DNS issues when joining a domain

[root@fsdm01/etc/pam.d$] net ads join -U Administrator

Enter Administrator's password:
Using short domain name -- HOME
Joined 'FSDM01' to dns domain 'home.test-server.lan'
DNS Update for fsdm01.home.test-server.lan failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

[root@fsdm01/etc/pam.d$] nslookup home.test-server.lan

Server:		10.0.0.19
Address:	10.0.0.19#53

Name:	home.test-server.lan
Address: 10.0.0.19

[root@fsdm01/etc/pam.d$] nslookup dc01.home.test-server.lan

Server:		10.0.0.19
Address:	10.0.0.19#53

Name:	dc01.home.test-server.lan
Address: 10.0.0.19

[root@fsdm01/etc/pam.d$] nslookup 10.0.0.19

19.0.0.10.in-addr.arpa	name = home.test-server.lan.

[root@DC01~$] nslookup fsdm01.home.test-server.lan

Server:		10.0.0.1
Address:	10.0.0.1#53

** server can't find fsdm01.home.test-server.lan: SERVFAIL

[root@DC01~$] nslookup 10.0.0.17

** server can't find 17.0.0.10.in-addr.arpa: NXDOMAIN

[root@DC01~$] ping 10.0.0.17

PING 10.0.0.17 (10.0.0.17) 56(84) bytes of data.
64 bytes from 10.0.0.17: icmp_seq=1 ttl=64 time=0.426 ms
64 bytes from 10.0.0.17: icmp_seq=2 ttl=64 time=0.519 ms
^C
--- 10.0.0.17 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1304ms

Looks like your DC does not manage the DNS role.
Make sure all domain members use the same DNS controlled by you.
Then create the proper A/AAAA/PTR records on the DNS server.
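
The mismatch this reply points at, as an added example that is not part of the original thread: the script reads the nslookup transcripts posted above (embedded as copied samples) and reports which DNS server each host asked and whether the member's A and PTR lookups succeeded. The function names are hypothetical, and `live_check` assumes `dig` is installed; it is defined but not called.

```sh
#!/bin/sh
# Added example. Samples are copied from the transcripts in this thread.
MEMBER_VIEW='Server:         10.0.0.19
Address:        10.0.0.19#53

Name:   dc01.home.test-server.lan
Address: 10.0.0.19'
DC_VIEW="Server:         10.0.0.1
Address:        10.0.0.1#53

** server can't find fsdm01.home.test-server.lan: SERVFAIL"
DC_REVERSE="** server can't find 17.0.0.10.in-addr.arpa: NXDOMAIN"

# Resolver IP from the "Server:" line of an nslookup transcript.
resolver_of() {
    printf '%s\n' "$1" | awk '$1 == "Server:" { print $2; exit }'
}

# "ok" if the lookup answered, otherwise the failure code (SERVFAIL, NXDOMAIN).
lookup_status() {
    printf '%s\n' "$1" | awk '
        /server can.t find/ { print $NF; failed = 1; exit }
        END { if (!failed) print "ok" }'
}

# Succeeds only when both transcripts show the same, non-empty resolver.
same_resolver() {
    a=$(resolver_of "$1"); b=$(resolver_of "$2")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo "same resolver: $a"
    else
        echo "resolver mismatch: '$a' vs '$b'"; return 1
    fi
}

# Live variant (hypothetical helper, not called here): query one named server.
# usage: live_check fsdm01.home.test-server.lan 10.0.0.17 10.0.0.19
live_check() {
    echo "A:   $(dig +short @"$3" "$1" A)"
    echo "PTR: $(dig +short @"$3" -x "$2")"
}

report() {
    same_resolver "$MEMBER_VIEW" "$DC_VIEW" || true
    echo "A   fsdm01 as seen from DC01: $(lookup_status "$DC_VIEW")"
    echo "PTR 10.0.0.17 as seen from DC01: $(lookup_status "$DC_REVERSE")"
}
report
```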

DC01 has an A and PTR record but not AAAA.

[root@DC01/var/log/samba$] dig -x 10.0.0.19

; <<>> DiG 9.16.15-Debian <<>> -x 10.0.0.19
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50729
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;19.0.0.10.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
19.0.0.10.in-addr.arpa.	900	IN	PTR	home.test-server.lan.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.	3600	IN	SOA	DC01.home.test-server.lan. hostmaster.home.test-server.lan. 3 900 600 86400 3600

;; Query time: 3 msec
;; SERVER: 10.0.0.19#53(10.0.0.19)
;; WHEN: Sun Oct 31 21:18:44 EDT 2021
;; MSG SIZE  rcvd: 126

[root@DC01/var/log/samba$] dig home.test-server.lan ANY +noall +answer

home.test-server.lan.	3600	IN	SOA	DC01.home.test-server.lan. hostmaster.home.test-server.lan. 179 900 600 86400 3600
home.test-server.lan.	900	IN	NS	dc01.home.test-server.lan.
home.test-server.lan.	900	IN	A	10.0.0.19

Create the required resource records for host fsdm01 on your DNS server.

But isn’t the problem with DC01? It should be updating records, right?

[root@DC01/var/log/samba$] samba_dnsupdate --verbose --all-names

IPs: ['10.0.0.19']
force update: A DC01.home.test-server.lan 10.0.0.19
force update: CNAME f79b5e15-ea2b-4afd-a8ca-bb16e2531521._msdcs.home.test-server.lan DC01.home.test-server.lan
force update: NS home.test-server.lan DC01.home.test-server.lan
force update: NS _msdcs.home.test-server.lan DC01.home.test-server.lan
force update: A home.test-server.lan 10.0.0.19
force update: SRV _ldap._tcp.home.test-server.lan DC01.home.test-server.lan 389
force update: SRV _ldap._tcp.dc._msdcs.home.test-server.lan DC01.home.test-server.lan 389
force update: SRV _ldap._tcp.3cc42946-b7ec-46c9-9760-1d885e427ca9.domains._msdcs.home.test-server.lan DC01.home.test-server.lan 389
force update: SRV _kerberos._tcp.home.test-server.lan DC01.home.test-server.lan 88
force update: SRV _kerberos._udp.home.test-server.lan DC01.home.test-server.lan 88
force update: SRV _kerberos._tcp.dc._msdcs.home.test-server.lan DC01.home.test-server.lan 88
force update: SRV _kpasswd._tcp.home.test-server.lan DC01.home.test-server.lan 464
force update: SRV _kpasswd._udp.home.test-server.lan DC01.home.test-server.lan 464
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.home.test-server.lan DC01.home.test-server.lan 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.home.test-server.lan DC01.home.test-server.lan 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.home.test-server.lan DC01.home.test-server.lan 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.home.test-server.lan DC01.home.test-server.lan 88
force update: SRV _ldap._tcp.pdc._msdcs.home.test-server.lan DC01.home.test-server.lan 389
force update: A gc._msdcs.home.test-server.lan 10.0.0.19
force update: SRV _gc._tcp.home.test-server.lan DC01.home.test-server.lan 3268
force update: SRV _ldap._tcp.gc._msdcs.home.test-server.lan DC01.home.test-server.lan 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.home.test-server.lan DC01.home.test-server.lan 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.home.test-server.lan DC01.home.test-server.lan 3268
force update: A DomainDnsZones.home.test-server.lan 10.0.0.19
force update: SRV _ldap._tcp.DomainDnsZones.home.test-server.lan DC01.home.test-server.lan 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.home.test-server.lan DC01.home.test-server.lan 389
force update: A ForestDnsZones.home.test-server.lan 10.0.0.19
force update: SRV _ldap._tcp.ForestDnsZones.home.test-server.lan DC01.home.test-server.lan 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.home.test-server.lan DC01.home.test-server.lan 389
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/DC01.home.test-server.lan as DC01$
update(nsupdate): A DC01.home.test-server.lan 10.0.0.19
Calling nsupdate for A DC01.home.test-server.lan 10.0.0.19 (add)
Successfully obtained Kerberos ticket to DNS/DC01.home.test-server.lan as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DC01.home.test-server.lan. 900	IN	A	10.0.0.19

...

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.home.test-server.lan DC01.home.test-server.lan 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.home.test-server.lan DC01.home.test-server.lan 389 (add)
Successfully obtained Kerberos ticket to DNS/DC01.home.test-server.lan as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.home.test-server.lan. 900 IN SRV 0 100 389 DC01.home.test-server.lan.

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
Failed update of 29 entries

It depends on how the DNS role is configured in your case.
I used to run Samba AD DC with Dnsmasq a few years ago.

Full disclosure. I created 2 Debian VMs and 1 Fedora VM and all I did was set up Samba. I didn’t do any DNS configuration. I set one Debian as the DC and the other two are members. The Debian member joined with no problem. Fedora, not so much. I got this:

[root@fsdm01~$] net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- HOME
Joined 'FSDM01' to dns domain 'home.test-server.lan'
DNS Update for fsdm01.home.test-server.lan failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

The Debian server joined w/o the DNS errors. So I don’t know if it is the Debian DC or the Fedora DM. The above makes me feel the issue is with Fedora since the Debian DM didn’t give this error. However, those previous DNS errors were from the Debian DC.

Try to isolate the issue by switching SELinux to permissive mode and re-joining the domain.

[root@fsdm01~$] getenforce

Permissive

It has been in this state from the start.