ForestDnsZones partition and TrustAnchors zone problem

Matthieu Patou mat at samba.org
Mon Oct 1 19:37:59 MDT 2012


On 10/01/2012 03:35 PM, Samuel Cabrero wrote:
> Hi,
>
> I have found a problem related to the ForestDnsZones partition 
> replication when using BIND9_DLZ as backend in samba4 rc1.
>
> If the "TrustAnchors" zone exists in the Windows server, it is
> replicated to samba4 and the named daemon exits with the following error
> when trying to load it:
>
> named[10704]: samba_dlz: Failed to configure zone '..TrustAnchors'
> named[10704]: loading configuration: empty label
> named[10704]: exiting (due to fatal error)
>
> As soon as the zone is deleted in the Windows server (dnscmd /zonedelete
> TrustAnchors /DsDel) and the change is replicated to samba, named
> starts without problems.
>
> This issue is more annoying than it seems because this TrustAnchors
> zone is automatically created each time that the server properties
> window is opened in the Windows DNS management tool. If you right-click
> on the server name and select Properties, then select the Trust
> Anchors tab and click the OK button without making any changes, the zone is
> created again, replicated to samba4 and the problem is back.
>
> I don't know if it is related, but the zone has two dots prepended to
> the name when replicated to samba:
>
> root@s4dc1:/home/zen# samba-tool dns zonelist s4dc1.kernevil.lan
>   3 zone(s) found
>
>   pszZoneName                 : kernevil.lan
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.kernevil.lan
>
>   pszZoneName                 : _msdcs.kernevil.lan
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.kernevil.lan
>
>   pszZoneName                 : ..TrustAnchors
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.kernevil.lan
>
>
> root@s4dc1:/home/zen# samba-tool dns zonelist windc1.kernevil.lan
>   3 zone(s) found
>
>   pszZoneName                 : _msdcs.kernevil.lan
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.kernevil.lan
>
>   pszZoneName                 : kernevil.lan
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.kernevil.lan
>
>   pszZoneName                 : TrustAnchors
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.kernevil.lan
>
>
I did a small search on my server and I have this:

./bin/ldbsearch -H ldap://172.16.100.49 -Uadministrator%totoTATA123 -b DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net dn  | grep -i trust
dn: DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net
dn: DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net
mat@mpatou-t420:/usr/local/src/samba$ ./bin/samba-tool dns zonelist 172.16.100.49
Password for [WORKGROUP\mat]:
Interrupted by signal.
mat@mpatou-t420:/usr/local/src/samba$ ./bin/samba-tool dns zonelist 172.16.100.49   -Uadministrator%totoTATA123
   3 zone(s) found

   pszZoneName                 : _msdcs.w2k12.home.matws.net
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
   pszDpFqdn                   : ForestDnsZones.w2k12.home.matws.net

   pszZoneName                 : TrustAnchors
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
   pszDpFqdn                   : ForestDnsZones.w2k12.home.matws.net

   pszZoneName                 : w2k12.home.matws.net
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
   pszDpFqdn                   : DomainDnsZones.w2k12.home.matws.net


The server is a Windows 2012 server, so it means that in the database the
records are saved in the ..TrustAnchors format but that Windows is
returning them cleaned.

> I would be happy to provide as much debug info as you need to help to 
> solve this issue.
>
Can you try to create another zone with the Windows tools (i.e.
foobar.lan), wait for it to be replicated to samba and then restart bind?

If everything is ok then it means that we "just" have to skip the
trustanchors zone from being loaded + fix the samba-tool dns output.

-- 
Matthieu Patou
Samba Team
http://samba.org
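The skip that Matthieu proposes, as an added example that is not Samba code: zone names are read from the DN layout shown in the ldbsearch output above, names with empty labels (the "..TrustAnchors" case, which is what named's "empty label" error refers to) are set aside with a reason instead of aborting the whole backend, and the display form strips the leading dots as Matthieu observed the Windows server doing (that stripping is an assumption; the function names and sample DNs are this example's own).

```python
"""Sanity-check AD-integrated DNS zone names before a DLZ backend loads them
(added example, not Samba code; helper names are this example's own)."""
# Constructed from the thread's ldbsearch output: zone objects sit directly
# under CN=MicrosoftDNS, record objects (DC=@, ...) one level below them.
SAMPLE_DNS = [
    "DC=_msdcs.kernevil.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=kernevil,DC=lan",
    "DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=kernevil,DC=lan",
    "DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=kernevil,DC=lan",
    "DC=kernevil.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=kernevil,DC=lan",
]

def zone_name_from_dn(dn):
    """Zone name from a DN shaped DC=<zone>,CN=MicrosoftDNS,... else None.
    Assumes no escaped commas in the RDN value, which holds for DNS names."""
    rdns = dn.split(",")
    if len(rdns) < 2 or rdns[1] != "CN=MicrosoftDNS" or not rdns[0].startswith("DC="):
        return None
    return rdns[0][len("DC="):]

def zone_load_problem(name):
    """Why BIND would refuse the name, or None if it is a loadable owner name.
    '..TrustAnchors' splits into ['', '', 'TrustAnchors']: empty labels, the
    exact condition behind the 'empty label' error named logged in the thread."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    for label in labels:
        if label == "":
            return "empty label"
        if len(label) > 63:
            return "label too long"
    return None

def display_name(name):
    """Name as the Windows server lists it, leading empty labels dropped
    (assumption drawn from the two zonelist outputs compared in the thread)."""
    return name.lstrip(".")

def select_loadable_zones(dns):
    """Split zone DNs into loadable names and (display name, reason) pairs to skip."""
    loadable, skipped = [], []
    for dn in dns:
        name = zone_name_from_dn(dn)
        if name is None:          # a record or partition head, not a zone
            continue
        problem = zone_load_problem(name)
        if problem:
            skipped.append((display_name(name), problem))
        else:
            loadable.append(name)
    return loadable, skipped
```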