How to get DNS replication working properly?

Morten Kramer node1011 at googlemail.com
Mon Jun 25 03:03:19 MDT 2012


On 06/25/2012 01:01 AM, Andrew Bartlett wrote:
> On Sun, 2012-06-24 at 19:43 +0200, Morten Kramer wrote:
>> On 06/24/2012 04:07 PM, Morten Kramer wrote:
>>> On 06/24/2012 02:49 PM, Andrew Bartlett wrote:
>>>> On Sun, 2012-06-24 at 14:43 +0200, Morten Kramer wrote:
>>>>> On 06/24/2012 09:35 AM, Andrew Bartlett wrote:
>>>>>> On Fri, 2012-06-22 at 17:32 +0200, Morten Kramer wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>>
>>>>>>> I've been trying to get DNS replication to work for a few days now.
>>>>>>>
>>>>>>>
>>>>>>> What I've done:
>>>>>>> - Compile Samba (Beta1/Beta2/recent git pull) under Centos 6.2 x64
>>>>>>> Any help will be greatly appreciated!
>>>>>> Could you both please try
>>>>>>
>>>>>> git://git.samba.org/abartlet/samba.git fix-dns-replication
>>>>>>
>>>>>> If you start with that, for a new join, it should do the
>>>>>> replication of
>>>>>> the DNS partitions.  Otherwise, follow the steps you took.
>>>>>>
>>>>>> Please let me know if this works, so I can get this in to master to
>>>>>> assist others.
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
>>>>> I tried git clone git://git.samba.org/abartlet/samba.git
>>>>> fix-dns-replication
>>>>> But it looks like it's missing the netcmd/ subdirectory and e.g.
>>>>> domain.py you patched?
>>>> You need to check out the fix-dns-replication branch, eg
>>>>
>>>> cd fix-dns-replication
>>>> git checkout abartlet/fix-dns-replication -b fix-dns-replication
>>>> make
>>>>
>>>> Andrew Bartlett
>>>>
>>> Checked out the branch, it all compiled fine.
>>>
>>> Joined Samba to the Windows 2008R2 domain.
>>>
>>> I got a few of those:
>>>
>>> Schema update now failed: Invalid DN syntax
>>> Commit failed: Invalid DN syntax
>>> Failed to commit objects:
>>> WERR_DS_INTERNAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>>>
>>> After repadmin /kcc, replication succeeded.
>>>
>>> I ran samba_upgradedns with SAMBA_INTERNAL as backend.
>>> I started samba again, and then something scary happened:
>>>
>>> My win2k8 DC became unavailable, the Windows DNS server stopped
>>> working (connection timeout). All the .msc management tools were telling
>>> me that naming information is unavailable. I'm not sure if the whole
>>> DC failed, or just DNS?
>>>
>>> Since this is production, I quickly had to revert to the snapshot I took
>>> before the join.
>>>
>>> Any ideas?
>>>
>> Just trying again, this time with the DLZ plugin.
>>
>> Getting this error though:
>>
>> Jun 24 19:36:16 SambaDC named[1308]: samba_dlz: Failed to configure zone
>> '..TrustAnchors'
>> Jun 24 19:36:16 SambaDC named[1308]: loading configuration: empty label
>>
>> I'm assuming this is because of the '..' in the zone name?
>> Any idea how to fix this?
> If you look into source4/dns_server/dlz_samba.c you can change the error
> for that statement to a 'continue;' like the other tests above it.
>
>> Is this zone even required?
> I'm not sure, but can you work out how windows presents this zone?  If
> we learn that bind9 simply can't present the zone, we need to work out
> why (and if we can relax some rules in the named.conf) or skip them
> until we can get them to be loaded.
>
> Thanks,
>
> Andrew Bartlett
>


I ended up deleting the zone via samba-tool.

Afterwards, Bind started and samba_dnsupdate would find all entries in 
the local bind!

I'm not sure what exactly TrustAnchors does.
Seems to be about DNS security, (encrypted) dynamic updates?

It's located on the same level as the realm under Forward Lookup Zones 
and has the Type 'Active Directory-Integrated Primary' (same type as realm).

See http://technet.microsoft.com/en-us/library/ee649277%28WS.10%29.aspx


Even with the deleted zone, it would kind of work.


I still get

Schema update now failed: Invalid DN syntax
Commit failed: Invalid DN syntax
Failed to commit objects:
WERR_DS_INTERNAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE


And samba-tool drs showrepl tells me that Inbound Schema replication fails.


I prepared a client with the Samba IP as secondary DNS. I shut down the 
Windows DC. The user was still able to log in through Samba (after a 
while, since it first tried the primary, Windows, DNS).


Again, one weird thing happened to the Windows DC: after booting it up 
again, the Windows DNS would not come up. Only after I started the Samba 
DC did it almost magically come to life. Any idea what this is about?
Since I plan to discard the Windows DC as soon as Samba runs fine, this 
is probably nothing to worry about for me, but it's still weird.
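The message says only that `samba-tool drs showrepl` reports the inbound Schema replication as failing, without showing the report. What follows is an added example, not code from this thread or from the Samba project: a small parser for the showrepl report that lists every partition whose inbound neighbors show failures, so a replication-health check like this one can be scripted instead of read by eye. The sample report is constructed for this example and mirrors the layout the command prints on the Samba versions I know (an assumption, as is the result code shown in it); `check_live()` runs the real command and applies the same check.

```python
"""Flag failing replication partners in `samba-tool drs showrepl` output.

Added example, not part of the thread or of Samba. SAMPLE is a constructed
report whose layout is assumed to match what the command prints.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample, modelled on the thread: the domain partition replicates
# fine, the Schema partition fails inbound. GUIDs and result code are made up.
SAMPLE = """\
Default-First-Site-Name\\SAMBADC
DSA Options: 0x00000001
DSA object GUID: 11111111-2222-3333-4444-555555555555
DSA invocationId: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ====

DC=example,DC=test
\tDefault-First-Site-Name\\WINDC via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Mon Jun 25 02:55:01 2012 CEST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Mon Jun 25 02:55:01 2012 CEST

CN=Schema,CN=Configuration,DC=example,DC=test
\tDefault-First-Site-Name\\WINDC via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Mon Jun 25 02:55:02 2012 CEST failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)
\t\t7 consecutive failure(s).
\t\tLast success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=example,DC=test
\tDefault-First-Site-Name\\WINDC via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Mon Jun 25 02:56:00 2012 CEST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Mon Jun 25 02:56:00 2012 CEST

==== KCC CONNECTION OBJECTS ====
"""


@dataclass
class Neighbor:
    direction: str      # "inbound" or "outbound"
    partition: str      # naming context DN, e.g. CN=Schema,CN=Configuration,...
    partner: str        # site\\DC name of the replication partner
    failures: int = 0   # "N consecutive failure(s)."
    last_result: str = ""  # "was successful" or "failed, result ..."


def parse_showrepl(text):
    """Return one Neighbor per partner entry in the INBOUND/OUTBOUND sections."""
    neighbors, section, partition, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = re.match(r"==== (\w+) ", line)
        if header:                       # section change resets the context
            section, partition, cur = header.group(1), None, None
            continue
        if section not in ("INBOUND", "OUTBOUND"):
            continue                     # DSA preamble and KCC objects are skipped
        stripped = line.strip()
        if not raw[:1].isspace():        # unindented line: a partition DN
            partition = stripped
        elif " via " in stripped and partition:   # one-tab line: a partner
            cur = Neighbor(section.lower(), partition, stripped.split(" via ")[0])
            neighbors.append(cur)
        elif cur is not None:            # two-tab lines: details of that partner
            m = re.match(r"(\d+) consecutive failure", stripped)
            if m:
                cur.failures = int(m.group(1))
            m = re.match(r"Last attempt @ .* (failed, result .*|was successful)$", stripped)
            if m:
                cur.last_result = m.group(1)
    return neighbors


def failing_partitions(neighbors, direction="inbound"):
    """Partitions with at least one partner that failed in the given direction."""
    return sorted({n.partition for n in neighbors
                   if n.direction == direction
                   and (n.failures > 0 or n.last_result.startswith("failed"))})


def check_live():
    """Run the real command on this DC and return its failing inbound partitions."""
    out = subprocess.run(["samba-tool", "drs", "showrepl"],
                         capture_output=True, text=True, check=True).stdout
    return failing_partitions(parse_showrepl(out))


if __name__ == "__main__":
    for dn in failing_partitions(parse_showrepl(SAMPLE)):
        print("inbound replication failing for", dn)
```

Running the block on the constructed sample reports only the Schema partition; a non-empty list from `check_live()` on a real DC is the condition worth alerting on, since a partition that never replicates in leaves the Samba DC serving stale or missing schema and DNS data.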
