Odd Behavior of DNS forwarding with SRV record resolution


I'm running into a weird problem while setting up a new Samba AD DC on my network. I've got the DC itself up and running and checked on the server that I am able to resolve the DNS name of the server, along with the Kerberos and LDAP SRV records. I have its internal DNS set to forward to my network's gateway, and all my client computers are configured to point their primary DNS to the DC (I do not have any secondary DNS entries on the client computers).

The odd thing is that, from the clients, I can ping the DC by its IP address, NetBIOS name, or FQDN, and all map to the correct IP address. But when I go to add the clients to the domain, I get an error complaining that the DC could not be contacted, with the following detail in the error box:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "local.foobar.com":

The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.local.foobar.com

But if I SSH into the server and run:

$ host -t SRV _ldap._tcp.local.foobar.com
_ldap._tcp.local.foobar.com has SRV record 0 100 389 dc1.local.foobar.com.

I'm beginning to wonder if maybe I'm misunderstanding how the DNS forwarder works. My understanding was that the clients (which are all pointing to the DC's DNS) would reference it first for DNS information, and then get forwarded along to the gateway's DNS if they don't find the entries they need. But it seems like they are not finding the existing SRV records in the DC's DNS (or they are just getting forwarded directly to the gateway, which I definitely did not add the entries to...). What do you think could be the problem here? Do I need to manually add the SRV records to the gateway, or should the DC's internal DNS be responding to these requests?

P.S. As an aside, I did try entering the NetBIOS domain name "LOCAL", and it seems to find the server, prompt me to enter the Administrator credentials, and let me join the domain. I didn't go through with adding them this way, though, as there is apparently a deeper issue here, but I just wanted to mention this in case it could shine any light on the situation.

asked on Server Fault Dec 17, 2018 by Jason O

1 Answer


OK, I figured out what was causing the problem. My client computers get their IP addresses via DHCP from the gateway, which is configured to pass along the DC's IP address for the primary DNS.

However, for the IPv6 address, the clients were getting the wrong DNS address for the server, which (I believe) caused DNS on the computer to default to the gateway. Anyway, my solution for now is to simply disable the IPv6 protocol on the client computers, which then allows the computer to find and join the network. The only thing is, this seems a bit hacky. I want to find a way to set up the gateway to properly configure the IPv6 settings, but will post about this in a separate post.

answered on Server Fault Dec 17, 2018 by Jason O
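As an added diagnostic (not from the question or answer above, and not Samba's own tooling), the stdlib-only Python below sends the exact SRV query the join wizard makes, `_ldap._tcp.dc._msdcs.local.foobar.com`, to one resolver at a time and returns the RCODE plus any SRV answers, so each resolver a client actually has (the DC's IPv4 address and whatever the IPv6 side handed out) can be checked separately. Resolver addresses are placeholders you supply; the sample response bytes used to verify the parser are constructed.

```python
import socket
import struct

SRV, IN, NXDOMAIN = 33, 1, 3   # SRV type, IN class, RCODE_NAME_ERROR seen in the join dialog

def build_srv_query(name, txid=0x1234):
    """Build a recursion-desired (RD=1) DNS query for the SRV record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", SRV, IN)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while msg[off] != 0:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), end if end is not None else off + 1

def parse_srv_response(msg):
    """Return (rcode, [(priority, weight, port, target), ...]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)    # target may use compression
            records.append((prio, weight, port, target))
        off += rdlen
    return flags & 0x000F, records

def query_srv(resolver, name, timeout=2.0):
    """Ask one resolver (IPv4 or IPv6 literal, placeholder) over UDP/53 and parse its reply."""
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data)
```

Run `query_srv("<dc-ipv4>", "_ldap._tcp.dc._msdcs.local.foobar.com")` and the same against the IPv6 resolver address the client received; a `(3, [])` result is the RCODE_NAME_ERROR from the dialog, while a healthy resolver returns a list naming the DC as target.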

User contributions licensed under CC BY-SA 3.0