DNS server issues after replication from old Windows DC
Morten Kramer
node1011 at googlemail.com
Thu Apr 4 09:08:51 MDT 2013
Hello,
About 8 months ago we switched to Samba4 as a replacement for our
Windows 2008 R2 domain controller.
There were some issues, but after a while it started working.
In the beginning, the samba DC was joined to the Windows domain and then
replicated everything.
After that, I transferred all fsmo roles to the Samba DC and removed the
Windows 2008 DC from the domain. Using ntdsutil, it still shows all fsmo
roles residing at Voyager (name of the Samba DC).
Now, after updating Samba a few times, the internal DNS stopped working
properly.
If I try to use the Windows DNS administration tool, it will say the
Active Directory service is unavailable.
Dynamic DNS updates do fail if there is not at least one IP present for
a given host. E.g. I can add a new entry and then remove the old one via
nsupdate, but not first remove it and then add the new one; it will give
back a SERVFAIL.
./samba-tool outputs this error message on every dns command:
[root@voyager bin]# ./samba-tool dns zonelist voyager.aeriagames.local
Password for [administrator@AERIAGAMES.LOCAL]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 812, in run
    request_filter)
Dnsupdate shows this:
[root@voyager sbin]# ./samba_dnsupdate --verbose
IPs: ['fe80::f499:3ff:fe36:314f%eth0', '172.25.15.2']
Looking for DNS entry A aeriagames.local 172.25.15.2 as aeriagames.local.
Looking for DNS entry A voyager.aeriagames.local 172.25.15.2 as
voyager.aeriagames.local.
Looking for DNS entry A gc._msdcs.aeriagames.local 172.25.15.2 as
gc._msdcs.aeriagames.local.
Looking for DNS entry CNAME
4b8a02a6-364c-4c22-a205-0040c29e26f4._msdcs.aeriagames.local
voyager.aeriagames.local as
4b8a02a6-364c-4c22-a205-0040c29e26f4._msdcs.aeriagames.local.
Looking for DNS entry SRV _kpasswd._tcp.aeriagames.local
voyager.aeriagames.local 464 as _kpasswd._tcp.aeriagames.local.
Checking 0 100 464 coruscant.aeriagames.local. against SRV
_kpasswd._tcp.aeriagames.local voyager.aeriagames.local 464
Checking 0 100 464 voyager.aeriagames.local. against SRV
_kpasswd._tcp.aeriagames.local voyager.aeriagames.local 464
Looking for DNS entry SRV _kpasswd._udp.aeriagames.local
voyager.aeriagames.local 464 as _kpasswd._udp.aeriagames.local.
Checking 0 100 464 coruscant.aeriagames.local. against SRV
_kpasswd._udp.aeriagames.local voyager.aeriagames.local 464
Checking 0 100 464 voyager.aeriagames.local. against SRV
_kpasswd._udp.aeriagames.local voyager.aeriagames.local 464
Looking for DNS entry SRV _kerberos._tcp.aeriagames.local
voyager.aeriagames.local 88 as _kerberos._tcp.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV
_kerberos._tcp.aeriagames.local voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV
_kerberos._tcp.aeriagames.local voyager.aeriagames.local 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.aeriagames.local
voyager.aeriagames.local 88 as _kerberos._tcp.dc._msdcs.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV
_kerberos._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV
_kerberos._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 88
Looking for DNS entry SRV
_kerberos._tcp.berlinoffice._sites.aeriagames.local
voyager.aeriagames.local 88 as
_kerberos._tcp.berlinoffice._sites.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV
_kerberos._tcp.berlinoffice._sites.aeriagames.local
voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV
_kerberos._tcp.berlinoffice._sites.aeriagames.local
voyager.aeriagames.local 88
Looking for DNS entry SRV
_kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local
voyager.aeriagames.local 88 as
_kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV
_kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local
voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV
_kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local
voyager.aeriagames.local 88
Looking for DNS entry SRV _kerberos._udp.aeriagames.local
voyager.aeriagames.local 88 as _kerberos._udp.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV
_kerberos._udp.aeriagames.local voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV
_kerberos._udp.aeriagames.local voyager.aeriagames.local 88
Looking for DNS entry SRV _ldap._tcp.aeriagames.local
voyager.aeriagames.local 389 as _ldap._tcp.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV
_ldap._tcp.aeriagames.local voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV
_ldap._tcp.aeriagames.local voyager.aeriagames.local 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.aeriagames.local
voyager.aeriagames.local 389 as _ldap._tcp.dc._msdcs.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV
_ldap._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV
_ldap._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.aeriagames.local
voyager.aeriagames.local 3268 as _ldap._tcp.gc._msdcs.aeriagames.local.
Checking 0 100 3268 coruscant.aeriagames.local. against SRV
_ldap._tcp.gc._msdcs.aeriagames.local voyager.aeriagames.local 3268
Checking 0 100 3268 voyager.aeriagames.local. against SRV
_ldap._tcp.gc._msdcs.aeriagames.local voyager.aeriagames.local 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.aeriagames.local
voyager.aeriagames.local 389 as _ldap._tcp.pdc._msdcs.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV
_ldap._tcp.pdc._msdcs.aeriagames.local voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV
_ldap._tcp.pdc._msdcs.aeriagames.local voyager.aeriagames.local 389
Looking for DNS entry SRV
_ldap._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local
389 as _ldap._tcp.berlinoffice._sites.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV
_ldap._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV
_ldap._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 389
Looking for DNS entry SRV
_ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local
voyager.aeriagames.local 389 as
_ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV
_ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local
voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV
_ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local
voyager.aeriagames.local 389
Looking for DNS entry SRV
_ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local
voyager.aeriagames.local 3268 as
_ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local.
Checking 0 100 3268 coruscant.aeriagames.local. against SRV
_ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local
voyager.aeriagames.local 3268
Checking 0 100 3268 voyager.aeriagames.local. against SRV
_ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local
voyager.aeriagames.local 3268
Looking for DNS entry SRV
_ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local
voyager.aeriagames.local 389 as
_ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV
_ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local
voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV
_ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local
voyager.aeriagames.local 389
Looking for DNS entry SRV _gc._tcp.aeriagames.local
voyager.aeriagames.local 3268 as _gc._tcp.aeriagames.local.
Checking 0 100 3268 coruscant.aeriagames.local. against SRV
_gc._tcp.aeriagames.local voyager.aeriagames.local 3268
Checking 0 100 3268 voyager.aeriagames.local. against SRV
_gc._tcp.aeriagames.local voyager.aeriagames.local 3268
Looking for DNS entry SRV _gc._tcp.berlinoffice._sites.aeriagames.local
voyager.aeriagames.local 3268 as
_gc._tcp.berlinoffice._sites.aeriagames.local.
Checking 0 100 3268 coruscant.aeriagames.local. against SRV
_gc._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 3268
Checking 0 100 3268 voyager.aeriagames.local. against SRV
_gc._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 3268
No DNS updates needed
[root@voyager sbin]#
As you can see, it still checks for coruscant.aeriagames.local., which
is the old Windows DC. It can't really find the DC within the domain
though; I spent hours looking through the database with ADSI, but could
not find promising entries. 'Active Directory Sites and Services' only
shows VOYAGER under Servers.
nsupdate run in debug mode gives back this:
> server voyager.aeriagames.local
> debug
> update add ws011.aeriagames.local 7200 A 172.25.16.33
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26679
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ws011.aeriagames.local. IN SOA
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10643
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;aeriagames.local. IN SOA
;; ANSWER SECTION:
aeriagames.local. 3600 IN SOA coruscant.aeriagames.local. hostmaster.aeriagames.local. 466457 900 600 86400 3600
Found zone name: aeriagames.local
The master is: coruscant.aeriagames.local
Sending update to 172.25.15.2#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53811
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; UPDATE SECTION:
ws011.aeriagames.local. 7200 IN A 172.25.16.33
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53811
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; ZONE SECTION:
;aeriagames.local. IN SOA
;; UPDATE SECTION:
ws011.aeriagames.local. 7200 IN A 172.25.16.33
---> The master is: coruscant.aeriagames.local
This really worries me. The old DC should not be master of anything!
Any ideas on how to fix this?
Regards,
Morten
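
Added example, not part of the original message or of Samba: a small Python audit that reads saved `samba_dnsupdate --verbose` and nsupdate debug output in the format quoted above and lists which SRV records and SOA master names still point at a host that is no longer a DC. The function names and the embedded sample are constructed for illustration; the list of live DCs is an input you supply.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post, including the
# line wraps introduced by e-mail. Not captured from a real system.
SAMPLE = """\
Looking for DNS entry SRV _kerberos._tcp.aeriagames.local
voyager.aeriagames.local 88 as _kerberos._tcp.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV
_kerberos._tcp.aeriagames.local voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV
_kerberos._tcp.aeriagames.local voyager.aeriagames.local 88
aeriagames.local. 3600 IN SOA coruscant.aeriagames.local.
hostmaster.aeriagames.local. 466457 900 600 86400 3600
"""

# "Checking <prio> <weight> <port> <target>. against SRV <name> <expected> <port>"
CHECK = re.compile(r"Checking \d+ \d+ (\d+) (\S+?)\.? against SRV (\S+) \S+ \d+")
# "<zone>. <ttl> IN SOA <mname>. <rname>. <serial> ..." (answer lines only,
# question lines such as ";zone. IN SOA" carry no TTL and do not match)
SOA = re.compile(r"(\S+?)\.?\s+\d+\s+IN\s+SOA\s+(\S+?)\.?\s+\S+\s+\d+")

def _unwrap(text):
    """Collapse all whitespace so wrapped log entries become contiguous."""
    return " ".join(text.split())

def stale_srv_targets(text, live_dcs):
    """Return {target: {(srv_name, port), ...}} for targets not in live_dcs."""
    live = {d.lower().rstrip(".") for d in live_dcs}
    stale = defaultdict(set)
    for port, target, srv_name in CHECK.findall(_unwrap(text)):
        if target.lower() not in live:
            stale[target.lower()].add((srv_name, int(port)))
    return dict(stale)

def soa_masters(text):
    """Return {zone: mname} for every SOA answer record in the text."""
    return {z.lower(): m.lower() for z, m in SOA.findall(_unwrap(text))}

if __name__ == "__main__":
    live = ["voyager.aeriagames.local"]
    for host, recs in stale_srv_targets(SAMPLE, live).items():
        for name, port in sorted(recs):
            print("stale SRV target %s in %s (port %d)" % (host, name, port))
    for zone, mname in soa_masters(SAMPLE).items():
        if mname not in live:
            print("SOA MNAME for %s is %s, not a live DC" % (zone, mname))
```
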