[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

L.P.H. van Belle belle at bazuin.nl
Thu Dec 10 16:07:15 UTC 2015


Hmm..

> >>>> Could this have to do with...
> >>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of
> >>>> DNS entries via this script on the wiki?
> >>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC
> >>>> (with the same IP address)?

This can be a problem, yes, depending on the order of what you did and how you did it. I think you forgot to remove the "old" entry in the AD (with the user tool).

I suggest you try the following. Why? It saves time, and then you're sure things are going OK.

And remember BACKUPS! Sysvol, things like that.
(This is why my DCs are only DCs.)

A) Install a new DC (any hardware, this is a temporary server).
B) Check if all needed DNS records are available on the new DC.
C) Don't use the same IP or hostname!

Check, check, check; see previous e-mails for checkups and the DNS updates.

If it's all OK, then:
D) Transfer the FSMO roles to this DC and check again.
E) If OK, remove the wrong server.
F) Check and remove remaining entries from the DNS AND OU=Computers in the
   RSAT user tool.
G) Install a new DC again, on the "DC" hardware.
   If you're sure now, you can use the original hostname and IP.
H) Transfer the FSMO roles back to this DC and check again.

This should be about 30min-120min of work, and you end up with a good DNS and AD database.

If you use virtuals, this is about 20 min of work (for me, but I've scripted my installs). I've done this now about 4-5 times; works very well for me.
Very important is that "old" entries are gone before you join the new

But again, the above is a suggestion; I think you save time by doing a new correct install.

And a tip: don't use any IP anywhere for accessing server services.
For example, 
ntp1.domain.tld CNAME DC1.domain.tld
ntp2.domain.tld CNAME DC2.domain.tld
ns1.domain.tld CNAME DC1.domain.tld
ns2.domain.tld CNAME DC2.domain.tld
ldap1.domain.tld CNAME DC1.domain.tld
ldap2.domain.tld CNAME DC2.domain.tld

Now for an easy switch, also add
ntp.domain.tld CNAME ntp1.domain.tld 
ldap.domain.tld CNAME ldap1.domain.tld

So if you set your server to ntp.domain.tld and you remove the server,
just change the CNAME, wait out the TTL, and you're done.
I do the same with my LDAP and proxy and web servers.
If I need to maintain them, I change the CNAME, down the servers,
do my work, up them again, and change it back when done.
Keeps my users happy.. I do down servers etc. during work time..
nobody notices it.  :-)
And a setup like the above makes you very flexible to move things around;
if you split up a server into 2 different servers (with services), I only change CNAMEs for the services.



Greetz, 

Louis
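
For the "check, check, check" steps (B and F) above, one way to turn a `samba_dnsupdate --verbose` run into a short list of what is missing and which hosts DNS still points at. This is an added example, not part of the original mail or of Samba; the sample text is constructed in the format quoted below in this thread, and the IP, OLDDC and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the output quoted in this thread
# (lines unwrapped). 192.0.2.12 and OLDDC are placeholders, not from the thread.
SAMPLE = """\
IPs: ['192.0.2.12']
Looking for DNS entry A DC2.my.domain.tld 192.0.2.12 as DC2.my.domain.tld.
Looking for DNS entry A my.domain.tld 192.0.2.12 as my.domain.tld.
Failed to find matching DNS entry A my.domain.tld 192.0.2.12
Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
Checking 0 100 88 OLDDC.my.domain.tld. against SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
Calling nsupdate for A my.domain.tld 192.0.2.12 (add)
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
"""

LOOKING = re.compile(r"^Looking for DNS entry (\S+) (\S+) (.+) as \S+$")
CHECKING = re.compile(r"^Checking (\d+) (\d+) (\d+) (\S+) against (\S+) (\S+) ")
FAILED = re.compile(r"^Failed to find matching DNS entry (\S+) (\S+) (.+)$")
NSUPDATE_FAILED = re.compile(r"^Failed nsupdate: (\d+)$")


def _host(name):
    """Normalise a host name for comparison (no trailing dot, lower case)."""
    return name.rstrip(".").lower()


def summarize(output):
    """Parse verbose output into expected/missing records and current holders."""
    expected, missing = [], []
    holders = defaultdict(set)   # record name -> hosts DNS currently returns
    nsupdate_failures = 0
    for line in output.splitlines():
        line = line.strip()
        if m := LOOKING.match(line):
            expected.append((m[1], m[2], m[3]))
        elif m := CHECKING.match(line):
            holders[m[6]].add(_host(m[4]))
        elif m := FAILED.match(line):
            missing.append((m[1], m[2], m[3]))
        elif NSUPDATE_FAILED.match(line):
            nsupdate_failures += 1
    return {
        "expected": expected,
        "missing": missing,
        "present": [e for e in expected if e not in missing],
        "holders": dict(holders),
        "nsupdate_failures": nsupdate_failures,
    }


def stale_holders(summary, live_dcs):
    """Return {record name: [hosts]} for hosts in DNS that are not live DCs."""
    live = {_host(dc) for dc in live_dcs}
    stale = {}
    for name, hosts in summary["holders"].items():
        unknown = sorted(hosts - live)
        if unknown:
            stale[name] = unknown
    return stale


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("missing:", *s["missing"], sep="\n  ")
    print("nsupdate failures:", s["nsupdate_failures"])
    print("stale:", stale_holders(s, ["DC1.my.domain.tld", "DC2.my.domain.tld"]))
```

Feed it the real output of the command on the new DC and the list of DCs that should exist; anything under "stale" is a leftover entry to remove before joining a replacement.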




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Thursday, 10 December 2015 16:14
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
> 
> 
> 
> On 10.12.2015 at 15:49, Rowland penny wrote:
> > On 10/12/15 14:40, Ole Traupe wrote:
> >>
> >>>> However, my 2nd DC is not that new, I restarted it many times, just
> >>>> again (samba service). No DNS records are created anywhere.
> >>>>
> >>>> If I go through the DNS console, in each and every container there
> >>>> is some entry for the 1st DC, but none for the 2nd (except on the
> >>>> top levels: FQDN and _msdcs.FQDN).
> >>>>
> >>>> Could this have to do with...
> >>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of
> >>>> DNS entries via this script on the wiki?
> >>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC
> >>>> (with the same IP address)?
> >>>>
> >>>>
> >>>>
> >>>
> >>> Possibly, but can you try this on your second DC, run
> >>> 'samba_dnsupdate --verbose'
> >>>
> >>> Rowland
> >>>
> >>
> >> Doesn't look too good to me:
> >>
> >>
> >> [root at DC2 me]# samba_dnsupdate --verbose
> >> IPs: ['IP_of_2nd_DC']
> >> Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as
> >> DC2.my.domain.tld.
> >> Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld.
> >> Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC
> >> Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld
> >> 389 as _ldap._tcp.my.domain.tld.
> >> Checking 0 100 389 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
> >> Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld
> >> DC2.my.domain.tld 389
> >> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld.
> >> Checking 0 100 389 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
> >> Failed to find matching DNS entry SRV
> >> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
> >> Looking for DNS entry SRV
> >> _ldap._tcp.c2e92ed0-e889-40a0-a272-
> 7375f90de91d.domains._msdcs.my.domain.tld
> >> DC2.my.domain.tld 389 as
> >> _ldap._tcp.c2e92ed0-e889-40a0-a272-
> 7375f90de91d.domains._msdcs.my.domain.tld.
> >> Checking 0 100 389 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.c2e92ed0-e889-40a0-a272-
> 7375f90de91d.domains._msdcs.my.domain.tld
> >> DC2.my.domain.tld 389
> >> Failed to find matching DNS entry SRV
> >> _ldap._tcp.c2e92ed0-e889-40a0-a272-
> 7375f90de91d.domains._msdcs.my.domain.tld
> >> DC2.my.domain.tld 389
> >> Looking for DNS entry SRV _kerberos._tcp.my.domain.tld
> >> DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld.
> >> Checking 0 100 88 DC1.my.domain.tld. against SRV
> >> _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88
> >> Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld
> >> DC2.my.domain.tld 88
> >> Looking for DNS entry SRV _kerberos._udp.my.domain.tld
> >> DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld.
> >> Checking 0 100 88 DC1.my.domain.tld. against SRV
> >> _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
> >> Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld
> >> DC2.my.domain.tld 88
> >> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld.
> >> Checking 0 100 88 DC1.my.domain.tld. against SRV
> >> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
> >> Failed to find matching DNS entry SRV
> >> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
> >> Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld
> >> DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld.
> >> Checking 0 100 464 DC1.my.domain.tld. against SRV
> >> _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464
> >> Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld
> >> DC2.my.domain.tld 464
> >> Looking for DNS entry SRV _kpasswd._udp.my.domain.tld
> >> DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld.
> >> Checking 0 100 464 DC1.my.domain.tld. against SRV
> >> _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464
> >> Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld
> >> DC2.my.domain.tld 464
> >> Looking for DNS entry CNAME
> >> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld
> >> DC2.my.domain.tld as
> >> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld.
> >> Looking for DNS entry SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 389 as
> >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld.
> >> Checking 0 100 389 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 389
> >> Failed to find matching DNS entry SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 389
> >> Looking for DNS entry SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 389 as
> >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
> >> Checking 0 100 389 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 389
> >> Failed to find matching DNS entry SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 389
> >> Looking for DNS entry SRV
> >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 88 as
> >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld.
> >> Checking 0 100 88 DC1.my.domain.tld. against SRV
> >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 88
> >> Failed to find matching DNS entry SRV
> >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 88
> >> Looking for DNS entry SRV
> >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 88 as
> >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
> >> Checking 0 100 88 DC1.my.domain.tld. against SRV
> >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 88
> >> Failed to find matching DNS entry SRV
> >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 88
> >> Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as
> >> gc._msdcs.my.domain.tld.
> >> Failed to find matching DNS entry A gc._msdcs.my.domain.tld
> IP_of_2nd_DC
> >> Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld
> >> 3268 as _gc._tcp.my.domain.tld.
> >> Checking 0 100 3268 DC1.my.domain.tld. against SRV
> >> _gc._tcp.my.domain.tld DC2.my.domain.tld 3268
> >> Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld
> >> DC2.my.domain.tld 3268
> >> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld.
> >> Checking 0 100 3268 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
> >> Failed to find matching DNS entry SRV
> >> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
> >> Looking for DNS entry SRV
> >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 3268 as
> >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld.
> >> Checking 0 100 3268 DC1.my.domain.tld. against SRV
> >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 3268
> >> Failed to find matching DNS entry SRV
> >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 3268
> >> Looking for DNS entry SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 3268 as
> >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld.
> >> Checking 0 100 3268 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 3268
> >> Failed to find matching DNS entry SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 3268
> >> Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as
> >> DomainDnsZones.my.domain.tld.
> >> Failed to find matching DNS entry A DomainDnsZones.my.domain.tld
> >> IP_of_2nd_DC
> >> Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld
> >> DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld.
> >> Checking 0 100 389 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
> >> Failed to find matching DNS entry SRV
> >> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
> >> Looking for DNS entry SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld
> >> 389 as
> >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld.
> >> Checking 0 100 389 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld
> >> 389
> >> Failed to find matching DNS entry SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld
> >> 389
> >> Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as
> >> ForestDnsZones.my.domain.tld.
> >> Failed to find matching DNS entry A ForestDnsZones.my.domain.tld
> >> IP_of_2nd_DC
> >> Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld
> >> DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld.
> >> Checking 0 100 389 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
> >> Failed to find matching DNS entry SRV
> >> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
> >> Looking for DNS entry SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld
> >> 389 as
> >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld.
> >> Checking 0 100 389 DC1.my.domain.tld. against SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld
> >> 389
> >> Failed to find matching DNS entry SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld
> >> 389
> >> Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> my.domain.tld.       900     IN      A       IP_of_2nd_DC
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld
> >> 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.my.domain.tld. 900 IN     SRV     0 100 389
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _ldap._tcp.c2e92ed0-e889-40a0-a272-
> 7375f90de91d.domains._msdcs.my.domain.tld
> >> DC2.my.domain.tld 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.c2e92ed0-e889-40a0-a272-
> 7375f90de91d.domains._msdcs.my.domain.tld.
> >> 900 IN SRV 0 100 389 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _kerberos._tcp.my.domain.tld
> >> DC2.my.domain.tld 88 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _kerberos._tcp.my.domain.tld. 900 IN SRV     0 100 88
> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _kerberos._udp.my.domain.tld
> >> DC2.my.domain.tld 88 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _kerberos._udp.my.domain.tld. 900 IN SRV     0 100 88
> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 88 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _kerberos._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld
> >> DC2.my.domain.tld 464 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _kpasswd._tcp.my.domain.tld. 900 IN  SRV     0 100 464
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _kpasswd._udp.my.domain.tld
> >> DC2.my.domain.tld 464 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _kpasswd._udp.my.domain.tld. 900 IN  SRV     0 100 464
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0
> >> 100 389 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
> >> 900 IN SRV 0 100 389 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 88 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN
> >> SRV 0 100 88 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 88 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
> 900
> >> IN SRV 0 100 88 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> gc._msdcs.my.domain.tld. 900 IN      A       IP_of_2nd_DC
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld
> >> 3268 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _gc._tcp.my.domain.tld. 900  IN      SRV     0 100 3268
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 3268 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld
> >> DC2.my.domain.tld 3268 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0
> >> 100 3268 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld
> >> DC2.my.domain.tld 3268 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld.
> >> 900 IN SRV 0 100 3268 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> DomainDnsZones.my.domain.tld. 900 IN A       IP_of_2nd_DC
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld
> >> DC2.my.domain.tld 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld
> >> 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld.
> >> 900 IN SRV 0 100 389 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> ForestDnsZones.my.domain.tld. 900 IN A       IP_of_2nd_DC
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld
> >> DC2.my.domain.tld 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld
> >> 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld.
> >> 900 IN SRV 0 100 389 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Failed update of 24 entries
> >>
> >>
> >>
> >
> > There is a known problem, even though the updates print '; TSIG error
> > with server: tsig verify failure', it still works. Try running 'host
> > -t SRV _kerberos._udp.my.domain.tld.' again.
> >
> > Rowland
> 
> Nope, still one record.
> 
> 