[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Rowland Penny
rpenny at samba.org
Thu Dec 10 14:49:59 UTC 2015
On 10/12/15 14:40, Ole Traupe wrote:
>
>>> However, my 2nd DC is not that new, I restarted it many times, just
>>> again (samba service). No DNS records are created anywhere.
>>>
>>> If I go through the DNS console, in each and every container there
>>> is some entry for the 1st DC, but none for the 2nd (except on the
>>> top levels: FQDN and _msdcs.FQDN).
>>>
>>> Could this have to do with...
>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of
>>> DNS entries via this script on the wiki?
>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with
>>> the same IP address)?
>>>
>>>
>>>
>>
>> Possibly, but can you try this on your second DC, run
>> 'samba_dnsupdate --verbose'
>>
>> Rowland
>>
>
> Doesn't look too good to me:
>
>
> [root@DC2 me]# samba_dnsupdate --verbose
> IPs: ['IP_of_2nd_DC']
> Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as
> DC2.my.domain.tld.
> Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld.
> Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC
> Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld
> 389 as _ldap._tcp.my.domain.tld.
> Checking 0 100 389 DC1.my.domain.tld. against SRV
> _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
> Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld
> DC2.my.domain.tld 389
> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld.
> Checking 0 100 389 DC1.my.domain.tld. against SRV
> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
> Failed to find matching DNS entry SRV
> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
> Looking for DNS entry SRV
> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld
> DC2.my.domain.tld 389 as
> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld.
> Checking 0 100 389 DC1.my.domain.tld. against SRV
> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld
> DC2.my.domain.tld 389
> Failed to find matching DNS entry SRV
> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld
> DC2.my.domain.tld 389
> Looking for DNS entry SRV _kerberos._tcp.my.domain.tld
> DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld.
> Checking 0 100 88 DC1.my.domain.tld. against SRV
> _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88
> Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld
> DC2.my.domain.tld 88
> Looking for DNS entry SRV _kerberos._udp.my.domain.tld
> DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld.
> Checking 0 100 88 DC1.my.domain.tld. against SRV
> _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
> Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld
> DC2.my.domain.tld 88
> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld.
> Checking 0 100 88 DC1.my.domain.tld. against SRV
> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
> Failed to find matching DNS entry SRV
> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
> Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld
> DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld.
> Checking 0 100 464 DC1.my.domain.tld. against SRV
> _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464
> Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld
> DC2.my.domain.tld 464
> Looking for DNS entry SRV _kpasswd._udp.my.domain.tld
> DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld.
> Checking 0 100 464 DC1.my.domain.tld. against SRV
> _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464
> Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld
> DC2.my.domain.tld 464
> Looking for DNS entry CNAME
> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld
> DC2.my.domain.tld as
> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld.
> Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 389 as
> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld.
> Checking 0 100 389 DC1.my.domain.tld. against SRV
> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 389
> Failed to find matching DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 389
> Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 389 as
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
> Checking 0 100 389 DC1.my.domain.tld. against SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 389
> Failed to find matching DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 389
> Looking for DNS entry SRV
> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 88 as
> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld.
> Checking 0 100 88 DC1.my.domain.tld. against SRV
> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 88
> Failed to find matching DNS entry SRV
> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 88
> Looking for DNS entry SRV
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 88 as
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
> Checking 0 100 88 DC1.my.domain.tld. against SRV
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 88
> Failed to find matching DNS entry SRV
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 88
> Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as
> gc._msdcs.my.domain.tld.
> Failed to find matching DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC
> Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld
> 3268 as _gc._tcp.my.domain.tld.
> Checking 0 100 3268 DC1.my.domain.tld. against SRV
> _gc._tcp.my.domain.tld DC2.my.domain.tld 3268
> Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld
> DC2.my.domain.tld 3268
> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld
> DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld.
> Checking 0 100 3268 DC1.my.domain.tld. against SRV
> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
> Failed to find matching DNS entry SRV
> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
> Looking for DNS entry SRV
> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 3268 as
> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld.
> Checking 0 100 3268 DC1.my.domain.tld. against SRV
> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 3268
> Failed to find matching DNS entry SRV
> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 3268
> Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld
> DC2.my.domain.tld 3268 as
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld.
> Checking 0 100 3268 DC1.my.domain.tld. against SRV
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld
> DC2.my.domain.tld 3268
> Failed to find matching DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld
> DC2.my.domain.tld 3268
> Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as
> DomainDnsZones.my.domain.tld.
> Failed to find matching DNS entry A DomainDnsZones.my.domain.tld
> IP_of_2nd_DC
> Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld.
> Checking 0 100 389 DC1.my.domain.tld. against SRV
> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
> Failed to find matching DNS entry SRV
> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
> Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld 389 as
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld.
> Checking 0 100 389 DC1.my.domain.tld. against SRV
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld 389
> Failed to find matching DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld 389
> Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as
> ForestDnsZones.my.domain.tld.
> Failed to find matching DNS entry A ForestDnsZones.my.domain.tld
> IP_of_2nd_DC
> Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld.
> Checking 0 100 389 DC1.my.domain.tld. against SRV
> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
> Failed to find matching DNS entry SRV
> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
> Looking for DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld 389 as
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld.
> Checking 0 100 389 DC1.my.domain.tld. against SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld 389
> Failed to find matching DNS entry SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld 389
> Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> my.domain.tld. 900 IN A IP_of_2nd_DC
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld
> 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389
> DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld.
> 900 IN SRV 0 100 389 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _kerberos._tcp.my.domain.tld
> DC2.my.domain.tld 88 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._tcp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _kerberos._udp.my.domain.tld
> DC2.my.domain.tld 88 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._udp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 88 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88
> DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld
> 464 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kpasswd._tcp.my.domain.tld. 900 IN SRV 0 100 464 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld
> 464 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kpasswd._udp.my.domain.tld. 900 IN SRV 0 100 464 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0
> 100 389 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. 900
> IN SRV 0 100 389 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 88 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN
> SRV 0 100 88 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 88 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
> 900 IN SRV 0 100 88 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> gc._msdcs.my.domain.tld. 900 IN A IP_of_2nd_DC
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _gc._tcp.my.domain.tld. 900 IN SRV 0 100 3268
> DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld
> DC2.my.domain.tld 3268 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268
> DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 3268 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0
> 100 3268 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld
> DC2.my.domain.tld 3268 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. 900
> IN SRV 0 100 3268 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> DomainDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389
> DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. 900
> IN SRV 0 100 389 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> ForestDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389
> DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. 900
> IN SRV 0 100 389 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Failed update of 24 entries
>
>
>
There is a known problem: even though the updates print '; TSIG error
with server: tsig verify failure', it still works. Try running 'host -t
SRV _kerberos._udp.my.domain.tld.' again.
Rowland
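
Added example, not part of the original thread: the reply above says the TSIG message is printed even when the update works, so one way to see the actual state is to query each SRV record and confirm that the second DC is listed. The function names, the `HOST_CMD` override and the sample `host` output are constructed for illustration; the record names and ports are the ones shown in the `samba_dnsupdate --verbose` output above.

```shell
#!/bin/sh
# Constructed sample of `host -t SRV _kerberos._udp.my.domain.tld.` output
# for a domain where both DCs are registered.
SAMPLE_HOST_OUTPUT='_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.
_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc2.my.domain.tld.'

# srv_lists_target TARGET PORT
# Reads `host -t SRV` output on stdin and succeeds only if some record points
# at TARGET on PORT. Case and a trailing dot on the host name are ignored.
srv_lists_target() {
    awk -v want="$1" -v port="$2" '
        BEGIN { want = tolower(want); sub(/\.$/, "", want) }
        $2 == "has" && $3 == "SRV" && $4 == "record" {
            target = tolower($NF); sub(/\.$/, "", target)
            if (target == want && $(NF-1) == port) found = 1
        }
        END { exit !found }'
}

# check_dc_srv DC_FQDN DOMAIN
# Queries the per-domain SRV records a DC registers and prints one MISSING
# line for each record that does not list DC_FQDN. Returns 0 if none are
# missing. HOST_CMD can name a replacement for `host` (used for offline tests).
check_dc_srv() {
    dc=$1; domain=$2; missing=0
    while read -r name port; do
        [ -n "$name" ] || continue
        if ! ${HOST_CMD:-host} -t SRV "$name.$domain." </dev/null 2>/dev/null |
                srv_lists_target "$dc" "$port"; then
            echo "MISSING: $name.$domain -> $dc:$port"
            missing=$((missing + 1))
        fi
    done <<EOF
_ldap._tcp 389
_ldap._tcp.dc._msdcs 389
_kerberos._tcp 88
_kerberos._udp 88
_kerberos._tcp.dc._msdcs 88
_kpasswd._tcp 464
_kpasswd._udp 464
_gc._tcp 3268
_ldap._tcp.gc._msdcs 3268
EOF
    [ "$missing" -eq 0 ]
}

# Offline demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_HOST_OUTPUT" | srv_lists_target DC2.my.domain.tld 88; then
    echo "sample: DC2 is listed for _kerberos._udp"
fi
# Live use on a DC or domain member:
#   check_dc_srv DC2.my.domain.tld my.domain.tld
```

Run it with the first DC stopped as well: any record reported as MISSING for the second DC is one that clients cannot use to find it.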