[Samba] Demoting issue in 4.2.0rc2

Peter Serbe peter at serbe.ch
Sun Oct 19 07:00:24 MDT 2014


Dear list, 

I tried to replace the AD DC in my home network (all running samba-4.2.0rc2). 
I followed this procedure:

- setup and join DC2 to the domain served by DC1
- transfer FSMO
- demote and switch off DC1
and as there were still remnants of DC1 in the domain:
- wipe out the traces of DC1 in ADUC.

The first issue is that not all the traces could be 
wiped out. ADUC refuses to do so while complaining about 
missing permissions. 

The second issue was that bind didn't come up after 
the scrubbing procedure:


Oct 18 20:08:12 DC2 named[1733]: samba_dlz: configured writeable zone 'samdom.samba.org'
Oct 18 20:08:12 DC2 named[1733]: zone _msdcs.samdom.samba.org/NONE: has no NS records
Oct 18 20:08:12 DC2 named[1733]: samba_dlz: Failed to configure zone '_msdcs.samdom.samba.org'
Oct 18 20:08:12 DC2 named[1733]: loading configuration: bad zone
Oct 18 20:08:12 DC2 named[1733]: exiting (due to fatal error)

I could fix this up by doing:

samba-tool dns add DC2 _msdcs.samdom.samba.org @ NS DC2.samdom.samba.org -Uadministrator

- apparently I had deleted the record 
@ IN NS DC1.samdom.samba.org.

I think that it is a bug that this entry is on DC2. 
Seen from a BIND9 view, there are two master DNS servers 
in the net, which have exactly the same entries in their 
zone files, e.g.:

$TTL 86400
@ IN SOA dns.samdom.samba.org admin.samdom.samba.org. (
     ... -> SOA goes here
@ IN NS DC1.samdom.samba.org.
DC1.samdom.samba.org.         IN A 192.168.1.1
DC2.samdom.samba.org.         IN A 192.168.1.2

But I think, on the second server the zone file should 
look like this:

$TTL 86400
@ IN SOA dns.samdom.samba.org admin.samdom.samba.org. (
     ... -> SOA goes here
@ IN NS DC2.samdom.samba.org.
DC1.samdom.samba.org.         IN A 192.168.1.1
DC2.samdom.samba.org.         IN A 192.168.1.2

i.e., the NS entry should point to the server itself. 
Then both servers have a valid configuration as master DNS. 
A second option would be to modify the NS record when doing 
a FSMO transfer. But it is definitely a bug when it points
to a demoted server after demoting. 

And, if I were in the position to express a wish: it would 
be nice if samba-tool (or some other tool) could wipe out 
traces of demoted domain controllers. That would really 
be a great thing.

Best regards
Peter


PS: I would be pretty surprised if this was only a 4.2.0rcx
issue...
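The failure mode described in this message, as an added illustration (not code from the post, and not part of Samba): before scrubbing a demoted DC, check every AD DNS zone's apex NS records against the set of DCs that still exist, and flag zones that would be left with no NS record at all, which is exactly the state that made named abort with "has no NS records" above. The zone text and the list of live DCs are constructed sample data modelled on the snippets in the post; in practice you would feed it the output of `samba-tool dns query` or `ldbsearch` instead. The `suggested_commands` helper just assembles the `samba-tool dns add` line the author used to recover, with the DNS server name and the live-DC list as assumed inputs.

```python
import re

# Constructed sample zone data, modelled on the snippets in the post
# (not a dump from a real DC). DC1 has already been demoted, but the
# apex NS records still name it.
SAMPLE_ZONES = {
    "samdom.samba.org": """\
$TTL 86400
@ IN SOA dns.samdom.samba.org. admin.samdom.samba.org. ( 1 3600 600 86400 3600 )
@ IN NS DC1.samdom.samba.org.
@ IN NS DC2.samdom.samba.org.
DC1.samdom.samba.org.         IN A 192.168.1.1
DC2.samdom.samba.org.         IN A 192.168.1.2
""",
    "_msdcs.samdom.samba.org": """\
$TTL 86400
@ IN SOA dns.samdom.samba.org. admin.samdom.samba.org. ( 1 3600 600 86400 3600 )
@ IN NS DC1.samdom.samba.org.
""",
}

# Constructed list of the DCs that still exist after the demotion
# (assumption: in real use, take this from the Domain Controllers OU).
LIVE_DCS = {"DC2.samdom.samba.org"}

# owner [ttl] IN type rdata   (class fixed to IN, TTL optional)
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.+)$", re.IGNORECASE)


def parse_records(zone_text):
    """Yield (owner, rtype, rdata) from a BIND-style zone fragment.

    $-directives, blank lines and ';' comments are skipped. Only the
    first line of a multi-line SOA is read, which is enough here.
    """
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        m = RR_RE.match(line)
        if m:
            yield m.group(1), m.group(2).upper(), m.group(3).strip()


def _canon(name):
    """Normalise a host name: drop the trailing dot, lower-case it."""
    return name.rstrip(".").lower()


def audit_ns_records(zones, live_dcs):
    """Check every zone's apex NS records against the set of live DCs.

    Returns {"stale": [(zone, ns_target), ...], "no_ns": [zone, ...]}.
    "stale" lists NS records naming a host that is no longer a DC.
    "no_ns" lists zones that would have no NS record left once the
    stale ones are deleted, i.e. the state that makes named refuse
    to load the zone.
    """
    live = {_canon(h) for h in live_dcs}
    findings = {"stale": [], "no_ns": []}
    for zone, text in zones.items():
        apex_ns = [_canon(rdata) for owner, rtype, rdata in parse_records(text)
                   if owner == "@" and rtype == "NS"]
        stale = [t for t in apex_ns if t not in live]
        findings["stale"].extend((zone, t) for t in stale)
        if len(apex_ns) - len(stale) == 0:
            findings["no_ns"].append(zone)
    return findings


def suggested_commands(findings, dns_server, live_dcs):
    """Build the samba-tool lines to run before deleting stale records:
    add an NS for a live DC wherever the zone would otherwise be left
    without one. Same command shape the post used to recover."""
    cmds = []
    for zone in findings["no_ns"]:
        for dc in sorted(live_dcs):
            cmds.append(f"samba-tool dns add {dns_server} {zone} @ NS {dc} -Uadministrator")
    return cmds


if __name__ == "__main__":
    result = audit_ns_records(SAMPLE_ZONES, LIVE_DCS)
    for zone, target in result["stale"]:
        print(f"stale NS in {zone}: {target} is not a live DC")
    for zone in result["no_ns"]:
        print(f"{zone}: deleting the stale NS would leave no NS record")
    for cmd in suggested_commands(result, "DC2", LIVE_DCS):
        print("run first:", cmd)
```

Running it on the sample data reports DC1 as a stale NS target in both zones and singles out _msdcs.samdom.samba.org as the zone that must get an NS for DC2 before the DC1 record is removed; the main zone is fine because its second NS already names DC2.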

