[Samba] DC replacement and DNS issue

mathias dufresne infractory at gmail.com
Fri Oct 23 12:03:01 UTC 2015


Hi all,

I posted on both mailing lists as this seems to be (to me) an internal issue.

As 4.3.1 came out, I decided to switch my DCs from 4.3.0 to this new
version.

The process was to install Samba 4.3.1 on new systems, join these Samba
instances as DCs, seize the FSMO roles, and demote all 4.3.0 DCs.

The few things I have tested so far are working, except for DNS entries:
samba_dnsupdate is not working as it tries to update the DNS zone on a removed DC.

This is the beginning of the samba_dnsupdate result. This was run on the owner
of the 7 FSMO roles.
The new FSMO owner is m700 with IP set to 10.156.248.216.
The old FSMO owner is m707 with IP set to 10.156.248.238; this one was
running 4.3.0.

--------------------------------------------------------------------------------
 ldbsearch -H $sam -b 'OU=Domain controllers,DC=AD,DC=DOMAIN,DC=TLD'
'(objectclass=computer)' dn
# record 1
dn: CN=M700,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

# record 2
dn: CN=M701,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

# record 3
dn: CN=M702,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

# returned 3 records
# 3 entries
# 0 referrals
--------------------------------------------------------------------------------
shows only the 3 DCs using 4.3.1.

All the FSMO are owned by m700.
--------------------------------------------------------------------------------
samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
InfrastructureMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
RidAllocationMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
DomainNamingMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=ad,DC=domain,DC=tld
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
samba_dnsupdate --all-names  --verbose --all-interfaces
IPs: ['10.156.248.216']
Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
m700.ad.domain.tld. 900 IN  A       10.156.248.216

; Communication with 10.156.248.238#53 failed: operation canceled
could not talk to any default name server
Failed nsupdate: 1
Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ad.domain.tld. 900  IN      A       10.156.248.216
.....
--------------------------------------------------------------------------------

As samba_dnsupdate shows, it tries to contact the old FSMO owner as it is
declared as the SOA for that AD DNS zone:
--------------------------------------------------------------------------------
host -t SOA ad.domain.tld
ad.domain.tld has SOA record m707.ad.domain.tld. hostmaster.ad.domain.tld. 1 900 600 86400 3600
--------------------------------------------------------------------------------

And this leads to:
--------------------------------------------------------------------------------
host -t SRV _ldap._tcp.gc._msdcs.ad.domain.tld
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m709.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m700.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m708.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m707.ad.domain.tld.
--------------------------------------------------------------------------------

m707, m708 and m709 are removed DCs.
m700, m701 and m702 are new DCs.

So during demote no DC was removed from the DNS zone, at least for that
specific record.
During join only one DC was added; perhaps it was during seizing, I have no
real idea as I trusted Samba to perform the relevant changes in the DNS zone.
During FSMO seizing the SOA was not changed.

I tried to use samba-tool dns update to modify the SOA, but without success, so I
used RSAT.
I did update the SOA for both zones, AD.DOMAIN.TLD and _msdcs.AD.DOMAIN.TLD.

samba_dnsupdate was not really working better after that; it stopped
showing lines like this:
; Communication with 10.156.248.238#53 failed: operation canceled
but that was the only relevant change I saw (note: I'm ill today, so I may
easily have been lacking attention).

Still using RSAT, I manually removed all entries I spotted regarding all 3
old DCs.

Now, on the FSMO owner, running samba_dnsupdate without options gives no errors.
With --all-names I got these two errors:
couldn't get address for 'm707.ad.domain.tld': not found (10 times)
; TSIG error with server: tsig verify failure (17 times)

and finished with:
Failed update of 27 entries

On the two other DCs:
 samba_dnsupdate
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
Failed update of 8 entries

Finally, as adding --verbose shows which entries this tool was supposed to add,
I wrote an awk script to extract that information and re-run the "samba-tool
dns add" command.

Perhaps it is because I performed this update on the FSMO owner rather than
on the current DC (using <server> from the help equal to the FSMO owner name)
that all the missing entries were added.

Attached is the awk script I used to solve that. To run it:
samba_dnsupdate --verbose | awk -f dnsupdate.awk

What all that shows is that there are still some real issues with DNS entries.

I'll try to get time to retry the whole process soon: creating a domain
with several DCs on 4.3.0, adding DCs using 4.3.1, and removing all DCs using
4.3.0 after seizing the FSMO roles.

Hoping I was clear enough...

Best regards,

mathias
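As an added example (not the dnsupdate.awk attached to the post, which is not reproduced here), a hypothetical shell function doing what the post describes: turning the "Calling nsupdate for ..." lines of samba_dnsupdate --verbose into samba-tool dns add commands, one per missing record. It assumes the line format shown in the post (and the same shape for SRV lines: target then port), the argument order of samba-tool dns add, the split between the AD.DOMAIN.TLD and _msdcs zones mentioned in the post, m700 as the server name, and constructed sample lines.

```shell
#!/bin/sh
# Added example, not the script attached to the post: a hypothetical
# re-implementation that turns "Calling nsupdate for ..." lines from
# "samba_dnsupdate --verbose" into "samba-tool dns add" commands.
# Assumed: lines look like "Calling nsupdate for <TYPE> <fqdn> <data...> (add)"
# (A/AAAA/CNAME/NS: one data field; SRV: target then port) and samba-tool
# takes "samba-tool dns add <server> <zone> <name> <type> <data>".

# Usage: gen_dns_add_cmds <dc-server> <domain-zone>   (verbose output on stdin)
gen_dns_add_cmds() {
    awk -v server="$1" -v domain="$2" '
    # true when fqdn is the zone apex or lies below the zone
    function inzone(fqdn, zone) {
        return fqdn == zone || substr(fqdn, length(fqdn) - length(zone), length(zone) + 1) == "." zone
    }
    /^Calling nsupdate for .* \(add\)$/ {
        type = $4; fqdn = $5
        # _msdcs records live in their own zone; everything else goes to the domain zone
        zone = inzone(fqdn, "_msdcs." domain) ? "_msdcs." domain : domain
        if (!inzone(fqdn, zone)) next       # not a zone we manage: skip the line
        # samba-tool wants the name relative to the zone, "@" for the apex itself
        name = (fqdn == zone) ? "@" : substr(fqdn, 1, length(fqdn) - length(zone) - 1)
        if (type == "SRV")
            data = $6 " " $7 " 0 100"       # target port priority weight (0 100 as in the records shown)
        else if (type == "A" || type == "AAAA" || type == "CNAME" || type == "NS")
            data = $6
        else
            next
        printf "samba-tool dns add %s %s %s %s \"%s\"\n", server, zone, name, type, data
    }'
}

# Constructed sample of verbose output: the two A lines follow the post; the
# SRV, failure, delete and foreign-zone lines are made up in the same format.
SAMPLE_VERBOSE='Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
Failed nsupdate: 1
Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.ad.domain.tld m700.ad.domain.tld 3268 (add)
Calling nsupdate for A m707.ad.domain.tld 10.156.248.238 (delete)
Calling nsupdate for A other.example.net 192.0.2.1 (add)'

# Prints three samba-tool commands; the failure, delete and foreign-zone lines are ignored.
printf '%s\n' "$SAMPLE_VERBOSE" | gen_dns_add_cmds m700 ad.domain.tld
```

Review the generated commands before running them: the script only re-adds what samba_dnsupdate itself intended to add and never removes stale records such as those of the demoted DCs.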

