[Samba] samba4 replication issues | sam.ldb inconsistency

mourik jan heupink - merit heupink at merit.unu.edu
Tue Jul 15 10:41:22 MDT 2014


Some more info on the current situation:

On my new DC3, checking replication, it says 0 failures, except for DC1, 
on my corrupted DC=DomainDnsZones:

DC=DomainDnsZones,DC=samba,DC=company,DC=com
         Default-First-Site-Name\DC1 via RPC
                 DSA object GUID: 81a27497-bdfb-4977-9874-675bbfba490f
                 Last attempt @ Tue Jul 15 18:18:10 2014 CEST failed, 
result 8442 (WERR_DS_DRA_INTERNAL_ERROR)
                 10 consecutive failure(s).
                 Last success @ NTTIME(0)

Since this is my corrupted DC1, I guess this is to be expected. 
Replication from DC2 seems fine, 0 failures.

The majority of errors when starting my new DC3 seem to be:
  samba_dnsupdate: update failed: SERVFAIL

Taking tips from the list, I tried:
  samba_dnsupdate --verbose
(its full output is here: http://pastebin.com/H4EYkxnA)

This command gives the following errors:

Failed to find matching DNS entry A samba.company.com 192.87.x.y

Failed to find matching DNS entry SRV _kpasswd._tcp.samba.company.com 
dc3.samba.company.com 464

Failed to find matching DNS entry SRV _kpasswd._udp.samba.company.com 
dc3.samba.company.com 464

Failed to find matching DNS entry SRV _kerberos._tcp.samba.company.com 
dc3.samba.company.com 88

Failed to find matching DNS entry SRV 
_kerberos._tcp.default-first-site-name._sites.samba.company.com 
dc3.samba.company.com 88

Failed to find matching DNS entry SRV _kerberos._udp.samba.company.com 
dc3.samba.company.com 88

Failed to find matching DNS entry SRV _gc._tcp.samba.company.com 
dc3.samba.company.com 3268

; TSIG error with server: tsig verify failure
update failed: SERVFAIL
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.samba.company.com 
dc3.samba.company.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.samba.company.com. 900 IN SRV   0 100 464 
dc3.samba.company.com.

; TSIG error with server: tsig verify failure
update failed: SERVFAIL
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.samba.company.com 
dc3.samba.company.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.samba.company.com. 900 IN SRV   0 100 464 
dc3.samba.company.com.

; TSIG error with server: tsig verify failure
update failed: SERVFAIL
Failed nsupdate: 2
Failed update of 10 entries
root@dc3:/var/log/samba# samba_dnsupdate --verbose | less
Failed to find matching DNS entry SRV _kerberos._tcp.samba.company.com 
dc3.samba.company.com 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.samba.company.com 
dc3.samba.company.com 88 as _kerberos._tcp.dc._msdcs.samba.company.com.

My problem seems to be missing DNS entries for my new dc3...? Should I 
add all these missing DNS names..? Surely that cannot be the way..?

Thanks very much for any help!

