UCS DNS Issues

dns

#1

Hello All,

I have two issues I’m presently encountering with deploying UCS, and it is all centered around DNS.

First:

My domain say example.com has a name server with glue records et al. But I want users connected to the DOmain Controller to think all the name server they have is DC’s hostname and any other back up DC I provide and not see the organisation’s Name server. Every A record entered on the nameserver would be entered on the PDC so there won’t be any break as far as reaching records in the example.com domain. Also all queries my DC does not know about would be forwarded to the Name Server of the organisation.
This is presently set up, but anytime I do a nslookup on computers connected to the DC, I see my organisation’s nameserver instead of the PDC. Has anyone experienced this before?

Please help!

Second:

I get this error message:

DNS Check
Caution! The DNS service record for the UCS Master was not found in the DNS server.
Details are explained in the Support Database.

I have gone through the support database which says:

No domaincontroller_master SRV record and how to create it in the AD DNS
To join a domain, UCS systems lookup the hostname of the UCS Master from the DNS service record _domaincontroller_master._tcp. In case a UCS server is joind into an Active Directory domain by means of the Active Directory Connection setup, this service (SRV) record needs to be present in the DNS Server running on the responsible Active Directory DC. The record can be created manually by executing the following steps on the system running the DNS server:

Open the DNS Manager
In the navigation tree open the Forward Lookup Zones open the DNS zone of the domain
Below the DNS forward zone of the domain open the folder branch named _tcp, right click on it and select Other New Records
In the new dialog select Service Location and click on Create Record
In the Service field, enter _domaincontroller_master
In the Protocol field, enter _tcp
In the fields Priority, Weight and Port number choose 0
In the Host offering this service field, enter the fully qualified domain name of the UCS Master
Confirm by clicking OK

And I can confirm I have the record in my DNS Manager. Can anyone explain why I keep getting this error message?

Thanks in Advance.


#2

Hi,

maybe I am not completely able to understand your approach but it looks to me like you are trying to set up UCS in/for the same DNS-domain “example.com” which is already configured on another NS.
I would try to avoid this if possible and use a subdomain or something else for UCS or completely switch to UCS-provided DNS for this domain.

Best Regards,
Dirk Ahrnke


#3

Hello Dirk,

My use case does not “permit” me using a sub domain. I need to break the dns (systems connected to the DC seeing just the DC) and others seeing organisation’s dns server as their name server. Any ideas on how to approach this?


#4

Hi,

the only explanation for the behaviour mentioned in your first post is that at some point the external DNS for “example.com” is contacted.
Given that your clients are configured in a way to contact the UCS DNS only there is a chance that you can control this on the UCS.

I would first try to switch off all forwarders and check that the domain is resolved as expected. Local tests done on the command line on the server by using “dig” will give the best informations.
Once you are sure that this works you can enable the forwarders or set “dns/fakeroot=no” to use the internal DNS traversal.

Best regards,
Dirk


#5

I can confirm right now a 3rd time, that this happen. No AD machine, Windows and Linux can login.
The records appear as described to enter within the DNS settings


#6

It was working well some weeks, this error came suddenly over night


#7

As far as I can see the original post in this thread was dealing with a specific DNS setup and I have provided some ideas for a workaround. I dont know what “this happens” means in this context and how your problem “no … machine … can login” is related.


#8

Ok, thx for the reminder. It was a bit short
Yes, we we already had 3 times “lost” our domain controller. No specific reason identified.

When following the procedure:
NS Check
Caution! The DNS service record for the UCS Master was not found in the DNS server.
Details are explained in the Support Database.

The entry was there, same as described.

The first 2 times, we had to setup new to fix it.
The 3rd time, I was found within the registry, when entering our subnet 192.168.1 some strange results like 192.168.1.23, an IP we not have for DNS servers.
After correcting those and networking restart, the error was gone and new machines could join the AD again.

MfG
Olaf Schutze


#9

Hard to say what exactly leads to the problem but I’ll try to provide some pointers where to look next time.

The first thing is the local DNS-resolver as this is most likely being used by the health check. The /etc/resolv.conf is using the UCR-variables nameserver1 to nameserver3. I’d only specify UCS-based nameservers here.
Check all listed nameservers in resolv.conf.
example:

root@ucs-5084:/# dig +short -t SRV _domaincontroller_master._tcp.mydomain.intranet @192.168.133.168
0 0 0 ucs-5084.mydomain.intranet.

All servers should provide the same result.
For AD-based services there are additional SRV-records like _kerberos._tcp… and _ldap._tcp… to check.

Always check who is answering, especially when using “dig”, “host” or even “nslookup” without specifying a dedicated server to ask.

I dont know if external forwarders (UCRV: dns/forwarder1 …) can be taken into account too, but in case they are also providing partial DNS-informations, especially SRV-records for the domain, I’d check them too.

hth,
Dirk