nslookup query

We have a main file server running OSXS 10.5.7 bound to our AD domain (Win2K2003 Server SP2).

We also have a .Net application that runs on a Win2K3 SP3 box and is bound to our AD domain.

Authentication on all boxes and client binding/authentication works.

We have experienced problems on the .Net App box where connecting using "\\192.168.254.111" in Windows Explorer does not work (whereas it has in the past and has intermittently.)

Anyway, troubleshooting DirectoryServices and the AD Plug-In, I've been reading Apple's DirServ Course manual and the troubleshooting tips.

See p126-7.

What I found did not work and I could not determine if I got something wrong was:
nslookup -sil
host -t SRV kerberos.tcp.ouraddomain.co.uk


Which returned:
;; Got SERVFAIL reply from x.x.x.dnsipaddr, trying next server
...


Is this correct or should it find the AD server that it is bound to for Kerberos authentication services?


Regards
C

MacBook Pro 15" 2.16GHz Intel Core 2 Duo, Mac OS X (10.5)

Posted on Jun 3, 2009 4:29 AM


Jun 5, 2009 9:58 AM in response to Craig Roberts1

You are getting 'SERVFAIL' from your DNS. This return code is usually because the server doesn't have correct zone information. This could be caused by several things, but most likely it is a failed registration or configuration. Since you're running an AD server, that server is probably your DNS, also. On an AD bound Windows box, open a 'cmd' shell and do:

nslookup
set type=all
kerberos.tcp.youraddomain.co.uk

It should return something like this:

Server: <servername>
Address: <yourdnsipaddress>
kerberos.tcp.youraddomain.co.uk
SRV service location:
priority = 0
weight = 100
port = 389
srv hostname = ServerName.Domain_NameServerName.youraddomain.co.uk internet address = <yourdnsipaddress>

Or, on an AD bound Mac, in Terminal.app do:

dig -t ALL kerberos.tcp.youraddomain.co.uk

That should return the SRV Service Location information for that record - in this case it should be your AD server. You can also try this:

dig -t SRV <yourdnsipaddress>

That should return all the SRV record types supplied by your DNS.

If you're not getting that, the first thing to look at would be configuration.

Jun 6, 2009 1:01 AM in response to Mabel O'Farrell

Hi and thanks for the follow up.

On Windows AD bound server:
Server: dc001.domain.com
Address: x.x.x.237

kerberos.tcp.domain.com SRV service location:
priority= 0
weight = 100
port = 88
svr hostname = dc001.domain.com
kerberos.tcp.domain.com SRV service location:
priority= 0
weight = 100
port = 88
svr hostname = dc002.domain.com
kerberos.tcp.domain.com SRV service location:
priority= 0
weight = 100
port = 88
svr hostname = dc003.domain.com
dc001.domain.com internet address = x.x.x.237
dc003.domain.com internet address = x.x.x.236

Dig on AD bound MacOS X Server returns same values but in different format:
....
;; ANSWER SECTION:
kerberos.tcp.domain.com. 600 IN SRV 0 100 88 dc001.domain.com.
kerberos.tcp.domain.com. 600 IN SRV 0 100 88 dc002.domain.com.
kerberos.tcp.domain.com. 600 IN SRV 0 100 88 dc003.domain.com.

;; ADDITIONAL SECTION:
dc001.domain.com. 3600 IN A x.x.x.237
dc002.domain.com. 3600 IN A x.x.x.236
....

The thing that strikes me here and might be of relevance is that we no longer had a dc002. It became dc003 after a reinstall. Do you think that this could be the problem?

I do not know anything about Kerberos on Windows I am afraid so don't know how to update the information so it is correct.

What do you think?

regards
Craig.
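
Added example, not part of the thread or of any vendor tool: a Python check that parses dig output in the format quoted above and compares the SRV targets with a list of current domain controllers, so a leftover entry such as the dc002 record mentioned in the last post stands out. The sample output, the 192.0.2.x addresses and the CURRENT_DCS inventory are constructed assumptions.

```python
import re

# Constructed sample shaped like the dig output quoted in the thread (placeholder addresses).
SAMPLE_DIG = """\
;; ANSWER SECTION:
kerberos.tcp.domain.com. 600 IN SRV 0 100 88 dc001.domain.com.
kerberos.tcp.domain.com. 600 IN SRV 0 100 88 dc002.domain.com.
kerberos.tcp.domain.com. 600 IN SRV 0 100 88 dc003.domain.com.

;; ADDITIONAL SECTION:
dc001.domain.com. 3600 IN A 192.0.2.237
dc002.domain.com. 3600 IN A 192.0.2.236
"""

# Assumption: inventory of hosts that are domain controllers today.
CURRENT_DCS = {"dc001.domain.com", "dc003.domain.com"}
# owner, TTL, class IN, type, rdata (dig separates fields with tabs or spaces)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(SRV|A)\s+(.+)$")

def norm(name):
    return name.rstrip(".").lower()

def parse_dig(text):
    """Return (srv_targets, a_records) parsed from dig resource-record lines."""
    targets, addrs = [], {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue  # ';;' comments, blank lines, other record types
        owner, _ttl, rtype, rdata = m.groups()
        fields = rdata.split()
        if rtype == "SRV" and len(fields) == 4:  # priority weight port target
            targets.append(norm(fields[3]))
        elif rtype == "A" and len(fields) == 1:
            addrs.setdefault(norm(owner), []).append(fields[0])
    return targets, addrs

def audit(text, current_dcs):
    """Compare what DNS advertises with the domain controller inventory."""
    targets, addrs = parse_dig(text)
    advertised, known = set(targets), {norm(h) for h in current_dcs}
    return {
        "stale_srv_targets": sorted(advertised - known),
        "dcs_not_advertised": sorted(known - advertised),
        "targets_without_address": sorted(advertised - set(addrs)),
        "stale_a_records": sorted(set(addrs) - known),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_DIG, CURRENT_DCS))
```

A target listed under targets_without_address only lacks an A record in this one response; it still needs a separate lookup before being treated as unresolvable.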
