Samba4 BDC with Samba4 PDC

Mike Howard mike at dewberryfields.co.uk
Wed Jun 6 12:16:54 MDT 2012


On 05/06/2012 21:39, Daniele Dario wrote:
> On Tue, 2012-06-05 at 13:20 +0100, Mike Howard wrote:
>> On 04/06/2012 19:44, Christian Huldt wrote:
>>> Hi Mike
>>>
>>> On 2012-06-04 09:44, Mike Howard wrote:
>>>> I'll start again today and report all steps and outputs up to the
>>>> point of failure. I know there are others (thread Re: redundant DNS
>>>> setup with bind_dlz possible ?) who are trying to get a similar setup
>>>> so maybe we can get there in the end.
>>>>
>>>> Btw, I did try without a samba DNS backend but, as you implied, it
>>>> was not good.
>>> I have an alpha17 installation that I'm going to upgrade and add a
>>> bdc, so your notes to the mailing list are most appreciated. The
>>> alpha17 installation never got automatic dns updates working...
>>>
>> Hi Christian,
>>
>> In a simple domain environment with a single PDC the 'automatic dns
>> updates' seems to work fine for MS Windows clients when using the
>> default 'BIND9_DLZ' backend. For linux clients, an external script
>> 'hooked' to the dhcp server is the way to go. All works well here.
>>
>> Using the 'SAMBA_INTERNAL' as the backend, automatic updates work for
>> linux and Windows clients out of the box, even devices such as printers
>> and my Sonos music system components get updated, which is great. I did
>> struggle with 'SAMBA_INTERNAL' though, it kept dying, for no apparent
>> reason and frequently, only rebooting would get it back up, so I went
>> back to using BIND9_DLZ.
>>
>> From the BDC point of view, still no joy for me, though I am going to
>> try again today. Here is what I tried yesterday (apologies to all for the
>> length);
>>
>>    1. Have a working Samba4 as the PDC running Bind9.9 and Samba4
>> provisioned with BIND9_DLZ.
>>
>>    2. A fresh Samba4 install on a potential BDC, has Bind9.9 and Samba4
>> but bind not yet running.
>>
>>    3. BDC has a krb5.conf from one of my linux clients, no smb.conf and
>> resolv.conf pointing to PDC as the nameserver.
>>
>>    4. On the BDC successfully ran;
>>       kinit Administrator@mydomain.CO.UK
>>       Password for Administrator@MYDOMAIN.CO.UK:
>>
>>    5. On the BDC successfully joined the domain with the following
>> command and output;
>>       samba-tool domain join mydomain.co.uk DC -UAdministrator
>> --realm=mydomain.co.uk
>> Finding a writeable DC for domain 'mydomain.co.uk'
>> Found DC ns.mydomain.co.uk
>> Password for [WORKGROUP\Administrator]:
>> workgroup is MYDOMAIN
>> realm is mydomain.co.uk
>> checking sAMAccountName
>> Adding CN=SHEEVA,OU=Domain Controllers,DC=mydomain,DC=co,DC=uk
>> Adding
>> CN=SHEEVA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> Adding CN=NTDS
>> Settings,CN=SHEEVA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> Adding SPNs to CN=SHEEVA,OU=Domain Controllers,DC=mydomain,DC=co,DC=uk
>> Setting account password for SHEEVA$
>> Enabling account
>> Calling bare provision
>> No IPv6 address will be assigned
>> Provision OK for domain DN DC=mydomain,DC=co,DC=uk
>> Starting replication
>> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk]
>> objects[402/1550] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk]
>> objects[804/1550] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk]
>> objects[1206/1550] linked_values[0/0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk]
>> objects[1550/1550] linked_values[0/0]
>> Analyze and apply schema objects
>> Partition[CN=Configuration,DC=mydomain,DC=co,DC=uk] objects[402/1614]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=mydomain,DC=co,DC=uk] objects[804/1614]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=mydomain,DC=co,DC=uk] objects[1206/1614]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=mydomain,DC=co,DC=uk] objects[1608/1614]
>> linked_values[0/0]
>> Partition[CN=Configuration,DC=mydomain,DC=co,DC=uk] objects[1614/1614]
>> linked_values[26/0]
>> Replicating critical objects from the base DN of the domain
>> Partition[DC=mydomain,DC=co,DC=uk] objects[98/98] linked_values[24/0]
>> Partition[DC=mydomain,DC=co,DC=uk] objects[330/232] linked_values[32/0]
>> Committing SAM database
>> Sending DsReplicateUpdateRefs for all the partitions
>> Setting isSynchronized and dsServiceName
>> Setting up secrets database
>> Joined domain mydomain (SID S-1-5-21-2874647136-1364824720-2698236840)
>> as a DC
>>
>>    6. On BDC created smb.conf as per PDC except for;
>>       corrected netbios name
>>       added preferred master = no
>>       set log level to 3
>>
>>    7. On BDC started samba;
>>       samba
>>
>>    8. On BDC waited for logs to stop churning then stopped samba;
>>       killall samba
>>
>>    9. On BDC started samba;
>>       samba
>>
>> 10. On PDC ran;
>>       samba-tool drs kcc -Uadministrator
>> Password for [MYDOMAIN\administrator]:
>> Consistency check on ns.mydomain.co.uk successful.
>>
>> 11. On BDC ran;
>>       ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> "DC=mydomain,DC=co,DC=uk" "(objectClass=dnsZone)"
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> # record 1
>> dn: DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsZone
>> cn: Zone
>> instanceType: 4
>> whenCreated: 20120528125235.0Z
>> whenChanged: 20120528125235.0Z
>> uSNCreated: 3312
>> uSNChanged: 3312
>> showInAdvancedViewOnly: TRUE
>> name: RootDNSServers
>> objectGUID: 08eb598c-3db2-4eeb-9416-2fb0abc138b8
>> objectCategory:
>> CN=Dns-Zone,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dNSProperty:: BAAAAAAAAAAAAAAAAQAAAAEAAAAAAAAAAAAAAA==
>> dNSProperty:: AQAAAAAAAAAAAAAAAQAAAAIAAAAAAAAAAA==
>> dNSProperty:: CAAAAAAAAAAAAAAAAQAAAAgAAAAAAAAAAAAAAAAAAAA=
>> dNSProperty:: BAAAAAAAAAAAAAAAAQAAABAAAAAAAAAAAAAAAA==
>> dNSProperty:: BAAAAAAAAAAAAAAAAQAAACAAAAAAAAAAAAAAAA==
>> dNSProperty:: BAAAAAAAAAAAAAAAAQAAAEAAAAAAAAAAAAAAAA==
>> dNSProperty:: BAAAAAAAAAAAAAAAAQAAABIAAAAAAAAAAAAAAA==
>> dc: RootDNSServers
>> distinguishedName:
>> DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # Referral
>> ref: ldap://mydomain.co.uk/CN=Configuration,DC=mydomain,DC=co,DC=uk
>>
>> # returned 2 records
>> # 1 entries
>> # 1 referrals
>> # Still on BDC
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> "DC=mydomain,DC=co,DC=uk" "(objectClass=dnsNode)"
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> # record 1
>> dn:
>> DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125238.0Z
>> whenChanged: 20120528125238.0Z
>> uSNCreated: 3398
>> uSNChanged: 3398
>> showInAdvancedViewOnly: TRUE
>> name: a.root-servers.net
>> objectGUID: 583c756c-c933-4b27-b421-0b214604c733
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAxikABA==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: a.root-servers.net
>> distinguishedName:
>> DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 2
>> dn:
>> DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125236.0Z
>> whenChanged: 20120528125236.0Z
>> uSNCreated: 3391
>> uSNChanged: 3391
>> showInAdvancedViewOnly: TRUE
>> name: b.root-servers.net
>> objectGUID: ae538c92-d71c-4c94-99ef-4c4980153175
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwORPyQ==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: b.root-servers.net
>> distinguishedName:
>> DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 3
>> dn:
>> DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125239.0Z
>> whenChanged: 20120528125239.0Z
>> uSNCreated: 3400
>> uSNChanged: 3400
>> showInAdvancedViewOnly: TRUE
>> name: c.root-servers.net
>> objectGUID: ed77344b-3e55-40f3-9234-c8439093a8b0
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwCEEDA==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: c.root-servers.net
>> distinguishedName:
>> DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 4
>> dn:
>> DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125238.0Z
>> whenChanged: 20120528125238.0Z
>> uSNCreated: 3396
>> uSNChanged: 3396
>> showInAdvancedViewOnly: TRUE
>> name: d.root-servers.net
>> objectGUID: c2ee7d3f-493d-4e1d-8d4f-5095660dbc0e
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAgAgKWg==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: d.root-servers.net
>> distinguishedName:
>> DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 5
>> dn:
>> DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125237.0Z
>> whenChanged: 20120528125237.0Z
>> uSNCreated: 3395
>> uSNChanged: 3395
>> showInAdvancedViewOnly: TRUE
>> name: e.root-servers.net
>> objectGUID: 0f009cc8-3fcd-47f6-8a3a-1297944413bd
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwMvmCg==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: e.root-servers.net
>> distinguishedName:
>> DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 6
>> dn:
>> DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125236.0Z
>> whenChanged: 20120528125236.0Z
>> uSNCreated: 3390
>> uSNChanged: 3390
>> showInAdvancedViewOnly: TRUE
>> name: f.root-servers.net
>> objectGUID: 5c713998-56d0-481f-87de-f4ef7b7948c0
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwAUF8Q==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: f.root-servers.net
>> distinguishedName:
>> DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 7
>> dn:
>> DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125238.0Z
>> whenChanged: 20120528125238.0Z
>> uSNCreated: 3399
>> uSNChanged: 3399
>> showInAdvancedViewOnly: TRUE
>> name: g.root-servers.net
>> objectGUID: a5c856c7-c175-413f-8b44-e7c7f83fe47d
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwHAkBA==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: g.root-servers.net
>> distinguishedName:
>> DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 8
>> dn:
>> DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125235.0Z
>> whenChanged: 20120528125235.0Z
>> uSNCreated: 3389
>> uSNChanged: 3389
>> showInAdvancedViewOnly: TRUE
>> name: h.root-servers.net
>> objectGUID: f1b41241-709e-43c0-a422-9650b17192c0
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAgD8CNQ==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: h.root-servers.net
>> distinguishedName:
>> DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 9
>> dn:
>> DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125237.0Z
>> whenChanged: 20120528125237.0Z
>> uSNCreated: 3394
>> uSNChanged: 3394
>> showInAdvancedViewOnly: TRUE
>> name: i.root-servers.net
>> objectGUID: 6a2916fa-2db3-45be-8af0-4e5cc93d4875
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwCSUEQ==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: i.root-servers.net
>> distinguishedName:
>> DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 10
>> dn:
>> DC=j.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125239.0Z
>> whenChanged: 20120528125239.0Z
>> uSNCreated: 3401
>> uSNChanged: 3401
>> showInAdvancedViewOnly: TRUE
>> name: j.root-servers.net
>> objectGUID: 8eca69f2-6abe-43bd-81f3-24abba8340ee
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwDqAHg==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: j.root-servers.net
>> distinguishedName:
>> DC=j.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 11
>> dn:
>> DC=k.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125238.0Z
>> whenChanged: 20120528125238.0Z
>> uSNCreated: 3397
>> uSNChanged: 3397
>> showInAdvancedViewOnly: TRUE
>> name: k.root-servers.net
>> objectGUID: db90a50c-d358-45b2-954b-a63845852cf6
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwQAOgQ==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: k.root-servers.net
>> distinguishedName:
>> DC=k.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 12
>> dn:
>> DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125237.0Z
>> whenChanged: 20120528125237.0Z
>> uSNCreated: 3393
>> uSNChanged: 3393
>> showInAdvancedViewOnly: TRUE
>> name: l.root-servers.net
>> objectGUID: bc7abdc3-f495-40ea-997b-94d98f6c54a3
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAxwdTKg==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: l.root-servers.net
>> distinguishedName:
>> DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 13
>> dn:
>> DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125236.0Z
>> whenChanged: 20120528125236.0Z
>> uSNCreated: 3392
>> uSNChanged: 3392
>> showInAdvancedViewOnly: TRUE
>> name: m.root-servers.net
>> objectGUID: 1c3ee104-cfc7-41e6-bea0-e52411a1343e
>> dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAygwbIQ==
>> objectCategory:
>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>> dc: m.root-servers.net
>> distinguishedName:
>> DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # record 14
>> dn: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20120528125235.0Z
>> whenChanged: 20120528125235.0Z
>> uSNCreated: 3388
>> uSNChanged: 3388
>> showInAdvancedViewOnly: TRUE
>> name: @
>> objectGUID: 9679d37a-19fe-495a-8678-b1f0792e4a51
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBaAxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBZgxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBYgxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBbQxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBbAxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBaQxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBZQxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBZAxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBawxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBYQxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBZwxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBYwxyb290LXNlcnZlcnMDbmV0AA==
>> dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBagxyb290LXNlcnZlcnMDbmV0AA==
>> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=co
>>    ,DC=uk
>> dc: @
>> distinguishedName:
>> DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=co,DC=uk
>>
>> # Referral
>> ref: ldap://mydomain.co.uk/CN=Configuration,DC=mydomain,DC=co,DC=uk
>>
>> # returned 15 records
>> # 14 entries
>> # 1 referrals
>>
>> 12. On PDC ran;
>>       samba-tool drs showrepl
>> Default-First-Site-Name\NS
>> DSA Options: 0x00000001
>> DSA object GUID: e4d9db40-494e-4d3a-9bb1-e49a1a039a68
>> DSA invocationId: 4d9f874b-965e-4e14-afe2-a440e106895e
>>
>> ==== INBOUND NEIGHBORS ====
>>
>> DC=mydomain,DC=co,DC=uk
>>           Default-First-Site-Name\SHEEVA via RPC
>>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
>>                   Last attempt @ Mon Jun  4 09:26:15 2012 BST failed,
>> result 2 (WERR_BADFILE)
>>                   5 consecutive failure(s).
>>                   Last success @ NTTIME(0)
>>
>> CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>>           Default-First-Site-Name\SHEEVA via RPC
>>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
>>                   Last attempt @ Mon Jun  4 09:26:16 2012 BST failed,
>> result 2 (WERR_BADFILE)
>>                   5 consecutive failure(s).
>>                   Last success @ NTTIME(0)
>>
>> CN=Configuration,DC=mydomain,DC=co,DC=uk
>>           Default-First-Site-Name\SHEEVA via RPC
>>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
>>                   Last attempt @ Mon Jun  4 09:26:16 2012 BST failed,
>> result 2 (WERR_BADFILE)
>>                   5 consecutive failure(s).
>>                   Last success @ NTTIME(0)
>>
>> ==== OUTBOUND NEIGHBORS ====
>>
>> DC=mydomain,DC=co,DC=uk
>>           Default-First-Site-Name\SHEEVA via RPC
>>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
>>                   Last attempt @ Mon Jun  4 09:29:22 2012 BST failed,
>> result 2 (WERR_BADFILE)
>>                   303 consecutive failure(s).
>>                   Last success @ NTTIME(0)
>>
>> CN=Schema,CN=Configuration,DC=mydomain,DC=co,DC=uk
>>           Default-First-Site-Name\SHEEVA via RPC
>>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
>>                   Last attempt @ Mon Jun  4 09:29:22 2012 BST failed,
>> result 2 (WERR_BADFILE)
>>                   302 consecutive failure(s).
>>                   Last success @ NTTIME(0)
>>
>> CN=Configuration,DC=mydomain,DC=co,DC=uk
>>           Default-First-Site-Name\SHEEVA via RPC
>>                   DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
>>                   Last attempt @ Mon Jun  4 09:29:23 2012 BST failed,
>> result 2 (WERR_BADFILE)
>>                   302 consecutive failure(s).
>>                   Last success @ NTTIME(0)
>>
>> ==== KCC CONNECTION OBJECTS ====
>>
>> Connection --
>>           Connection name: 9d6192cb-3382-42b7-be9a-6c1b1aaa00d9
>>           Enabled        : TRUE
>>           Server DNS name : ns.mydomain.co.uk
>>           Server DN name  : CN=NTDS
>> Settings,CN=SHEEVA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=co,DC=uk
>>                   TransportType: RPC
>>                   options: 0x00000001
>> Warning: No NC replicated for Connection!
>>
>> 13. On BDC ran;
>>       samba-tool drs showrepl
>> ldb_wrap open of secrets.ldb
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Using binding ncacn_ip_tcp:sheeva.dewberryfields.co.uk[,seal]
>> Server ldap/SHEEVA.DEWBERRYFIELDS.CO.UK@DEWBERRYFIELDS.CO.UK is not
>> registered with our KDC:  Miscellaneous failure (see text): Server
>> (ldap/SHEEVA.DEWBERRYFIELDS.CO.UK@DEWBERRYFIELDS.CO.UK) unknown
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
>> NT_STATUS_INVALID_PARAMETER
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898235
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088235
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088235
>> Server ldap/sheeva.dewberryfields.co.uk@DEWBERRYFIELDS.CO.UK is not
>> registered with our KDC:  Miscellaneous failure (see text): Server
>> (ldap/sheeva.dewberryfields.co.uk@DEWBERRYFIELDS.CO.UK) unknown
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
>> NT_STATUS_INVALID_PARAMETER
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898205
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088205
>> Default-First-Site-Name\SHEEVA
>> DSA Options: 0x00000001
>> DSA object GUID: 6250209e-3520-4b41-981f-e6e611599adf
>> DSA invocationId: 35659ded-1952-4064-b73d-d83f58f01be1
>>
>> ==== INBOUND NEIGHBORS ====
>>
>> CN=Configuration,DC=dewberryfields,DC=co,DC=uk
>>           Default-First-Site-Name\NS via RPC
>>                   DSA object GUID: e4d9db40-494e-4d3a-9bb1-e49a1a039a68
>>                   Last attempt @ Mon Jun  4 09:26:43 2012 BST failed,
>> result 2 (WERR_BADFILE)
>>                   6 consecutive failure(s).
>>                   Last success @ NTTIME(0)
>>
>> CN=Schema,CN=Configuration,DC=dewberryfields,DC=co,DC=uk
>>           Default-First-Site-Name\NS via RPC
>>                   DSA object GUID: e4d9db40-494e-4d3a-9bb1-e49a1a039a68
>>                   Last attempt @ Mon Jun  4 09:26:43 2012 BST failed,
>> result 2 (WERR_BADFILE)
>>                   6 consecutive failure(s).
>>                   Last success @ NTTIME(0)
>>
>> DC=dewberryfields,DC=co,DC=uk
>>           Default-First-Site-Name\NS via RPC
>>                   DSA object GUID: e4d9db40-494e-4d3a-9bb1-e49a1a039a68
>>                   Last attempt @ Mon Jun  4 09:26:44 2012 BST failed,
>> result 2 (WERR_BADFILE)
>>                   5 consecutive failure(s).
>>                   Last success @ NTTIME(0)
>>
>> ==== OUTBOUND NEIGHBORS ====
>>
>> ==== KCC CONNECTION OBJECTS ====
>>
>> Connection --
>>           Connection name: c5b916a7-3c82-410b-b3b8-e85233c1c27a
>>           Enabled        : TRUE
>>           Server DNS name : SHEEVA.dewberryfields.co.uk
>>           Server DN name  : CN=NTDS
>> Settings,CN=NS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dewberryfields,DC=co,DC=uk
>>                   TransportType: RPC
>>                   options: 0x00000001
>> Warning: No NC replicated for Connection!
>>
>> 14. On BDC ran;
>>       samba-tool dns query 127.0.0.1 dewberryfields.co.uk @ ALL
>> -UAdministrator
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Using binding ncacn_ip_tcp:127.0.0.1[,sign]
>> Cannot do GSSAPI to an IP address
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898215
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>> ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
>>     File
>> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
>> line 160, in _run
>>       return self.run(*args, **kwargs)
>>     File
>> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/dns.py", line
>> 967, in run
>>       None)
>>
>> 15. On BDC attempt to manually start replication (which ends with a
>> success message?);
>>       samba-tool drs replicate sheeva ns
>> DC=DomainDnsZones,DC=mydomain,DC=co,DC=uk -UAdministrator
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Using binding ncacn_ip_tcp:sheeva[,seal]
>> Password for [MYDOMAIN\Administrator]:
>> Server ldap/SHEEVA@MYDOMAIN.CO.UK is not registered with our KDC:
>> Miscellaneous failure (see text): Server (ldap/SHEEVA@MYDOMAIN.CO.UK)
>> unknown
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
>> NT_STATUS_INVALID_PARAMETER
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898235
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088235
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088235
>> Server ldap/sheeva@MYDOMAIN.CO.UK is not registered with our KDC:
>> Miscellaneous failure (see text): Server (ldap/sheeva@MYDOMAIN.CO.UK)
>> unknown
>> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
>> NT_STATUS_INVALID_PARAMETER
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898205
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088205
>> Replicate from ns to sheeva was successful.
>>
>> 16. On PDC (just for the halibut!), attempt to manually start
>> replication and ran;
>>       samba-tool drs replicate ns sheeva
>> DC=DomainDnsZones,DC=mydomain,DC=co,DC=uk -UAdministrator
>> Password for [MYDOMAIN\Administrator]:
>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>> drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>>     File
>> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line
>> 331, in run
>>       drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
>> source_dsa_guid, NC, req_options)
>>     File
>> "/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line
>> 83, in sendDsReplicaSync
>>       raise drsException("DsReplicaSync failed %s" % estr)
>>
>> 17. Finally (more in desperation than in hope) run samba_upgradedns;
>>       samba_upgradedns --verbose
>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>> params.c:pm_process() - Processing configuration file
>> "/usr/local/samba/etc/smb.conf"
>> Reading domain information
>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>> params.c:pm_process() - Processing configuration file
>> "/usr/local/samba/etc/smb.conf"
>> Looking up IPv4 addresses
>> IPv4 addresses: 192.168.1.98
>> Looking up IPv6 addresses
>> DNS accounts already exist
>> No zone file /usr/local/samba/private/dns/mydomain.co.uk.zone
>> DNS records will be automatically created
>> DNS partitions already exist
>> Updating msDS-hasMasterNCs and hasPartialReplicaNCs attributes
>> Traceback (most recent call last):
>>     File "/usr/local/samba/sbin/samba_upgradedns", line 420, in<module>
>>       ldbs.sam.modify(m)
>> _ldb.LdbError: (32, 'Unable to find GUID for DN
>> DC=ForestDnsZones,DC=mydomain,DC=co,DC=uk\n')
>>
>>
>> So, no dns folder created, no idea what's causing the. The output 'No
>> zone file /usr/local/samba/private/dns/mydomain.co.uk.zone' seems
>> strange to me as I'm not using flatfile zones but that could be a red
>> herring.
>>
>> At various stages of the above, bind dies on the PDC for some reason.
>>
>> Don't have any ideas as to where to go from here except to wait and
>> continue to pay Bill :)
>>
>> Cheers,
>> Mike.
>>
> Hi Mike,
> I've seen that in points 12 and 13 you have errors in replication of
> basic partitions:
> - DC=dewberryfields,DC=co,DC=uk
> - CN=Configuration,DC=dewberryfields,DC=co,DC=uk
> - CN=Schema,CN=Configuration,DC=dewberryfields,DC=co,DC=uk
>
> As said in other threads by Amitay and A. Bartlett, first thing to
> succeed is to have basic replication working.
>
> I've found that if I joined a samba4 AD DC and then demoted it, when I
> tried to re-join it there were issues related to some records which
> probably were not properly removed during demotion.
>
> To get replication correctly working I had to find them with ldbsearch
> and manually remove them. I don't remember which records I deleted but I
> followed this rule:
> - demote the BDC
> - search for BDC hostname in DomainDnsZones, ForestDnsZones and in
> sam.ldb without DN
>
> Once I removed all records related to the demoted BDC, I successfully
> joined it again and replication worked. This is what I can see from BDC
> side:
>
> [root@kdc02:~]# samba-tool drs showrepl
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:kdc02.saitelitalia.local[,seal]
> Default-First-Site-Name\KDC02
> DSA Options: 0x00000001
> DSA object GUID: 06f11708-b11c-4848-879d-565d72adfaf3
> DSA invocationId: 366cd42e-d507-4f35-a16b-24c38c901734
>
> ==== INBOUND NEIGHBORS ====
>
> DC=ForestDnsZones,DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ Tue Jun  5 22:04:55 2012 CEST was successful
> 		0 consecutive failure(s).
> 		Last success @ Tue Jun  5 22:04:55 2012 CEST
>
> DC=DomainDnsZones,DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ Tue Jun  5 22:04:55 2012 CEST was successful
> 		0 consecutive failure(s).
> 		Last success @ Tue Jun  5 22:04:55 2012 CEST
>
> DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ Tue Jun  5 22:04:56 2012 CEST was successful
> 		0 consecutive failure(s).
> 		Last success @ Tue Jun  5 22:04:56 2012 CEST
>
> CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ Tue Jun  5 22:04:56 2012 CEST was successful
> 		0 consecutive failure(s).
> 		Last success @ Tue Jun  5 22:04:56 2012 CEST
>
> CN=Configuration,DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ Tue Jun  5 22:04:57 2012 CEST was successful
> 		0 consecutive failure(s).
> 		Last success @ Tue Jun  5 22:04:57 2012 CEST
>
> ==== OUTBOUND NEIGHBORS ====
>
> DC=ForestDnsZones,DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ NTTIME(0) was successful
> 		0 consecutive failure(s).
> 		Last success @ NTTIME(0)
>
> DC=DomainDnsZones,DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ NTTIME(0) was successful
> 		0 consecutive failure(s).
> 		Last success @ NTTIME(0)
>
> DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ NTTIME(0) was successful
> 		0 consecutive failure(s).
> 		Last success @ NTTIME(0)
>
> CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ NTTIME(0) was successful
> 		0 consecutive failure(s).
> 		Last success @ NTTIME(0)
>
> CN=Configuration,DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ NTTIME(0) was successful
> 		0 consecutive failure(s).
> 		Last success @ NTTIME(0)
>
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
> 	Connection name: bf1d8327-c3f5-42f7-b7bf-914e66c04f04
> 	Enabled        : TRUE
> 	Server DNS name : KDC02.saitelitalia.local
> 	Server DN name  : CN=NTDS
> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> 		TransportType: RPC
> 		options: 0x00000001
> Warning: No NC replicated for Connection!
>
> As you said, even restarting samba more than once (for me both PDC and
> BDC), replication does not start automatically for DNS partitions.
> I started it manually using samba-tool drs replicate as you did.
>
> The idea for me was to start replication from PDC both for
> DomainDnsZones and ForestDnsZones and wait until drs showrepl said that
> replication in that direction was good (I waited for half an hour to
> allow replication to be completed and recalled some times). Then I
> started replication from BDC to PDC.
>
> As you can see from the logs above DNS partitions are correctly
> replicated.
>
> At this point, using samba_upgradedns will be able to create the
> private/dns partition and once got it bind will start without problems.
>
> A query on the forward zone to the PDC DNS:
>
> [root at kdc02:~]# samba-tool dns query kdc01 saitelitalia.local @ ALL -U
> administrator
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:kdc01[,sign]
> Password for [SAITELITALIA\administrator]:
>    Name=, Records=5, Children=0
>      NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
>      A: 192.168.12.5 (flags=600000f0, serial=1, ttl=900)
>      A: 192.168.12.2 (flags=600000f0, serial=254, ttl=900)
>      NS: kdc02.saitelitalia.local. (flags=600000f0, serial=297, ttl=900)
>      SOA: serial=356, refresh=900, retry=600, expire=86400,
> ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
> (flags=600000f0, serial=355, ttl=3600)
>    Name=_msdcs, Records=0, Children=0
>    Name=_sites, Records=0, Children=1
>    Name=_tcp, Records=0, Children=4
>    Name=_udp, Records=0, Children=2
>    Name=activity, Records=1, Children=0
>      A: 192.168.12.12 (flags=f0, serial=356, ttl=1200)
>    Name=alaska, Records=1, Children=0
>      A: 192.168.12.157 (flags=f0, serial=136, ttl=0)
>    Name=amm01, Records=1, Children=0
>      A: 192.168.12.57 (flags=f0, serial=356, ttl=1200)
>    Name=amm02, Records=1, Children=0
>      A: 192.168.12.58 (flags=f0, serial=356, ttl=1200)
>    Name=antoniodm, Records=1, Children=0
>      A: 192.168.12.209 (flags=f0, serial=356, ttl=1200)
>    Name=DomainDnsZones, Records=0, Children=2
>    Name=filesrv01, Records=1, Children=0
>      A: 192.168.12.6 (flags=f0, serial=304, ttl=900)
>    Name=ForestDnsZones, Records=0, Children=2
>    Name=kdc01, Records=1, Children=0
>      A: 192.168.12.5 (flags=f0, serial=300, ttl=900)
>    Name=kdc02, Records=1, Children=0
>      A: 192.168.12.2 (flags=f0, serial=302, ttl=900)
>    ...
>
> Same query on BDC DNS:
>
> [root at kdc02:~]# samba-tool dns query kdc02 saitelitalia.local @ ALL -U
> administrator
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:kdc02[,sign]
> Password for [SAITELITALIA\administrator]:
>    Name=, Records=5, Children=0
>      NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
>      A: 192.168.12.5 (flags=600000f0, serial=1, ttl=900)
>      A: 192.168.12.2 (flags=600000f0, serial=254, ttl=900)
>      NS: kdc02.saitelitalia.local. (flags=600000f0, serial=297, ttl=900)
>      SOA: serial=356, refresh=900, retry=600, expire=86400,
> ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
> (flags=600000f0, serial=355, ttl=3600)
>    Name=_msdcs, Records=0, Children=0
>    Name=_sites, Records=0, Children=1
>    Name=_tcp, Records=0, Children=4
>    Name=_udp, Records=0, Children=2
>    Name=activity, Records=1, Children=0
>      A: 192.168.12.12 (flags=f0, serial=356, ttl=1200)
>    Name=alaska, Records=0, Children=0
>    Name=amm01, Records=1, Children=0
>      A: 192.168.12.57 (flags=f0, serial=356, ttl=1200)
>    Name=amm02, Records=1, Children=0
>      A: 192.168.12.58 (flags=f0, serial=356, ttl=1200)
>    Name=antoniodm, Records=1, Children=0
>      A: 192.168.12.209 (flags=f0, serial=356, ttl=1200)
>    Name=DomainDnsZones, Records=0, Children=2
>    Name=filesrv01, Records=1, Children=0
>      A: 192.168.12.6 (flags=f0, serial=304, ttl=900)
>    Name=ForestDnsZones, Records=0, Children=2
>    Name=kdc01, Records=1, Children=0
>      A: 192.168.12.5 (flags=f0, serial=300, ttl=900)
>    Name=kdc02, Records=1, Children=0
>      A: 192.168.12.2 (flags=f0, serial=302, ttl=900)
>    ...
>
> At this point I found these problems:
>       1. To be able to join to the domain, resolv.conf first nameserver
>          has to be the PDC. Now, if you change the order adding as first BDC
>          itself, samba_dnsupdate will fail because DNS zones replication
>          has issues (on BDC I have only partial replica not full don't
>          know why) and we are not able to update the records directly.
>       2. As you can see, some records in the zone on BDC are not
>          complete: (alaska is missing the contents). I've seen that
>          records which are updated on PDC will be fully replicated to BDC
>          but the others will be created but not replicated.
>       3. Adding all records which are not present on BDC (using
>          samba_dnsupdate with resolv.conf with BDC as first nameserver I
>          found missing records), if I stop PDC, users are still able to
>          log in to the domain, use network shares and so on. The problem
>          is that all clients which try to update DNS zones won't be able
>          to do that.
>
> I've also seen that you mentioned something for linux DHCP clients to be
> able to update their records on DNS zones. Can you please point me to
> the right way to do that?
>
> I hope this helps you to go on and please tell me if for you some issues
> I've found are solved.
>
> Regards,
> Daniele.
>
>
Hi Daniele,

Thanks for your input, I'll certainly study the above and try running 
through it.

I'm currently running through another iteration (taking out specific 
hardware - just in case and also firewall considerations) of the process 
to see if that works for me.

With regards to linux clients updating dns when using the BIND9_DLZ 
backend, what I did was to create with samba_tool a reverse dns zone, 
create a user called 'dhcpduser' on windows, add that user to 
dnsadmins & dnsproxyupdate groups in windows (not sure if that was 
absolutely necessary) and used a script that I modified from here 
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/, 
to do the updates. I modified a combination of the blogger's original 
script and the updated script hosted there to provide TXT records too.

It works well for me. If you need specifics, let me know.

Cheers,
Mike.
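Daniele's showrepl listing above is healthy inbound but shows NTTIME(0) for every outbound partition. The following is an added example, not code from either poster: a small checker that reads `samba-tool drs showrepl` output and flags partitions that have never replicated in a direction or carry consecutive failures. The sample DNs and timestamps are constructed; the layout follows showrepl.

```shell
# Added example, not from the thread: parse `samba-tool drs showrepl` output
# and report partitions that never replicated in a direction (Last success @
# NTTIME(0)) or that carry consecutive failures. DNs in the sample are made up.

# Reads showrepl text on stdin; prints "<DIRECTION> <partition DN> <reason>"
# per problem, nothing when every partition looks healthy.
check_showrepl() {
  awk '
    /^==== INBOUND NEIGHBORS/  { dir = "INBOUND";  next }
    /^==== OUTBOUND NEIGHBORS/ { dir = "OUTBOUND"; next }
    /^==== KCC CONNECTION/     { dir = "";         next }
    dir != "" && /^(DC|CN)=/   { nc = $0; next }
    dir != "" && /Last success @ NTTIME\(0\)/ {
      print dir, nc, "never-replicated"; next
    }
    dir != "" && /consecutive failure/ && $1 != "0" {
      print dir, nc, $1 "-consecutive-failures"; next
    }
  '
}

# Constructed sample in showrepl layout (real output indents with tabs): a
# healthy inbound partition, an inbound one with failures, and an outbound
# one that has never replicated, as seen on a freshly joined DC.
sample_showrepl() {
  printf '%s\n' \
    '==== INBOUND NEIGHBORS ====' \
    'DC=DomainDnsZones,DC=example,DC=test' \
    '    Default-First-Site-Name\DC1 via RPC' \
    '        Last attempt @ Tue Jun  5 22:04:55 2012 CEST was successful' \
    '        0 consecutive failure(s).' \
    '        Last success @ Tue Jun  5 22:04:55 2012 CEST' \
    'DC=example,DC=test' \
    '    Default-First-Site-Name\DC1 via RPC' \
    '        Last attempt @ Tue Jun  5 22:10:00 2012 CEST failed' \
    '        3 consecutive failure(s).' \
    '        Last success @ Tue Jun  5 21:00:00 2012 CEST' \
    '==== OUTBOUND NEIGHBORS ====' \
    'DC=DomainDnsZones,DC=example,DC=test' \
    '    Default-First-Site-Name\DC1 via RPC' \
    '        Last attempt @ NTTIME(0) was successful' \
    '        0 consecutive failure(s).' \
    '        Last success @ NTTIME(0)' \
    '==== KCC CONNECTION OBJECTS ===='
}

# With --live, check the local DC (stderr debug chatter is dropped).
if [ "${1:-}" = "--live" ]; then
  samba-tool drs showrepl 2>/dev/null | check_showrepl
fi
```

Run it on both DCs after a `samba-tool drs replicate`; a partition reported as never-replicated in the outbound direction is one whose changes have not yet reached the partner.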
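The dhcpd-hooked update Mike describes, as an added example that is neither his script nor the blog's: an ISC dhcpd event hook that pushes A and PTR records for a lease into the Samba (BIND9_DLZ) zones over GSS-TSIG, authenticating as the dhcpduser account from a keytab. DOMAIN, DNS_SERVER, KEYTAB, the dhcpd.conf fragment and MIT kinit are assumptions; adapt them to your site.

```shell
# Added example, not Mike's script or the blog's: an ISC dhcpd "on commit"
# hook that keeps A and PTR records in the Samba (BIND9_DLZ) zones in step
# with leases, authenticating as dhcpduser with GSS-TSIG (nsupdate -g).
# Assumed: DOMAIN, DNS_SERVER, KEYTAB, MIT kinit, and this dhcpd.conf fragment
# (an "on release" block would call the same script with "del"):
#   on commit {
#     set ip   = binary-to-ascii(10, 8, ".", leased-address);
#     set name = pick-first-value(option host-name, "unknown");
#     execute("/usr/local/sbin/dhcp-ddns.sh", "add", ip, name);
#   }
DOMAIN="example.test"                 # assumed AD DNS domain
DNS_SERVER="dc1.example.test"         # assumed DC running BIND9_DLZ
KEYTAB="/etc/dhcp/dhcpduser.keytab"   # assumed keytab for the dhcpduser account
TTL=3600

# 192.168.12.57 -> 57.12.168.192.in-addr.arpa
ptr_name() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Emit the nsupdate batch for one lease: $1 = add|del, $2 = IPv4, $3 = hostname.
# The DHCP host-name option is client-supplied, so anything but a plain label is
# refused before it reaches nsupdate. Forward and reverse zones need separate
# "send"s; existing records are deleted first so renewals do not pile up.
build_update() {
  case "$3" in
    ''|-*|*[!A-Za-z0-9-]*) echo "dhcp-ddns: refusing hostname '$3'" >&2; return 1 ;;
  esac
  fqdn="$(printf '%s' "$3" | tr 'A-Z' 'a-z').$DOMAIN"
  rev="$(ptr_name "$2")"
  printf 'server %s\n' "$DNS_SERVER"
  printf 'update delete %s A\n' "$fqdn"
  [ "$1" = "add" ] && printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$2"
  printf 'send\n'
  printf 'update delete %s PTR\n' "$rev"
  [ "$1" = "add" ] && printf 'update add %s %s PTR %s.\n' "$rev" "$TTL" "$fqdn"
  printf 'send\n'
}

# Entry point when dhcpd executes the hook: dhcp-ddns.sh add|del <ip> <hostname>
if [ $# -eq 3 ]; then
  export KRB5CCNAME="/run/dhcp-ddns.krb5cc"      # private ccache for this hook
  REALM="$(printf '%s' "$DOMAIN" | tr 'a-z' 'A-Z')"
  kinit -k -t "$KEYTAB" "dhcpduser@$REALM" || exit 1
  build_update "$1" "$2" "$3" | nsupdate -g
fi
```

The reverse zone must already exist on the DC (Mike created his with samba-tool), and the keytab account needs update rights on both zones, which is what the dnsadmins membership he mentions provides.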
