OD, Kerberos and DNS

Hi,
Here's the debug log file when I'm trying to connect to Kerio webmail with an OD user.
I get the following error:
'Cannot resolve network address for KDC in requested realm'
kinit <user> works fine though.
Any clue?
tia
Jeff
[18/Nov/2010 16:20:37][2982424576] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2982424576] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2982424576] {dns} Got answer
[18/Nov/2010 16:20:37][2982424576] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2982424576] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2982424576] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2982424576] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2982424576] {dns} Got answer
[18/Nov/2010 16:20:37][2982424576] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2982424576] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2983481344] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2983481344] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2983481344] {dns} Got answer
[18/Nov/2010 16:20:37][2983481344] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2983481344] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2984538112] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2984538112] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2984538112] {dns} Got answer
[18/Nov/2010 16:20:37][2984538112] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2984538112] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2985594880] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2985594880] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2985594880] {dns} Got answer
[18/Nov/2010 16:20:37][2985594880] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2985594880] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2986651648] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2986651648] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2986651648] {dns} Got answer
[18/Nov/2010 16:20:37][2986651648] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2986651648] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2999332864] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: Looking up in cache...
[18/Nov/2010 16:20:37][2999332864] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: found in cache [email protected]
[18/Nov/2010 16:20:39][2998276096] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: Looking up in cache...
[18/Nov/2010 16:20:39][2998276096] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: found in cache [email protected]
[18/Nov/2010 16:20:42][2996162560] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: Looking up in cache...
[18/Nov/2010 16:20:42][2996162560] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: found in cache [email protected]
[18/Nov/2010 16:20:42][2986651648] {ldapdb} [email protected]: Looking up in cache...
[18/Nov/2010 16:20:42][2986651648] {ldapdb} Acquired connection to the LDAP server: "MAIL.2P2L.DOC". Pool slot: 0; Thread ID: 2986651648
[18/Nov/2010 16:20:42][2986651648] {ldapdb} LDAP search request: filter="(&(objectclass=apple-user)(&(uid=jeff))(kerio-Mail-Active=*))", base DN="cn=users,dc=mail,dc=2p2l,dc=doc", scope=2. ThreadId: 2986651648
[18/Nov/2010 16:20:42][2986651648] {ldapdb} Performing LDAP search using no server side controls. Thread Id: 2986651648.
[18/Nov/2010 16:20:42][2986651648] {ldapdb} Result of last LDAP search is 0. Thread Id: 2986651648.
[18/Nov/2010 16:20:42][2986651648] {ldapdb} LDAP search result: (0) "Success". ThreadId: 2986651648
[18/Nov/2010 16:20:42][2986651648] {ldapdb} LDAP search request: filter="(memberUid=jeff)", base DN="cn=groups,dc=mail,dc=2p2l,dc=doc", scope=2. ThreadId: 2986651648
[18/Nov/2010 16:20:42][2986651648] {ldapdb} Performing LDAP search using no server side controls. Thread Id: 2986651648.
[18/Nov/2010 16:20:42][2986651648] {ldapdb} Result of last LDAP search is 0. Thread Id: 2986651648.
[18/Nov/2010 16:20:42][2986651648] {ldapdb} LDAP search result: (0) "Success". ThreadId: 2986651648
[18/Nov/2010 16:20:42][2986651648] {ldapdb} LDAP connection was returned back to pool slot: 0. ThreadId: 2986651648
[18/Nov/2010 16:20:42][2986651648] {auth} Krb5: entering auth (user: [email protected])
[18/Nov/2010 16:20:42][2986651648] {auth} Krb5: getinit_credspassword(krbtgt/[email protected], [email protected]): Cannot resolve network address for KDC in requested realm, error code 0x96c73adc (-1765328164)

[24/Nov/2010 14:47:39][2984005632] {ldapdb} [email protected]: Looking up in cache...
[24/Nov/2010 14:47:39][2984005632] {ldapdb} Acquired connection to the LDAP server: "MAIL.2P2L.INFO". Pool slot: 0; Thread ID: 2984005632
[24/Nov/2010 14:47:39][2984005632] {ldapdb} LDAP search request: filter="(&(objectclass=apple-user)(&(uid=jeff))(kerio-Mail-Active=*))", base DN="cn=users,dc=mail,dc=2p2l,dc=info", scope=2. ThreadId: 2984005632
[24/Nov/2010 14:47:39][2984005632] {ldapdb} Performing LDAP search using no server side controls. Thread Id: 2984005632.
[24/Nov/2010 14:47:39][2984005632] {ldapdb} Result of last LDAP search is 0. Thread Id: 2984005632.
[24/Nov/2010 14:47:39][2984005632] {ldapdb} LDAP search result: (0) "Success". ThreadId: 2984005632
[24/Nov/2010 14:47:39][2984005632] {ldapdb} LDAP search request: filter="(memberUid=jeff)", base DN="cn=groups,dc=mail,dc=2p2l,dc=info", scope=2. ThreadId: 2984005632
[24/Nov/2010 14:47:39][2984005632] {ldapdb} Performing LDAP search using no server side controls. Thread Id: 2984005632.
[24/Nov/2010 14:47:39][2984005632] {ldapdb} Result of last LDAP search is 0. Thread Id: 2984005632.
[24/Nov/2010 14:47:39][2984005632] {ldapdb} LDAP search result: (0) "Success". ThreadId: 2984005632
[24/Nov/2010 14:47:39][2984005632] {ldapdb} LDAP connection was returned back to pool slot: 0. ThreadId: 2984005632
[24/Nov/2010 14:47:39][2984005632] {auth} Krb5: entering auth (user: [email protected])
[24/Nov/2010 14:47:39][2984005632] {auth} Krb5: user [email protected] authenticated.
[24/Nov/2010 14:47:49][2985062400] {dns} Searching cache for MX records for host 2p2l.com
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sending email to SMTP server relay1.completel.fr, delivering mail from <[email protected]>
[24/Nov/2010 14:47:49][2985062400] {dns} Searching cache for A records for host relay1.completel.fr
[24/Nov/2010 14:47:49][2985062400] {smtpc} Connecting to 213.245.2.2 (relay1.completel.fr)...
[24/Nov/2010 14:47:49][2985062400] {smtpc} Connected to relay1.completel.fr
[24/Nov/2010 14:47:49][2985062400] {smtpc} Received greeting: 220 mx8.cptl.sdv.fr ESMTP Postfix
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sending EHLO
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sent MAIL command
[24/Nov/2010 14:47:49][2985062400] {smtpc} Got reply: 250 2.1.0 Ok
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sent RCPT TO: <[email protected]>
[24/Nov/2010 14:47:49][2985062400] {smtpc} Got reply: 550 5.1.8 <[email protected]>: Sender address rejected: Domain not found
[24/Nov/2010 14:47:49][2985062400] {smtpc} Recipient <[email protected]> not accepted: 550 5.1.8 <[email protected]>: Sender address rejected: Domain not found
[24/Nov/2010 14:47:49][2985062400] {smtpc} No recipient succeeded
[24/Nov/2010 14:47:49][2985062400] {smtpc} QUIT sent, got reply: 221 2.0.0 Bye
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sending email to SMTP server relay2.completel.fr, delivering mail from <[email protected]>
[24/Nov/2010 14:47:49][2985062400] {dns} Searching cache for A records for host relay2.completel.fr
[24/Nov/2010 14:47:49][2985062400] {smtpc} Connecting to 213.245.2.2 (relay2.completel.fr)...
[24/Nov/2010 14:47:49][2985062400] {smtpc} Connected to relay2.completel.fr
[24/Nov/2010 14:47:49][2985062400] {smtpc} Received greeting: 220 mx7.cptl.sdv.fr ESMTP Postfix
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sending EHLO
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sent MAIL command
[24/Nov/2010 14:47:49][2985062400] {smtpc} Got reply: 250 2.1.0 Ok
[24/Nov/2010 14:47:49][2985062400] {smtpc} No recipient succeeded
[24/Nov/2010 14:47:49][2985062400] {smtpc} QUIT sent, got reply: 221 2.0.0 Bye
What's just missing?
tia
Jeff

Similar Messages

  • OD, LDAP and DNS

    I am new to LDAP and I believe I have everything set up correctly on the server (everything under Open Directory in SA says "Running", logs don't show any errors). However, I cannot access the LDAP server from a client machine using Directory Access. I suspect that client machines still cannot "see" my LDAP server.
    I believe the issue may be with DNS and I am trying to understand the interaction between DNS and OD, etc. First off, I do not have DNS turned on for my Mac OS X Server since my ISP has always hosted our DNS. Is this a problem? Do I need DNS activated on the same server that I am running this LDAP server? I have tried entering the IP and DNS name on the client server using Directory Access and neither worked.

    The requirement is that references using your server's Fully Qualified Domain Name look up to its IP Address and its IP Address looks up to its Fully Qualified Domain Name. If your ISP does that for you, and does it correctly, Merry Christmas!
    All others must set up their own tiny DNS service to do the lookups. If you are behind an NAT firewall, you can Make Up whatever names you like and look them up locally, because they are invisible from the Internet.
    Remember that each workstation must have the address of the DNS available to it. It needs to be configured in the TCP/IP setup or dispensed via DHCP. If you use your own DNS (highly recommended) you must also dispense or configure the next upstream DNS (your ISP's DNS Address).
    "An Open Directory master requires properly configured DNS so it can provide single sign-on Kerberos authentication.
    Make sure DNS service is configured to resolve fully qualified DNS names and provide corresponding reverse lookups.
    DNS must resolve the fully qualified DNS name and provide reverse lookups for the Open Directory master server, all replica servers, and other servers that are members of the Kerberos realm.
    You can use the Lookup pane of Network Utility (in /Applications/Utilities/) to do a DNS lookup of a server's DNS name and a reverse lookup of the server's IP address.
    For instructions on setting up DNS service, browse Network Services Overview."
    -- from Server Admin 10.4 Help: Kerberos is Stopped on an Open Directory Master or Replica
    Message was edited by: Grant Bennet-Alder
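
The forward and reverse lookup requirement quoted above, as an added example that is not part of the original posts: a Python check that each server in a Kerberos realm resolves to an address whose PTR record gives back the same fully qualified name. The host names, addresses and the `SAMPLE_A`/`SAMPLE_PTR` tables are constructed; pass `live_forward` and `live_reverse` instead to query the system resolver.

```python
"""Added example: forward/reverse DNS consistency check for Kerberos realm hosts."""
import socket

# Constructed sample zone data (hypothetical names, documentation addresses).
SAMPLE_A = {
    "od-master.example.lan": {"192.0.2.10"},
    "od-replica.example.lan": {"192.0.2.11"},
    "mail.example.lan": {"192.0.2.25"},
}
SAMPLE_PTR = {
    "192.0.2.10": "od-master.example.lan.",  # matches (trailing dot as DNS returns it)
    # 192.0.2.11 deliberately has no PTR record
    "192.0.2.25": "reverse.isp.example",     # generic provider PTR, not the server name
}


def normalize(name):
    """Compare DNS names case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()


def sample_forward(name):
    """A-record lookup against the constructed table."""
    return set(SAMPLE_A.get(normalize(name), set()))


def sample_reverse(ip):
    """PTR lookup against the constructed table; None when there is no record."""
    return SAMPLE_PTR.get(ip)


def live_forward(name):
    """A-record lookup through the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except OSError:
        return set()


def live_reverse(ip):
    """PTR lookup through the system resolver; None when the lookup fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_host(fqdn, forward, reverse):
    """Return a list of problems for one host; an empty list means it is consistent."""
    problems = []
    if "." not in normalize(fqdn):
        problems.append(f"{fqdn}: not a fully qualified name")
    addresses = forward(fqdn)
    if not addresses:
        problems.append(f"{fqdn}: no A record")
        return problems
    for ip in sorted(addresses):
        ptr = reverse(ip)
        if ptr is None:
            problems.append(f"{fqdn}: {ip} has no PTR record")
        elif normalize(ptr) != normalize(fqdn):
            problems.append(f"{fqdn}: {ip} reverses to {ptr}")
    return problems


def check_realm(hosts, forward, reverse):
    """Check the master, replicas and member servers; map each host to its problems."""
    return {host: check_host(host, forward, reverse) for host in hosts}


if __name__ == "__main__":
    realm_hosts = ["od-master.example.lan", "od-replica.example.lan", "mail.example.lan"]
    for host, problems in check_realm(realm_hosts, sample_forward, sample_reverse).items():
        if problems:
            for line in problems:
                print("FAIL", line)
        else:
            print("OK  ", host)
```
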

  • Kerberos and 10.5.8

    Hello all,
    I'm in the process of binding the Macintoshes to the AD environment and I'm running into a bit of an anomaly. I have the process scripted and I'm using local MCX settings with a LaunchD that determines the user's OU at login and then will run the appropriate script, depending upon their department, that will do a mount of the network drive. This works fine, except for a couple of 10.5.8 snow laptops.
    The login and mount script work fine from my machine (10.6.6) but not the user's (10.5.8) and then not all 10.5.8 machines are having this issue.
    The command I'm running is this:
    cifs://dns.name.of.server/volume/dept/data
    On 10.6, it simply passes the Kerberos ticket and mounts the network mount. On 10.5.8, I enter the password and it says the password is incorrect.
    I've deleted the keychain, the preferences and have destroyed the current Kerberos ticket and got a new one. I've repaired permissions and I've repaired the keychain.
    Can anyone help me out here?
    Thank you in advance.

    Try the OS X Server forums. There should be one dealing with directory services, etc. Alternatively, search these forums for Kerberos and SSHD

  • IChat 4, Kerberos and login issue

    When using Kerberos I can get a ticket for the connection, but after the ticket exchange I get prompted for another authentication request with ID and password.
    In the iChat server log I get the entry:
    Apr 14 16:47:59 <servername> jabberd/c2s[76194]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request)
    Anybody an idea?

    Yes, it is. FQN.
    I think a part of the issue is, that we use DNS Service entries.
    The machine has "server<xyz>" as DNS name. The chatserver uses the DNS service entry "chat<xyz>" with its own ip. "chat<xyz>" is set in the server admin.app, I added a xmpp/chat<xyz> principal to kerberos and the ticket is issued when I try to connect with ichat.
    Usernames used are <username>@chat<xyz>. These usernames work when kerberos is turned off (normal connection to 5223/ssl).
    Now, if I turn kerberos on, and leave the ichat server setting in ical client to chat<xyz> but switch the usernames to <username>@server<xyz>, I can log in via Kerberos (in the case that I add chat<xyz> and server<xyz> to the ichat server Host Domains in server admin.app).
    Bit confusing.

  • I am trying to setup Microsoft office mail and need assistance  - I am receiving the error, unable to find server and DNS setting in the Network

    I am trying to setup Microsoft office mail and need assistance  - I am receiving the error, unable to find server and DNS setting in the Network

    Which version of OSX and what email provider are you using?

  • Unable to access gateway and DNS via VPN (L2TP) with Snow Leopard Server

    Summary:
    After rebooting my VPN server, I am able to establish a VPN (L2TP) connection from outside my private network. I am able to connect (ping, SSH, …) the gateway only until the first client disconnects. Then I can perfectly access all the other computers of the private network, but I cannot access the private IP address of the gateway.
    Additionally, during my first VPN connection, my DNS server, which is on the same server, is not working properly with VPN. I can access it with the public IP address of my gateway. I can access it from inside my private network. A port scan indicates that port 53 is open, but a dig returns a timeout.
    Configuration:
    Cluster of 19 Xserve3.1 - Snow Leopard Server 10.6.2
    Private network 192.168.1.0/255.255.255.0 -> domain name: cluster
    -> 1 controller, which act as a gateway for the cluster private network, with the following services activated:
    DHCP, DNS, firewall (allowing all incoming traffic for each groups for test purposes), NAT, VPN, OpenDirectory, web, software update, AFP, NFS and Xgrid controller.
    en0: fixed public IP address -> controller.example.com
    en1: 192.168.1.254 -> controller.cluster
    -> 18 agents with AFP and Xgrid agent activated:
    en1: 192.168.1.x -> nodex.cluster with x between 1 and 18
    VPN (L2TP) server distributes IP addresses between 192.168.1.201 and 192.168.1.210 (-> vpn1.cluster to vpn10.cluster). Client information contains the private network DNS server information (192.168.1.254, search domain: cluster).
    Detailed problem description:
    After rebooting the Xserve, my VPN server works fine except for the DNS. My client receives the correct information:
    Configure IPv4: Using PPP
    IPv4 address: 192.168.1.201
    Subnet Mask:
    Router: 192.168.1.254
    DNS: 192.168.1.254
    Search domain: cluster
    From my VPN client, I can ping all the Xserve of my cluster (192.168.1.1 to 18 and 192.168.1.254). If I have a look in Server Admin > Settings > Network, I have three interfaces listed: en0, en1 and ppp0 of family IPv4 with address 192.168.1.254 and DNS name controller.cluster.
    The DNS server returns timeouts when I try to do a dig from my VPN client even if I am able to access it directly from a computer inside or outside my private network.
    After I disconnect, I can see in Server Admin that the IP address of my ppp0 interface has switched to my public IP address.
    Then I can always establish a VPN (L2TP) connection, but the client receives the following information:
    Configure IPv4: Using PPP
    IPv4 address: 192.168.1.202
    Subnet Mask:
    Router: (Public IP address of my VPN server)
    DNS: 192.168.1.254
    Search domain: cluster
    From my VPN client, I can access all the other computers of my network (192.168.1.1 to 192.168.1.18) but when I ping my gateway (192.168.1.254), it returns timeouts.
    I have two "lazy" solutions to this problem: 1) Configure VPN and DNS servers on two different Xserve, 2) Put the public IP address of my gateway as DNS server address, but none of these solutions are acceptable for me…
    Any help is welcome!!!

    I would suggest taking a look at:
    server admin:vpn:settings:client information:network route definitions.
    as I understand your setup it should be something like
    192.168.1.0 255.255.255.0 private.
    at least as a start. I just got done troubleshooting a similar issue but via two subnets:
    http://discussions.apple.com/thread.jspa?threadID=2292827&tstart=0

  • Single sign-on using Kerberos and Ldap

    I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
    The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
    I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
    I have the Kerberos authentication and part of the Ldap service working via pam & nss.
    i.e. I can log on to the Solaris workstations using the AD username and password, mount the home directory from a M$ NFS server.
    BUT...
    id gives:- userID, groupID (primary group only)
    groups :- primary group only. (no secondary groups are listed)
    Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
    Thanks in advance for any help.

    After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to end up with a similar solution.
    Sadly enough, the MS AD seems much more stable and easier to handle than Sun's DS, kerberos and associated services.
    Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; it's easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you easily can retrieve data like hosts/groups from your AD.
    //M.

  • Deleted failed DC from the domain (Server 2012 R2) - Now after doing metadata and DNS cleanup, I can no longer promote a new DC to the domain

    I work for a university and teach IT courses to undergrad and graduate students. The details below are pertaining an isolated lab environment
    I had a storage failure in my lab and the DCs became corrupt. This is a university lab environment so there isn't anything crucial on here. I just would rather avoid rebuilding the domain/forest and would rather use this as a learning experience with my
    students...
    So after the storage failed and was restored, the VMs hosted became corrupt. I did a NTDSUTIL to basically repair the NTDS.dit file but one of my DCs reverted to a state before DC promotion. Naturally, the domain still had this object in AD. After numerous
    failed attempts at trying to reinstall the DC on the server through the server manager wizard in 2012 R2, I decided that a metadata cleanup of the old failed object was necessary.
    Utilizing this article, I removed all references of the failed DC from both AD and DNS (http://www.petri.com/delete_failed_dcs_from_ad.htm) 
    So now that the failed object is removed completely from the domain and the metadata cleanup was successful, I then proceeded to re-install the necessary AD DS role on the server and re-promote to the existing domain. Pre-Requisites pass but generate some
    warning around DNS Delegation, and Dynamic Updates (delegation is ignored because the lab is isolated from external comms, and dynamic updates are in fact enabled on both my _msdcs and root domain zones).
    Upon the promotion process, I get the following error message (also worth mentioning - the account performing these operations is a member of DA, EA, and Schema Admins)
    The operation failed because:
    Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=domainVMDC1,CN=Servers,CN=Default-
    First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu on the remote AD DC domainVMDC2. Ensure the provided network credentials have sufficient permissions.
    "While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync."
    As you can see, this error seems odd considering. Now that I'm down to a single DC and DNS server, the sync should be corrected. I've run a repadmin /syncall and it completed successfully. Since then, I've run dcdiags and dumped those to a text as well and
    here are my results...
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = domainVMDC2
       * Identified AD Forest. 
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Starting test: Connectivity
             ......................... domainVMDC2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Starting test: Advertising
             ......................... domainVMDC2 passed test Advertising
          Starting test: FrsEvent
             ......................... domainVMDC2 passed test FrsEvent
          Starting test: DFSREvent
             ......................... domainVMDC2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... domainVMDC2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... domainVMDC2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... domainVMDC2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... domainVMDC2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... domainVMDC2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... domainVMDC2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... domainVMDC2 passed test ObjectsReplicated
          Starting test: Replications
             ......................... domainVMDC2 passed test Replications
          Starting test: RidManager
             ......................... domainVMDC2 passed test RidManager
          Starting test: Services
             ......................... domainVMDC2 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00001795
                Time Generated: 12/18/2014   00:35:03
                Event String:
                The program lsass.exe, with the assigned process ID 476, could not authenticate locally by using the target name ldap/domainvmdc2.domain.school.edu. The target name used is not valid. A target name should
    refer to one of the local computer names, for example, the DNS host name.
             ......................... domainVMDC2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... domainVMDC2 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
                For the partition
                (DC=ForestDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=3098109a-ff99-41d4-8926-0e814ac8efde,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... ForestDnsZones failed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (DC=ForestDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=3098109a-ff99-41d4-8926-0e814ac8efde,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... ForestDnsZones failed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
                For the partition
                (DC=DomainDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=2f0b8ac0-2630-441a-891f-b5fcb91498a8,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... DomainDnsZones failed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (DC=DomainDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=2f0b8ac0-2630-441a-891f-b5fcb91498a8,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... DomainDnsZones failed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (CN=Schema,CN=Configuration,DC=domain,DC=school,DC=edu) we
                encountered the following error retrieving the cross-ref's
                (CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... Schema failed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (CN=Configuration,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... Configuration failed test CrossRefValidation
       Running partition tests on : domain
          Starting test: CheckSDRefDom
             ......................... domain passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition (DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=domain,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... domain failed test CrossRefValidation
       Running enterprise tests on : domain.school.edu
          Starting test: LocatorCheck
             ......................... domain.school.edu passed test
             LocatorCheck
          Starting test: Intersite
             ......................... domain.school.edu passed test Intersite
    From what I can gather, there is a definite DNS issue but I don't have any stale records to the old DC stored anywhere. I've tried this with a new server as well and get similar errors... 
    At this rate I'm ready to rebuild the entire forest over again. I'm just reluctant to do so as I want to make this a learning experience for the students. 
    Any help would be greatly appreciated. Thanks!

    As you can see, there seem to be some errors. The one that I did correct was the one around the _msdcs NS record being unable to resolve. For whatever reason, the name wasn't resolving the IP but all other NS tabs and records were. Just that one _msdcs
    sub-zone. Furthermore, the mentioning of any connections to root hint servers can be viewed as false positives. There is no external comms to this lab so no communication with outside IPs can be expected. Lastly, they mentioned a connectivity issue yet mention
    that I should check the firewall settings. All three profiles are disabled in Windows Firewall (as they have been the entire time). Thank you in advance for your help!
    C:\Windows\system32>dcdiag /test:dns /v
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine domainVMDC2, is a Directory Server.
       Home Server = domainVMDC2
       * Connecting to directory service on server domainVMDC2.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=domainVMDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             The host
             3a38b19c-4bb3-4542-acb6-9e5e97cc15c4._msdcs.domain.school.edu
             could not be resolved to an IP address. Check the DNS server, DHCP,
             server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... domainVMDC2 failed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             See DNS test in enterprise tests section for results
             ......................... domainVMDC2 passed test DNS
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Schema
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Configuration
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : domain
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running enterprise tests on : domain.school.edu
          Starting test: DNS
             Test results for domain controllers:
                DC: domainVMDC2
                Domain: domain.school.edu
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                   TEST: Basic (Basc)
                      Error: No LDAP connectivity
                      The OS
                      Microsoft Windows Server 2012 R2 Datacenter (Service Pack level: 0.0)
                      is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000010] vmxnet3 Ethernet Adapter:
                         MAC address is 00:50:56:A2:2C:24
                         IP Address is static
                         IP address: *.*.100.26
                         DNS servers:
                            *.*.100.26 (domainVMDC2) [Valid]
                      No host records (A or AAAA) were found for this DC
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found primary
                      Root zone on this DC/DNS server was not found
                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders are not configured on this DNS server
                      Root hint Information:
                         Name: a.root-servers.net. IP: 198.41.0.4 [Invalid (unreachable)]
                         Name: b.root-servers.net. IP: 192.228.79.201 [Invalid (unreachable)]
                         Name: c.root-servers.net. IP: 192.33.4.12 [Invalid (unreachable)]
                         Name: d.root-servers.net. IP: 199.7.91.13 [Invalid (unreachable)]
                         Name: e.root-servers.net. IP: 192.203.230.10 [Invalid (unreachable)]
                         Name: f.root-servers.net. IP: 192.5.5.241 [Invalid (unreachable)]
                         Name: g.root-servers.net. IP: 192.112.36.4 [Invalid (unreachable)]
                         Name: h.root-servers.net. IP: 128.63.2.53 [Invalid (unreachable)]
                         Name: i.root-servers.net. IP: 192.36.148.17 [Invalid (unreachable)]
                         Name: j.root-servers.net. IP: 192.58.128.30 [Invalid (unreachable)]
                         Name: k.root-servers.net. IP: 193.0.14.129 [Invalid (unreachable)]
                         Name: l.root-servers.net. IP: 199.7.83.42 [Invalid (unreachable)]
                         Name: m.root-servers.net. IP: 202.12.27.33 [Invalid (unreachable)]
                      Error: Both root hints and forwarders are not configured or
                      broken. Please make sure at least one of them works.
                   TEST: Delegations (Del)
                      Delegation information for the zone: domain.school.edu.
                         Delegated domain name: _msdcs.domain.school.edu.
                            Error: DNS server: domainvmdc2. IP:<Unavailable>
                            [Missing glue A record]
                            [Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]
                   TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone domain.school.edu
                      Warning: Failed to delete the test record dcdiag-test-record in zone domain.school.edu
                      [Error details: 13 (Type: Win32 - Description: The data is invalid.)]
                   TEST: Records registration (RReg)
                      Network Adapter [00000010] vmxnet3 Ethernet Adapter:
                         Matching CNAME record found at DNS server *.*.100.26:
                         3a38b19c-4bb3-4542-acb6-9e5e97cc15c4._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.a9241004-88ea-422d-a71e-df7b622f0d68.domains._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._udp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kpasswd._tcp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.Default-First-Site-Name._sites.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.Default-First-Site-Name._sites.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.gc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _gc._tcp.Default-First-Site-Name._sites.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.pdc._msdcs.domain.school.edu
                   Error: Record registrations cannot be found for all the network
                   adapters
             Summary of test results for DNS servers used by the above domain
             controllers:
                DNS server: 128.63.2.53 (h.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 192.112.36.4 (g.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 192.203.230.10 (e.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 192.228.79.201 (b.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 192.33.4.12 (c.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 192.36.148.17 (i.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 192.5.5.241 (f.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 192.58.128.30 (j.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 193.0.14.129 (k.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 198.41.0.4 (a.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 199.7.83.42 (l.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 199.7.91.13 (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.91.13               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: 202.12.27.33 (m.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33               
    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: *.*.100.26 (domainVMDC2)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
             Summary of DNS test results:
                                                Auth Basc Forw Del  Dyn  RReg Ext
                Domain: domain.school.edu
                   domainVMDC2                 PASS FAIL FAIL FAIL WARN FAIL n/a
             ......................... domain.school.edu failed test DNS
          Test omitted by user request: LocatorCheck
          Test omitted by user request: Intersite

  • How to setup a static ip address and DNS on airport extreme using the iOS Airport Utility?

    I am at a location that only has wired ethernet.  The ethernet connection has a specific  Static IP address, subnet, gateway, and DNS setting.  I cannot seem to find how to enter DNS settings using the Apple Utility on an iPad. HELP!!!

    First, I am assuming that you are trying to administer your AirPort base station for a static IP address using the iOS version of the AirPort Utility ... correct?
    If so, then to do so:
    Start the AirPort Utility app on the iPad
    Select your base station.
    Select Edit
    Select Internet Connection
    Select Static
    Enter the appropriate IP address information
    Select Done
    Sorry, it does not appear that direct input for DNS IP addresses is an available option with this version of the iOS AirPort Utility app. Not sure why this was not included.

  • Defining IP Address and DNS configuration on VMWare server?

    Please suggest as mentioned in the subject.
    We have a SuSe Linux version and want to define the IP address and DNS settings.
    We get an error which looks like it results from the IP or DNS settings.
    Guys, guide me to the correct forum if required.

    Using VMWare there are two issues to keep in mind.
    a) Which kind of network are you using in VMWare
    b) Set up the IP information in your VMWare guest (SuSe)
    a) There are three network types in VMWare, host only, bridged and NAT.
    Usually I use host-only for my machines as they are used for internal testing. Bridged will connect to the real network and maybe you get an IP address from there (when DHCP is used). NAT will use your computer's IP and translate it.
    b) Setting the IP is easy - just use YAST and configure the IP address of your machine (either fixed or using DHCP). Setting up a DNS server yourself is out of the scope of this posting. Look on the internet for a howto to set up your DNS server. If you just need to configure a DNS server with your IP this can be done with YAST.
    cu
    Andreas

  • DHCP Reservation Sync and DNS Host record sync etc shown in IPAM GUI

    Hello all,
    I am aware of the scripts in the TechNet script center to sync DHCP leases etc to IPAM, however my question is about something else -
    If you highlight an IP address (IP address inventory->select an IP), You can see fields that say: "DHCP reservation sync", "DNS PTR record sync" and "DNS host record sync" as below:
    I was curious as to what these are for. Is there some built-in sync functionality for these that I perhaps have not enabled? (Don't see such options anywhere..)
    thanks,
    -Ravi

    Hi Ravi,
    The three columns tell us the information of the synchronization between IPAM server and DNS server (or DHCP server).
    Here is the detailed guide for using IPAM:
    Using the IPAM Client Console:
    https://technet.microsoft.com/en-us/library/jj878351.aspx#inventory
    IPAM can sync DNS and DHCP records.
    The IPAM database is separate from DHCP and DNS servers on our network, and full synchronization of hosts and IP addresses between IPAM and managed DNS or DHCP servers does not occur automatically unless we have configured automated tasks to perform this synchronization.
    For detailed information, see the DNS and DHCP record synchronization chapter in the following link:
    Multi-server Management:
    https://technet.microsoft.com/en-us/library/jj878329.aspx
    Best Regards,
    Leo

  • LDAP routing and DNS combination

    For outgoing delivery, is it possible to combine both LDAP Routing and DNS?
    I.e. to send out abc.com that exists on LDAP, it will be delivered using LDAP Routing, and for a domain that does not exist on LDAP, use DNS instead.
    TIA

    If you haven't explicitly enabled it, then SMTP Routes will be used to forward on the mail.
    FYI, this is for our outbound delivery (not incoming). This is what I have just tested.
    domain.com is in our LDAP, and I'd like to usedns instead of LDAP.routing. domain.com mx records should be somewhere in the internet.
    LDAP query test results:
    Query: LDAP.routing
    Address: [email protected]
    Action: reroute
    Reroute to recipients: - (host: servers.cbn.net.id)
    In smtproutes:
    domain.com: usedns
    In mail_logs:
    Wed Nov 7 18:57:44 2007 Info: LDAP: Reroute query LDAP.routing MID 429897525 RID 0 address [email protected] to [('[email protected]', 'servers.cbn.net.id')]
    Wed Nov 7 18:57:44 2007 Info: LDAP: Mailhost query LDAP.routing address [email protected] to servers.cbn.net.id
    Wed Nov 7 18:57:44 2007 Info: MID 429897526 ICID 0 RID 0 To:
    Although I have already specified to usedns, the message is still delivered using LDAP.routing.

  • Leopard Server Assistant and DNS Name

    I am trying to setup Leopard Server in my home...
    Server assistant launches I fill in the information and everything is fine... except I do not know what to put in the Server DNS name box. If I leave as is the server tools do not start because they cannot resolve the machine name.
    In short what is going on...
    1. How do you change the machine DNS name after server assistant has finished running?
    2. What should I put in the DNS box?
    MACServer.local? or MACSERVER
    3. If I move to Dynamic DNS how do I change this later without having to re-install.
    I have to admit that setting the server up, installing disks was easy but the DNS issue seems to be a real stumbling block for setting up a home server.
    What am I doing wrong?

    Tony,
    Thanks for the response.
    My concern is that a normal home user will not be able to setup MAC Server 10.5 very easily without knowledge of DNS. (I will walk through a setup later on in the mail)
    My point is that the average user will not be able to setup MAC Server. They will have difficulty filling out the setup wizard correctly - for this reason I cannot recommend it to a rookie. What is needed is a really simple setup scenario script that can be given to user so they can setup a MAC server in the home to support file sharing, intranet web browsing and time machine backups and central storage for users.
    Don't get me wrong, a MAC admin will find the changes in 10.5 a significant and fine improvement over past mac server setups and a leap frog over the Windows and Linux setup experience. Don't let anyone persuade you that Microsoft Home Server is easy either. (Actually corrupts data with certain apps) - great testing Microsoft
    Back to good software...
    MAC Server Setup example: (Newbie the new IT for the household)
    Prior to setting up the server Newbie will need to define his system setup...
    i.e.
    Server Name [email protected]
    IP Address: 192.168.0.100
    Router: 192.168.0.1
    Is the machine going to be a gateway or behind a firewall?
    Will it distribute IP addresses for the home network etc?
    These points are important as the DHCP and DNS go hand in hand. If the router is acting as a DNS relay and handing out IP addresses this may interfere with setting up the server to be primary DNS provider in the home.
    Walkthrough 1: Scenario:
    Setup the server to be a simple server with only file sharing, web server and time machine.
    When asked Newbie enters:
    Domain name: pkjserv.technophobic.com
    Server Name:192.168.0.100 (DHCP) or manual
    Newbie configures the server...
    After setup, the first thing that will happen is that Server Preferences will launch and it will populate with the above server data...
    Problem: Newbie tries to use Server Preferences and types in his password and fails to get access...
    Why... because Server preferences expects "pkjserv.technophobic.com" to resolve but DNS is not setup yet...
    OK so Newbie needs to setup DNS...
    Newbie selects Applications/Server/Server Admin.app
    (Newbie uses Magic to find Server Admin)
    First prompt "Are you sure you want to use Server Admin?"
    Newbie selects "Use Server Admin"
    (Newbie uses Magic to know he has to do this)
    Connect to server via IP address 168.192.0.100
    Select DNS add click to box...
    Expand 192.168.0.100 (our server)
    Select DNS
    Select zones...
    Add primary zone / Select example.com
    Change Primary zone to "technophobic.com."
    Select "ns" and Change Nameserver to "pkjserv"
    Under primary domain select machine change machine name to "pkjserv"
    Select IP Addresses and change to 192.168.0.100
    Click "save"
    Newbie should have the following setup displayed:
    Name                     Type              Value
    technophobic.com         Primary Zone      -
    pkjserv                  Machine           192.168.0.100
    0.168.192.in-addr.arpa   Reverse Zone      -
    192.168.0.100            Reverse Mapping   pkjserv.technophobic.com
    ------- Start DNS...
    The problem here is that DNS is working but Newbie's IP setup is still not referencing the DNS server, so Newbie will have to add it to the network settings.
    Preferences / Network / advanced / DNS
    once they have done this Newbie should be able to launch your browser and type "pkjserv.technophobic.com" and have it resolve to the web browser on the machine...
    In short - this is difficult... hence my proposal that Apple need to create a simple setup scenario scripted document (fill in blanks) so a user can set up a MAC server in the home. Current docs do not allow an average user to install MAC OSX Server - I want a simple MAC Server that anyone can install...
    Pete

  • Guest WLAN and DNS tunneling (IP over DNS with iodine, NSTX, etc)

    Hello,
    I'm trying to implement guest WLAN with web authentication on the WLC 2504. L3 for guests WLAN is terminated on ASA 5510 (as subinterface).
    All works pretty fine. Guests clients are prompted to enter login/password, guests are authenticated against ACS and so on.
    But I have a strange idea. How can I prevent unauthorised DNS tunneling from the guest network?
    I think that DNS tunneling can be prevented with dns-guard on ASA and dns inspections, e.g. drop dns packets larger than 512 bytes and perform deep inspection against packets.
    Any ideas or advice?
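
    One way to look for tunnel-like DNS behaviour in resolver query logs from a guest network, as an added example that is not part of the original post: it groups queries by client and parent domain and combines name entropy, name length, record type and the 512-byte size limit mentioned above. The log layout, thresholds, carrier-type set and sample data are assumptions constructed for the illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

MAX_PLAIN_DNS = 512              # size limit named in the post (classic UDP DNS)
CARRIER_TYPES = {"NULL", "TXT"}  # assumption: record types with room for payload
MIN_QUERIES = 5                  # assumption: ignore groups too small to judge
ENTROPY_BITS = 3.8               # assumption: encoded data looks near-random
MEAN_SUB_LEN = 40                # assumption: ordinary host labels are short


def constructed_log():
    """Constructed sample rows: (client, qname, qtype, response_bytes)."""
    rows = [
        ("10.20.0.15", "www.example.com", "A", 62),
        ("10.20.0.15", "mail.example.com", "MX", 98),
        ("10.20.0.15", "www.example.com", "AAAA", 90),
        ("10.20.0.15", "static.example.com", "A", 62),
        ("10.20.0.15", "login.example.com", "A", 62),
        # A single large TXT answer: over 512 bytes, otherwise ordinary.
        ("10.20.0.15", "example.org", "TXT", 1340),
    ]
    # Eight queries whose first label is encoded pseudo-random data.
    for i in range(8):
        digest = hashlib.sha256(b"constructed-%d" % i).digest()
        label = base64.b32encode(digest).decode().rstrip("=").lower()
        rows.append(("10.20.0.23", f"{label}.t.tunnel.example", "NULL", 900 + i))
    return rows


def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def split_name(qname):
    """Return (subdomain, parent). Assumption: parent is the last two labels;
    a production version should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(rows):
    """Score each (client, parent domain) group on four independent signals."""
    groups = defaultdict(list)
    for client, qname, qtype, size in rows:
        sub, parent = split_name(qname)
        groups[(client, parent)].append((sub, qtype.upper(), size))

    report = {}
    for key, items in groups.items():
        n = len(items)
        subs = [sub for sub, _, _ in items]
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        mean_len = sum(len(sub) for sub in subs) / n
        carrier = sum(qtype in CARRIER_TYPES for _, qtype, _ in items) / n
        oversized = sum(size > MAX_PLAIN_DNS for _, _, size in items) / n

        signals = []
        if entropy >= ENTROPY_BITS:
            signals.append("high_entropy")
        if mean_len >= MEAN_SUB_LEN:
            signals.append("long_names")
        if carrier >= 0.5:
            signals.append("carrier_types")
        # Size alone is weak: EDNS0 and DNSSEC answers legitimately exceed
        # 512 bytes, so it only counts together with the name-based signals.
        if oversized >= 0.5:
            signals.append("oversized")

        report[key] = {
            "queries": n,
            "entropy": round(entropy, 2),
            "mean_len": round(mean_len, 1),
            "signals": signals,
            "flagged": n >= MIN_QUERIES and len(signals) >= 3,
        }
    return report


def suspicious(rows):
    """Sorted (client, parent domain) pairs that deserve a closer look."""
    return sorted(key for key, info in analyze(rows).items() if info["flagged"])


if __name__ == "__main__":
    for key, info in sorted(analyze(constructed_log()).items()):
        print(key, info)
```

    In the constructed data the single large TXT answer trips the size and type signals but is not flagged, while the client sending long, high-entropy names to one parent domain is.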


  • Using eDir as backend store for DHCP and DNS

    With SLES9 you can use LDAP as the backend for DHCP and DNS? Can you do
    this against eDIR? How? Do you manage it within iManager or still using
    the YAST2 tools?

    On Mon, 25 Apr 2005 14:29:30 +0000, edbmdave wrote:
    > With SLES9 you can use LDAP as the backend for DHCP and DNS? Can you do
    > this against eDIR? How? Do you manage it within iManager or still using
    > the YAST2 tools?
    Hmm, haven't tried that. I guess that it would be quite tricky. Even if
    you did manage to do it I don't think iManager would be able to see the
    config.
    Mark
    Mark Robinson
    Novell Volunteer SysOp
    One by one the penguins steal my sanity...
