[Samba] DC replacement and DNS issue

mathias dufresne infractory at gmail.com
Mon Oct 26 11:23:44 UTC 2015


Hey,

Thank you Louis for this script, I haven't yet taken the time to dig in but I
will.
I haven't taken the time to perform another test either. That should be done
today.

Anyway, I waited for DC synchronisation before posting. I joined my DCs and
removed the old ones at almost the same time, then I gave my DCs more than 12
hours to synchronize. Then I tried to understand what happened, wrote the
script and posted that message, re-testing samba_dnsupdate again and again
during those hours (hours which took place after the 12 hours for synchronisation).

So I expect there is something wrong in 4.3.1's DNS entry creation/renaming.

And as I modified the SOA by hand using ADUC, and samba_dnsupdate was not
working to remove old entries (for the removed DCs) and was also not working to
add DNS entries for the new DCs, I expect the issue is in samba_dnsupdate (but I
could be completely wrong :)

Cheers,

mathias

2015-10-23 14:17 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:

> Hai,
>
> If you just upgraded / changed the Samba servers, then most probably
> replication is in progress.
>
> Depending on the number of objects this can take some time, so don't be too
> quick with checking.
>
> So take some time and wait... get coffee (maybe beer)  ;-)
> Get this script, change it if needed and run it:
>
> https://secure.bazuin.nl/scripts/samba-check-db-repl.sh
> It checks up to 10 domain controllers for database replication.
> It explains itself.
>
> And for the needed dns records, see my previous mail.  ;-)
>
>
> Greetz,
>
> Louis
>
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> > Sent: Friday 23 October 2015 14:03
> > To: samba
> > Subject: [Samba] DC replacement and DNS issue
> >
> > Hi all,
> >
> > I posted on both mailing lists as this seems to be (to me) an internal issue.
> >
> > As 4.3.1 came out, I decided to switch my DCs from 4.3.0 to this new
> > version.
> >
> > The process was to install Samba 4.3.1 on new systems, join these Samba
> > servers as DCs, seize the FSMO roles, and demote all 4.3.0 ones.
> >
> > The little I have tested so far is working, except for DNS entries:
> > samba_dnsupdate is not working as it tries to update the DNS zone on a removed
> > DC.
> >
> > This is the beginning of the samba_dnsupdate result. This was run on the
> > owner of the 7 FSMO roles.
> > This new FSMO owner is m700 with IP 10.156.248.216.
> > The old FSMO owner is m707 with IP 10.156.248.238; this one was
> > running 4.3.0.
> >
> >
> > ------------------------------------------------------------------------------
> > ldbsearch -H $sam -b 'OU=Domain controllers,DC=AD,DC=DOMAIN,DC=TLD' '(objectclass=computer)' dn
> > # record 1
> > dn: CN=M700,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
> >
> > # record 2
> > dn: CN=M701,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
> >
> > # record 3
> > dn: CN=M702,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
> >
> > # returned 3 records
> > # 3 entries
> > # 0 referrals
> >
> > ------------------------------------------------------------------------------
> > shows only the 3 DCs using 4.3.1.
> >
> > All the FSMO are owned by m700.
> >
> > ------------------------------------------------------------------------------
> > samba-tool fsmo show
> > SchemaMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> > InfrastructureMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> > RidAllocationMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> > PdcEmulationMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> > DomainNamingMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> > DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> > ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=ad,DC=domain,DC=tld
> >
> > ------------------------------------------------------------------------------
> >
> >
> >
> > ------------------------------------------------------------------------------
> > samba_dnsupdate --all-names  --verbose --all-interfaces
> > IPs: ['10.156.248.216']
> > Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
> > Outgoing update query:
> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> > ;; UPDATE SECTION:
> > m700.ad.domain.tld. 900 IN  A       10.156.248.216
> >
> > ; Communication with 10.156.248.238#53 failed: operation canceled
> > could not talk to any default name server
> > Failed nsupdate: 1
> > Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
> > Outgoing update query:
> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> > ;; UPDATE SECTION:
> > ad.domain.tld. 900  IN      A       10.156.248.216
> > .....
> >
> > ------------------------------------------------------------------------------
> >
> > As samba_dnsupdate shows, it tries to contact the old FSMO owner as it is
> > declared as the SOA for that AD DNS zone:
> >
> > ------------------------------------------------------------------------------
> > host -t SOA ad.domain.tld
> > ad.domain.tld has SOA record m707.ad.domain.tld. hostmaster.ad.domain.tld. 1 900 600 86400 3600
> >
> > ------------------------------------------------------------------------------
> >
> > And this leads to:
> >
> > ------------------------------------------------------------------------------
> > host -t SRV _ldap._tcp.gc._msdcs.ad.domain.tld
> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m709.ad.domain.tld.
> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m700.ad.domain.tld.
> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m708.ad.domain.tld.
> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m707.ad.domain.tld.
> >
> > ------------------------------------------------------------------------------
> >
> > m707, m708 and m709 are removed DCs.
> > m700, m701 and m702 are new DCs.
> >
> > So during the demote no DC was removed from the DNS zone, at least for that
> > specific record.
> > During the join only one DC was added; perhaps it was during seizing, I have
> > no real idea as I trusted Samba to perform the relevant changes to the DNS zone.
> > During FSMO seizing the SOA was not changed.
> >
> > I tried to use samba-tool dns update to modify the SOA but without success,
> > so I used RSAT.
> > I did update the SOA for both zones AD.DOMAIN.TLD and _msdcs.AD.DOMAIN.TLD.
> >
> > samba_dnsupdate was not working much better after that; it stopped
> > showing lines like this:
> > ; Communication with 10.156.248.238#53 failed: operation canceled
> > but that is the only relevant change I saw (note: I'm ill today so I could
> > easily have been lacking attention).
> >
> > Still using RSAT, I manually removed all entries I spotted regarding all 3
> > old DCs.
> >
> > Now on the FSMO owner, running samba_dnsupdate without options gives no errors.
> > With --all-names I got these two errors:
> > couldn't get address for 'm707.ad.domain.tld': not found (10 times)
> > ; TSIG error with server: tsig verify failure (17 times)
> >
> > and finished with:
> > Failed update of 27 entries
> >
> > On the two other DCs:
> >  samba_dnsupdate
> > response to GSS-TSIG query was unsuccessful
> > response to GSS-TSIG query was unsuccessful
> > response to GSS-TSIG query was unsuccessful
> > response to GSS-TSIG query was unsuccessful
> > response to GSS-TSIG query was unsuccessful
> > response to GSS-TSIG query was unsuccessful
> > response to GSS-TSIG query was unsuccessful
> > response to GSS-TSIG query was unsuccessful
> > Failed update of 8 entries
> >
> > Finally, as adding --verbose shows which entry this tool was supposed to
> > add, I wrote an awk script to extract that information and re-run the
> > "samba-tool dns add" command.
> >
> > Perhaps it is because I performed this update on the FSMO owner rather
> > than on the current DC (using <server> from the help equal to the FSMO owner
> > name) that all the missing ones were added.
> >
> > Attached is the awk script I used to solve that. To run it:
> > samba_dnsupdate --verbose | awk -f dnsupdate.awk
> >
> > What all that shows is that there are still some real issues with DNS entries.
> >
> > I'll try to get time to retry the whole process soon: creating a domain
> > with several DCs on 4.3.0, adding DCs using 4.3.1, removing all DCs using
> > 4.3.0 after seizing the FSMO roles.
> >
> > Hoping I was clear enough...
> >
> > Best regards,
> >
> > mathias
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
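A check for the situation the thread describes (SOA and SRV records that still name demoted DCs), written as an added example and not part of any post in this thread: it takes the `ldbsearch` listing of the Domain Controllers OU and the `host` answers in the shape quoted above (constructed copies embedded inline) and flags every target that is not a current DC.

```python
import re

# Constructed samples in the shape the thread quotes: the DC list from
# ldbsearch on the new FSMO owner, and the host(1) answers for SOA and SRV.
LDBSEARCH_OUT = """# record 1
dn: CN=M700,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

# record 2
dn: CN=M701,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

# record 3
dn: CN=M702,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
"""
HOST_OUT = """ad.domain.tld has SOA record m707.ad.domain.tld. hostmaster.ad.domain.tld. 1 900 600 86400 3600
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m709.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m700.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m708.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m707.ad.domain.tld.
"""

DN_RE = re.compile(r"^dn: CN=([^,]+),OU=Domain Controllers,", re.M | re.I)
SOA_RE = re.compile(r"^(\S+) has SOA record (\S+)\.", re.M)
SRV_RE = re.compile(r"^(\S+) has SRV record \d+ \d+ \d+ (\S+)\.", re.M)


def current_dcs(ldb_out):
    """Short host names of the DCs still present in the directory, lower-cased."""
    return {m.group(1).lower() for m in DN_RE.finditer(ldb_out)}


def stale_targets(host_out, dcs, domain):
    """(record name, type, target) for every SOA/SRV target that is not a current DC."""
    suffix = "." + domain.lower()
    stale = []
    for rtype, rx in (("SOA", SOA_RE), ("SRV", SRV_RE)):
        for m in rx.finditer(host_out):
            name, target = m.group(1), m.group(2).lower()
            short = target[:-len(suffix)] if target.endswith(suffix) else target
            if short not in dcs:
                stale.append((name, rtype, target))
    return stale


if __name__ == "__main__":
    dcs = current_dcs(LDBSEARCH_OUT)
    for name, rtype, target in stale_targets(HOST_OUT, dcs, "ad.domain.tld"):
        print(f"{rtype:4}{name} -> {target} (not a current DC)")
```

A stale SOA target is the one samba_dnsupdate will try to send its updates to, so it is the first record to correct; stale SRV targets are what clients will keep being referred to.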


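The post-processing step mathias describes (turning `samba_dnsupdate --verbose` output into `samba-tool dns add` commands), as an added Python example and not his attached awk script, which is not on the page. It assumes the two zones named in the thread, the line shape quoted above for A records plus an analogous `SRV name target port` shape for SRV records, and the `samba-tool dns add` SRV data format `'target port priority weight'`.

```python
import re
import shlex

# Constructed sample of `samba_dnsupdate --verbose` output. The A lines follow
# the shape quoted in the thread; the SRV and CNAME line shapes are assumed,
# and the GUID is a made-up placeholder.
VERBOSE_OUT = """IPs: ['10.156.248.216']
Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.ad.domain.tld m700.ad.domain.tld 3268 (add)
Calling nsupdate for CNAME 00000000-1111-2222-3333-444444444444._msdcs.ad.domain.tld m700.ad.domain.tld (add)
"""

# The two AD DNS zones named in the thread, most specific first so that
# _msdcs records land in the _msdcs zone rather than in the parent zone.
ZONES = ("_msdcs.ad.domain.tld", "ad.domain.tld")
LINE_RE = re.compile(
    r"^Calling nsupdate for (A|AAAA|SRV|CNAME|NS) (\S+) (.+?) \((add|delete)\)$", re.M)


def split_name(fqdn, zones=ZONES):
    """Return (zone, name relative to the zone); '@' is assumed to denote the apex."""
    for zone in zones:
        if fqdn == zone:
            return zone, "@"
        if fqdn.endswith("." + zone):
            return zone, fqdn[:-len(zone) - 1]
    raise ValueError(f"{fqdn} is not inside a known zone")


def samba_tool_cmds(verbose_out, server):
    """One `samba-tool dns add` command per record samba_dnsupdate wanted to add."""
    cmds = []
    for rtype, fqdn, rest, op in LINE_RE.findall(verbose_out):
        if op != "add":  # deletions would need `samba-tool dns delete`; skipped here
            continue
        zone, name = split_name(fqdn)
        if rtype == "SRV":
            target, port = rest.split()
            # priority 0 / weight 100 match the SRV answers quoted in the thread
            data = f"{target} {port} 0 100"
        else:
            data = rest
        cmds.append(" ".join(["samba-tool", "dns", "add", server, zone, name, rtype, shlex.quote(data)]))
    return cmds


if __name__ == "__main__":
    print("\n".join(samba_tool_cmds(VERBOSE_OUT, "m700")))
```

Feed it the real output with `samba_dnsupdate --verbose | python3 this_script.py` after replacing the constructed sample with `sys.stdin.read()`, and review the generated commands before running them against the current DC.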