How does a 10.5 client register with AD DNS?

  • #377712
    djfake
    Participant

    While I have no problems with 10.6 clients, how does a 10.5 client register with AD DNS?

    #377713
    djfake
    Participant

    Specifically, when our 10.6 clients bind to AD, they get forward and reverse lookup on the AD DNS.
    [code]
    phyb-m-2143-c2s:~ admin$ nslookup ANAT-M-581-II.ad.xxx.edu
    Server: 131.193.68.141
    Address: 131.193.68.141#53

    Name: ANAT-M-581-II.ad.xxx.edu
    Address: 10.134.25.13

    phyb-m-2143-c2s:~ admin2$ nslookup 10.134.25.13
    Server: 131.193.68.141
    Address: 131.193.68.141#53

    13.25.134.10.in-addr.arpa name = anat-m-581-ii.ad.xxx.edu.
    [/code]

    But the 10.5 clients don’t seem to register…

    [code]
    phyb-m-2143-c2s:~ admin$ nslookup ANAT-M-7048-05.ad.xxx.edu
    Server: 131.193.68.141
    Address: 131.193.68.141#53

    Name: ANAT-M-7048-05.ad.xxx.edu
    Address: 10.134.25.242

    phyb-m-2143-c2s:~ admin$ nslookup 10.134.25.242
    Server: 131.193.68.141
    Address: 131.193.68.141#53

    ** server can’t find 242.25.134.10.in-addr.arpa.: NXDOMAIN
    [/code]

    Does anyone know why there’s a difference? How do I get the 10.5 clients to register with the AD DNS?
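
The forward/reverse comparison done by hand in the post above can be scripted to audit many bound clients at once. This is an added example, not part of the original post; the function names are hypothetical and the sample data is constructed from the transcripts quoted above.

```shell
#!/bin/sh
# Added example: classify forward (A) and reverse (PTR) registration from nslookup output.

# Print the answer address from a forward lookup (skips the Server/Address header pair).
forward_ip() {
    awk '/^Name:/ {seen=1; next} seen && /^Address:/ {print $2; exit}'
}

# Print the PTR target from a reverse lookup, without the trailing dot.
reverse_name() {
    awk '/in-addr\.arpa.*name = / {sub(/\.$/, "", $NF); print $NF; exit}'
}

# check_host NAME FWD_OUTPUT REV_OUTPUT -> OK | NO_FORWARD | NO_PTR | PTR_MISMATCH
check_host() {
    ip=$(printf '%s\n' "$2" | forward_ip)
    [ -n "$ip" ] || { echo NO_FORWARD; return 0; }
    ptr=$(printf '%s\n' "$3" | reverse_name)
    [ -n "$ptr" ] || { echo NO_PTR; return 0; }
    # DNS names are case-insensitive, so compare lowercased.
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    got=$(printf '%s' "$ptr" | tr 'A-Z' 'a-z')
    if [ "$want" = "$got" ]; then echo OK; else echo PTR_MISMATCH; fi
}

# Live variant (needs a reachable resolver): audit_host NAME
audit_host() {
    fwd=$(nslookup "$1" 2>&1) || true
    ip=$(printf '%s\n' "$fwd" | forward_ip)
    rev=''
    if [ -n "$ip" ]; then rev=$(nslookup "$ip" 2>&1) || true; fi
    echo "$1 $(check_host "$1" "$fwd" "$rev")"
}

# Constructed samples, trimmed from the transcripts in the post above.
FWD_106='Name: ANAT-M-581-II.ad.xxx.edu
Address: 10.134.25.13'
REV_106='13.25.134.10.in-addr.arpa name = anat-m-581-ii.ad.xxx.edu.'
FWD_105='Server: 131.193.68.141
Address: 131.193.68.141#53

Name: ANAT-M-7048-05.ad.xxx.edu
Address: 10.134.25.242'
REV_105="** server can't find 242.25.134.10.in-addr.arpa.: NXDOMAIN"

echo "10.6 client: $(check_host ANAT-M-581-II.ad.xxx.edu "$FWD_106" "$REV_106")"
echo "10.5 client: $(check_host ANAT-M-7048-05.ad.xxx.edu "$FWD_105" "$REV_105")"
```

A `NO_PTR` result means the forward record exists but the reverse zone was never updated, which is the 10.5 symptom shown in the post.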

    #377730
    djfake
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]The AD plugin was updated to handle this. I thought the functionality went as far back as 10.5… but your experience leads me to believe that my memory is wrong and it only started doing this with 10.6.

    So the short answer is… 10.6 got new functionality to do this, and it won’t work out of the box for you on 10.5.

    It’s feasible to cook something up on your own, but it would probably be more effort than it’s worth.[/p][/QUOTE]

    Is it a bug? The problem I have is the clients become unresponsive for a period of time – maybe they’re trying to renew Kerberos? – but I’m sure it’s a DNS issue.

    Only thing I can think of is to manually register them in DNS.

    c

    #377961
    Macleod
    Participant

    Trust your memory, Joel. It’s good here. 🙂
    10.5 began the registration of machines into DNS. I thought it was actually the SMB side of the house that did it though, but I didn’t see anything in the conf file to support that.
    My logs on 10.5 have entries from com.apple.DirectoryServices that say “successfully registered hostname with DNS”, or the negative if they can’t.
    Don’t know what could be the issue that would have a 10.6 machine registering, and a 10.5 not, but at least you know they should be.

    –DH

    #378180
    Stephen Buckley
    Participant

    The DNS registration is done automatically by Samba as of 10.5. Not necessarily desirable if you have a server with multiple NICs for XSAN or because of having a Virtualisation platform installed.

    There is a technote discussing how to modify this behavior here:

    http://support.apple.com/kb/HT3169

    Under 10.6 I have found this to behave as expected. Under 10.5 I found that Samba did not honor changes made to smb.conf as discussed in the technote.

    Smarter people than myself eventually got a workaround and figured out what was going on. Essentially the version of Samba on 10.5 ignores the configuration changes discussed in the technote and registers ALL interfaces with the AD DNS regardless. You can hack around it by replacing the /usr/bin/net command with a script which throws away any requests to register an interface with AD DNS; this restores the 10.4 behavior. Or you can build and install a newer version of Samba. The former of these methods can get trampled on by OS/Security updates; I haven’t tried the latter.

    Here are some links.

    Hacking it:
    http://discussions.apple.com/thread.jspa?threadID=1953509

    What’s actually going on and rebuilding Samba:
    http://www.briandwells.com/main/Blog/Entries/2009/12/11_DDNS_Registration_for_Mac_OS_X_Server_v10.5.html

    Whilst I was wrestling with this I also found that by using restrictive ACLs on the AD DNS entries I was able to prevent new registrations from adding the second IP to the record; this wasn’t really a solution, more of a test to see if I could stop the registration, but might be something to check with your AD admins in light of the fact that you are not seeing registration from 10.5 machines.

    I would also mention a caveat I experienced when using the hacked /usr/bin/net command on client machines: occasionally in my MagicTriangle setup, the OS would boot and DirectoryService would bombard the script that replaced the net command with requests which the script couldn’t parse (I forget the errors now) and then give up. This would leave DirectoryService in a state where it wouldn’t be able to authenticate directory users at the login window. Killing DirectoryService brought things back to life, but in the end I just left the hack on my servers and lived with the clients registering both their NICs.
