[Samba] DNS management error

Antun Horvat antun.horvat at radio101.hr
Wed Aug 28 12:18:47 MDT 2013

To clarify things a bit for others with the same problem, I will try to 
explain the exact things that I did.

Like I said, one of my issues was that the domain was functioning in 
level 2003 native, but the forest remained in the 2000 native 
functioning level.
So you need to be sure that both domain and forest levels are indeed 
functioning in 2003 native level.
If your domain and forest are not running at that level, you need to 
transfer all FSMO roles to your Windows server. These roles are (RID, 
PDC, Infrastructure, Naming master, Schema master).
At that point I removed all Samba servers from the domain, which may not 
be needed, but I wanted to decrease the chance of Samba interfering 
with the process of raising the level.
Since for some reason I could not demote the Samba servers from the domain, 
I simply stopped the Samba process on the Linux servers and removed the 
Samba metadata on Windows using the ntdsutil tool. You must be careful 
with that command, since you can destroy all your domain data with it.

Now, with just the Windows 2003 server in the domain, I simply raised the 
forest level and did not experience any problems with it.

Next, I opened the DNS MMC in Windows 2003, selected my domain zones, 
right-clicked the zone and in the options selected forest-wide replication.
I don't remember the exact name of the tab, but it is easily identified.

Then I reinstalled (make uninstall; make install) Samba on the Linux 
servers and joined them as DCs to the Windows server.
Now is a good time to test replication of LDAP data between the servers, 
for example by adding user1 on Windows and user2 on a Linux server and 
seeing whether the users are replicated between the servers. Also check 
the status of "samba-tool drs showrepl".

Then, if the data is replicating without any error, transfer all FSMO 
roles to a Linux server using "samba-tool fsmo transfer --role=all".

Now wait a few minutes, then shut down the Windows 2003 server and take it 
off the network. At this point the domain should be running just fine and 
everything can be based on the Samba4 ADs. Now you can manage your domain 
and DNS data through the Windows MMC tools or through the samba-tool CLI.

Also, if you experience issues with slow logins on domain workstations, 
be sure to delete the IPv6 address from the DNS zone, as that fixed 
login times in my case.

If you are doing this in a fully functional environment where everything 
depends on your DC and people are using workstations 24 hours a day, don't 
worry, it can be done, since I did it without any downtime. I have 
successfully converted an old Windows 2000 domain into a 2003-compatible 
domain running only on (for now) two Samba DCs.
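A pre-flight gate for the step above ("check the status of samba-tool drs showrepl" before running the FSMO transfer), added here as an example; it is not code from the original post or from the Samba project. It parses captured showrepl text and flags any required partition (the domain NC, DomainDnsZones and ForestDnsZones, the one that was missing in this thread) that has no inbound neighbour or a non-zero failure count; the output layout it assumes and the sample text are constructed, and it needs Python 3.8 or newer.

```python
"""Pre-flight check before "samba-tool fsmo transfer --role=all": parse the text
of "samba-tool drs showrepl" and confirm the domain NC, DomainDnsZones and
ForestDnsZones each have an inbound neighbour with 0 consecutive failures.
Assumed layout: "====" banners, unindented partition DNs, indented neighbour
lines ending in "N consecutive failure(s)."  The sample below is constructed."""
import re

# Constructed sample: ForestDnsZones (the partition missing in the thread) fails.
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====

DC=example,DC=com
\tDefault-First-Site-Name\\WIN2K3 via RPC
\t\t0 consecutive failure(s).

DC=DomainDnsZones,DC=example,DC=com
\tDefault-First-Site-Name\\WIN2K3 via RPC
\t\t0 consecutive failure(s).
DC=ForestDnsZones,DC=example,DC=com
\tDefault-First-Site-Name\\WIN2K3 via RPC
\t\t3 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
"""
FAILURES_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)")

def parse_inbound(text):
    """Map each partition DN in the INBOUND section to its neighbours' failure counts."""
    result, partition, in_inbound = {}, None, False
    for line in text.splitlines():
        if line.startswith("===="):          # section banner: only INBOUND matters
            in_inbound = "INBOUND" in line
        elif not in_inbound or not line.strip():
            continue
        elif not line[0].isspace():          # unindented line names a partition
            partition = line.strip()
            result.setdefault(partition, [])
        elif (m := FAILURES_RE.match(line)) and partition is not None:
            result[partition].append(int(m.group(1)))
    return result

def replication_problems(text, domain_dn):
    """One line per required partition that is absent, has no neighbour, or is failing."""
    required = [domain_dn, "DC=DomainDnsZones," + domain_dn, "DC=ForestDnsZones," + domain_dn]
    inbound, problems = parse_inbound(text), []
    for dn in required:
        counts = inbound.get(dn)
        if not counts:                       # covers the thread's missing-partition case
            problems.append(dn + ": no inbound neighbour (partition missing?)")
        elif any(counts):
            problems.append("%s: %d consecutive failure(s)" % (dn, max(counts)))
    return problems
```

Feed it the real output (for example `samba-tool drs showrepl | python3 check.py` with a small wrapper reading stdin) and transfer the roles only when it returns an empty list.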

On 08/28/2013 06:29 PM, Garth Keesler wrote:
> Wow! I'm impressed! :-) I also ensured that the domain was at 2003 
> native but with no improvement.
> When you say that "in the DNS tool I configured forest wide zone 
> replication", is that the Win DNS MMC or samba-tool? Can you be 
> specific? That may have been my problem.
> Thanx,
> Garth
> On 08/28/2013 09:52 AM, Antun Horvat wrote:
>> Hello again,
>> I wanted to notify everybody that I managed to overcome this problem.
>> The issue was that CN=MicrosoftDNS,DC=ForestDnsZones,... branch was 
>> missing because
>> the Forest was operating in Windows 2000 native functional level.
>> The thing that I did was, transfer all FSMO roles back to Windows 
>> 2003 server plugged off Samba servers, cleaned Samba server metadata 
>> and then raised the level of the domain to Windows 2003 Native.
>> Then in the DNS tool I configured forest wide zone replication.
>> Then I did a fresh install of Samba on the Linux servers and joined 
>> them to the domain.
>> When I was sure that all changes were being replicated across all 
>> domain controllers, I transferred all FSMO roles
>> back to one Linux server and unplugged Windows 2003 from the network.
>> Now I have full access to DNS services and all other levels of Domain 
>> are functional.
>> To be exact, I still have some minor issues such as long logon times, 
>> but soon I will resolve them too.
>> All best,
>> Antun
>> On 08/27/2013 09:00 PM, Antun Horvat wrote:
>>> Well that's the thing, I can only replicate DNS changes from WinDC 
>>> to Samba, but not the other way.
>>> I can't even update DNS records on Samba side, only on Windows side.
>>> I managed to figure out an error on Samba caused by RPC call:
>>> dnsserver: Found DNS zone .
>>> Failed to find DNS Zones in 
>>> CN=MicrosoftDNS,DC=ForestDnsZones,DC=Radio101,DC=local
>>> Now I am surfing on the web trying to find some kind of solution.
>>> All best,
>>> Antun
>>> On 08/27/2013 08:46 PM, Garth Keesler wrote:
>>>> Interesting. Are Forest and Domain records being replicated in both 
>>>> directions from all DCs? It always worked from the WinDC to the 
>>>> S4DC but not in the other direction. Also, were you able to use the 
>>>> WIN DNS MMC to examine the DNS records on any of the Samba DCs? If 
>>>> so, you are probably close to having it working; something I never 
>>>> managed to do.
>>>> See ya...
>>>> Garth
>>>> On 08/27/2013 12:07 PM, Antun Horvat wrote:
>>>>> Thanks for such quick reply,
>>>>> I have just executed "samba-tool drs showrepl" command and it 
>>>>> seems that Forest and Domain LDAP DIT are being replicated 
>>>>> successfully.
>>>>> But I still doubt that it cannot be fixed, since all RR records 
>>>>> that are added to w2k3 server are successfully propagated and 
>>>>> present. All name resolution queries on samba reflect the state of 
>>>>> w2k3 DNS.
>>>>> Is there some way to debug RPC calls so that we can more precisely 
>>>>> locate the error?
>>>>> All best,
>>>>> Antun
>>>>> On 08/27/2013 06:40 PM, Garth Keesler wrote:
>>>>>> This issue has been discussed at length before with no resolution 
>>>>>> to my knowledge. If you use "samba-tool drs showrepl", you will 
>>>>>> probably notice that Forest and Domain DNS is not being 
>>>>>> replicated to/from all DCs. Additionally, if you use Win2003 DNS 
>>>>>> MMC, you will not be able to detect that DNS is running on the 
>>>>>> Samba DCs nor that they are DCs at all. I have only tested this 
>>>>>> using internal Samba DNS but have found no workaround and have 
>>>>>> dropped trying to use Samba to demote/replace a Win2003 DC for now.
>>>>>> Good luck,
>>>>>> Garth
>>>>>> On 08/27/2013 09:58 AM, Antun Horvat wrote:
>>>>>>> Hello,
>>>>>>> I have an issue with an existing installation of a Samba4 domain 
>>>>>>> controller that is specific to DNS management.
>>>>>>> In the domain I have two Samba4 4.0.7 servers and one Windows 2003 
>>>>>>> server that I plug in periodically to manage the DNS.
>>>>>>> All FSMO roles are transferred to Samba.
>>>>>>> All aspects of the domain work perfectly, except one: the 
>>>>>>> samba-tool dns commands do not work.
>>>>>>> All commands, when executed on a Samba server, return "ERROR(runtime):
>>>>>>> uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')" 
>>>>>>> error. The same command pointed at the Windows server works fine.
>>>>>>> All commands that add hosts on Windows are replicated to the Samba 
>>>>>>> instances.
>>>>>>> The domain is functioning at 2003 native level (reported by the 
>>>>>>> Windows tool), but Samba can't figure out the level.
>>>>>>> Also, when I try to demote the w2k3 server I get the error that 
>>>>>>> "Active Directory could not find another domain controller to 
>>>>>>> transfer the remaining data in the directory partition
>>>>>>> DC=DomainDnsZones,Dc=example,dc=com"
>>>>>>> Could you please point me to the right resources so that I can 
>>>>>>> resolve my current issues.
>>>>>>> Thanks in advance, and I wish best to all Samba community.
>>>>>>> ps
>>>>>>> If you need some kind of help, such as testing rc's in certain
>>>>>>> configuration, please contact me.
