Topic: DNS records of domain machines doesn't update

Maekar

DNS records of domain machines doesn't update
« on: December 12, 2019, 11:00:09 am »
We continue with DNS problems, I regret the day we updated the old Zentyal Server from 3.5...

All the devices in our network have dynamic IP.
The DHCP server is not the Zentyal machine, because we have around 1500 devices and only 100 are in the domain.
So the domain clients have dynamic IPs, except that the Zentyal server is manually set as their primary DNS.

Now I've noticed that nslookup answers are not updated with the current IP for a couple of computers I recently replaced, and that is the reason they can't connect to a shared printer.

How can I force the update of these records?

Thanks in advance

« Last Edit: December 12, 2019, 11:01:43 am by Maekar »

Maekar

Re: DNS records of domain machines doesn't update
« Reply #1 on: December 12, 2019, 01:13:49 pm »
I think Dynamic DNS is not working, according to this: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Updating_the_DNS_Fails:_NOTAUTH

If I test dynamic DNS with samba_dnsupdate --verbose --all-names I get the NOTAUTH error. "If BIND uses incorrect Kerberos settings on the Samba Active Directory (AD) domain controller (DC), dynamic DNS updates fail".

Any way to fix this without breaking anything else? For the moment, I've added a static IP on the affected computers, but it's not a solution...

PS: Zentyal is in 6.1.1

« Last Edit: December 12, 2019, 02:35:44 pm by Maekar »

doncamilo

Re: DNS records of domain machines doesn't update
« Reply #2 on: December 12, 2019, 06:02:11 pm »
 :)

Are all your zentyal packages updated? Did you check APT looking for broken packages?

Code:
dpkg -l | grep -Ev '^(ii|rc)'

Did you check /var/log/zentyal/zentyal.log, etc?

Cheers!
"May you enjoy as much health as the kindness you harbor in your heart"

Don Camilo.

"That place... is strong with the
dark side of the Force.  A domain
of evil it is.  In you must go."

Yoda.

Maekar

Re: DNS records of domain machines doesn't update
« Reply #3 on: December 14, 2019, 05:32:28 pm »
Hi, I did it and nothing seems wrong to me.
No broken packages, all are updated, no errors in zentyal.log...
I repeated the samba_dnsupdate test and this time it does not return errors.

Our environment is really simple. We did a clean installation of Zentyal 6.0 last summer and configured the domain from scratch, without restoring any backup. Then we updated to 6.1 from the dashboard without errors, and all those problems came.

Dynamic DNS updates are not working at all for domain clients.

And what is worse: I'm having complaints again about DNS and Youtube on client machines, I wonder if it is related: https://forum.zentyal.org/index.php/topic,34793.0.html

Thanks!

« Last Edit: December 14, 2019, 05:40:25 pm by Maekar »

doncamilo

Re: DNS records of domain machines doesn't update
« Reply #4 on: December 16, 2019, 03:18:01 pm »
 :)

Hi Maekar,

Dynamic DNS issues have been fixed in Zentyal 6.1. You can view the changes introduced here https://github.com/zentyal/zentyal/commit/5196c981bc077e148118180dd29587d603f89264

Cheers!

Maekar

Re: DNS records of domain machines doesn't update
« Reply #5 on: December 18, 2019, 10:55:26 am »
Hi,

Our Zentyal is updated (even today to version 6.1.2) and as I said before, there is no broken package or anything similar.

It may not be the same problem with the Dynamic DNS that was fixed in the previous update.

Normally we use RSAT to remove clients from the domain before they are replaced with new computers, which have the same hostname as the old ones. That's the only use of RSAT we make.
Is it possible that this may be related to the Dynamic DNS malfunction?
As I say, client IPs are not updated if the DHCP server assigns them a different one; the Zentyal server always resolves with the old ones.

Thanks for the help @doncamilo

doncamilo

Re: DNS records of domain machines doesn't update
« Reply #6 on: December 18, 2019, 03:26:22 pm »
 :)

Do you have apparmor enabled? I have found some little issue with the existent apparmor profile for dhcpd.

Check the /var/log/syslog and paste here the dynamic dns related records.

Cheers!

Maekar

Re: DNS records of domain machines doesn't update
« Reply #7 on: December 19, 2019, 01:02:31 pm »
Hi,

DHCP module is not even installed in our Zentyal. The DHCP server in our network is another server (OPNSense).

We have detected two major issues with DNS and Zentyal right now:

1) Zentyal doesn't update DNS records for domain clients. There are clients with Windows 7 and clients with Windows 10. There are clients that were in the old domain (from which we do not restore anything) and there are clients that are completely new machines.

2) Many clients have a DNS error when browsing to Youtube. Apparently this error is random. Sometimes Youtube works well, sometimes it doesn't. It only happens on domain clients. When this error is happening, if I change the primary DNS to anything else, the problem disappears... and returns if I put Zentyal as primary DNS resolver again. I tried the "rndc flush" and reload commands you suggested in the other topic, but if it works, it doesn't last long. I read about the "forward only;" parameter in Bind instead of "forward first;" but I don't know how that will affect Zentyal or the domain.

In /var/log/syslog I can see this:

Dec 19 12:47:15 zserver named[1517]: samba_dlz: starting transaction on zone XXXXXXXXXX.lan
Dec 19 12:47:15 zserver named[1517]: client @0x7f296804f880 10.0.7.191#65371: update 'XXXXXXXXX.lan/IN' denied
Dec 19 12:47:15 zserver named[1517]: samba_dlz: cancelling transaction on zone XXXXXXXXXXXX.lan


And some others like this:

Dec 19 13:12:40 zserver named[1517]: samba_dlz: starting transaction on zone XXXXXXXX.lan
Dec 19 13:12:40 zserver named[1517]: samba_dlz: disallowing update of signer=XXXXX\$\@XXXXXXX.LAN name=XXXXX.XXXXXX.lan type=AAAA error=insufficient access rights
Dec 19 13:12:40 zserver named[1517]: client @0x7f296c04cfa0 10.0.3.62#64916/key XXXXXX\$\@XXXXXXXXX.LAN: updating zone 'XXXXXXXXX.lan/NONE': update failed: rejected by secure update (REFUSED)
Dec 19 13:12:40 zserver named[1517]: samba_dlz: cancelling transaction on zone XXXXXXXXX.lan



I don't know where to look. As I said before, we didn't configure anything rare or advanced. The configuration is quite simple: just a domain controller, set up from scratch last summer with a clean Zentyal 6.0 image. Now, updated to 6.1.2.


Thanks



« Last Edit: December 19, 2019, 01:43:29 pm by Maekar »
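
An added example, not part of the original posts: a small Python parser that separates the two failure modes visible in the syslog excerpts above, an update with no signing key that named denies outright and a signed update that samba_dlz refuses for insufficient access rights. The sample lines are constructed with placeholder names (example.lan, PC01$), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample modelled on the syslog excerpts quoted in the post above;
# host, zone and account names are placeholders.
SAMPLE = r"""
Dec 19 12:47:15 zserver named[1517]: client @0x7f296804f880 10.0.7.191#65371: update 'example.lan/IN' denied
Dec 19 13:12:40 zserver named[1517]: samba_dlz: starting transaction on zone example.lan
Dec 19 13:12:40 zserver named[1517]: samba_dlz: disallowing update of signer=PC01\$\@EXAMPLE.LAN name=pc01.example.lan type=AAAA error=insufficient access rights
Dec 19 13:12:40 zserver named[1517]: client @0x7f296c04cfa0 10.0.3.62#64916/key PC01\$\@EXAMPLE.LAN: updating zone 'example.lan/NONE': update failed: rejected by secure update (REFUSED)
Dec 19 13:12:40 zserver named[1517]: samba_dlz: cancelling transaction on zone example.lan
""".strip().splitlines()

# No "/key <principal>" after the client address: the update was not signed.
UNSIGNED = re.compile(r"client @\S+ (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^/']+)/\w+' denied")
# samba_dlz names the signing principal and the record it refused to change.
DISALLOW = re.compile(r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
                      r"name=(?P<name>\S+) type=(?P<rtype>\S+) error=(?P<error>.+)$")
# named then reports the refusal together with the client address.
REFUSED = re.compile(r"client @\S+ (?P<ip>[\d.]+)#\d+/key (?P<signer>\S+): "
                     r".*rejected by secure update \(REFUSED\)")

def principal(raw):
    """Undo the backslash escaping seen in the logged principal name."""
    return raw.replace("\\", "")

def classify(lines):
    """Return one finding per failed dynamic update, in log order."""
    findings, pending = [], {}
    for line in lines:
        if m := UNSIGNED.search(line):
            findings.append({"kind": "unsigned_denied", "client": m["ip"], "zone": m["zone"]})
        elif m := DISALLOW.search(line):
            d = m.groupdict()
            pending[principal(d.pop("signer"))] = d   # wait for the client line
        elif m := REFUSED.search(line):
            signer = principal(m["signer"])
            findings.append({"kind": "signed_refused", "client": m["ip"],
                             "signer": signer, **pending.pop(signer, {})})
    return findings

def refused_by_account(findings):
    """Count refused signed updates per machine account."""
    return Counter(f["signer"] for f in findings if f["kind"] == "signed_refused")

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

Run against the real /var/log/syslog, the per-account count shows which machine accounts are authenticating correctly but lack rights on their own record, as opposed to clients whose updates carry no key at all.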

doncamilo

Re: DNS records of domain machines doesn't update
« Reply #8 on: December 19, 2019, 04:13:11 pm »
 :)

You don't use the Zentyal dhcp server. As a consequence Zentyal doesn't create the dhcpd-user who manages the dynamic dns updates. You have to create in the domain the "XXXXX\$\@XXXXXXX.LAN" user and grant him the needed rights.
Let me know if it fixes your issue.

Cheers!