[Solved] Samba with internal dns server does not replicate DomainDnsZones and ForestDnsZones to win2008r2

Günter Kukkukk linux at kukkukk.com
Fri Nov 21 15:07:34 MST 2014 

Am 20.11.2014 um 05:32 schrieb Günter Kukkukk:
> Hi all,
> 
> some days ago nick "xdexter" on IRC-channel #samba brought this
> to my attention:
> When a samba server with internal dns server is joined to
> a win2008r2 server, DomainDnsZones and ForestDnsZones are *not*
> replicated (outbound) from samba to w2008r2.
> 
> In the reverse direction all is fine!
> 
> I atm have a setup with 3 AD DCs joined to a domain
>   - samba with DLZ module
>   - samba with internal DNS server
>   - w2008r2
> 
> I saw the same strange behavior.
> All replications were done pretty well in both directions
> (inbound / outbound), BUT the samba server with internal dns
> server was *not* replicating (outbound) DomainDnsZones and
> ForestDnsZones to win2008r2! (only these 2 were missing)
> 
> On IRC I talked with ekacnet about this phenomenon and he told
> me that DomainDnsZones and ForestDnsZones are special, because
> both are "application partitions".
> He said, that one can enable those application partitions for
> replication and he will have a look, which (python) commands
> can be used for that...
> 
> Nick "xdexter" posted a solution for this using MS tool ntdsutil.
> 
> In the following example the server with missing outbound
> dns replication is named "li131":
> 
> ntdsutil
> - partition management
> -- connections
> --- connect to server li131
> --- q
> -- List NC Replicas DC=ForestDnsZones,DC=addlz,DC=kukkukk,DC=com       // li131 should not be listed here
> -- List NC Replicas DC=DomainDnsZones,DC=addlz,DC=kukkukk,DC=com       // li131 should not be listed here
> -- Add NC Replica DC=ForestDnsZones,DC=addlz,DC=kukkukk,DC=com li131.addlz.kukkukk.com
> -- Add NC Replica DC=DomainDnsZones,DC=addlz,DC=kukkukk,DC=com li131.addlz.kukkukk.com
> -- q
> - q
> 
> After this all 3 DCs were replicating all NCs in all directions! :-)
> 
> One question remains:
> Why was samba with DLZ module working and the one with internal dns was not?
> Could have been the sequence in which i've joined the DCs.
> Afair, the very first DC was samba/DLZ, then i joined w2008r2, then samba/internal dns.
> But user "xdexter" only had 2 DCs.
> 
> Hopefully ekacnet can add a command to samba-tool to also allow enabling of
> application partitions.
> 
> Cheers, Günter
> 

the inbound/outbound settings of a DC can also be done with
the GUI "Active Directory Sites and Services":

Sites->Default-First-Site-Name->Servers->DC01->NTDS-settings
In the right frame select a server's settings (rightclick->...).
(In the settings dialog change "Replicated Namingcontexts")

http://picpaste.com/NCs-Forest-Domain-K9nHVlbb.png

Cheers, Günter

--

More information about the samba-technical mailing list