[Samba] DC replacement and DNS issue

L.P.H. van Belle belle at bazuin.nl
Fri Oct 23 12:17:03 UTC 2015


Hi, 

If you just upgraded / changed the Samba servers, then most probably replication is in progress... 

Depending on the number of objects this can take some time, so don't be too quick with checking. 

So take some time and wait... get coffee (maybe beer)  ;-) 
Get this script, if needed change it and run it: 

https://secure.bazuin.nl/scripts/samba-check-db-repl.sh 
It checks up to 10 domain controllers for database replication. 
It explains itself. 

And for the needed dns records, see my previous mail.  ;-) 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> Sent: Friday 23 October 2015 14:03
> To: samba
> Subject: [Samba] DC replacement and DNS issue
> 
> Hi all,
> 
> I posted on both mailing lists as this seems to be (to me) an internal issue.
> 
> As 4.3.1 went out I decided to switch my DCs from 4.3.0 to this new
> version.
> 
> The process was to install Samba 4.3.1 on new systems, join these Samba
> servers as DCs, seize the FSMO roles, and demote all 4.3.0 DCs.
> 
> The few things I tested so far are working except for DNS entries:
> samba_dnsupdate is not working as it tries to update the DNS zone on a removed
> DC.
> 
> This is the beginning of the samba_dnsupdate result. This was run on the 7 FSMO
> owner.
> This new FSMO owner is m700 with IP set to 10.156.248.216.
> The old FSMO owner is m707 with IP set to 10.156.248.238; this one was
> running 4.3.0.
> 
> --------------------------------------------------------------------------------
> ldbsearch -H $sam -b 'OU=Domain controllers,DC=AD,DC=DOMAIN,DC=TLD' '(objectclass=computer)' dn
> # record 1
> dn: CN=M700,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
> 
> # record 2
> dn: CN=M701,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
> 
> # record 3
> dn: CN=M702,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
> 
> # returned 3 records
> # 3 entries
> # 0 referrals
> --------------------------------------------------------------------------------
> shows only the 3 DCs using 4.3.1.
> 
> All the FSMO roles are owned by m700.
> --------------------------------------------------------------------------------
> samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=ad,DC=domain,DC=tld
> --------------------------------------------------------------------------------
> 
> 
> --------------------------------------------------------------------------------
> samba_dnsupdate --all-names  --verbose --all-interfaces
> IPs: ['10.156.248.216']
> Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> m700.ad.domain.tld. 900 IN  A       10.156.248.216
> 
> ; Communication with 10.156.248.238#53 failed: operation canceled
> could not talk to any default name server
> Failed nsupdate: 1
> Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> ad.domain.tld. 900  IN      A       10.156.248.216
> .....
> --------------------------------------------------------------------------------
> 
> As samba_dnsupdate shows, it tries to contact the old FSMO owner as it is
> declared as SOA for that AD DNS zone:
> --------------------------------------------------------------------------------
> host -t SOA ad.domain.tld
> ad.domain.tld has SOA record m707.ad.domain.tld. hostmaster.ad.domain.tld. 1 900 600 86400 3600
> --------------------------------------------------------------------------------
> 
> And this leads to:
> --------------------------------------------------------------------------------
> host -t SRV _ldap._tcp.gc._msdcs.ad.domain.tld
> _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m709.ad.domain.tld.
> _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m700.ad.domain.tld.
> _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m708.ad.domain.tld.
> _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m707.ad.domain.tld.
> --------------------------------------------------------------------------------
> 
> m707, m708 and m709 are removed DCs.
> m700, m701 and m702 are new DCs.
> 
> So during demote no DC was removed from the DNS zone, at least for that
> specific record.
> During join only one DC was added; perhaps it was during seizing, no real
> idea as I trusted Samba to perform the relevant changes in the DNS zone.
> During FSMO seizing the SOA was not changed.
> 
> I tried to use samba-tool dns update to modify the SOA but without success, so I
> used RSAT.
> I did update the SOA for both zones AD.DOMAIN.TLD and _msdcs.AD.DOMAIN.TLD.
> 
> samba_dnsupdate was not working really better after that; it stopped
> showing lines like this:
> ; Communication with 10.156.248.238#53 failed: operation canceled
> but that is the only relevant change I saw (note: I'm ill today so I may
> easily have been lacking attention).
> 
> Still using RSAT I manually removed all entries I spotted regarding all 3
> old DCs.
> 
> Now on the FSMO owner, running samba_dnsupdate without options gives no errors.
> With --all-names I got these two errors:
> couldn't get address for 'm707.ad.domain.tld': not found (10 times)
> ; TSIG error with server: tsig verify failure (17 times)
> 
> and finished with:
> Failed update of 27 entries
> 
> On the two other DCs:
>  samba_dnsupdate
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> Failed update of 8 entries
> 
> Finally, as adding --verbose shows which entry this tool was supposed to add,
> I wrote an awk script to extract that information and re-run the "samba-tool
> dns add" command.
> 
> Perhaps it is because I performed this update on the FSMO owner rather than
> on the current DC (using <server> from the help equal to the FSMO owner name) that all
> the missing ones were added.
> 
> Attached is the awk script I used to solve that. To run it:
> samba_dnsupdate --verbose | awk -f dnsupdate.awk
> 
> What all that shows is that there are still some real issues with DNS entries.
> 
> I'll try to get time to retry the whole process soon: creating a domain
> with several DCs with 4.3.0, adding DCs using 4.3.1, removing all DCs using
> 4.3.0 after seizing FSMO roles.
> 
> Hoping I was clear enough...
> 
> Best regards,
> 
> mathias
> --
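The two manual checks in the quoted post (comparing the SRV targets and the SOA primary returned by `host` against the DC list from `ldbsearch`, and turning the `Calling nsupdate for ...` lines of `samba_dnsupdate --verbose` into `samba-tool dns add` commands) can be scripted. The following Python is an added example, not code from the thread and not the awk script attached to the original mail. Its sample outputs are constructed to mirror the thread; the SRV line shape of samba_dnsupdate (`SRV <name> <target> <port>`), the fixed SRV priority/weight `0 100`, the zone list and the hostnames/IPs are assumptions.

```python
"""Post-demote AD DNS audit (added example; sample outputs are constructed)."""
import re

# Constructed samples modelled on the thread; names and IPs are placeholders.
LDBSEARCH_OUT = """\
dn: CN=M700,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

dn: CN=M701,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

dn: CN=M702,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

# returned 3 records
"""

HOST_SRV_OUT = """\
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m709.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m700.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m708.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m707.ad.domain.tld.
"""

HOST_SOA_OUT = (
    "ad.domain.tld has SOA record m707.ad.domain.tld. "
    "hostmaster.ad.domain.tld. 1 900 600 86400 3600\n"
)

# The A-record line shape is as shown in the thread; the SRV line shape
# ("SRV <name> <target> <port>") is an assumption.
DNSUPDATE_OUT = """\
IPs: ['10.156.248.216']
Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
Outgoing update query:
Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
Calling nsupdate for SRV _ldap._tcp.ad.domain.tld m700.ad.domain.tld 389 (add)
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.ad.domain.tld m700.ad.domain.tld 3268 (add)
"""

ZONES = ["ad.domain.tld", "_msdcs.ad.domain.tld"]  # assumed zone names

DC_RE = re.compile(r"^dn: CN=([^,]+),OU=Domain Controllers,", re.I | re.M)
SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)\.$", re.M)
SOA_RE = re.compile(r"^(\S+) has SOA record (\S+)\. ", re.M)
CALL_RE = re.compile(
    r"^Calling nsupdate for (A|AAAA|SRV|CNAME|NS) (\S+) (.+?) \((add|delete)\)$", re.M
)


def short_host(fqdn):
    """Lower-case first label of a host name, trailing dot dropped."""
    return fqdn.rstrip(".").split(".")[0].lower()


def current_dcs(ldbsearch_out):
    """Set of DC short names still present under OU=Domain Controllers."""
    return {name.lower() for name in DC_RE.findall(ldbsearch_out)}


def stale_srv_targets(host_out, dcs):
    """SRV (name, target) pairs whose target is not a current DC."""
    return [(name, target)
            for name, _prio, _weight, _port, target in SRV_RE.findall(host_out)
            if short_host(target) not in dcs]


def stale_soa(host_out, dcs):
    """(zone, mname) pairs whose SOA primary is not a current DC."""
    return [(zone, mname) for zone, mname in SOA_RE.findall(host_out)
            if short_host(mname) not in dcs]


def relative_name(fqdn, zones):
    """Split an FQDN into (zone, relative name); the longest matching zone wins."""
    zone = max((z for z in zones if fqdn == z or fqdn.endswith("." + z)),
               key=len, default=None)
    if zone is None:
        raise ValueError(f"{fqdn} is not inside any known zone")
    return zone, fqdn[:-len(zone)].rstrip(".") or "@"


def dns_add_commands(dnsupdate_out, server, zones):
    """Rewrite 'Calling nsupdate ... (add)' lines as samba-tool dns add commands."""
    cmds = []
    for rtype, name, data, op in CALL_RE.findall(dnsupdate_out):
        if op != "add":
            continue
        zone, rel = relative_name(name, zones)
        if rtype == "SRV":
            target, port = data.split()
            data = f"{target} {port} 0 100"  # samba-tool SRV data: host port prio weight
        cmds.append(f'samba-tool dns add {server} {zone} {rel} {rtype} "{data}"')
    return cmds


if __name__ == "__main__":
    dcs = current_dcs(LDBSEARCH_OUT)
    print("current DCs:", sorted(dcs))
    for name, target in stale_srv_targets(HOST_SRV_OUT, dcs):
        print(f"stale SRV: {name} -> {target}")
    for zone, mname in stale_soa(HOST_SOA_OUT, dcs):
        print(f"stale SOA: {zone} primary is {mname}")
    for cmd in dns_add_commands(DNSUPDATE_OUT, "m700", ZONES):
        print(cmd)
```

Run against real output, `current_dcs` would take the text of the `ldbsearch` query shown above and the other two functions the text of `host -t SRV` / `host -t SOA`; anything they report as stale is a record that still points at a demoted DC and will keep dynamic updates (and clients following the SRV records) landing on a host that no longer answers. The generated `samba-tool dns add` lines are meant to be reviewed before they are run against the DC named in `server`.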