[Samba] joining second DC to domain and non creation of DC DNS records

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 23 10:44:22 UTC 2015


On 23/10/15 11:23, MORILLO Jordi wrote:
> Hi Rowland,
>
> I have a similar problem with the sernet 4.2.4 package: no DNS entry is created and the logs show NOTAUTH for dnsupdate.
> Here is my workaround:
>
> New DC joins domain with:
> --dns-backend=BIND9_DLZ and --server=partnerDC.contoso.com
>
> Don't start samba or bind yet !!
>
> After that I have to correct the permissions on these folders/files (so that bind can read them):
> - private
> - dns
> - dns/*
> - sam.ldb
> - sam.ldb.d
> - sam.ldb.d/*
> - dns.keytab
>
> If I start samba + bind, I get "dnsupdate failed".
> The tip is to restart bind on partnerDC.contoso.com (the replication partner used for the domain join).
> L.P.H von BELLE had similar trouble, see: https://lists.samba.org/archive/samba/2015-April/191143.html
>
> After bind has been restarted on partnerDC, you can then start samba + bind.
> All DNS entries are created and replicated :-)
>
> I don't know why I have to restart bind on partnerDC between the second DC's domain join and the second DC's samba start...
>
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dirk Laurenz
> Sent: Friday 23 October 2015 12:01
> To: Rowland Penny <rowlandpenny241155 at gmail.com>; sambalist <samba at lists.samba.org>
> Subject: Re: [Samba] joining second DC to domain and non creation of DC DNS records
>
> Hello Rowland,
>
> just had a similar problem with 4.3.0. What fixed my problem was:
>
> stop samba
> switch to samba internal backend
> remove dns-dc record
> switch back to bind backend
> afterwards, everything worked for me
>
> Am 22.10.2015 um 22:06 schrieb Rowland Penny:
>> Hi, I am in the middle of creating (or should that be re-creating) my
>> test domain. Creation of the first DC went without incident, so I
>> moved on to the second DC, and this is where the problems started.
>>
>> I downloaded samba 4.3.1 and compiled it, I then set up bind9 etc. and
>> joined the new DC to the domain. Everything seemed OK, so I then
>> started testing DNS. This is where I found that my nice new DC did not
>> have a DNS record.
>>
>> I then remembered that there was a problem, so scanned the wiki (well,
>> somebody has to read it) and found this page:
>>
>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>
>> This described my problem precisely, so I started to follow it, but it
>> didn't fully fix my problem, in fact it changed it to another.
>>
>> So I went to this page:
>> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>>
>> and started to follow it, but it all went pear-shaped when I deleted
>> the bind dns account and then samba flatly refused to recreate it,
>> saying it still existed, when plainly it didn't (I later found, lower
>> down the page, that this was another known bug, but I totally missed
>> it when I first read the page. Note to Marc, I will be altering that
>> page!)
>>
>> So, having totally missed the next bug, what did I do? Well, as this
>> was a new DC, I stopped bind and samba, removed /usr/local/samba and
>> re-ran 'make install' and tried again; this time everything worked.
>> The only difference was that this time the new DC's DNS record was
>> already in AD on the first DC.
>>
>> I now know how to join any more DCs: pre-create the new DC's DNS records
>> in AD before joining it.
>>
>> Rowland
>>
>>
>

You are missing the point as well. I joined the second DC and the new 
DC's A record was *not* created. I tried to follow the instructions on 
the Samba wiki but had problems and missed the fix on the webpage.

I then removed the /usr/local/samba directory and re-ran 'make install' 
and then joined the DC again, exactly as I did the first time, and 
everything worked as it should: all the CNAME records were created and I 
didn't need to change anything other than what I would normally do, i.e. 
/etc/resolv.conf

So, until the bug is fixed, I 'think' the cure is: add the new DC's A 
record to AD before doing the join.

Rowland
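The pre-creation step Rowland arrives at, and Jordi's join options, as a script added here for illustration; it is not code from the thread or from the Samba project. It assumes an existing DC partnerdc.contoso.com, a new DC with short name dc2 and address 10.0.0.12, the AD DNS zone contoso.com, and an account "administrator" allowed to edit DNS; all of those names are placeholders. It only uses samba-tool sub-commands that exist (dns query, dns add, domain join) and re-queries the zone after adding, so success means the existing DC really holds the record, not merely that "dns add" exited 0.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba project code): pre-create the
# new DC's A record on an existing DC, verify it, then join as a DC.
# Assumed placeholder names: partnerdc.contoso.com (existing DC), dc2 (new DC),
# contoso.com (AD DNS zone), 10.0.0.12 (new DC's IP), administrator (DNS admin).

# Overridable so the procedure can be dry-run against a stand-in command.
SAMBA_TOOL=${SAMBA_TOOL:-samba-tool}

# dc_a_record_present SERVER NAME ZONE [USER]
# Returns 0 if an A record for NAME exists in ZONE on DNS server SERVER.
# "samba-tool dns query" exits non-zero when the name does not exist and
# prints one "A: <ip> (...)" line per address when it does.
dc_a_record_present() {
    server=$1; name=$2; zone=$3; user=${4:-administrator}
    out=$("$SAMBA_TOOL" dns query "$server" "$zone" "$name" A -U "$user" 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q '^ *A: '
}

# dc_ensure_a_record SERVER NAME ZONE IP [USER]
# Creates the A record unless it is already there, then re-queries so the
# return value reflects what the DC actually holds.
dc_ensure_a_record() {
    server=$1; name=$2; zone=$3; ip=$4; user=${5:-administrator}
    if dc_a_record_present "$server" "$name" "$zone" "$user"; then
        echo "A record for $name.$zone already present on $server"
        return 0
    fi
    "$SAMBA_TOOL" dns add "$server" "$zone" "$name" A "$ip" -U "$user" || return 1
    dc_a_record_present "$server" "$name" "$zone" "$user"
}

# dc_prejoin_and_join PARTNER NAME ZONE IP [USER]
# Pre-creates the record on PARTNER, then joins as a DC with the BIND9_DLZ
# backend and PARTNER as the DC to join (the options Jordi used above).
# Run on the new DC, with /etc/resolv.conf pointing at PARTNER, before samba
# or bind have been started on it.
dc_prejoin_and_join() {
    partner=$1; name=$2; zone=$3; ip=$4; user=${5:-administrator}
    dc_ensure_a_record "$partner" "$name" "$zone" "$ip" "$user" || return 1
    "$SAMBA_TOOL" domain join "$zone" DC -U "$user" \
        --dns-backend=BIND9_DLZ --server="$partner"
}

# Usage: sh prejoin.sh partnerdc.contoso.com dc2 contoso.com 10.0.0.12
if [ $# -ge 4 ]; then
    dc_prejoin_and_join "$@" || exit 1
fi
```

Each samba-tool call with `-U administrator` prompts for the password; avoid putting it on the command line. Once samba and bind are running on the new DC, `samba_dnsupdate --verbose` reports any remaining records it could not register, which is where the "dnsupdate failed" messages Jordi describes would show up.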


