DNS partitions replication on secondary DC is not full

Amitay Isaacs amitay at gmail.com
Tue May 8 03:00:40 MDT 2012


Hi Daniele,

Thanks for testing the secondary DNS server set up. Most of the
secondary DNS server issues arise due to the problems of replication
(more details below). The solution is to fix the replication problems
for application partitions. Unfortunately, I have not been able to
spend much time on DNS/Replication work lately.

Amitay.

On Tue, May 8, 2012 at 5:48 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> On Mon, 2012-05-07 at 16:46 +0200, Daniele Dario wrote:
>> On Mon, 2012-05-07 at 11:42 +0200, Daniele Dario wrote:
>> > Hi samba team,
>> > I've some problems with the dns of the secondary DC.
>> >
>> > I have 2 samba4 DCs: kdc01 and kdc02 (respectively Version
>> > 4.0.0alpha21-GIT-7b55ec2 and Version 4.0.0alpha21-GIT-8026550).
>> > I have successfully joined the secondary DC and replication seems to be
>> > working fine.
>> >
>> > As said in another thread I see that replication between DNS zones is
>> > not full:
>> >
>> > [root at kdc02:/usr/local/samba/private]# samba-tool dns query kdc01
>> > _msdcs.saitelitalia.local @ ALL -U administrator
>> > ...
>> >   Name=, Records=2, Children=0
>> >     NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
>> >     SOA: serial=147, refresh=900, retry=600, expire=86400,
>> > ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
>> > (flags=600000f0, serial=146, ttl=3600)
>> >   Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=1, Children=0
>> >     CNAME: kdc02.saitelitalia.local. (flags=f0, serial=284, ttl=900)
>> >   Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=1, Children=0
>> >     CNAME: kdc01.saitelitalia.local. (flags=f0, serial=1, ttl=900)
>> >   Name=dc, Records=0, Children=2
>> >   Name=domains, Records=0, Children=1
>> >   Name=gc, Records=0, Children=2
>> >   Name=kdc01, Records=1, Children=0
>> >     NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
>> >   Name=pdc, Records=0, Children=1
>> >
>> > [root at kdc02:/usr/local/samba/private]# samba-tool dns query kdc02
>> > _msdcs.saitelitalia.local @ ALL -U administrator
>> > ...
>> >   Name=, Records=0, Children=0
>> >   Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=0, Children=0
>> >   Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=0, Children=0
>> >   Name=dc, Records=0, Children=2
>> >   Name=domains, Records=0, Children=1
>> >   Name=gc, Records=0, Children=2
>> >   Name=kdc01, Records=0, Children=0
>> >   Name=pdc, Records=0, Children=1
>> >
>> > If I shutdown kdc01, kdc02 is not able to keep things working (no _ldap,
>> > _kerberos and other records are present in secondary DNS).
>> >
>> > samba_dnsupdate --verbose works fine on secondary DC while primary is on
>> > but if I remove from resolv.conf the address of the primary DC/DNS and
>> > leave just the address of the secondary DC/DNS it (takes a long time)
>> > says that all records are missing and when it tries to auth to krb it
>> > fails (again no _kerberos.udp... record present).
>> >
>> > I tried to add these records by hand to see if something goes better but
>> > if I try to add records on secondary DC, samba-tool fails always saying:
>> > [root at kdc02:/usr/local/samba/private]# samba-tool dns add kdc02
>> > saitelitalia.local kdc01 A 192.168.12.5 -U administrator
>> > ...
>> > ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>> >   File
>> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> > line 160, in _run
>> >     return self.run(*args, **kwargs)
>> >   File
>> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
>> > 1055, in run
>> >     None)
>> >
>> > while it works fine on primary.
>> >
>> > I'm a little bit confused by the error message because
>> > WERR_INTERNAL_DB_ERROR seems to be related to an error in adding the
>> > record to the DB but in line 1055 of .../samba/netcmd/dns.py it seems
>> > that the problem is related to some missing/wrong argument to the update
>> > record call.
>> >
>> > Am I doing something wrong?
>> >
>> > I'll be happy to contribute but need to be addressed how.
>> >
>> > Thanks,
>> > Daniele.
>> >
>>
>> After some other tries, I've seen that an update (or for linux boxes
>> with fixed addresses a delete+add) of records on the zones of the
>> primary DC/DNS, records have appeared also on secondary DC/DNS.
>>
>> Next step I'll try to stop primary DC/DNS to see if secondary keeps the
>> domain up.
>>
>> Daniele.
>>
> Just an update to my tests:
>     1. changed order of nameserver in resolv.conf of secondary DC
>        (first will be secondary DC itself)
>     2. run samba_nsupdate --verbose to see which records were missing
>        on secondary DC
>     3. updated all records on primary DC/DNS (using W2k3 tools from a
>        joined WXP box)
>
> After that, all records appeared on zones of the secondary DC/DNS and
> samba_dnsupdate works successfully (because nsupdate does not have to
> update any record).
>
> Any update performed on secondary DC (with nsupdate and/or with
> samba-tool dns add) will fail.
>
> samba-tool dns add kdc02 12.168.192.in-addr.arpa 220 PTR
> alaska.saitelitalia.local. -U administrator
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:kdc02[,sign]
> Password for [SAITELITALIA\administrator]:
> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>  File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 160, in _run
>    return self.run(*args, **kwargs)
>  File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> 1055, in run
>    None)
>
> Using nsupdate -g just tells SERVFAIL but looking in named log I've
> found
>
> database: error: samba_dlz: failed to modify
> DC=@,DC=12.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=saitelitalia,DC=local - cannot change replicated attribute on partial replica at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1400
>
> So while for "DC=saitelitalia,DC=local"
> "CN=Configuration,DC=saitelitalia,DC=local" and
> "CN=Schema,CN=Configuration,DC=saitelitalia,DC=local" partitions I have
> full replica and I'm able to add users groups (I'll try to join a box)
> on secondary DC and the changes are replicated to primary as well as
> doing it on primary, DNS partitions appear to be a partial replica and
> only primary will be able to modify them.

The main cause for this is the replication not working *correctly* for
DNS partitions. Maybe a replication expert can comment on why there
is an issue with replicating application partitions. The interim fix
is to *disallow* any updates if we don't have a full replica of DNS
partitions. At least that will report correct information to the user.

> BTW, once samba_dnsupdate --verbose finds all required records on
> secondary DC/DNS I stopped primary DC/DNS and users have been able to
> login to the domain, see network shares so krb, ldap and other stuff
> worked fine.
>
> Hope these tests help to solve the problem.
>
> Regards,
> Daniele
>
>
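To turn the side-by-side comparison of the two `samba-tool dns query ... @ ALL` dumps above into a repeatable check, here is an added Python example (not Samba code and not from the thread) that parses the dumps of both DCs and lists the records the secondary lacks; the sample dumps are constructed from the thread's own output and the regular expressions assume that layout.

```python
import re
from collections import defaultdict

# Constructed samples in the layout of `samba-tool dns query <dc> <zone> @ ALL` (trimmed from the thread).
PRIMARY_OUTPUT = """\
  Name=, Records=2, Children=0
    NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
    SOA: serial=147, refresh=900, retry=600, expire=86400, ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local. (flags=600000f0, serial=146, ttl=3600)
  Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=1, Children=0
    CNAME: kdc02.saitelitalia.local. (flags=f0, serial=284, ttl=900)
  Name=dc, Records=0, Children=2
  Name=kdc01, Records=1, Children=0
    NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
"""

SECONDARY_OUTPUT = """\
  Name=, Records=0, Children=0
  Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=0, Children=0
  Name=dc, Records=0, Children=2
  Name=kdc01, Records=0, Children=0
"""

NAME_RE = re.compile(r"^\s*Name=(.*?), Records=(\d+), Children=(\d+)\s*$")
# The (flags=..., serial=..., ttl=...) trailer is optional so records compare on data, not per-DC serials.
RECORD_RE = re.compile(r"^\s+([A-Z]+): (.*?)(?: \(flags=[^)]*\))?\s*$")


def parse_query_output(text):
    """Map each node name in the zone dump to the set of 'TYPE data' strings it carries."""
    records = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1)
            records[current]  # register the node even when it has no records
            continue
        m = RECORD_RE.match(line)
        if m and current is not None:
            records[current].add(f"{m.group(1)} {m.group(2)}")
    return dict(records)


def missing_on_secondary(primary_text, secondary_text):
    """Return {name: sorted records} held by the primary but absent from the secondary."""
    primary = parse_query_output(primary_text)
    secondary = parse_query_output(secondary_text)
    gaps = {}
    for name, recs in primary.items():
        lacking = recs - secondary.get(name, set())
        if lacking:
            gaps[name] = sorted(lacking)
    return gaps
```

An empty result from `missing_on_secondary` after a forced update on the primary is the condition under which Daniele reports the secondary kept the domain up with the primary stopped.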