samba- 4.2.1 as PDC in an 2008R2 domain - WERR_DNS_ERROR_DS_UNAVAILABLE

"Dr. Hansjörg Maurer" hansjoerg.maurer at
Tue May 5 12:32:21 MDT 2015


i successfully joined a samba 4.2.1 server as PDC to an 2008R2 domain
(which might have a 2003 history).

The only message during the join I wondered about was

descriptor_sd_propagation_recursive: DC=DomainDnsZones,DC=XXX,DC=net not
found under DC=XXX,DC=net
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=XXX,DC=net not
found under DC=XXX,DC=net

When I try to query the samba DC for a DNS record using samba-tool

samba-tool dns query  server01 A -U Administrator

I got

ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/",
line 175, in _run
    return*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/", line
994, in run
    None, record_type, select_flags, None, None)

When I query the MS DC I get the correct answer

  Name=, Records=1, Children=0
    A: (flags=f0, serial=0, ttl=900)

If I query the samba DC  using nslookup the host is resolved.

I am also unable to manage DNS on the samba DC using MMC
In the list archive I found under

"The older versions of window server (2003 and older) created the DNS
containers under CN=System in the domain partition, whereas the newer
windows server (2008+) creates separate application partitions for
DNS. DNS RPC server uses DNS partitions to store the DNS zone
information. But for querying purposes, dlz_bind9 module and internal
DNS server both can read records from CN=System in domain partition.
DNS RPC server can be easily modified to support CN=System for DNS
information. Patches are welcome! ;-) "

Is there a chance to fix that problem (on the samba or on th AD side)?



Unser System ist mit einem Mailverschluesselungs-Gateway ausgestattet. Wenn Sie moechten, dass an Sie gerichtete E-Mails verschluesselt werden, senden Sie einfach eine S/MIME-signierte E-Mail oder Ihren PGP Public Key an hansjoerg.maurer at

Our system is equipped with an email encryption gateway. If you want email sent to you to be encrypted please send a S/MIME signed email or your PGP public key to hansjoerg.maurer at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5906 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list