[Samba] Non Functioning Internal DNS - Samba4

Donaldson Jeff Jeff.Donaldson at ncs.k12.de.us
Mon Nov 3 16:25:15 MST 2014


The July date was when we first moved from Samba3 to 4. Not sure about the October date. Any ideas on what other things I can/should look at? Thanks!



> On Nov 3, 2014, at 5:26 PM, "Rowland Penny" <rowlandpenny at googlemail.com> wrote:
> 
>> On 03/11/14 21:25, Donaldson Jeff wrote:
>> Sorry, forgot to reply all...
>> 
>> Thanks! Here's the DNS record from your query...
>> 
>> # record 1
>> dn: DC=PRIMARYDC,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20130724141714.0Z
>> uSNCreated: 3656
>> showInAdvancedViewOnly: TRUE
>> name: primarydc
>> objectGUID: b119f8e2-64d8-4482-b6b1-9dc9388950a4
>> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=domain,DC=com
>> dc: primarydc
>> dnsRecord:: BAABAAXwAABuAAAAAAADhAAAAAAAAAAACrMCGQ==
>> whenChanged: 20131002220652.0Z
>> uSNChanged: 83735
>> distinguishedName: DC=primarydc,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZ
>>  ones,DC=domain,DC=com
>> 
>> 
>> Jeff Donaldson
>> Technology Director
>> Newark Charter School
>> jeff.donaldson at ncs.k12.de.us
>> (302) 369-2001 ext: 425
>> 
>> ________________________________________
>> From: samba-bounces at lists.samba.org <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny at googlemail.com>
>> Sent: Monday, November 3, 2014 12:51 PM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Non Functioning Internal DNS - Samba4
>> 
>>> On 03/11/14 17:19, Donaldson Jeff wrote:
>>> Thank you. Below is the cleaned up record from sam.ldb. Any help is appreciated.
>>> 
>>> # record 752
>>>   dn: CN=PRIMARYDC,OU=Domain Controllers,DC=domain
>>>   objectClass: top
>>>   objectClass: person
>>>   objectClass: organizationalPerson
>>>   objectClass: user
>>>   objectClass: computer
>>>   cn: PRIMARYDC
>>>   instanceType: 4
>>>   whenCreated: 20130724141655.0Z
>>>   uSNCreated: 3583
>>>   name: PRIMARYDC
>>>   objectGUID: 83003f9f-ed01-4805-9bc2-162ac0216db0
>>>   userAccountControl: 532480
>>>   badPwdCount: 0
>>>   codePage: 0
>>>   countryCode: 0
>>>   badPasswordTime: 0
>>>   lastLogoff: 0
>>>   lastLogon: 0
>>>   localPolicyFlags: 0
>>>   pwdLastSet: 130191490150000000
>>>   primaryGroupID: 516
>>>   objectSid: S-1-5-21-276688905-1455118844-2751846679-67110187
>>>   accountExpires: 9223372036854775807
>>>   logonCount: 0
>>>   sAMAccountName: PRIMARYDC$
>>>   sAMAccountType: 805306369
>>>   operatingSystem: Samba
>>>   operatingSystemVersion: 4.2.0pre1-GIT-b505111
>>>   dNSHostName: primarydc
>>>   objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain
>>>   isCriticalSystemObject: TRUE
>>>   rIDSetReferences: CN=RID Set,CN=PRIMARYDC,OU=Domain Controllers,DC=domain
>>>   serverReferenceBL: CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites
>>>    ,CN=Configuration,DC=domain
>>>   msDS-SupportedEncryptionTypes: 31
>>>   whenChanged: 20130825181055.0Z
>>>   uSNChanged: 21555
>>>   servicePrincipalName: HOST/primarydc.domain
>>>   servicePrincipalName: HOST/primarydc.domain/NEWARKCHARTER
>>>   servicePrincipalName: ldap/primarydc.domain/NEWARKCHARTER
>>>   servicePrincipalName: GC/primarydc.domain/domain
>>>   servicePrincipalName: ldap/primarydc.domain
>>>   servicePrincipalName: HOST/primarydc.domain/domain
>>>   servicePrincipalName: ldap/primarydc.domain/domain
>>>   servicePrincipalName: HOST/PRIMARYDC
>>>   servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/0bd99af6-a59f-4143-
>>>    a56d-dae3dd6c2fd5/domain
>>>   servicePrincipalName: ldap/0bd99af6-a59f-4143-a56d-dae3dd6c2fd5._msdcs.domain
>>>   servicePrincipalName: ldap/PRIMARYDC
>>>   servicePrincipalName: RestrictedKrbHost/PRIMARYDC
>>>   servicePrincipalName: RestrictedKrbHost/primarydc.domain
>>>   servicePrincipalName: ldap/primarydc.domain/DomainDnsZones.domain
>>>   servicePrincipalName: ldap/primarydc.domain/ForestDnsZones.domain
>>>   servicePrincipalName: HOST/ORPHANDC.domain
>>>   servicePrincipalName: HOST/ORPHANDC.domain/NEWARKCHARTER
>>>   servicePrincipalName: ldap/ORPHANDC.domain/NEWARKCHARTER
>>>   servicePrincipalName: GC/ORPHANDC.domain/domain
>>>   servicePrincipalName: ldap/ORPHANDC.domain
>>>   servicePrincipalName: HOST/ORPHANDC.domain/domain
>>>   servicePrincipalName: ldap/ORPHANDC.domain/domain
>>>   servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/976c9c86-288d-483e-
>>>    baec-7043a9c4a6cd/domain
>>>   servicePrincipalName: ldap/976c9c86-288d-483e-baec-7043a9c4a6cd._msdcs.domain
>>>   servicePrincipalName: RestrictedKrbHost/ORPHANDC.domain
>>>   servicePrincipalName: ldap/ORPHANDC.domain/DomainDnsZones.domain
>>>   servicePrincipalName: ldap/ORPHANDC.domain/ForestDnsZones.domain
>>>   distinguishedName: CN=PRIMARYDC,OU=Domain Controllers,DC=domain
>>> 
>>> # record 753
>>> 
>>> 
>>> Jeff Donaldson
>>> Technology Director
>>> Newark Charter School
>>> jeff.donaldson at ncs.k12.de.us
>>> (302) 369-2001 ext: 425
>>> 
>>> ________________________________________
>>> From: samba-bounces at lists.samba.org <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny at googlemail.com>
>>> Sent: Saturday, November 1, 2014 7:54 AM
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Non Functioning Internal DNS - Samba4
>>> 
>>>> On 31/10/14 13:55, Donaldson Jeff wrote:
>>>> 
>>>> Recently one of my Samba4 (4.2.0 Ver) Domain Controllers started acting up. Authentication against it would time out and fail, but until recently the internal DNS was still working. Now the internal DNS fails. If I use nslookup and set the server to it, then look up any hostname I get "connection timed out; no servers could be reached". This DC is my primary and has all FSMO roles. I need to get this working again in order to seize those roles on one of my other DCs. During troubleshooting here are some of the things I found.
>>>> 
>>>> 
>>>> If I nslookup the IP address of my primary DC on one of my other servers, I get two records
>>>> 
>>>> 
>>>> 25.2.xxx.xx.in-addr.arpa          name = hostname.
>>>> 
>>>> 25.2.xxx.xx.in-addr.arpa          name = FQDN.
>>>> 
>>>> 
>>>> I only get the FQDN when I lookup my other DCs. When I found this, I tried to use Samba-Tool to delete the hostname. record, but I get message that the record doesn't exist. If I then run samba-tool dns serverinfo hostname, I get the following error...
>>>> 
>>>> 
>>>> ERROR(runtime): uncaught exception - (-1073741643, 'NT_STATUS_IO_TIMEOUT')
>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 703, in run
>>>>     dns_conn = dns_connect(server, self.lp, self.creds)
>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 37, in dns_connect
>>>>     dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>>>> 
>>>> 
>>>> I then tried checking the sam.ldb to see how the record is entered using ldbedit --url=sam.ldb. When I look at its record, there are at least 10 additional servicePrincipalName lines that are pointing to an old orphaned DC that I had to manually remove using ADSI and AD Sites and Services several months back. They are somehow attached to the Primary DC record in sam.ldb now. Could this be causing the DNS failure? If so, what if I were to take each DC down (over a weekend of course) then manually edit the record in sam.ldb on each DC, making sure that only the one being edited was up at a time, then once all of the changes are complete bring each one back online. The database record would be the same on all DCs and therefore replication wouldn't cause any further damage.
>>> Is there any chance you could post the record that you want to alter
>>> (suitably sanitized) ? It may be easier to just change the record on the
>>> first DC and then let replication change the others.
>>> 
>>> Rowland
>>> 
>>>> Oddly enough, despite all of this I can still connect to this DC via DNS Manager. It's really slow, but I can see all of the records and even attempted to delete the PTR record for the odd hostname. I got a similar error that the record does not exist. I can only assume that there is a timeout querying DNS via nslookup that DNS Manager doesn't hit.
>>>> 
>>>> 
>>>> Is there anything else I may be missing in troubleshooting this problem? If needed I can provide info from resolv.conf and hosts. Any help is appreciated.
>>>> 
>>>> Regards,
>>>> 
>>>> Jeff
>>>> 
>>>> Jeff Donaldson
>>>> Technology Director
>>>> Newark Charter School
>>>> jeff.donaldson at ncs.k12.de.us
>>>> (302) 369-2001 ext: 425
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> OK, that is not your dns record, if you want to see your dns record try
>> this:
>> 
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs -b
>> DC=primarydc,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
>> 
>> This should display your dns record
>> 
>> As for the no longer required SPNs, I would think that you should be
>> able to delete them without problems, but as usual, make a backup of
>> sam.ldb etc. first, before you try anything.
>> 
>> Rowland
>> 
> Hi, your AD DNS record basically matches mine (with the obvious differences); the only thing I noticed is that you initially created the record on the 24th July 2013 and it was changed on the 2nd Oct 2013. Do these dates mean anything to you?
> 
> Rowland

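The dnsRecord attribute that Rowland asked Jeff to pull out of sam.ldb is a binary blob (MS-DNSP DnsRecord layout, the same structure Samba's dnsp.idl describes), so ldbsearch/ldbedit can only show it base64-encoded. The decoder below is an added example written for this thread, not Samba's own code. It takes the exact base64 value from Jeff's LDIF above as its sample input and unpacks the 24-byte header plus the A/AAAA/NS/CNAME/PTR/SRV data formats; it also packs records back, so a decoded record can be round-tripped and compared byte for byte. One caveat worth knowing before pasting such LDIF to a public list: the base64 is not sanitized by the "xxx.xx" edits made elsewhere in the mail, and decoding it yields the DC's real address, TTL and serial. The type table and the `build_dns_record` helper are this example's own names, not Samba APIs.

```python
import base64
import ipaddress
import struct

# dnsRecord value copied verbatim from the dnsNode LDIF posted in the thread above.
PRIMARYDC_DNSRECORD = "BAABAAXwAABuAAAAAAADhAAAAAAAAAAACrMCGQ=="

RECORD_TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA", 33: "SRV"}
RECORD_TYPE_CODES = {name: code for code, name in RECORD_TYPE_NAMES.items()}
RANK_ZONE = 0xF0  # DNS_RANK_ZONE: authoritative record loaded from a primary zone
# 24-byte header: DataLength, Type, Version (5), Rank, Flags, Serial (little-endian),
# then TtlSeconds (big-endian!), Reserved, TimeStamp (little-endian), then Data.
HEADER = struct.Struct("<HHBBHI")


def parse_count_name(buf, pos):
    """Parse a DNS_COUNT_NAME: Length, LabelCount, <len><label>..., 0x00 terminator."""
    length, label_count = buf[pos], buf[pos + 1]
    cursor = pos + 2
    labels = []
    for _ in range(label_count):
        n = buf[cursor]
        labels.append(buf[cursor + 1:cursor + 1 + n].decode("ascii"))
        cursor += 1 + n
    return ".".join(labels), pos + 2 + length


def encode_count_name(name):
    """Inverse of parse_count_name for a dotted name (trailing dot optional)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    raw = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    raw += b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def parse_dns_record(blob):
    """Decode one dnsRecord value (raw bytes or the base64 text ldbsearch prints)."""
    if isinstance(blob, str):
        blob = base64.b64decode(blob)
    data_len, rtype, version, rank, flags, serial = HEADER.unpack_from(blob, 0)
    if version != 5:
        raise ValueError("unsupported dnsRecord version %d" % version)
    (ttl,) = struct.unpack_from(">I", blob, 12)        # the one big-endian header field
    _reserved, timestamp = struct.unpack_from("<II", blob, 16)
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("truncated dnsRecord: %d of %d data bytes" % (len(data), data_len))
    rec = {"type": RECORD_TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "rank": rank,
           "flags": flags, "serial": serial, "static": timestamp == 0}  # 0 = not aged
    if rtype == 1:
        rec["address"] = str(ipaddress.IPv4Address(data))
    elif rtype == 28:
        rec["address"] = str(ipaddress.IPv6Address(data))
    elif rtype in (2, 5, 12):
        rec["name"], _ = parse_count_name(data, 0)
    elif rtype == 33:
        rec["priority"], rec["weight"], rec["port"] = struct.unpack_from(">HHH", data, 0)
        rec["target"], _ = parse_count_name(data, 6)
    else:
        rec["raw"] = data.hex()  # SOA, MX, TXT, ... are left undecoded here
    return rec


def build_dns_record(rtype_name, ttl, serial, **fields):
    """Pack a static DNS_RANK_ZONE dnsRecord value for the types decoded above."""
    rtype = RECORD_TYPE_CODES[rtype_name]
    if rtype_name in ("A", "AAAA"):
        data = ipaddress.ip_address(fields["address"]).packed
    elif rtype_name in ("NS", "CNAME", "PTR"):
        data = encode_count_name(fields["name"])
    elif rtype_name == "SRV":
        data = struct.pack(">HHH", fields["priority"], fields["weight"], fields["port"])
        data += encode_count_name(fields["target"])
    else:
        raise ValueError("cannot build %s records" % rtype_name)
    return (HEADER.pack(len(data), rtype, 5, RANK_ZONE, 0, serial)
            + struct.pack(">I", ttl) + struct.pack("<II", 0, 0) + data)


def to_base64(blob):
    return base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    print(parse_dns_record(PRIMARYDC_DNSRECORD))
```

The sample decodes to a static A record with a 900-second TTL and serial 110, and re-packing those fields reproduces the original base64 exactly, which is the check to run before hand-editing any dnsRecord value with ldbedit: if a value does not round-trip, the layout assumed here does not match what is stored, and the edit should not be made.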

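Jeff's second finding is that the PRIMARYDC computer object carries servicePrincipalName values for the orphaned DC. Before deleting anything, a practitioner wants a mechanical list of which SPNs belong to the object's own host names and which do not. The check below is an added example for this thread, not Samba code; its sample input is the SPN list from the sam.ldb record above (wrapped LDIF lines rejoined), and it assumes `PRIMARYDC` / `primarydc.domain` are the DC's own short and sanitized fully qualified names. SPNs whose host part is a GUID (the `ldap/<guid>._msdcs.<domain>` and `E3514235-...-00C04FC2DCD2/<guid>/<domain>` forms) are grouped separately by GUID, because which of the two GUIDs on the object is PRIMARYDC's NTDS Settings objectGUID has to be confirmed against that object in the Configuration partition, not guessed from the name. The generated `samba-tool spn delete <name> [user]` lines use that command's documented argument order; run them against one DC and let replication carry the change, after backing up sam.ldb as Rowland advises.

```python
import re
from collections import defaultdict

# servicePrincipalName values copied from the PRIMARYDC object in the LDIF above.
PRIMARYDC_SPNS = [
    "HOST/primarydc.domain",
    "HOST/primarydc.domain/NEWARKCHARTER",
    "ldap/primarydc.domain/NEWARKCHARTER",
    "GC/primarydc.domain/domain",
    "ldap/primarydc.domain",
    "HOST/primarydc.domain/domain",
    "ldap/primarydc.domain/domain",
    "HOST/PRIMARYDC",
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2/0bd99af6-a59f-4143-a56d-dae3dd6c2fd5/domain",
    "ldap/0bd99af6-a59f-4143-a56d-dae3dd6c2fd5._msdcs.domain",
    "ldap/PRIMARYDC",
    "RestrictedKrbHost/PRIMARYDC",
    "RestrictedKrbHost/primarydc.domain",
    "ldap/primarydc.domain/DomainDnsZones.domain",
    "ldap/primarydc.domain/ForestDnsZones.domain",
    "HOST/ORPHANDC.domain",
    "HOST/ORPHANDC.domain/NEWARKCHARTER",
    "ldap/ORPHANDC.domain/NEWARKCHARTER",
    "GC/ORPHANDC.domain/domain",
    "ldap/ORPHANDC.domain",
    "HOST/ORPHANDC.domain/domain",
    "ldap/ORPHANDC.domain/domain",
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2/976c9c86-288d-483e-baec-7043a9c4a6cd/domain",
    "ldap/976c9c86-288d-483e-baec-7043a9c4a6cd._msdcs.domain",
    "RestrictedKrbHost/ORPHANDC.domain",
    "ldap/ORPHANDC.domain/DomainDnsZones.domain",
    "ldap/ORPHANDC.domain/ForestDnsZones.domain",
]

# Assumption: these are the DC's own names (sAMAccountName minus '$' and the
# sanitized FQDN used throughout the posted LDIF).
PRIMARYDC_HOSTS = {"PRIMARYDC", "primarydc.domain"}

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def split_spn(spn):
    """Split 'service/host[:port][/name]' into (service, host, name); port is dropped."""
    parts = spn.split("/", 2)
    if len(parts) < 2:
        return spn, "", ""          # malformed SPN: no host part at all
    name = parts[2] if len(parts) > 2 else ""
    return parts[0], parts[1].split(":", 1)[0], name


def classify_spns(spns, own_hosts):
    """Group SPNs into this DC's own, GUID-based (keyed by GUID), and foreign hosts."""
    own = {h.lower() for h in own_hosts}
    result = {"own": [], "foreign": [], "guid": defaultdict(list)}
    for spn in spns:
        _service, host, _name = split_spn(spn)
        host = host.lower()
        match = GUID_RE.match(host)
        if match:
            result["guid"][match.group(0)].append(spn)
        elif host in own:
            result["own"].append(spn)
        else:
            result["foreign"].append(spn)
    return result


def removal_commands(spns, account):
    """samba-tool invocations that remove each SPN from the named account."""
    return ["samba-tool spn delete '%s' '%s'" % (spn, account) for spn in spns]


if __name__ == "__main__":
    groups = classify_spns(PRIMARYDC_SPNS, PRIMARYDC_HOSTS)
    for guid, entries in groups["guid"].items():
        print("verify NTDS Settings objectGUID %s owns: %s" % (guid, entries))
    for line in removal_commands(groups["foreign"], "PRIMARYDC$"):
        print(line)
```

On the posted list this yields ten SPNs naming ORPHANDC as clearly foreign and two GUIDs with two SPNs each; only the GUID that is not PRIMARYDC's NTDS Settings objectGUID should have its pair removed.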