What can I do if my administrative client gets the wrong DNS server record?

In school environments with both educational and administrative servers, clients in the administrative network may receive the educational DNS server via DHCP. Since the educational school server must not be reachable from the administrative network, DNS does not work for any of the administrative clients.

The cause of this problem is that the DHCP server checks the DHCP host objects first for DNS server settings, and only if no DNS server setting is found there is the subnet checked.

To analyse whether DNS fails because of this issue, take the following steps:

1. Check if a policy has an effect on a client

univention-ldapsearch cn=011win99-01 dn
univention-policy-result -D $(ucr get ldap/hostdn) -y /etc/machine.secret cn=011win99-01,cn=dhcp,ou=011,dc=schulen,dc=example,dc=org
Policy: cn=ou-default-ucr-policy,cn=policies,ou=011,dc=schulen,dc=example,dc=org
Attribute: univentionRegistry;entry-hex-64686370642f6c6461702f62617365
Value: cn=dhcp,ou=011,dc=schulen,dc=example,dc=org

Policy: cn=dhcp-dns-011,cn=policies,ou=011,dc=schulen,dc=example,dc=org
Attribute: univentionDhcpDomainName
Value: example.org

Policy: cn=dhcp-dns-011,cn=policies,ou=011,dc=schulen,dc=example,dc=org
Attribute: univentionDhcpDomainNameServers
Value: 10.200.43.51

Policy: cn=default-settings,cn=routing,cn=dhcp,cn=policies,dc=example,dc=org
Attribute: univentionDhcpRouters
Value: 10.200.43.1

Policy: cn=default-settings,cn=boot,cn=dhcp,cn=policies,dc=example,dc=org
Attribute: univentionDhcpBootServer
Value: 172.16.100.10

Policy: cn=default-settings,cn=boot,cn=dhcp,cn=policies,dc=example,dc=org
Attribute: univentionDhcpBootFilename
Value: pxelinux.0

2. Get all objects that are affected by the policy

univention-ldapsearch univentionPolicyReference=cn=dhcp-dns-011,cn=policies,cn=dhcp,ou=011,dc=schulen,dc=example,dc=org
dn: cn=dhcp,ou=011,dc=schulen,dc=example,dc=org
objectClass: top
objectClass: organizationalRole
objectClass: univentionObject
objectClass: univentionPolicyReference
univentionObjectType: container/cn
cn: dhcp
univentionPolicyReference: cn=default-settings,cn=boot,cn=dhcp,cn=policies,dc=
 example,dc=org
univentionPolicyReference: cn=default-settings,cn=routing,cn=dhcp,cn=policies,
 dc=example,dc=org
univentionPolicyReference: cn=dhcp-dns-011,cn=policies,ou=011,dc=example,
 dc=org

3. Delete the policy “dhcp-dns-011” via udm

udm dhcp/service modify --dn cn=dhcp,ou=011,dc=schulen,dc=example,dc=org --policy-dereference cn=dhcp-dns-011,cn=policies,cn=dhcp,ou=011,dc=schulen,dc=example,dc=org

Attention:

This will work until the next run of 62ucs-school-slave.inst.
In http://docs.software-univention.de/ucsschool-handbuch-4.1R2.html#school:windows:samba there is already a notice on how to deactivate the automatic assignment of the DHCP-DNS policy at the cn=dhcp,ou=… container:

ucr set ucsschool/import/generate/policy/dhcp/dns/set_per_ou=false
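
The check from step 1 can be scripted. The following shell sketch is an added example, not part of the original article or of Univention's tooling: it parses univention-policy-result output and reports which policy sets univentionDhcpDomainNameServers for a DHCP host object. The embedded sample is shortened from the output shown in step 1, and the administrative DNS address 10.200.44.51 is a made-up value.

```shell
#!/bin/sh
# Added example: find which policy hands a DHCP host object its DNS server.

# Sample input: univention-policy-result output from step 1 (shortened).
sample_policy_result() {
cat <<'EOF'
Policy: cn=dhcp-dns-011,cn=policies,ou=011,dc=schulen,dc=example,dc=org
Attribute: univentionDhcpDomainName
Value: example.org

Policy: cn=dhcp-dns-011,cn=policies,ou=011,dc=schulen,dc=example,dc=org
Attribute: univentionDhcpDomainNameServers
Value: 10.200.43.51

Policy: cn=default-settings,cn=routing,cn=dhcp,cn=policies,dc=example,dc=org
Attribute: univentionDhcpRouters
Value: 10.200.43.1
EOF
}

# Print "<policy DN><TAB><DNS server>" for each DNS server set by a policy.
dns_policies() {
    awk '
        /^Policy: /    { policy = substr($0, 9);  next }
        /^Attribute: / { attr   = substr($0, 12); next }
        /^Value: / && attr == "univentionDhcpDomainNameServers" {
            printf "%s\t%s\n", policy, substr($0, 8)
        }'
}

# Return 0 if every policy-supplied DNS server equals the expected one ($1);
# otherwise name the offending policy and return 1.
check_dns() {
    dns_policies | awk -F '\t' -v want="$1" '
        $2 != want { printf "wrong DNS %s set by %s\n", $2, $1; bad = 1 }
        END { exit bad + 0 }'
}

# Assumption: 10.200.44.51 is a made-up administrative DNS server address.
sample_policy_result | check_dns 10.200.44.51 ||
    echo "host object inherits a DNS policy that overrides the subnet setting"
```

On a real system, replace sample_policy_result with the univention-policy-result call from step 1 and pass the DNS server the administrative subnet is supposed to hand out.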