[Samba] DNS management error
Garth Keesler
garthk at gdcjk.com
Wed Aug 28 12:48:31 MDT 2013
Many thanks! I'll give this a try.
See ya...
Garth
On 08/28/2013 01:18 PM, Antun Horvat wrote:
> To clarify things a bit for others with the same problem, I will try
> to explain exact things that I did.
>
> Like I said, one of my issues was that the domain was functioning in
> level 2003 native, but the forest remained in the 2000 native
> functioning level.
> So you need to be sure that both domain and forest levels are indeed
> functioning in 2003 native level.
> If your domain and forest are not running in that level, you need to
> transfer all FSMO roles to your Windows server. These roles are (RID,
> PDC, Infrastructure, Naming master, Schema master).
> At that point I removed all samba servers from the domain which may
> not be needed, but I wanted to decrease the chance of Samba to
> interfere with the process
> of raising the level.
> Since I could not demote the samba for some reason from the domain, I
> simply stopped the Samba process on Linux servers and removed Samba
> metadata on windows using ntdsutil tool. You must be careful with that
> command since you can destroy all your domain data with it.
>
> Now with just Windows 2003 server in the domain I have simply raised
> the forest level and did not experience any problems with it.
>
> Next, I opened DNS MMC in Windows2003 and selected my domain zones,
> right clicked the zone and in options selected forest wide replication.
> I don't remember the exact name of the tab, but it is easily identified.
>
> Now I have reinstalled (make uninstall; make install) Samba on the
> Linux servers and joined them as DC's to Windows server.
> Now it is a good time to test replication of LDAP data between servers
> by adding for example user1 to Windows and user2 to Linux server and see
> if the users are being replicated between the servers. Also check the
> status of "samba-tool drs showrepl".
>
> Then if the data is replicating without any error using the
> "samba-tool fsmo transfer --role=all" transfer all FSMO roles to Linux
> server.
>
> Now wait a few minutes and shut down Windows 2003 server from the
> network. At this point the domain should be running just fine and
> everything can be
> based on Samba4 AD's. Now you can manage your Domain and DNS data
> through Windows MMC tools or through samba-tool CLI tool.
>
>
> Also if you experience some issue with slow logins in Domain
> workstations, be sure to delete ipv6 address from DNS zone, as it
> fixed login times in my case.
>
> If you are doing this in fully functional environment where everything
> is depending on your DC, and people are using workstations 24H don't
> worry, it can
> be done since I did that without any downtime. I have successfully
> converted old windows 2000 domain into 2003 compatible domain running
> only on
> (for now) two Samba DC's.
>
>
> On 08/28/2013 06:29 PM, Garth Keesler wrote:
>> Wow! I'm impressed! :-) I also ensured that the domain was at 2003
>> native but with no improvement.
>>
>> When you say that "in the DNS tool I configured forest wide zone
>> replication", is that the Win DNS MMC or samba-tool? Can you be
>> specific? That may have been my problem.
>>
>> Thanx,
>> Garth
>>
>> On 08/28/2013 09:52 AM, Antun Horvat wrote:
>>> Hello again,
>>>
>>> I wanted to notify everybody that I managed to overcome this problem.
>>> The issue was that CN=MicrosoftDNS,DC=ForestDnsZones,... branch was
>>> missing because
>>> the Forest was operating in Windows 2000 native functional level.
>>> The thing that I did was, transfer all FSMO roles back to Windows
>>> 2003 server, plugged off Samba servers, cleaned Samba server metadata
>>> and then raised the level of the domain to Windows 2003 Native.
>>> Then in the DNS tool I configured forest wide zone replication.
>>> Then I did a fresh install of Samba on Linux servers and joined
>>> them to the domain.
>>>
>>> When I was sure that all changes are being replicated across all
>>> domain controllers, I transferred all FSMO roles
>>> back to one Linux server and unplugged Windows 2003 from the network.
>>>
>>> Now I have full access to DNS services and all other levels of
>>> Domain are functional.
>>>
>>> To be exact, I still have some minor issues such as long logon times,
>>> but soon I will resolve them too.
>>>
>>> All best,
>>> Antun
>>>
>>> On 08/27/2013 09:00 PM, Antun Horvat wrote:
>>>> Well that's the thing, I can only replicate DNS changes from WinDC
>>>> to Samba, but not in other way.
>>>> I can't even update DNS records on Samba side, only on Windows side.
>>>>
>>>> I managed to figure out an error on Samba caused by RPC call:
>>>> dnsserver: Found DNS zone .
>>>> Failed to find DNS Zones in
>>>> CN=MicrosoftDNS,DC=ForestDnsZones,DC=Radio101,DC=local
>>>>
>>>> Now I am surfing on the web trying to find some kind of solution.
>>>>
>>>> All best,
>>>> Antun
>>>>
>>>> On 08/27/2013 08:46 PM, Garth Keesler wrote:
>>>>> Interesting. Are Forest and Domain records being replicated in
>>>>> both directions from all DCs? It always worked from the WinDC to
>>>>> the S4DC but not in the other direction. Also, were you able to
>>>>> use the WIN DNS MMC to examine the DNS records on any of the Samba
>>>>> DCs? If so, you are probably close to having it working; something
>>>>> I never managed to do.
>>>>>
>>>>> See ya...
>>>>> Garth
>>>>>
>>>>> On 08/27/2013 12:07 PM, Antun Horvat wrote:
>>>>>> Thanks for such quick reply,
>>>>>>
>>>>>> I have just executed "samba-tool drs showrepl" command and it
>>>>>> seems that Forest and Domain LDAP DIT are being replicated
>>>>>> successfully.
>>>>>> But I still doubt that it can not be fixed since all RR records
>>>>>> that are added to w2k3 server are successfully propagated and
>>>>>> present. All name resolution queries on samba reflect the state
>>>>>> of w2k3 DNS.
>>>>>>
>>>>>> Is there some way to debug RPC calls so that we can more
>>>>>> precisely locate the error?
>>>>>>
>>>>>>
>>>>>> All best,
>>>>>> Antun
>>>>>>
>>>>>> On 08/27/2013 06:40 PM, Garth Keesler wrote:
>>>>>>> This issue has been discussed at length before with no
>>>>>>> resolution to my knowledge. If you use "samba-tool drs
>>>>>>> showrepl", you will probably notice that Forest and Domain DNS
>>>>>>> is not being replicated to/from all DCs. Additionally, if you
>>>>>>> use Win2003 DNS MMC, you will not be able to detect that DNS is
>>>>>>> running on the Samba DCs nor that they are DCs at all. I have
>>>>>>> only tested this using internal Samba DNS but have found no
>>>>>>> workaround and have dropped trying to use Samba to
>>>>>>> demote/replace a Win2003 DC for now.
>>>>>>>
>>>>>>> Good luck,
>>>>>>> Garth
>>>>>>>
>>>>>>> On 08/27/2013 09:58 AM, Antun Horvat wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have an issue with existing installation of samba4 domain
>>>>>>>> controller
>>>>>>>> that is specific to dns management.
>>>>>>>> In the domain I have two samba4 4.0.7 and one windows 2003
>>>>>>>> server that I
>>>>>>>> plug periodically to manage the dns.
>>>>>>>> All fsmo roles are transferred to samba.
>>>>>>>>
>>>>>>>> All aspects of the domain work perfectly, except one, the
>>>>>>>> samba-tool dns
>>>>>>>> commands do not work.
>>>>>>>> All commands when executed on samba server return "ERROR(runtime):
>>>>>>>> uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')"
>>>>>>>> error. The
>>>>>>>> same command pointed to windows server works fine.
>>>>>>>> All commands that add hosts to Windows are replicated to samba
>>>>>>>> instances.
>>>>>>>>
>>>>>>>> The domain is functioning at 2003 native level (reported by
>>>>>>>> windows
>>>>>>>> tool), but samba can't figure out the level.
>>>>>>>> Also when I try to demote the w2k3 server I get the error that
>>>>>>>> "Active
>>>>>>>> Directory could not find another domain controller to transfer the
>>>>>>>> remaining data in the directory partition
>>>>>>>> DC=DomainDnsZones,Dc=example,dc=com"
>>>>>>>>
>>>>>>>> Could you please point me to the right resources so that I can
>>>>>>>> resolve
>>>>>>>> my current issues.
>>>>>>>>
>>>>>>>> Thanks in advance, and I wish best to all Samba community.
>>>>>>>>
>>>>>>>> ps
>>>>>>>> If you need some kind of help, such as testing rc's in certain
>>>>>>>> configuration, please contact me.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>
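The thread's procedure checks "samba-tool drs showrepl" before running "samba-tool fsmo transfer --role=all"; the following is an added example, not part of any message in the thread, that turns that check into a gate on the two DNS application partitions. The helper name `check_dns_partitions`, the host names and the sample text are assumptions: the sample is constructed in the layout showrepl usually prints and reproduces the thread's fault, a missing DC=ForestDnsZones partition.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to move FSMO roles until both DNS
# application partitions replicate inbound without errors.

# check_dns_partitions BASE_DN  (hypothetical helper; reads showrepl text on stdin)
# Prints one line per problem and returns non-zero if any is found.
check_dns_partitions() {
    awk -v base="$1" '
        BEGIN {
            bad = 0
            split("DC=DomainDnsZones DC=ForestDnsZones", pfx, " ")
            for (i in pfx) label[tolower(pfx[i] "," base)] = pfx[i] "," base
        }
        /^==== /    { inbound = ($0 ~ /INBOUND NEIGHBORS/); nc = ""; next }
        !inbound    { next }
        # An unindented DN opens the block for one replicated partition.
        /^(DC|CN)=/ { sub(/[ \t\r]+$/, ""); nc = tolower($0); seen[nc] = 1; next }
        /consecutive failure/ {
            if ((nc in label) && $1 + 0 > 0) {
                printf "FAIL %s: %d consecutive failure(s)\n", label[nc], $1
                bad = 1
            }
        }
        END {
            for (k in label) if (!(k in seen)) { print "MISSING " label[k]; bad = 1 }
            exit bad
        }
    '
}

# Constructed sample (host names and GUID invented): DomainDnsZones replicates,
# but there is no DC=ForestDnsZones block at all.
sample_showrepl() {
    printf '%s\n' 'Default-First-Site-Name\SAMBA1' '' \
        '==== INBOUND NEIGHBORS ====' '' 'DC=DomainDnsZones,DC=example,DC=com'
    printf '\t%s\n' 'Default-First-Site-Name\W2K3 via RPC'
    printf '\t\t%s\n' 'DSA object GUID: 00000000-0000-0000-0000-000000000001' \
        'Last attempt @ Wed Aug 28 10:00:00 2013 MDT was successful' \
        '0 consecutive failure(s).'
    printf '%s\n' '' '==== OUTBOUND NEIGHBORS ====' ''
}

# Real use: samba-tool drs showrepl | check_dns_partitions "DC=example,DC=com"
if sample_showrepl | check_dns_partitions "DC=example,DC=com"; then
    echo "DNS partitions replicate cleanly; FSMO transfer can proceed"
else
    echo "Fix DNS partition replication before transferring FSMO roles"
fi
```
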