[Samba] DC replacement and DNS issue

mathias dufresne infractory at gmail.com
Fri Oct 23 12:14:53 UTC 2015


I forgot to add the samba-technical address... Sorry about that.

2015-10-23 14:03 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Hi all,
>
> I posted on both mailing lists as this seems to be (to me) an internal issue.
>
> As the 4.3.1 went out I decided to switch my DC from 4.3.0 to this new
> version.
>
> The process was to install Samba 4.3.1 on new systems, join these Samba
> systems as DCs, seize the FSMO roles, and demote all 4.3.0 DCs.
>
> The few things I tested until now are working, except for DNS entries:
> samba_dnsupdate is not working as it tries to update the DNS zone on a removed DC.
>
> This is the beginning of the samba_dnsupdate result. This was run on the
> owner of the 7 FSMO roles.
> This new FSMO owner is m700 with IP set to 10.156.248.216.
> The old FSMO owner is m707 with IP set to 10.156.248.238, this one was
> running 4.3.0.
>
>
> --------------------------------------------------------------------------------
>  ldbsearch -H $sam -b 'OU=Domain controllers,DC=AD,DC=DOMAIN,DC=TLD'
> '(objectclass=computer)' dn
> # record 1
> dn: CN=M700,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
>
> # record 2
> dn: CN=M701,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
>
> # record 3
> dn: CN=M702,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
>
> # returned 3 records
> # 3 entries
> # 0 referrals
>
> --------------------------------------------------------------------------------
> shows only the 3 DCs using 4.3.1.
>
> All the FSMO roles are owned by m700.
>
> --------------------------------------------------------------------------------
> samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=ad,DC=domain,DC=tld
>
> --------------------------------------------------------------------------------
>
>
>
> --------------------------------------------------------------------------------
> samba_dnsupdate --all-names  --verbose --all-interfaces
> IPs: ['10.156.248.216']
> Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> m700.ad.domain.tld. 900 IN  A       10.156.248.216
>
> ; Communication with 10.156.248.238#53 failed: operation canceled
> could not talk to any default name server
> Failed nsupdate: 1
> Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> ad.domain.tld. 900  IN      A       10.156.248.216
> .....
>
> --------------------------------------------------------------------------------
>
> As samba_dnsupdate shows, it tries to contact the old FSMO owner as it is
> declared as SOA for that AD DNS zone:
>
> --------------------------------------------------------------------------------
> host -t SOA ad.domain.tld
> ad.domain.tld has SOA record m707.ad.domain.tld. hostmaster.ad.domain.tld.
> 1 900 600 86400 3600
>
> --------------------------------------------------------------------------------
>
> And this leads to:
>
> --------------------------------------------------------------------------------
> host -t SRV _ldap._tcp.gc._msdcs.ad.domain.tld
> _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268
> m709.ad.domain.tld.
> _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268
> m700.ad.domain.tld.
> _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268
> m708.ad.domain.tld.
> _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268
> m707.ad.domain.tld.
>
> --------------------------------------------------------------------------------
>
> m707, m708 and m709 are removed DCs.
> m700, m701 and m702 are new DCs.
>
> So during demote no DC was removed from the DNS zone, at least for that
> specific record.
> During join only one DC was added; perhaps it was during seizing, no real
> idea as I trusted Samba to perform the relevant changes in the DNS zone.
> During FSMO seizing the SOA was not changed.
>
> I tried to use samba-tool dns update to modify the SOA but without success, so
> I used RSAT.
> I did update the SOA for both zones AD.DOMAIN.TLD and _msdcs.AD.DOMAIN.TLD.
>
> samba_dnsupdate was not really working better after that; it stopped
> showing lines like:
> ; Communication with 10.156.248.238#53 failed: operation canceled
> but that was the only relevant change I saw (note: I'm ill today so I may
> easily have been lacking attention).
>
> Still using RSAT, I manually removed all entries I spotted regarding all 3
> old DCs.
>
> Now on the FSMO owner, running samba_dnsupdate without options gives no errors.
> With --all-names I've got these two errors:
> couldn't get address for 'm707.ad.domain.tld': not found (10 times)
> ; TSIG error with server: tsig verify failure (17 times)
>
> and finished with:
> Failed update of 27 entries
>
> On the two other DCs:
>  samba_dnsupdate
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> Failed update of 8 entries
>
> Finally, as adding --verbose shows which entry this tool was supposed to add,
> I wrote an awk script to extract that information and re-run the "samba-tool
> dns add" command.
>
> Perhaps it is because I performed this update on the FSMO owner rather
> than on the current DC (using <server> from the help equal to the FSMO owner name)
> that all the missing ones were added.
>
> Attached is the awk script I used to solve that. To run it:
> samba_dnsupdate --verbose | awk -f dnsupdate.awk
>
> What all that shows is that there are still some real issues with DNS entries.
>
> I'll try to get time to retry the whole process soon: creating a domain
> with several DCs on 4.3.0, adding DCs using 4.3.1, then removing all DCs using
> 4.3.0 after seizing the FSMO roles.
>
> Hoping I was clear enough...
>
> Best regards,
>
> mathias
>
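The awk script mentioned above is attached to the mail and not reproduced here. As an added example (not the author's script, nor part of Samba), the following Python does the same job: it parses the "Calling nsupdate for ..." lines that samba_dnsupdate --verbose prints and turns each into the equivalent "samba-tool dns add" (or delete) command. It assumes the record belongs to one of the two zones named in the mail (DOMAIN or _msdcs.DOMAIN), that samba-tool takes the record name relative to its zone, and that SRV records use the priority 0 / weight 100 that samba_dnsupdate itself writes; the sample output is constructed.

```python
import re
import shlex

# samba_dnsupdate --verbose prints one of these before each nsupdate run, e.g.
#   Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
#   Calling nsupdate for SRV _ldap._tcp.gc._msdcs.ad.domain.tld m700.ad.domain.tld 3268 (add)
CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.+?) \((add|delete)\)\s*$")

# Constructed sample of samba_dnsupdate --verbose output (not captured from a real DC)
SAMPLE = """IPs: ['10.156.248.216']
Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
Outgoing update query:
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.ad.domain.tld m700.ad.domain.tld 3268 (add)
Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
"""

def parse_call_line(line):
    """(type, fqdn, data fields, op) for a 'Calling nsupdate' line, else None."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    rtype, fqdn, rest, op = m.groups()
    return rtype, fqdn.rstrip("."), rest.split(), op

def zone_and_name(fqdn, domain):
    """Map an FQDN to (zone, name relative to that zone). Assumes only the two
    AD zones from the mail exist, _msdcs.DOMAIN and DOMAIN; the apex becomes '@'."""
    for zone in ("_msdcs." + domain, domain):  # most specific zone first
        if fqdn == zone:
            return zone, "@"
        if fqdn.endswith("." + zone):
            return zone, fqdn[:-len(zone) - 1]
    raise ValueError("%s is outside %s and _msdcs.%s" % (fqdn, domain, domain))

def samba_tool_command(entry, server, domain):
    """argv for: samba-tool dns add|delete <server> <zone> <name> <type> <data>"""
    rtype, fqdn, fields, op = entry
    zone, name = zone_and_name(fqdn, domain)
    if rtype == "SRV":  # data is "target port priority weight"; samba_dnsupdate uses 0 100
        data = "%s %s 0 100" % (fields[0], fields[1])
    elif rtype in ("A", "AAAA", "CNAME", "NS"):
        data = fields[0]
    else:
        raise ValueError("unsupported record type %s" % rtype)
    return ["samba-tool", "dns", op, server, zone, name, rtype, data]

def commands_from_output(text, server, domain):
    """One shell-quoted samba-tool command per 'Calling nsupdate' line, in order."""
    return [shlex.join(samba_tool_command(e, server, domain))
            for e in map(parse_call_line, text.splitlines()) if e]
```

In practice feed the real `samba_dnsupdate --verbose` output instead of SAMPLE and review the generated commands before running them on the DC given as <server>.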