DNS partitions replication on secondary DC is not full

Daniele Dario d.dario76 at gmail.com
Tue May 8 01:48:20 MDT 2012


On Mon, 2012-05-07 at 16:46 +0200, Daniele Dario wrote:
> On Mon, 2012-05-07 at 11:42 +0200, Daniele Dario wrote:
> > Hi samba team,
> > I've some problems with the dns of the secondary DC.
> > 
> > I have 2 samba4 DCs: kdc01 and kdc02 (respectively Version
> > 4.0.0alpha21-GIT-7b55ec2 and Version 4.0.0alpha21-GIT-8026550).
> > I have successfully joined the secondary DC and replication seems to be
> > working fine.
> > 
> > As said in another thread I see that replication between DNS zones is
> > not full:
> > 
> > [root at kdc02:/usr/local/samba/private]# samba-tool dns query kdc01
> > _msdcs.saitelitalia.local @ ALL -U administrator
> > ...
> >   Name=, Records=2, Children=0
> >     NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
> >     SOA: serial=147, refresh=900, retry=600, expire=86400,
> > ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
> > (flags=600000f0, serial=146, ttl=3600)
> >   Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=1, Children=0
> >     CNAME: kdc02.saitelitalia.local. (flags=f0, serial=284, ttl=900)
> >   Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=1, Children=0
> >     CNAME: kdc01.saitelitalia.local. (flags=f0, serial=1, ttl=900)
> >   Name=dc, Records=0, Children=2
> >   Name=domains, Records=0, Children=1
> >   Name=gc, Records=0, Children=2
> >   Name=kdc01, Records=1, Children=0
> >     NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
> >   Name=pdc, Records=0, Children=1
> > 
> > [root at kdc02:/usr/local/samba/private]# samba-tool dns query kdc02
> > _msdcs.saitelitalia.local @ ALL -U administrator
> > ...
> >   Name=, Records=0, Children=0
> >   Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=0, Children=0
> >   Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=0, Children=0
> >   Name=dc, Records=0, Children=2
> >   Name=domains, Records=0, Children=1
> >   Name=gc, Records=0, Children=2
> >   Name=kdc01, Records=0, Children=0
> >   Name=pdc, Records=0, Children=1
> > 
> > If I shut down kdc01, kdc02 is not able to keep things working (no _ldap,
> > _kerberos and other records are present in the secondary DNS).
> > 
> > samba_dnsupdate --verbose works fine on the secondary DC while the primary
> > is on, but if I remove the address of the primary DC/DNS from resolv.conf
> > and leave just the address of the secondary DC/DNS, it (after a long time)
> > says that all records are missing, and when it tries to auth to krb it
> > fails (again, no _kerberos.udp... record present).
> > 
> > I tried to add these records by hand to see if something goes better, but
> > if I try to add records on the secondary DC, samba-tool always fails, saying:
> > [root at kdc02:/usr/local/samba/private]# samba-tool dns add kdc02
> > saitelitalia.local kdc01 A 192.168.12.5 -U administrator
> > ...
> > ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
> >   File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 160, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> > 1055, in run
> >     None)
> > 
> > while it works fine on primary.
> > 
> > I'm a little bit confused by the error message because
> > WERR_INTERNAL_DB_ERROR seems to be related to an error in adding the
> > record to the DB but in line 1055 of .../samba/netcmd/dns.py it seems
> > that the problem is related to some missing/wrong argument to the update
> > record call.
> > 
> > Am I doing something wrong?
> > 
> > I'll be happy to contribute but need to be addressed how.
> > 
> > Thanks,
> > Daniele.
> > 
> 
> After some other tries, I've seen that after an update (or, for Linux boxes
> with fixed addresses, a delete+add) of records in the zones of the
> primary DC/DNS, the records have also appeared on the secondary DC/DNS.
> 
> Next step I'll try to stop primary DC/DNS to see if secondary keeps the
> domain up.
> 
> Daniele.
> 
Just an update to my tests:
     1. changed the order of the nameservers in resolv.conf of the secondary
        DC (the first is now the secondary DC itself)
     2. ran samba_dnsupdate --verbose to see which records were missing
        on the secondary DC
     3. updated all records on the primary DC/DNS (using W2k3 tools from a
        joined WXP box)

After that, all records appeared in the zones of the secondary DC/DNS and
samba_dnsupdate works successfully (because nsupdate does not have to
update any record).

Any update performed on the secondary DC (with nsupdate and/or with
samba-tool dns add) fails.

samba-tool dns add kdc02 12.168.192.in-addr.arpa 220 PTR
alaska.saitelitalia.local. -U administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:kdc02[,sign]
Password for [SAITELITALIA\administrator]:
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 160, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
1055, in run
    None)

Using nsupdate -g just reports SERVFAIL, but looking in the named log I've
found

database: error: samba_dlz: failed to modify
DC=@,DC=12.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=saitelitalia,DC=local - cannot change replicated attribute on partial replica at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1400

So while for the "DC=saitelitalia,DC=local",
"CN=Configuration,DC=saitelitalia,DC=local" and
"CN=Schema,CN=Configuration,DC=saitelitalia,DC=local" partitions I have a
full replica and I'm able to add users and groups (I'll try to join a box)
on the secondary DC, with the changes replicated to the primary just as when
doing it on the primary, the DNS partitions appear to be a partial replica
and only the primary is able to modify them.

BTW, once samba_dnsupdate --verbose found all required records on the
secondary DC/DNS, I stopped the primary DC/DNS and users were able to
log in to the domain and see network shares, so krb, ldap and other stuff
worked fine.

Hope these tests help to solve the problem.

Regards,
Daniele
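Added example, not part of this thread or of Samba itself: a small Python check that parses the text output of `samba-tool dns query <server> <zone> @ ALL` taken from both DCs and lists the records the secondary lacks, which is the gap the tests above uncovered. The sample dumps are constructed from the _msdcs output quoted earlier; the per-record flags/serial/ttl suffix is ignored because it legitimately differs between DCs.

```python
import re

# Dump lines look like "  Name=kdc01, Records=1, Children=0" followed by
# indented record lines such as "    NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)".
NODE_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=\d+, Children=\d+\s*$")
RECORD_RE = re.compile(r"^\s*(?P<rtype>[A-Z]+): (?P<rdata>.*?)(?:\s*\(flags=[^)]*\))?\s*$")


def parse_zone_dump(text: str) -> dict[str, list[str]]:
    """Map each node name to its records as 'TYPE: rdata'. The trailing
    (flags=..., serial=..., ttl=...) part is dropped so differing serials
    between DCs are not mistaken for a replication gap."""
    nodes: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        node = NODE_RE.match(line)
        if node:
            current = node.group("name")
            nodes[current] = []
            continue
        rec = RECORD_RE.match(line)
        if rec and current is not None:
            nodes[current].append(f"{rec.group('rtype')}: {rec.group('rdata')}")
    return nodes


def missing_on_secondary(primary: dict[str, list[str]],
                         secondary: dict[str, list[str]]) -> dict[str, list[str]]:
    """Records the primary serves that the secondary lacks, keyed by node name.
    An empty result means the secondary can answer everything the primary can."""
    gaps: dict[str, list[str]] = {}
    for name, records in primary.items():
        have = set(secondary.get(name, []))
        lacking = [r for r in records if r not in have]
        if lacking:
            gaps[name] = lacking
    return gaps


# Constructed sample dumps, trimmed from the _msdcs output quoted in the thread.
PRIMARY_DUMP = """\
  Name=, Records=2, Children=0
    NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
  Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=1, Children=0
    CNAME: kdc02.saitelitalia.local. (flags=f0, serial=284, ttl=900)
  Name=kdc01, Records=1, Children=0
    NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
  Name=dc, Records=0, Children=2
"""
SECONDARY_DUMP = """\
  Name=, Records=0, Children=0
  Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=0, Children=0
  Name=kdc01, Records=0, Children=0
  Name=dc, Records=0, Children=2
"""
```

Run `missing_on_secondary(parse_zone_dump(PRIMARY_DUMP), parse_zone_dump(SECONDARY_DUMP))` against real dumps from both DCs; a non-empty result before stopping the primary is the situation described in this thread.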