[Samba] DC replacement and DNS issue

mathias dufresne infractory at gmail.com
Tue Oct 27 14:28:01 UTC 2015


Back from another test: rather than building new DCs, joining them and using one of
them to seize the FSMO roles, I just seized the FSMO roles with one of my current DCs.

Once more the SOA was not updated, which seems to mean there is a real
issue here, as seizing these roles is likely to precede the removal of the
old FSMO owner.

To update the SOA record using samba-tool:
1) If not already created, create an NS record for the DC which will become the SOA.
I'm not completely sure this is needed.

samba-tool dns add <DCname> <AD DNS zone> <new DNS server FQDN> NS <new DNS server IP addr>

2) Change the SOA record on the 2 DNS zones:
samba.domain.tld and _msdcs.samba.domain.tld

a) retrieve the serial for the current SOA:
samba-tool dns query <DCname> <AD DNS zone> <AD DNS zone> SOA -k yes
Name=, Records=1, Children=0
SOA: serial=58, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc14.samba.domain.tld., email=hostmaster.samba.domain.tld.
(flags=600000f0, serial=110, ttl=3600)
Name=_msdcs, Records=0, Children=0
Name=_sites, Records=0, Children=1
Name=_tcp, Records=0, Children=4
Name=_udp, Records=0, Children=2
Name=domain1, Records=0, Children=1
Name=DomainDnsZones, Records=0, Children=2
Name=ForestDnsZones, Records=0, Children=2
Name=m700, Records=0, Children=0
Name=m701, Records=0, Children=0
Name=m702, Records=0, Children=0

-k yes -> use the Kerberos ticket to authenticate; the ticket must already exist.
The second <AD DNS zone> is because we look for the SOA of that zone.

On the line starting with SOA: we have all the information needed to run the next
command, which updates this record.

samba-tool gives:
Usage: samba-tool dns update <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SOA|SRV|TXT> <olddata> <newdata>

To update SOA the beginning is as usual:
samba-tool dns update <server> <zone> <zone> SOA .......

The question is what to put after for <olddata> and <newdata>.

olddata and newdata must be surrounded by quotes and contain 7 elements, as
the error shows us:
ERROR: Data requires 7 elements - nameserver, email, serial, refresh, retry, expire, minimumttl

Inside the quotes each value must be separated by a space, and no space can
exist between the last character of minimumttl and the closing quote.

Using the data from the previous query, to replace dc14 with dc27, that gives:
samba-tool dns update <server> <zone> <zone> SOA \
 'dc14.samba.domain.tld. hostmaster.samba.domain.tld. 58 900 600 86400 3600' \
 'dc27.samba.domain.tld. hostmaster.samba.domain.tld. 59 900 600 86400 3600'

According to https://support.microsoft.com/fr-fr/kb/282826 the serial must
be incremented.

I explained all that here to regroup information I found wandering around.

Cheers,

mathias

2015-10-26 12:23 GMT+01:00 mathias dufresne <infractory at gmail.com>:

> Hey,
>
> Thank you Louis for this script, I didn't yet take time to dig in but I
> will.
> I didn't take time either to perform another test. That should be done
> today.
>
> Anyway I waited for DC synchronisation before posting. I joined my DC and
> removed the old ones almost at the same time, then I gave more than 12 hours to
> my DC to synchronize. Then I tried to understand what happened, I wrote the
> script and posted that message, re- and re- and re-testing samba_dnsupdate
> during those hours (hours which took place after the 12 hours for synchro).
>
> So I expect there is something wrong in 4.3.1 DNS entry
> creation/renaming.
>
> And as I modified the SOA by hand using ADUC and samba_dnsupdate was not
> working to remove old entries (for the removed DC) and was also not working to
> add DNS entries for the new DC, I expect the issue is in samba_dnsupdate (but I
> could be completely wrong : )
>
> Cheers,
>
> mathias
>
> 2015-10-23 14:17 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>
>> Hi,
>>
>> If you just upgraded / changed the samba servers, then most probably
>> replication is in progress..
>>
>> Depending on the number of objects this can take some time, so don't be
>> too quick with checking.
>>
>> So take some time and wait... get coffee (maybe beer)  ;-)
>> Get this script, if needed change it and run it
>>
>> https://secure.bazuin.nl/scripts/samba-check-db-repl.sh
>> it checks up to 10 domain controllers for database replication.
>> It explains itself.
>>
>> And for the needed DNS records, see my previous mail.  ;-)
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias
>> > dufresne
>> > Sent: Friday 23 October 2015 14:03
>> > To: samba
>> > Subject: [Samba] DC replacement and DNS issue
>> >
>> > Hi all,
>> >
>> > I posted on both mailing lists as this seems to be (to me) an internal issue.
>> >
>> > As 4.3.1 came out I decided to switch my DCs from 4.3.0 to this new
>> > version.
>> >
>> > The process was to install Samba 4.3.1 on new systems, join these Samba
>> > servers as DCs, seize the FSMO roles, and demote all 4.3.0 DCs.
>> >
>> > The little I tested until now is working except for DNS entries:
>> > samba_dnsupdate is not working as it tries to update the DNS zone on a
>> > removed DC.
>> >
>> > This is the beginning of the samba_dnsupdate result. This was run on the
>> > owner of the 7 FSMO roles.
>> > This new FSMO owner is m700 with IP set to 10.156.248.216.
>> > The old FSMO owner is m707 with IP set to 10.156.248.238; this one was
>> > running 4.3.0.
>> >
>> >
>> > --------------------------------------------------------------------------------
>> >  ldbsearch -H $sam -b 'OU=Domain controllers,DC=AD,DC=DOMAIN,DC=TLD'
>> > '(objectclass=computer)' dn
>> > # record 1
>> > dn: CN=M700,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
>> >
>> > # record 2
>> > dn: CN=M701,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
>> >
>> > # record 3
>> > dn: CN=M702,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
>> >
>> > # returned 3 records
>> > # 3 entries
>> > # 0 referrals
>> >
>> > --------------------------------------------------------------------------------
>> > shows only the 3 DCs using 4.3.1.
>> >
>> > All the FSMO roles are owned by m700.
>> >
>> > --------------------------------------------------------------------------------
>> > samba-tool fsmo show
>> > SchemaMasterRole owner: CN=NTDS
>> > Settings,CN=M700,CN=Servers,CN=Default-First-Site-
>> > Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>> > InfrastructureMasterRole owner: CN=NTDS
>> > Settings,CN=M700,CN=Servers,CN=Default-First-Site-
>> > Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>> > RidAllocationMasterRole owner: CN=NTDS
>> > Settings,CN=M700,CN=Servers,CN=Default-First-Site-
>> > Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>> > PdcEmulationMasterRole owner: CN=NTDS
>> > Settings,CN=M700,CN=Servers,CN=Default-First-Site-
>> > Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>> > DomainNamingMasterRole owner: CN=NTDS
>> > Settings,CN=M700,CN=Servers,CN=Default-First-Site-
>> > Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>> > DomainDnsZonesMasterRole owner: CN=NTDS
>> > Settings,CN=M700,CN=Servers,CN=Default-First-Site-
>> > Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>> > ForestDnsZonesMasterRole owner: CN=NTDS
>> > Settings,CN=M700,CN=Servers,CN=Default-First-Site-
>> > Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>> >
>> > --------------------------------------------------------------------------------
>> >
>> >
>> >
>> > --------------------------------------------------------------------------------
>> > samba_dnsupdate --all-names --verbose --all-interfaces
>> > IPs: ['10.156.248.216']
>> > Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
>> > Outgoing update query:
>> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> > ;; UPDATE SECTION:
>> > m700.ad.domain.tld. 900 IN  A       10.156.248.216
>> >
>> > ; Communication with 10.156.248.238#53 failed: operation canceled
>> > could not talk to any default name server
>> > Failed nsupdate: 1
>> > Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
>> > Outgoing update query:
>> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> > ;; UPDATE SECTION:
>> > ad.domain.tld. 900  IN      A       10.156.248.216
>> > .....
>> >
>> > --------------------------------------------------------------------------------
>> >
>> > As samba_dnsupdate shows, it tries to contact the old FSMO owner as it is
>> > declared as SOA for that AD DNS zone:
>> >
>> > --------------------------------------------------------------------------------
>> > host -t SOA ad.domain.tld
>> > ad.domain.tld has SOA record m707.ad.domain.tld. hostmaster.ad.domain.tld. 1 900 600 86400 3600
>> >
>> > --------------------------------------------------------------------------------
>> >
>> > And this leads to:
>> >
>> > --------------------------------------------------------------------------------
>> > host -t SRV _ldap._tcp.gc._msdcs.ad.domain.tld
>> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268
>> > m709.ad.domain.tld.
>> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268
>> > m700.ad.domain.tld.
>> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268
>> > m708.ad.domain.tld.
>> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268
>> > m707.ad.domain.tld.
>> >
>> > --------------------------------------------------------------------------------
>> >
>> > m707, m708 and m709 are removed DCs.
>> > m700, m701 and m702 are new DCs.
>> >
>> > So during demote no DC was removed from the DNS zone, at least for that
>> > specific record.
>> > During join only one DC was added; perhaps it was during seizing, no real
>> > idea as I trusted Samba to perform the relevant changes in the DNS zone.
>> > During FSMO seizing the SOA was not changed.
>> >
>> > I tried to use samba-tool dns update to modify the SOA but without success,
>> > so I used RSAT.
>> > I did update the SOA for both zones AD.DOMAIN.TLD and _msdcs.AD.DOMAIN.TLD
>> >
>> > samba_dnsupdate was not working really better following that; it stopped
>> > showing lines like this:
>> > ; Communication with 10.156.248.238#53 failed: operation canceled
>> > but that was the only relevant change I saw (note: I'm ill today so I could
>> > easily have been lacking attention).
>> >
>> > Still using RSAT I removed manually all the entries I spotted regarding all
>> > 3 old DCs.
>> >
>> > Now on the FSMO owner, running samba_dnsupdate without options gives no
>> > errors.
>> > With --all-names I've got these two errors:
>> > couldn't get address for 'm707.ad.domain.tld': not found (10 times)
>> > ; TSIG error with server: tsig verify failure (17 times)
>> >
>> > and finished with:
>> > Failed update of 27 entries
>> >
>> > On the two others DC
>> >  samba_dnsupdate
>> > response to GSS-TSIG query was unsuccessful
>> > response to GSS-TSIG query was unsuccessful
>> > response to GSS-TSIG query was unsuccessful
>> > response to GSS-TSIG query was unsuccessful
>> > response to GSS-TSIG query was unsuccessful
>> > response to GSS-TSIG query was unsuccessful
>> > response to GSS-TSIG query was unsuccessful
>> > response to GSS-TSIG query was unsuccessful
>> > Failed update of 8 entries
>> >
>> > Finally, as adding --verbose gives which entry this tool was supposed to
>> > add, I wrote an awk script to extract that information to re-run the
>> > "samba-tool dns add" command.
>> >
>> > Perhaps it is because I performed this update on the FSMO owner rather
>> > than on the current DC (using <server> from the help equal to the FSMO
>> > owner name) that all the missing entries were added.
>> >
>> > Attached is the awk script I used to solve that. To run it:
>> > samba_dnsupdate --verbose | awk -f dnsupdate.awk
>> >
>> > What all that shows is that there are still some real issues with DNS entries.
>> >
>> > I'll try to get time to retry the whole process soon: creating a domain
>> > with several DCs with 4.3.0, adding DCs using 4.3.1, removing all DCs using
>> > 4.3.0 after seizing the FSMO roles.
>> >
>> > Hoping I was clear enough...
>> >
>> > Best regards,
>> >
>> > mathias
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba


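An added worked example, not the awk script attached to the thread and not part of Samba itself, covering the two text-processing steps the thread describes: the SOA update procedure in the 27 October message (query the SOA, build the quoted 7-element <olddata>/<newdata> pair with the nameserver swapped and the serial incremented) and the 23 October idea of turning "samba_dnsupdate --verbose" output back into "samba-tool dns add" commands. It is a POSIX shell script that never calls samba-tool; it only prints the commands it would run, so it can be checked before anything touches the zone. The sample query output and verbose lines are constructed from the values quoted in the thread (dc14/dc27, m700, 10.156.248.216); the function names, the zone-list argument, and the rule that the zone is the longest listed AD DNS zone that is a suffix of the record name are this example's own choices. Only A/AAAA lines are handled, since the A form is the only one the thread quotes; at the zone apex the example uses the "<zone> <zone>" convention the author used for the SOA update.

```shell
#!/bin/sh
# Added example, not the thread's attached awk script and not Samba code.
# It only prints the samba-tool commands it would run; nothing is executed.

# Constructed sample of "samba-tool dns query <DC> <zone> <zone> SOA" output,
# built from the values quoted in the thread. The wrapped "(flags=..., serial=110,
# ttl=...)" line carries a different "serial=" and must be ignored.
SAMPLE_QUERY='Name=, Records=1, Children=0
  SOA: serial=58, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc14.samba.domain.tld., email=hostmaster.samba.domain.tld.
  (flags=600000f0, serial=110, ttl=3600)
Name=_msdcs, Records=0, Children=0'

# Constructed sample of "samba_dnsupdate --verbose" lines, as quoted in the thread.
SAMPLE_VERBOSE='IPs: [10.156.248.216]
Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
Outgoing update query:
Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
Calling nsupdate for A DomainDnsZones.ad.domain.tld 10.156.248.216 (add)'

# soa_fields QUERY_OUTPUT -> "ns email serial refresh retry expire minttl",
# i.e. the 7 elements, in the order named by the samba-tool error message.
soa_fields() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*SOA:/ {
            sub(/^[[:space:]]*SOA:[[:space:]]*/, "")
            n = split($0, kv, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                v[p[1]] = p[2]
            }
            print v["ns"], v["email"], v["serial"], v["refresh"], v["retry"], v["expire"], v["minttl"]
            exit        # only the first SOA line; the flags line has its own serial=
        }'
}

# soa_update_args QUERY_OUTPUT NEW_NS -> two lines: <olddata> then <newdata>.
# newdata keeps email/refresh/retry/expire/minttl, replaces the nameserver
# and increments the serial (the KB article cited in the thread requires that).
soa_update_args() {
    old=$(soa_fields "$1")
    new_ns=$2
    set -- $old                      # word-split the 7 elements
    [ $# -eq 7 ] || { echo "could not parse SOA line" >&2; return 1; }
    printf '%s\n' "$old"
    printf '%s %s %s %s %s %s %s\n' "$new_ns" "$2" "$(( $3 + 1 ))" "$4" "$5" "$6" "$7"
}

# soa_update_cmd SERVER ZONE QUERY_OUTPUT NEW_NS -> the full samba-tool command.
# Each data argument is wrapped in single quotes with no trailing space, which
# is what samba-tool needs in order to see exactly 7 elements.
soa_update_cmd() {
    soa_update_args "$3" "$4" | {
        read -r olddata
        read -r newdata
        printf "samba-tool dns update %s %s %s SOA '%s' '%s'\n" \
            "$1" "$2" "$2" "$olddata" "$newdata"
    }
}

# dnsupdate_to_add SERVER "ZONE1 ZONE2 ..." VERBOSE_OUTPUT
# Turns each "Calling nsupdate for A|AAAA <fqdn> <ip> (add)" line into a
# "samba-tool dns add" command. The zone is the longest listed AD DNS zone that
# is a suffix of <fqdn>; the rest is <name>, or the zone itself at the apex
# (the "<zone> <zone>" convention used in the thread). Other record types are
# skipped, since the thread shows only the A form of these lines.
dnsupdate_to_add() {
    printf '%s\n' "$3" | awk -v server="$1" -v zones="$2" '
        BEGIN { nz = split(zones, z, " ") }
        /^Calling nsupdate for (A|AAAA) / && /\(add\)$/ {
            type = $4; fqdn = $5; data = $6; best = ""
            for (i = 1; i <= nz; i++) {
                tail = substr(fqdn, length(fqdn) - length(z[i]))
                if ((fqdn == z[i] || tail == "." z[i]) && length(z[i]) > length(best))
                    best = z[i]
            }
            if (best == "") next        # record outside every known zone
            name = (fqdn == best) ? best : substr(fqdn, 1, length(fqdn) - length(best) - 1)
            printf "samba-tool dns add %s %s %s %s %s\n", server, best, name, type, data
        }'
}

# Stand-alone demo: print the commands for the constructed samples.
soa_update_cmd dc27 samba.domain.tld "$SAMPLE_QUERY" dc27.samba.domain.tld.
dnsupdate_to_add m700 "ad.domain.tld _msdcs.ad.domain.tld" "$SAMPLE_VERBOSE"
```

In practice the two samples would be replaced by the live output, e.g. `soa_update_cmd dc27 samba.domain.tld "$(samba-tool dns query dc27 samba.domain.tld samba.domain.tld SOA -k yes)" dc27.samba.domain.tld.`, and the printed commands reviewed before being run; the same call is repeated for the _msdcs zone, which has its own SOA.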