[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Thu Dec 10 15:32:38 UTC 2015


On 10/12/15 15:13, Ole Traupe wrote:
>
>
> On 10.12.2015 at 15:49, Rowland penny wrote:
>> On 10/12/15 14:40, Ole Traupe wrote:
>>>
>>>>> However, my 2nd DC is not that new, I restarted it many times, 
>>>>> just again (samba service). No DNS records are created anywhere.
>>>>>
>>>>> If I go through the DNS console, in each and every container there 
>>>>> is some entry for the 1st DC, but none for the 2nd (except on the 
>>>>> top levels: FQDN and _msdcs.FQDN).
>>>>>
>>>>> Could this have to do with...
>>>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of 
>>>>> DNS entries via this script on the wiki?
>>>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC 
>>>>> (with the same IP address)?
>>>>>
>>>>>
>>>>>
>>>>
>>>> Possibly, but can you try this on your second DC, run 
>>>> 'samba_dnsupdate --verbose'
>>>>
>>>> Rowland
>>>>
>>>
>>> Doesn't look too good to me:
>>>
>>>
>>> [root@DC2 me]# samba_dnsupdate --verbose
>>> IPs: ['IP_of_2nd_DC']
>>> Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as 
>>> DC2.my.domain.tld.
>>> Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld.
>>> Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC
>>> Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 
>>> 389 as _ldap._tcp.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV 
>>> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
>>> Looking for DNS entry SRV 
>>> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 389 as 
>>> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV 
>>> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Looking for DNS entry SRV _kerberos._tcp.my.domain.tld 
>>> DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld.
>>> Checking 0 100 88 DC1.my.domain.tld. against SRV 
>>> _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88
>>> Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld 
>>> DC2.my.domain.tld 88
>>> Looking for DNS entry SRV _kerberos._udp.my.domain.tld 
>>> DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld.
>>> Checking 0 100 88 DC1.my.domain.tld. against SRV 
>>> _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
>>> Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld 
>>> DC2.my.domain.tld 88
>>> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld.
>>> Checking 0 100 88 DC1.my.domain.tld. against SRV 
>>> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
>>> Failed to find matching DNS entry SRV 
>>> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
>>> Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld 
>>> DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld.
>>> Checking 0 100 464 DC1.my.domain.tld. against SRV 
>>> _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464
>>> Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld 
>>> DC2.my.domain.tld 464
>>> Looking for DNS entry SRV _kpasswd._udp.my.domain.tld 
>>> DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld.
>>> Checking 0 100 464 DC1.my.domain.tld. against SRV 
>>> _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464
>>> Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld 
>>> DC2.my.domain.tld 464
>>> Looking for DNS entry CNAME 
>>> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld 
>>> DC2.my.domain.tld as 
>>> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld.
>>> Looking for DNS entry SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 389 as 
>>> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Looking for DNS entry SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 389 as 
>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Looking for DNS entry SRV 
>>> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 88 as 
>>> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld.
>>> Checking 0 100 88 DC1.my.domain.tld. against SRV 
>>> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 88
>>> Failed to find matching DNS entry SRV 
>>> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 88
>>> Looking for DNS entry SRV 
>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 
>>> 88 as 
>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
>>> Checking 0 100 88 DC1.my.domain.tld. against SRV 
>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 
>>> 88
>>> Failed to find matching DNS entry SRV 
>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 
>>> 88
>>> Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as 
>>> gc._msdcs.my.domain.tld.
>>> Failed to find matching DNS entry A gc._msdcs.my.domain.tld 
>>> IP_of_2nd_DC
>>> Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 
>>> 3268 as _gc._tcp.my.domain.tld.
>>> Checking 0 100 3268 DC1.my.domain.tld. against SRV 
>>> _gc._tcp.my.domain.tld DC2.my.domain.tld 3268
>>> Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld 
>>> DC2.my.domain.tld 3268
>>> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld.
>>> Checking 0 100 3268 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
>>> Failed to find matching DNS entry SRV 
>>> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
>>> Looking for DNS entry SRV 
>>> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 3268 as 
>>> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld.
>>> Checking 0 100 3268 DC1.my.domain.tld. against SRV 
>>> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 3268
>>> Failed to find matching DNS entry SRV 
>>> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 3268
>>> Looking for DNS entry SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 3268 as 
>>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld.
>>> Checking 0 100 3268 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 3268
>>> Failed to find matching DNS entry SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 3268
>>> Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as 
>>> DomainDnsZones.my.domain.tld.
>>> Failed to find matching DNS entry A DomainDnsZones.my.domain.tld 
>>> IP_of_2nd_DC
>>> Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV 
>>> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
>>> Looking for DNS entry SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389 as 
>>> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as 
>>> ForestDnsZones.my.domain.tld.
>>> Failed to find matching DNS entry A ForestDnsZones.my.domain.tld 
>>> IP_of_2nd_DC
>>> Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV 
>>> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
>>> Looking for DNS entry SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389 as 
>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389
>>> Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> my.domain.tld.       900     IN      A       IP_of_2nd_DC
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 
>>> 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.my.domain.tld. 900 IN     SRV     0 100 389 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV 
>>> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld. 
>>> 900 IN SRV 0 100 389 DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _kerberos._tcp.my.domain.tld 
>>> DC2.my.domain.tld 88 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _kerberos._tcp.my.domain.tld. 900 IN SRV     0 100 88 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _kerberos._udp.my.domain.tld 
>>> DC2.my.domain.tld 88 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _kerberos._udp.my.domain.tld. 900 IN SRV     0 100 88 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 88 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _kerberos._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld 
>>> DC2.my.domain.tld 464 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _kpasswd._tcp.my.domain.tld. 900 IN  SRV     0 100 464 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _kpasswd._udp.my.domain.tld 
>>> DC2.my.domain.tld 464 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _kpasswd._udp.my.domain.tld. 900 IN  SRV     0 100 464 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 
>>> 0 100 389 DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. 
>>> 900 IN SRV 0 100 389 DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV 
>>> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 88 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN 
>>> SRV 0 100 88 DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV 
>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 
>>> 88 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. 
>>> 900 IN SRV 0 100 88 DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> gc._msdcs.my.domain.tld. 900 IN      A       IP_of_2nd_DC
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 
>>> 3268 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _gc._tcp.my.domain.tld. 900  IN      SRV     0 100 3268 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 3268 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV 
>>> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld 
>>> DC2.my.domain.tld 3268 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 
>>> 100 3268 DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld 
>>> DC2.my.domain.tld 3268 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. 
>>> 900 IN SRV 0 100 3268 DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> DomainDnsZones.my.domain.tld. 900 IN A       IP_of_2nd_DC
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. 
>>> 900 IN SRV 0 100 389 DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> ForestDnsZones.my.domain.tld. 900 IN A       IP_of_2nd_DC
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 
>>> DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Calling nsupdate for SRV 
>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld 
>>> DC2.my.domain.tld 389 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. 
>>> 900 IN SRV 0 100 389 DC2.my.domain.tld.
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Failed update of 24 entries
>>>
>>>
>>>
>>
>> There is a known problem, even though the updates print '; TSIG error 
>> with server: tsig verify failure', it still works. Try running 'host 
>> -t SRV _kerberos._udp.my.domain.tld.' again.
>>
>> Rowland
>
> Nope, still one record.
>
>

OK, let's just double check that, try running this:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=my.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=tld' -s sub '(dc=_kerberos._udp)' --cross-ncs --show-binary

That should all be one line; replace 'my.domain.tld' and 
'DC=my,DC=domain,DC=tld' with the correct details.

This should show you the dns record.

Rowland
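
Added example (not part of the original message and not Samba code): a small parser for `samba_dnsupdate --verbose` output that separates records found at lookup from records whose nsupdate call reported a TSIG error or failure rcode, and emits the `host -t` recheck commands used in the thread for the latter. It assumes each message is on one line as the tool prints it (not mail-wrapped); the sample text, the address 192.0.2.12 and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format quoted in the thread (placeholder names,
# 192.0.2.12 is a documentation address standing in for IP_of_2nd_DC).
SAMPLE = """\
Looking for DNS entry A DC2.my.domain.tld 192.0.2.12 as DC2.my.domain.tld.
Looking for DNS entry SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry A gc._msdcs.my.domain.tld 192.0.2.12 as gc._msdcs.my.domain.tld.
Failed to find matching DNS entry A gc._msdcs.my.domain.tld 192.0.2.12
Calling nsupdate for SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 (add)
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.my.domain.tld 192.0.2.12 (add)
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Failed update of 2 entries
"""

LOOKING = re.compile(r"^Looking for DNS entry (\S+) (\S+) (.+) as \S+$")
MISSING = re.compile(r"^Failed to find matching DNS entry (\S+) (\S+) (.+)$")
CALLING = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.+) \(add\)$")
RCODE = re.compile(r"^update failed: (\S+)$")


def _new():
    return {"found": True, "update_called": False, "tsig_error": False, "rcode": None}


def parse(text):
    """Return {(type, name, data): state} for every record the tool checked."""
    records, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := LOOKING.match(line):
            records.setdefault(m.groups(), _new())
        elif m := MISSING.match(line):
            records.setdefault(m.groups(), _new())["found"] = False
        elif m := CALLING.match(line):
            current = records.setdefault(m.groups(), _new())
            current["update_called"] = True
        elif current is not None and line.startswith("; TSIG error with server:"):
            current["tsig_error"] = True
        elif current is not None and (m := RCODE.match(line)):
            current["rcode"] = m.group(1)
    return records


def status(rec):
    if rec["found"]:
        return "present"      # lookup matched, no update needed
    if not rec["update_called"]:
        return "missing"      # lookup failed and no update was attempted
    if rec["tsig_error"] or rec["rcode"]:
        return "unconfirmed"  # update printed an error: recheck against DNS
    return "updated"


def verify_commands(records):
    """host commands (as used in the thread) for records that need a recheck."""
    return [f"host -t {rtype} {name}."
            for (rtype, name, _), rec in records.items()
            if status(rec) in ("missing", "unconfirmed")]


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for key, rec in recs.items():
        print(f"{status(rec):12}", *key)
    print("\n".join(verify_commands(recs)))
```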


