DNS server issues after replication from old Windows DC

Morten Kramer node1011 at googlemail.com
Thu Apr 4 09:08:51 MDT 2013 

Hello,


About 8months ago we switched to Samba4 as an replacement for our 
Windows 2008 R2 domain controller.

There were some issues, but after a while it started working.


In the beginning, the samba DC was joined to the Windows domain and then 
replicated everything.
After that, I transferred all fsmo roles to the Samba DC and removed the 
Windows 2008 DC from the domain. Using ntdsutil, it still shows all fsmo 
roles residing at Voyager (name of the Samba DC).



Now, after updating Samba a few times, the internal DNS stopped working 
properly.

If I try to use the Windows DNS administration tool, it will say the 
Active Directory service is unavailable.

Dynamic DNS updates do fail if there is not at least one IP present for 
a given host. E.g. I can add a new entry and then remove the old via 
nsupdate, but not first remove it and then add the new one, it will give 
back a SERVFAIL.


./samba-tool does outputs this error msg on every dns command:


[root at voyager bin]# ./samba-tool dns zonelist voyager.aeriagames.local
Password for [administrator at AERIAGAMES.LOCAL]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
   File 
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", 
line 812, in run
     request_filter)




Dnsupdate shows this:


[root at voyager sbin]# ./samba_dnsupdate --verbose
IPs: ['fe80::f499:3ff:fe36:314f%eth0', '172.25.15.2']
Looking for DNS entry A aeriagames.local 172.25.15.2 as aeriagames.local.
Looking for DNS entry A voyager.aeriagames.local 172.25.15.2 as 
voyager.aeriagames.local.
Looking for DNS entry A gc._msdcs.aeriagames.local 172.25.15.2 as 
gc._msdcs.aeriagames.local.
Looking for DNS entry CNAME 
4b8a02a6-364c-4c22-a205-0040c29e26f4._msdcs.aeriagames.local 
voyager.aeriagames.local as 
4b8a02a6-364c-4c22-a205-0040c29e26f4._msdcs.aeriagames.local.
Looking for DNS entry SRV _kpasswd._tcp.aeriagames.local 
voyager.aeriagames.local 464 as _kpasswd._tcp.aeriagames.local.
Checking 0 100 464 coruscant.aeriagames.local. against SRV 
_kpasswd._tcp.aeriagames.local voyager.aeriagames.local 464
Checking 0 100 464 voyager.aeriagames.local. against SRV 
_kpasswd._tcp.aeriagames.local voyager.aeriagames.local 464
Looking for DNS entry SRV _kpasswd._udp.aeriagames.local 
voyager.aeriagames.local 464 as _kpasswd._udp.aeriagames.local.
Checking 0 100 464 coruscant.aeriagames.local. against SRV 
_kpasswd._udp.aeriagames.local voyager.aeriagames.local 464
Checking 0 100 464 voyager.aeriagames.local. against SRV 
_kpasswd._udp.aeriagames.local voyager.aeriagames.local 464
Looking for DNS entry SRV _kerberos._tcp.aeriagames.local 
voyager.aeriagames.local 88 as _kerberos._tcp.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV 
_kerberos._tcp.aeriagames.local voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV 
_kerberos._tcp.aeriagames.local voyager.aeriagames.local 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.aeriagames.local 
voyager.aeriagames.local 88 as _kerberos._tcp.dc._msdcs.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV 
_kerberos._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV 
_kerberos._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 88
Looking for DNS entry SRV 
_kerberos._tcp.berlinoffice._sites.aeriagames.local 
voyager.aeriagames.local 88 as 
_kerberos._tcp.berlinoffice._sites.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV 
_kerberos._tcp.berlinoffice._sites.aeriagames.local 
voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV 
_kerberos._tcp.berlinoffice._sites.aeriagames.local 
voyager.aeriagames.local 88
Looking for DNS entry SRV 
_kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
voyager.aeriagames.local 88 as 
_kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV 
_kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV 
_kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
voyager.aeriagames.local 88
Looking for DNS entry SRV _kerberos._udp.aeriagames.local 
voyager.aeriagames.local 88 as _kerberos._udp.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV 
_kerberos._udp.aeriagames.local voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV 
_kerberos._udp.aeriagames.local voyager.aeriagames.local 88
Looking for DNS entry SRV _ldap._tcp.aeriagames.local 
voyager.aeriagames.local 389 as _ldap._tcp.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV 
_ldap._tcp.aeriagames.local voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV 
_ldap._tcp.aeriagames.local voyager.aeriagames.local 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.aeriagames.local 
voyager.aeriagames.local 389 as _ldap._tcp.dc._msdcs.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV 
_ldap._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV 
_ldap._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.aeriagames.local 
voyager.aeriagames.local 3268 as _ldap._tcp.gc._msdcs.aeriagames.local.
Checking 0 100 3268 coruscant.aeriagames.local. against SRV 
_ldap._tcp.gc._msdcs.aeriagames.local voyager.aeriagames.local 3268
Checking 0 100 3268 voyager.aeriagames.local. against SRV 
_ldap._tcp.gc._msdcs.aeriagames.local voyager.aeriagames.local 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.aeriagames.local 
voyager.aeriagames.local 389 as _ldap._tcp.pdc._msdcs.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV 
_ldap._tcp.pdc._msdcs.aeriagames.local voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV 
_ldap._tcp.pdc._msdcs.aeriagames.local voyager.aeriagames.local 389
Looking for DNS entry SRV 
_ldap._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 
389 as _ldap._tcp.berlinoffice._sites.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV 
_ldap._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV 
_ldap._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 389
Looking for DNS entry SRV 
_ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
voyager.aeriagames.local 389 as 
_ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV 
_ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV 
_ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
voyager.aeriagames.local 389
Looking for DNS entry SRV 
_ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local 
voyager.aeriagames.local 3268 as 
_ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local.
Checking 0 100 3268 coruscant.aeriagames.local. against SRV 
_ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local 
voyager.aeriagames.local 3268
Checking 0 100 3268 voyager.aeriagames.local. against SRV 
_ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local 
voyager.aeriagames.local 3268
Looking for DNS entry SRV 
_ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local 
voyager.aeriagames.local 389 as 
_ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV 
_ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local 
voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV 
_ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local 
voyager.aeriagames.local 389
Looking for DNS entry SRV _gc._tcp.aeriagames.local 
voyager.aeriagames.local 3268 as _gc._tcp.aeriagames.local.
Checking 0 100 3268 coruscant.aeriagames.local. against SRV 
_gc._tcp.aeriagames.local voyager.aeriagames.local 3268
Checking 0 100 3268 voyager.aeriagames.local. against SRV 
_gc._tcp.aeriagames.local voyager.aeriagames.local 3268
Looking for DNS entry SRV _gc._tcp.berlinoffice._sites.aeriagames.local 
voyager.aeriagames.local 3268 as 
_gc._tcp.berlinoffice._sites.aeriagames.local.
Checking 0 100 3268 coruscant.aeriagames.local. against SRV 
_gc._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 3268
Checking 0 100 3268 voyager.aeriagames.local. against SRV 
_gc._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 3268
No DNS updates needed
[root at voyager sbin]#


As you can see, it still checks for coruscant.aeriagames.local., which 
is the old Windows DC. It can't really find the DC within the domain 
though, I spent hours looking through the database with ADSI, but could 
not find promising entries. 'Active Directory Sites and Services' only 
shows VOYAGER under Servers.


nsupdate run in debug mode gives back this:


 > server voyager.aeriagames.local
 > debug
 > update add ws011.aeriagames.local 7200 A 172.25.16.33
 > send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26679
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ws011.aeriagames.local.        IN    SOA

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10643
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;aeriagames.local.        IN    SOA

;; ANSWER SECTION:
aeriagames.local.    3600    IN    SOA coruscant.aeriagames.local. 
hostmaster.aeriagames.local. 466457 900 600 86400 3600

Found zone name: aeriagames.local
The master is: coruscant.aeriagames.local
Sending update to 172.25.15.2#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53811
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; UPDATE SECTION:
ws011.aeriagames.local.    7200    IN    A    172.25.16.33


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53811
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; ZONE SECTION:
;aeriagames.local.        IN    SOA

;; UPDATE SECTION:
ws011.aeriagames.local.    7200    IN    A    172.25.16.33




---> The master is: coruscant.aeriagames.local
This really worries me. The old DC should not be master of anything!




Any ideas on how to fix this?




Regards,
Morten

More information about the samba-technical mailing list