DNS server issues after replication from old Windows DC

Morten Kramer node1011 at googlemail.com
Sun Apr 7 07:30:30 MDT 2013


anyone?


On 04/04/2013 05:08 PM, Morten Kramer wrote:
> Hello,
>
>
> About 8 months ago we switched to Samba4 as a replacement for our 
> Windows 2008 R2 domain controller.
>
> There were some issues, but after a while it started working.
>
>
> In the beginning, the samba DC was joined to the Windows domain and 
> then replicated everything.
> After that, I transferred all fsmo roles to the Samba DC and removed 
> the Windows 2008 DC from the domain. Using ntdsutil, it still shows 
> all fsmo roles residing at Voyager (name of the Samba DC).
>
>
>
> Now, after updating Samba a few times, the internal DNS stopped 
> working properly.
>
> If I try to use the Windows DNS administration tool, it will say the 
> Active Directory service is unavailable.
>
> Dynamic DNS updates do fail if there is not at least one IP present 
> for a given host. E.g. I can add a new entry and then remove the old 
> one via nsupdate, but not first remove it and then add the new one; 
> that gives back a SERVFAIL.
>
>
> ./samba-tool outputs this error message on every dns command:
>
>
> [root at voyager bin]# ./samba-tool dns zonelist voyager.aeriagames.local
> Password for [administrator at AERIAGAMES.LOCAL]:
> ERROR(runtime): uncaught exception - (9717, 
> 'WERR_DNS_ERROR_DS_UNAVAILABLE')
>   File 
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", 
> line 812, in run
>     request_filter)
>
>
>
>
> Dnsupdate shows this:
>
>
> [root at voyager sbin]# ./samba_dnsupdate --verbose
> IPs: ['fe80::f499:3ff:fe36:314f%eth0', '172.25.15.2']
> Looking for DNS entry A aeriagames.local 172.25.15.2 as aeriagames.local.
> Looking for DNS entry A voyager.aeriagames.local 172.25.15.2 as 
> voyager.aeriagames.local.
> Looking for DNS entry A gc._msdcs.aeriagames.local 172.25.15.2 as 
> gc._msdcs.aeriagames.local.
> Looking for DNS entry CNAME 
> 4b8a02a6-364c-4c22-a205-0040c29e26f4._msdcs.aeriagames.local 
> voyager.aeriagames.local as 
> 4b8a02a6-364c-4c22-a205-0040c29e26f4._msdcs.aeriagames.local.
> Looking for DNS entry SRV _kpasswd._tcp.aeriagames.local 
> voyager.aeriagames.local 464 as _kpasswd._tcp.aeriagames.local.
> Checking 0 100 464 coruscant.aeriagames.local. against SRV 
> _kpasswd._tcp.aeriagames.local voyager.aeriagames.local 464
> Checking 0 100 464 voyager.aeriagames.local. against SRV 
> _kpasswd._tcp.aeriagames.local voyager.aeriagames.local 464
> Looking for DNS entry SRV _kpasswd._udp.aeriagames.local 
> voyager.aeriagames.local 464 as _kpasswd._udp.aeriagames.local.
> Checking 0 100 464 coruscant.aeriagames.local. against SRV 
> _kpasswd._udp.aeriagames.local voyager.aeriagames.local 464
> Checking 0 100 464 voyager.aeriagames.local. against SRV 
> _kpasswd._udp.aeriagames.local voyager.aeriagames.local 464
> Looking for DNS entry SRV _kerberos._tcp.aeriagames.local 
> voyager.aeriagames.local 88 as _kerberos._tcp.aeriagames.local.
> Checking 0 100 88 coruscant.aeriagames.local. against SRV 
> _kerberos._tcp.aeriagames.local voyager.aeriagames.local 88
> Checking 0 100 88 voyager.aeriagames.local. against SRV 
> _kerberos._tcp.aeriagames.local voyager.aeriagames.local 88
> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.aeriagames.local 
> voyager.aeriagames.local 88 as _kerberos._tcp.dc._msdcs.aeriagames.local.
> Checking 0 100 88 coruscant.aeriagames.local. against SRV 
> _kerberos._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 88
> Checking 0 100 88 voyager.aeriagames.local. against SRV 
> _kerberos._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 88
> Looking for DNS entry SRV 
> _kerberos._tcp.berlinoffice._sites.aeriagames.local 
> voyager.aeriagames.local 88 as 
> _kerberos._tcp.berlinoffice._sites.aeriagames.local.
> Checking 0 100 88 coruscant.aeriagames.local. against SRV 
> _kerberos._tcp.berlinoffice._sites.aeriagames.local 
> voyager.aeriagames.local 88
> Checking 0 100 88 voyager.aeriagames.local. against SRV 
> _kerberos._tcp.berlinoffice._sites.aeriagames.local 
> voyager.aeriagames.local 88
> Looking for DNS entry SRV 
> _kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
> voyager.aeriagames.local 88 as 
> _kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local.
> Checking 0 100 88 coruscant.aeriagames.local. against SRV 
> _kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
> voyager.aeriagames.local 88
> Checking 0 100 88 voyager.aeriagames.local. against SRV 
> _kerberos._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
> voyager.aeriagames.local 88
> Looking for DNS entry SRV _kerberos._udp.aeriagames.local 
> voyager.aeriagames.local 88 as _kerberos._udp.aeriagames.local.
> Checking 0 100 88 coruscant.aeriagames.local. against SRV 
> _kerberos._udp.aeriagames.local voyager.aeriagames.local 88
> Checking 0 100 88 voyager.aeriagames.local. against SRV 
> _kerberos._udp.aeriagames.local voyager.aeriagames.local 88
> Looking for DNS entry SRV _ldap._tcp.aeriagames.local 
> voyager.aeriagames.local 389 as _ldap._tcp.aeriagames.local.
> Checking 0 100 389 coruscant.aeriagames.local. against SRV 
> _ldap._tcp.aeriagames.local voyager.aeriagames.local 389
> Checking 0 100 389 voyager.aeriagames.local. against SRV 
> _ldap._tcp.aeriagames.local voyager.aeriagames.local 389
> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.aeriagames.local 
> voyager.aeriagames.local 389 as _ldap._tcp.dc._msdcs.aeriagames.local.
> Checking 0 100 389 coruscant.aeriagames.local. against SRV 
> _ldap._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 389
> Checking 0 100 389 voyager.aeriagames.local. against SRV 
> _ldap._tcp.dc._msdcs.aeriagames.local voyager.aeriagames.local 389
> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.aeriagames.local 
> voyager.aeriagames.local 3268 as _ldap._tcp.gc._msdcs.aeriagames.local.
> Checking 0 100 3268 coruscant.aeriagames.local. against SRV 
> _ldap._tcp.gc._msdcs.aeriagames.local voyager.aeriagames.local 3268
> Checking 0 100 3268 voyager.aeriagames.local. against SRV 
> _ldap._tcp.gc._msdcs.aeriagames.local voyager.aeriagames.local 3268
> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.aeriagames.local 
> voyager.aeriagames.local 389 as _ldap._tcp.pdc._msdcs.aeriagames.local.
> Checking 0 100 389 coruscant.aeriagames.local. against SRV 
> _ldap._tcp.pdc._msdcs.aeriagames.local voyager.aeriagames.local 389
> Checking 0 100 389 voyager.aeriagames.local. against SRV 
> _ldap._tcp.pdc._msdcs.aeriagames.local voyager.aeriagames.local 389
> Looking for DNS entry SRV 
> _ldap._tcp.berlinoffice._sites.aeriagames.local 
> voyager.aeriagames.local 389 as 
> _ldap._tcp.berlinoffice._sites.aeriagames.local.
> Checking 0 100 389 coruscant.aeriagames.local. against SRV 
> _ldap._tcp.berlinoffice._sites.aeriagames.local 
> voyager.aeriagames.local 389
> Checking 0 100 389 voyager.aeriagames.local. against SRV 
> _ldap._tcp.berlinoffice._sites.aeriagames.local 
> voyager.aeriagames.local 389
> Looking for DNS entry SRV 
> _ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
> voyager.aeriagames.local 389 as 
> _ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local.
> Checking 0 100 389 coruscant.aeriagames.local. against SRV 
> _ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
> voyager.aeriagames.local 389
> Checking 0 100 389 voyager.aeriagames.local. against SRV 
> _ldap._tcp.berlinoffice._sites.dc._msdcs.aeriagames.local 
> voyager.aeriagames.local 389
> Looking for DNS entry SRV 
> _ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local 
> voyager.aeriagames.local 3268 as 
> _ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local.
> Checking 0 100 3268 coruscant.aeriagames.local. against SRV 
> _ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local 
> voyager.aeriagames.local 3268
> Checking 0 100 3268 voyager.aeriagames.local. against SRV 
> _ldap._tcp.berlinoffice._sites.gc._msdcs.aeriagames.local 
> voyager.aeriagames.local 3268
> Looking for DNS entry SRV 
> _ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local 
> voyager.aeriagames.local 389 as 
> _ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local.
> Checking 0 100 389 coruscant.aeriagames.local. against SRV 
> _ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local 
> voyager.aeriagames.local 389
> Checking 0 100 389 voyager.aeriagames.local. against SRV 
> _ldap._tcp.59c177b5-4fa0-4af8-9af3-f2d7eb47e593.domains._msdcs.aeriagames.local 
> voyager.aeriagames.local 389
> Looking for DNS entry SRV _gc._tcp.aeriagames.local 
> voyager.aeriagames.local 3268 as _gc._tcp.aeriagames.local.
> Checking 0 100 3268 coruscant.aeriagames.local. against SRV 
> _gc._tcp.aeriagames.local voyager.aeriagames.local 3268
> Checking 0 100 3268 voyager.aeriagames.local. against SRV 
> _gc._tcp.aeriagames.local voyager.aeriagames.local 3268
> Looking for DNS entry SRV 
> _gc._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 
> 3268 as _gc._tcp.berlinoffice._sites.aeriagames.local.
> Checking 0 100 3268 coruscant.aeriagames.local. against SRV 
> _gc._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 
> 3268
> Checking 0 100 3268 voyager.aeriagames.local. against SRV 
> _gc._tcp.berlinoffice._sites.aeriagames.local voyager.aeriagames.local 
> 3268
> No DNS updates needed
> [root at voyager sbin]#
>
>
> As you can see, it still checks for coruscant.aeriagames.local., which 
> is the old Windows DC. It can't really find the DC within the domain, 
> though; I spent hours looking through the database with ADSI, but 
> could not find promising entries. 'Active Directory Sites and 
> Services' only shows VOYAGER under Servers.
>
>
> nsupdate run in debug mode gives back this:
>
>
> > server voyager.aeriagames.local
> > debug
> > update add ws011.aeriagames.local 7200 A 172.25.16.33
> > send
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26679
> ;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;ws011.aeriagames.local.        IN    SOA
>
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10643
> ;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;aeriagames.local.        IN    SOA
>
> ;; ANSWER SECTION:
> aeriagames.local.    3600    IN    SOA coruscant.aeriagames.local. 
> hostmaster.aeriagames.local. 466457 900 600 86400 3600
>
> Found zone name: aeriagames.local
> The master is: coruscant.aeriagames.local
> Sending update to 172.25.15.2#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53811
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
> ;; UPDATE SECTION:
> ws011.aeriagames.local.    7200    IN    A    172.25.16.33
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53811
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;aeriagames.local.        IN    SOA
>
> ;; UPDATE SECTION:
> ws011.aeriagames.local.    7200    IN    A    172.25.16.33
>
>
>
>
> ---> The master is: coruscant.aeriagames.local
> This really worries me. The old DC should not be master of anything!
>
>
>
>
> Any ideas on how to fix this?
>
>
>
>
> Regards,
> Morten
>
>
>
>
>
>
>
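A small checker, added here as an example and not part of the thread or of Samba itself, that parses samba_dnsupdate --verbose lines and an SOA answer in the shape quoted above and reports SRV targets and an SOA MNAME that point at a DC not in a list of live DCs you supply. The sample lines are constructed to mirror the quoted output (unwrapped, since the mail client folded them), and the live-DC list is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the samba_dnsupdate --verbose lines
# quoted in the thread (wrapped e-mail lines must be rejoined first).
SAMPLE_DNSUPDATE = """\
Looking for DNS entry SRV _ldap._tcp.aeriagames.local voyager.aeriagames.local 389 as _ldap._tcp.aeriagames.local.
Checking 0 100 389 coruscant.aeriagames.local. against SRV _ldap._tcp.aeriagames.local voyager.aeriagames.local 389
Checking 0 100 389 voyager.aeriagames.local. against SRV _ldap._tcp.aeriagames.local voyager.aeriagames.local 389
Looking for DNS entry SRV _kerberos._tcp.aeriagames.local voyager.aeriagames.local 88 as _kerberos._tcp.aeriagames.local.
Checking 0 100 88 coruscant.aeriagames.local. against SRV _kerberos._tcp.aeriagames.local voyager.aeriagames.local 88
Checking 0 100 88 voyager.aeriagames.local. against SRV _kerberos._tcp.aeriagames.local voyager.aeriagames.local 88
No DNS updates needed
"""
# Constructed SOA answer line in the shape nsupdate's debug output prints it.
SAMPLE_SOA = ("aeriagames.local.    3600    IN    SOA coruscant.aeriagames.local. "
              "hostmaster.aeriagames.local. 466457 900 600 86400 3600")

# "Checking <prio> <weight> <port> <target> against SRV <name> <wanted target> <port>"
CHECK_RE = re.compile(r"^Checking\s+\d+\s+\d+\s+(\d+)\s+(\S+)\s+against\s+SRV\s+(\S+)\s+\S+\s+\d+$")
# "<zone> <ttl> IN SOA <mname> <rname> <serial> ..."
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)\s+")

def norm(name):
    """Compare DNS names case-insensitively and ignoring the trailing dot."""
    return name.rstrip(".").lower()

def stale_srv_targets(verbose_output, live_dcs):
    """Map each SRV name to the (target, port) pairs that are not live DCs."""
    live = {norm(d) for d in live_dcs}
    stale = defaultdict(set)
    for line in verbose_output.splitlines():
        m = CHECK_RE.match(line.strip())
        if m and norm(m.group(2)) not in live:
            stale[norm(m.group(3))].add((norm(m.group(2)), int(m.group(1))))
    return {name: sorted(targets) for name, targets in stale.items()}

def stale_soa_master(soa_line, live_dcs):
    """Return the SOA MNAME if it names a host that is not a live DC, else None."""
    m = SOA_RE.match(soa_line.strip())
    if not m:
        raise ValueError("not an SOA record line: %r" % soa_line)
    mname = norm(m.group(2))
    return mname if mname not in {norm(d) for d in live_dcs} else None

if __name__ == "__main__":
    live = ["voyager.aeriagames.local"]  # assumption: the DCs that still exist
    for name, targets in stale_srv_targets(SAMPLE_DNSUPDATE, live).items():
        print("stale SRV %s -> %s" % (name, targets))
    print("stale SOA MNAME: %s" % stale_soa_master(SAMPLE_SOA, live))
```

Run against the full verbose output, it lists every SRV name that still carries the decommissioned DC as a target, which is the record set to inspect in the AD DNS partitions rather than in Sites and Services.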