Penny

Nov 16, 2015, 6:50:03 AM
Firstly, have you changed anything on the DC after provision? I don't
mean adding users or groups, but anything else?

I think if you examine what samba-tool thinks is different, you will
find that it is only these:

O:BAG:DUD and O:DAG:DAD

To turn these into English :-)

O = owner
BA = BUILTIN\Administrators
G = group
DU = Domain Users
DA = Domain Administrators

BA becoming DA is fairly common and I don't think is relevant
But somehow DA has become DU

That is why I asked if you have changed anything.

Now as for do your computers A and PTR records need to be added to AD,
try this on the DC:

ping -c1 member1

where 'member1' is the hostname of one of your workstations, it should
return something like this:

PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms

--- member1.samdom.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.261/0.261/0.261/0.000 ms

Not like this:

ping: unknown host member1

If you get the latter, you need to add the records manually.

Rowland
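
The two SDDL strings from the sysvolcheck error quoted earlier in the thread can be compared field by field rather than by eye. The following is an added example, not code from the thread or from Samba; it handles only the `O:`, `G:` and `D:` parts of an SDDL string, and its lookup tables cover only the aliases, ACE flags and access masks that occur in this thread.

```python
import re
from collections import Counter

# Lookup tables limited to the values that occur in this thread.
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators", "DA": "Domain Admins",
    "DU": "Domain Users", "EA": "Enterprise Admins",
    "CO": "Creator Owner", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}
ACE_FLAGS = {"OI": "object-inherit", "CI": "container-inherit", "IO": "inherit-only"}
ACCESS_MASKS = {0x001F01FF: "full control", 0x001200A9: "read and execute"}

# The two SDDL strings from the sysvolcheck error message in the thread:
# the ACL found on the sysvol directory and the one stored on the GPO object.
DIR_SDDL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")
GPO_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

_SID = r"(?:[A-Z]{2}|S-1-[0-9-]+)"          # two-letter alias or literal SID
_SDDL = re.compile(
    rf"O:(?P<owner>{_SID})G:(?P<group>{_SID})"
    rf"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)"
)


def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = _SDDL.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("unsupported or malformed SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
        aces.append((ace_type, flags, rights.lower(), trustee))
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": m["flags"], "aces": aces}


def _name(sid):
    return f"{sid} ({SID_ALIASES[sid]})" if sid in SID_ALIASES else sid


def describe_ace(ace):
    """Render one parsed ACE tuple in readable form."""
    ace_type, flags, rights, trustee = ace
    kind = {"A": "allow", "D": "deny"}.get(ace_type, ace_type)
    mask = ACCESS_MASKS.get(int(rights, 16)) if rights.startswith("0x") else None
    inherit = [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2])
               for i in range(0, len(flags), 2)]
    return (f"{kind} {_name(trustee)}: {mask or rights} "
            f"[{', '.join(inherit) or 'no inheritance'}]")


def diff_sddl(on_dir, on_gpo):
    """List every field in which the directory ACL and the GPO ACL differ."""
    d, g = parse_sddl(on_dir), parse_sddl(on_gpo)
    out = []
    for key in ("owner", "group"):
        if d[key] != g[key]:
            out.append(f"{key}: directory has {_name(d[key])}, "
                       f"GPO object has {_name(g[key])}")
    if d["dacl_flags"] != g["dacl_flags"]:
        # "P" marks the DACL as protected from inheriting parent ACEs.
        out.append(f"DACL flags: directory has {d['dacl_flags'] or '(none)'}, "
                   f"GPO object has {g['dacl_flags'] or '(none)'}")
    # Compare ACEs as multisets so duplicated entries are not hidden.
    have, want = Counter(d["aces"]), Counter(g["aces"])
    out += [f"only on directory: {describe_ace(a)}" for a in (have - want).elements()]
    out += [f"only on GPO object: {describe_ace(a)}" for a in (want - have).elements()]
    return out


if __name__ == "__main__":
    for line in diff_sddl(DIR_SDDL, GPO_SDDL):
        print(line)
```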

Ole Traupe

Nov 16, 2015, 7:20:03 AM
Viktor, install Windows RSAT tools on one of your Win clients. Check the
ADUC and DNS console. In ADUC, the machine object (usually under
Computers) should have a correct DNS entry. In the DNS console, there
should be a Host (A) record for each of your clients.

IF that is the case and IF you can reach your clients (resolve the hosts)
AND Windows still unsuccessfully tries to register the addresses, then
try to uncheck this checkbox.

Also, I use static IPs for my Win clients with the DNS servers being my
DCs. This should be set before domain join.

Ole

Viktor Trojanovic

Nov 16, 2015, 8:00:04 AM
See replies below
Yes, those are the ACL's I see, BA is the owner, DA has full rights, DU
can read.

> That is why I asked if you have changed anything.
>
No, I haven't. Please also check my new thread about the ACL issue.

> Now as for do your computers A and PTR records need to be added to AD,
> try this on the DC:
>
> ping -c1 member1
>
> where 'member1' is the hostname of one of your workstations, it should
> return something like this:
>
> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>
>
>
This is making things even more confusing.. if I enter the DNS records,
then the command nslookup clientname will provide the correct IP
address. Ping doesn't work for half of the clients but it doesn't work
even using the IP address. Seems like the firewall is blocking it which
is again really weird because I didn't make any changes and all clients
are exactly the same.

Viktor Trojanovic

Nov 16, 2015, 8:10:03 AM
Off topic but some of my Win 10 clients have ICMP echo blocked in the
domain, some allow it. And I never even touched this setting.

L.P.H. van Belle

Nov 16, 2015, 8:30:03 AM
More explained..

Only my laptops get a DHCP IP.
All my other computers have static ip.

After the AD join, it does not matter if
1) a desktop pc, when a static IP changes for a computer.
2) a laptop gets a different IP.
The PC always updates its A and PTR

So, in both cases my A and PTR records are changed in the DNS.

Maybe a firewall setting on your pc is blocking the update to the dns server or on the server you now allowing the dns updates.

Can you have a look into that?

Greetz,

Louis







> -----Original message-----
> From: Viktor Trojanovic [mailto:vik...@troja.ch]
> Sent: Monday, 16 November 2015 12:02
> To: L.P.H. van Belle; sa...@lists.samba.org

Ole Traupe

Nov 16, 2015, 8:30:04 AM
To my knowledge, ping requires File and Printer Sharing on Windows. Is
it activated on all your clients?

Rowland Penny

Nov 16, 2015, 8:50:03 AM
OK, if ping is a problem, try 'nslookup member1' on the DC, it should
return something like this:

Server: 192.168.0.6
Address: 192.168.0.6#53

Name: member1.samdom.example.com
Address: 192.168.0.2

If it returns this:

Server: 192.168.0.6
Address: 192.168.0.6#53

** server can't find member1: NXDOMAIN

Then your DNS is up the spout, probably because the record for 'member1'
isn't in AD.

Rowland

L.P.H. van Belle

Nov 16, 2015, 8:50:05 AM
You know need icmp echo the make this work.
Icmp echo is off also in my lan.

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Ole Traupe
> Sent: Monday, 16 November 2015 14:25
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Win Clients and DNS

Viktor Trojanovic

Nov 16, 2015, 9:10:03 AM
It returns the expected result for all domain members, no issue here.

Rowland Penny

Nov 16, 2015, 9:20:03 AM
OK, one final test, is the computers record in AD?

ldbsearch -H /usr/local/samba/private/sam.ldb -b
'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub
'(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary

this (after changing the obvious) should show the dns record for 'member1'

Rowland

Viktor Trojanovic

Nov 16, 2015, 9:30:03 AM
On 16.11.2015 14:22, L.P.H. van Belle wrote:
> More explained..
>
> Only my laptops get a DHCP IP.
> All my other computers have static ip.
>
> After the AD join, it does not matter if
> 1) a desktop pc, when a static IP changes for a computer.
> 2) a laptop gets a different IP.
> The PC always updates its A and PTR
>
> So, in both cases my A and PTR records are changed in the DNS.
>
> Maybe a firewall setting on your pc is blocking the update to the dns server or on the server you now allowing the dns updates.
>
> Can you have a look into that?
>
> Greetz,
>
> Louis
>
OK, so my situation is as follows:

- DNS A and PTR are manually set on the Samba DNS for all domain members
- All clients have fixed IP addresses and are in the same subnet as the
Samba server
- I disabled the Windows Firewall just to make sure there is no block on
the PC either

==> No change, I still get the same error message in the windows event
viewer.

If I look at the error message, one line which seems wrong is

----> Sent update to server: <?>

It does give the correct IP address in the following line but is this
how it should look?

Viktor

L.P.H. van Belle

Nov 16, 2015, 9:30:04 AM
Viktor,

Do a simple test.
From the pc which is not working correctly.

Ping member1
Ping member1.fqdn

Do both resolve? Or only 1 and if 1 which one.


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
> Sent: Monday, 16 November 2015 15:08
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Win Clients and DNS

Rowland Penny

Nov 16, 2015, 9:40:03 AM
OK, just had a thought, is the DC the *only* dns server in the Samba
domain ?

Rowland

Viktor Trojanovic

Nov 16, 2015, 9:50:03 AM


On 16.11.2015 15:19, L.P.H. van Belle wrote:
> Viktor,
>
> Do a simple test.
> From the pc which is not working correctly.
>
> Ping member1
> Ping member1.fqdn
>
> Do both resolve? Or only 1 and if 1 which one.
>
>
> Greetz,
>
> Louis

Just as a side note, I am getting the DNS register warning message on
*all* win clients, not just that one.

And yes, both pings resolve.

Viktor

Rowland Penny

Nov 16, 2015, 9:50:04 AM
On 16/11/15 14:38, Viktor Trojanovic wrote:
> Yes, that works and returns one record.
>
> # record 1
> dn:
> DC=member1,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20151116123628.0Z
> whenChanged: 20151116123628.0Z
> uSNCreated: 4232
> uSNChanged: 4232
> showInAdvancedViewOnly: TRUE
> name: bh-client-3
> objectGUID: 664b9068-66ad-44b3-b88f-1a1a5909827f
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
> wDataLength : 0x0004 (4)
> wType : DNS_TYPE_A (1)
> version : 0x05 (5)
> rank : DNS_RANK_ZONE (240)
> flags : 0x0000 (0)
> dwSerial : 0x00000006 (6)
> dwTtlSeconds : 0x00000e10 (3600)
> dwReserved : 0x00000000 (0)
> dwTimeStamp : 0x00377de4 (3636708)
> data : union dnsRecordData(case 1)
> ipv4 : 192.168.0.13
>
> objectCategory:
> CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> dc: member1
> distinguishedName:
> DC=member1,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> Viktor

well, that proves that dns is not the problem

Viktor Trojanovic

Nov 16, 2015, 9:50:07 AM

Viktor Trojanovic

Nov 16, 2015, 10:00:03 AM
Yes, absolutely.

On another topic, you saw my thread on sysvolreset. It's driving me
nuts. Everytime I run sysvolreset (which takes ages), and subsequently
run sysvolcheck, the error message names a different folder than the
sysvolcheck before. What's up with that? Is that normal? How often am I
supposed to run sysvolreset to make it work? Mind you, I only have 8
policies, no scripts or other files, and it's the only DC. And the DB
check command ran with 0 errors.

Viktor

L.P.H. van Belle

Nov 16, 2015, 10:00:03 AM
Ok,
> I am getting the DNS register warning message on
> *all* win clients, not just that one.
Good info, so, this confirms it's not a bug but an incorrect setting.

Type ipconfig /all on a PC.
Post the output; I suspect an incorrect dnsdomain or DNS search domain.

Also.
Check if the PTR records are set to the correct server IPs.
This does not change on its own.

Ldbsearch from below gives 192.168.0.13
Which is different from other outputs.

And check your /etc/hosts file.

Greetz,

Louis



> -----Original message-----
> From: Viktor Trojanovic [mailto:vik...@troja.ch]
> Sent: Monday, 16 November 2015 15:45
> To: L.P.H. van Belle; sa...@lists.samba.org

L.P.H. van Belle

Nov 16, 2015, 10:10:03 AM
There is nothing wrong with your policies.

Test if it all works and if it does, ignore these messages.

I'm having the same message. ( samba 4.2.5 )

Gr.

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Viktor Trojanovic
> Sent: Monday, 16 November 2015 15:54
> To: Rowland Penny; sa...@lists.samba.org
> Subject: Re: [Samba] Win Clients and DNS

L.P.H. van Belle

Nov 16, 2015, 10:10:03 AM
Other thing.

If your domain name is like
domain.tld

By default, Windows does not send updates to top-level domains.
If that's the case you should change it to a single-label DNS.

https://support.microsoft.com/en-us/kb/300684

Greetz,

Louis

> -----Original message-----
> From: Viktor Trojanovic [mailto:vik...@troja.ch]
> Sent: Monday, 16 November 2015 15:45
> To: L.P.H. van Belle; sa...@lists.samba.org

Viktor Trojanovic

Nov 16, 2015, 10:20:03 AM


On 16.11.2015 15:53, L.P.H. van Belle wrote:
> Ok,
>> I am getting the DNS register warning message on
>> *all* win clients, not just that one.
> Good info, so, this confirms it's not a bug but an incorrect setting.
>
> Type ipconfig /all on a PC.
> Post the output; I suspect an incorrect dnsdomain or DNS search domain.
>
> Also.
> Check if the PTR records are set to the correct server IPs.
> This does not change on its own.
>
> Ldbsearch from below gives 192.168.0.13
> Which is different from other outputs.
>
> And check your /etc/hosts file.
>
> Greetz,
>
> Louis
>

ipconfig /all is returning

Hostname: member1
Primary DNS-Suffix: samdom.example.com
Node type: hybrid
IP Routing Enabled: no
WINS Proxy Enabled: no
DNS Suffix Search list: samdom.example.com

Ethernet adapter Ethernet:

Connection-specific DNS suffix: (empty)
Autoconf enabled: Yes

The rest is not relevant so I will omit it here. Just one thing: My
standard gateway is set to the router (192.168.0.2) and is therefore
different from my Samba DC (192.168.0.1). But I guess that shouldn't be
an issue.

Viktor

Viktor Trojanovic

Nov 16, 2015, 10:30:03 AM


On 16.11.2015 15:59, L.P.H. van Belle wrote:
> There is nothing wrong with your policies.
>
> Test if it all works and if it does, ignore these messages.
>
> I'm having the same message. ( samba 4.2.5 )
>
> Gr.
>
> Louis

I'm actually not sure about that. These are error, not warning messages
in the windows event viewer, and the concerned GP folder is the same
that sysvolcheck returns an error on. So, as sysvolcheck on Linux
returns the error on another folder, so does the event viewer in Windows
return an error on the same folder and not the other one anymore.

Something really strange is happening here.

Viktor Trojanovic

Nov 16, 2015, 10:30:03 AM


On 16.11.2015 16:02, L.P.H. van Belle wrote:
> Other thing.
>
> If your domain name is like
> domain.tld
>
> By default, Windows does not send updates to top-level domains.
> If that's the case you should change it to a single-label DNS.
>
> https://support.microsoft.com/en-us/kb/300684
>
> Greetz,
>
> Louis

I might be misunderstanding you. But the page from the link you sent me
says that single-label should not be used.

So, my domain does have a tld. My AD domain looks like this:
samdom.example.com, with exactly those three components (just different
naming, ofc).

Viktor

Ole Traupe

Nov 16, 2015, 10:50:03 AM
Interesting, me too, on both my DCs.

But sysvolreset shouldn't take that long, imho.

Ole

Ole Traupe

Nov 16, 2015, 11:00:04 AM
Is this your first-and-only DC ever for that domain?

Did you try to re-join the Win clients with deleting the client objects
after the 'leave'?

Ole

Ole Traupe

Nov 16, 2015, 11:10:03 AM
Viktor, reading your original post again, I find that the "Primary
Domain Suffix" there is given as "SAMDOM.COM" while you claim that your
domain name actually has the form of "samdom.example.com". Is this a
typo, or does this actually differ?

I am asking, because you can (at least in Win7) - in the system
properties right where you give the domain name for the join - specify a
"Primary DNS suffix for this computer". And if that has a typo, it might
cause some problems.

Ole



On 16.11.2015 at 16:26, Viktor Trojanovic wrote:

Viktor Trojanovic

Nov 16, 2015, 11:20:03 AM


On 16.11.2015 16:54, Ole Traupe wrote:
> Is this your first-and-only DC ever for that domain?
>
> Did you try to re-join the Win clients with deleting the client
> objects after the 'leave'?
>
> Ole
>

Yes, first and only. As I said, it's more or less a lab setup that I was
planning to deploy on a very small scale.

Re-join the win clients after deletion: I'm not sure what you mean.
Leaving the domain, then deleting the computer accounts in the AD? What
would the purpose of that be?

Rowland and I came to the conclusion that it can't be a DNS issue. And I
checked the AD db, there are no errors there either.

Viktor

James

Nov 16, 2015, 11:40:04 AM
Is this with Samba internal DNS? What version of Samba? Your original OP
stated this to be the issue.

"The system failed to register host (A or AAA) resource records (RRs)
for network adapter with settings:"

This doesn't necessarily mean something is wrong. Are you using secure
or non-secure updates? Even though you are using static IP's, you will
find these entries if one of the following was to happen and dns updates
failed.

* An IP address was added or removed from the TCP/IP properties in Windows
* Enforcing ipconfig /registerdns from an elevated command prompt
* At startup

Based on what you have said, it appears all A records belonging to the
workstations are registered in DNS?


--
-James

Viktor Trojanovic

Nov 16, 2015, 11:40:04 AM


On 16.11.2015 17:06, Ole Traupe wrote:
> Viktor, reading your original post again, I find that the "Primary
> Domain Suffix" there is given as "SAMDOM.COM" while you claim that
> your domain name actually has the form of "samdom.example.com". Is
> this a typo, or does this actually differ?
>
> I am asking, because you can (at least in Win7) - in the system
> properties right where you give the domain name for the join - specify
> a "Primary DNS suffix for this computer". And if that has a typo, it
> might cause some problems.
>
> Ole
>
>

Good eye! :) No, that's just a mistake I made in my normalization
efforts. It's samdom.example.com

Viktor

Rowland Penny

Nov 16, 2015, 12:00:04 PM
You are probably right James, the OP initially gave the impression that
he didn't have the workstations records in DNS, this has been proven to
be incorrect, they are there. He also muddied the waters with saying
they are all fixed IPs, so it seems that everybody focussed in on DNS
problems, totally missing that it is a WINDOWS problem, see here:

http://support.simpledns.com/kb/a182/system-failed-to-register-host-resource-records-rrs-network-adapter___-warning-windows-event-log.aspx

So, to fix his problem, stop the windows machines from trying to
register their address in DNS.

A quick google found this, first on the list.

Rowland

Rowland Penny

Nov 16, 2015, 12:30:04 PM
On 16/11/15 17:18, Viktor Trojanovic wrote:
> Rowland, it might be that the linked page explains why the register
> fails but it doesn't say to solve the problem by stopping the machines
> to try to register their address. As you might have seen later in the
> discussion thread, there were differing opinions whether it is ok to
> uncheck that box or not. If dynamic registration is not
> needed/possible with Samba DNS and that box should be unchecked, then
> this might be something worth knowing, and maybe should be part of the
> wiki.
>
> Thanks for the help.
>
> Viktor
>

Dynamic updates are possible with Samba DNS but are not required if you
are using fixed IPs, if you do use DHCP, then you need to set up Samba
to allow dynamic updates.

I did ask if there was anything in syslog on the DC, but you didn't post
anything.

Viktor Trojanovic

Nov 16, 2015, 12:30:04 PM
Rowland, it might be that the linked page explains why the register
fails but it doesn't say to solve the problem by stopping the machines
to try to register their address. As you might have seen later in the
discussion thread, there were differing opinions whether it is ok to
uncheck that box or not. If dynamic registration is not needed/possible
with Samba DNS and that box should be unchecked, then this might be
something worth knowing, and maybe should be part of the wiki.

Thanks for the help.

James

Nov 16, 2015, 12:50:04 PM
This doesn't sound like an issue but the intended behavior of windows.

It's OK to uncheck that box if assigning IP addresses to workstations.
However I would advise against it. IP's would never get updated in DNS
if you needed to make a change to one of the workstations. You would
have to re-enable this check box and most importantly, remember to do
this manually. Opens room for headaches and additional administration.
A better solution would be to create a GPO to prevent dynamic updates.
This "error" can be safely ignored if you don't require dynamic updates.

Dynamic registration is required if not using static IP's. It's also
possible with Samba. This depends on the Samba version you are using and
if you're using the internal or bind solution.



--
-James

Viktor Trojanovic

Nov 16, 2015, 12:50:04 PM
Hi James,

You might have seen from the thread with Rowland that we excluded DNS as
an error source, so moved to other checks. But thanks!

L.P.H. van Belle

Nov 16, 2015, 1:00:03 PM
AH.. a clue..
> Dynamic registration is required if not using static IP's. It's also
> possible with Samba. This depends on the Samba version you are using and
> if you're using the internal or bind solution.

I'm using bind9 as dns; Viktor, you're using internal dns?




> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of James
> Sent: Monday, 16 November 2015 18:43
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Win Clients and DNS

James

Nov 16, 2015, 1:30:03 PM
You might also have seen where Rowland indicated I may be right?

--
-James

Viktor Trojanovic

Nov 16, 2015, 1:50:03 PM
Maybe I'm too tired but I have trouble understanding. So you're saying
that if I leave the check there, and some time down the road decide to
change an IP, it will register the correct IP back to the computer name.
But didn't we just establish that this update is not happening? Or are
there multiple types of DNS registration, such as dynamic and non-dynamic?

And thanks for the advice about the GPO, I will look into that.

By the way, just to be on the safe side: I'm using Samba internal DNS,
without any customizations, version 4.31.

Viktor Trojanovic

Nov 16, 2015, 1:50:03 PM
I completely missed that. I was following journalctl all the time but
there are no errors. It seems that I have to change some setting in
order for Samba to log there too, but I checked those logs now and there
isn't much, just a few of these:

dnsserver: Invalid zone operation IsSigned

That happened once, 8 hours ago, so probably not relevant. No other
error logs.

OK, since I have static IP's, register DNS seems not relevant for me. I
just wasn't aware that I have to register the clients manually.

Thanks,

Viktor Trojanovic

Nov 16, 2015, 1:50:04 PM


On 16.11.2015 18:57, L.P.H. van Belle wrote:
> AH.. a clue..
>> Dynamic registration is required if not using static IP's. It's also
>> possible with Samba. This depends on the Samba version you are using and
>> if you're using the internal or bind solution.
> I'm using bind9 as dns; Viktor, you're using internal dns?
>

Yes, and I think I mentioned that over and over again. :)

James

Nov 16, 2015, 2:00:03 PM
This is your problem

> I'm using Samba internal DNS, without any customizations, version 4.31.

It's a bug that causes signed secure updates to fail. Either enable
non-secure updates (I wouldn't advise) or switch to bind. I would do neither
as you are currently using static IP's. Disregard the error in event
viewer until an update or patch has been released.


Now to answer your questions

> Maybe I'm too tired but I have trouble understanding. So you're saying
> that if I leave the check there, and some time down the road decide to
> change an IP, it will register the correct IP back to the computer name?

Yes.

> But didn't we just establish that this update is not happening?

Yes.. BUT the update succeeds during join. It's on the subsequent
update attempts that fail. See above bug.

> Or are there multiple types of DNS registration, such as dynamic and
> non-dynamic?

You have dynamic and non dynamic updates. Dynamic meaning it's done for
you by workstation/DHCP server. Non-dynamic meaning by the Administrator.

--
-James

Rowland Penny

Nov 16, 2015, 2:10:03 PM
The bug shouldn't affect him, he isn't using DHCP!

>
>
> Now to answer your questions
>
> *Maybe I'm too tired but I have trouble understanding. So you're
> saying that if I leave the check there, and some time down the road
> decide to change an IP, it will register the correct IP back to the
> computer name?
>
> *Yes.*
>
> **But didn't we just establish that this update is not happening?
>
> *Yes..*BUT *the update succeeds during join. It's on the subsequent
> update attempts that fail. See above bug.
>
> *Or are there multiple types of DNS registration, such as dynamic and
> non-dynamic?
>
> *You have dynamic and non dynamic updates. Dynamic meaning it's done
> for your by workstation/DHCP server. Non-dynamic meaning by the
> Administrator.
>

Another word for dynamic could be 'automatic' , this means that
something without intervention of any person tries to update your dns
records. This is something that is not required if you use FIXED IPs, so
either turn them off on each individual windows client or use a GPO.

Rowland

Viktor Trojanovic

Nov 16, 2015, 2:10:04 PM
Thanks James, now it's a lot clearer. And very good to know about the bug.

Viktor

James

Nov 16, 2015, 2:40:04 PM
It doesn't matter if he isn't using DHCP. Windows clients by default
will attempt to register their A record with DNS upon start up, whether
assigned dynamically or statically. This is what Viktor stated.

> As I said, I can easily access them myself, it's just that error in the
> event log which makes it seem as if, during the startup phase, there is
> a problem to access certain information.

I'm taking this to believe he is seeing these errors in event viewer
"during the startup phase".


--
-James

Viktor Trojanovic

Nov 16, 2015, 3:20:04 PM
Yes, that's correct James. Thanks for clarifying this once more.