[Samba] DC replacement and DNS issue

mathias dufresne infractory at gmail.com
Tue Oct 27 15:35:16 UTC 2015


DNS in AD is complex, so I forgot one record which seems important:
_ldap._tcp.pdc._msdcs.samba.domain.tld

As far as I understand this record must have only one record, the
DomainDnsZonesMasterRole (or ForestDnsZonesMasterRole, perhaps) FSMO
role owner.

Seizing FSMO roles and recreating records as explained in previous mails
generates a new record for _ldap._tcp.pdc._msdcs.samba.domain.tld
associated with the new FSMO owner.

So the old one has to be removed:
samba-tool dns delete <someDC> _msdcs.samba.domain.tld _ldap._tcp.pdc SRV 'DCname.samba.domain.tld 389 0 100'
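A small helper, added here and not part of this thread or of samba-tool itself, that does the bookkeeping described in the quoted message below: it parses the "SOA:" line of `samba-tool dns query <DC> <zone> <zone> SOA` output and builds the `samba-tool dns update ... SOA <olddata> <newdata>` command with the nameserver swapped and the serial incremented. The sample output and the dc14/dc27 names are constructed from the thread; `shlex.join` needs Python 3.8 or later.

```python
import re
import shlex

# Constructed sample, shaped like the "samba-tool dns query <DC> <zone> <zone> SOA"
# output quoted in the thread (dc14 is the current SOA nameserver).
SAMPLE_QUERY_OUTPUT = """\
  Name=, Records=1, Children=0
    SOA: serial=58, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc14.samba.domain.tld., email=hostmaster.samba.domain.tld. (flags=600000f0, serial=110, ttl=3600)
  Name=_msdcs, Records=0, Children=0
"""

# Pull the seven SOA elements out of the "SOA:" line; samba-tool's error
# message names them: nameserver, email, serial, refresh, retry, expire, minimumttl.
SOA_RE = re.compile(
    r"SOA:\s*serial=(?P<serial>\d+),\s*refresh=(?P<refresh>\d+),"
    r"\s*retry=(?P<retry>\d+),\s*expire=(?P<expire>\d+),\s*minttl=(?P<minttl>\d+),"
    r"\s*ns=(?P<ns>[^,\s]+),\s*email=(?P<email>[^,\s]+)"
)


def parse_soa(query_output):
    """Return the SOA fields of a samba-tool dns query dump as a dict."""
    m = SOA_RE.search(query_output)
    if m is None:
        raise ValueError("no SOA line found in samba-tool output")
    soa = m.groupdict()
    for key in ("serial", "refresh", "retry", "expire", "minttl"):
        soa[key] = int(soa[key])
    return soa


def soa_data(soa):
    """Format the 7 elements samba-tool expects: space separated, no trailing space."""
    return "{ns} {email} {serial} {refresh} {retry} {expire} {minttl}".format(**soa)


def build_soa_update(query_output, server, zone, new_ns):
    """Return the argv of the 'samba-tool dns update' that moves the SOA to new_ns.

    Only the nameserver changes and the serial is incremented (KB 282826);
    the timers and the hostmaster email are carried over unchanged.
    """
    old = parse_soa(query_output)
    new = dict(old)
    new["ns"] = new_ns if new_ns.endswith(".") else new_ns + "."  # FQDN, trailing dot
    new["serial"] = old["serial"] + 1
    return ["samba-tool", "dns", "update", server, zone, zone, "SOA",
            soa_data(old), soa_data(new)]


def shell_line(argv):
    """Quote argv for pasting into a shell (olddata/newdata become single-quoted)."""
    return shlex.join(argv)
```

Run the same command against both zones (samba.domain.tld and _msdcs.samba.domain.tld), since each has its own SOA.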



2015-10-27 15:28 GMT+01:00 mathias dufresne <infractory at gmail.com>:

> Back from another test: rather than building new DCs, joining them and using
> one of them to seize FSMO roles, I just seized FSMO with one of my current DCs.
>
> Once more the SOA was not updated, which seems to mean there is a real
> issue about that, as seizing these roles is likely to precede removal of the
> old FSMO owner.
>
> To update the SOA record using samba-tool:
> 1) If not already created, create an NS record for the DC which will become
> the SOA. I'm not completely sure this is needed.
>
> samba-tool dns add <DCname> <AD DNS zone> <new DNS server FQDN> NS <new DNS server IP addr>
>
> 2) Change the SOA record on the 2 DNS zones:
> samba.domain.tld and _msdcs.samba.domain.tld
>
> a) retrieve the serial of the current SOA:
> samba-tool dns query <DCname> <AD DNS zone> <AD DNS zone> SOA -k yes
> Name=, Records=1, Children=0
> SOA: *serial=58, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc14.samba.domain.tld., email=hostmaster.samba.domain.tld.* (flags=600000f0, serial=110, ttl=3600)
> Name=_msdcs, Records=0, Children=0
> Name=_sites, Records=0, Children=1
> Name=_tcp, Records=0, Children=4
> Name=_udp, Records=0, Children=2
> Name=domain1, Records=0, Children=1
> Name=DomainDnsZones, Records=0, Children=2
> Name=ForestDnsZones, Records=0, Children=2
> Name=m700, Records=0, Children=0
> Name=m701, Records=0, Children=0
> Name=m702, Records=0, Children=0
>
> -k yes -> use a Kerberos ticket to authenticate; the ticket must already exist.
> The second <AD DNS zone> is because we look for the SOA of that zone.
>
> On the line starting with SOA: we have all the information needed to run the
> next command, to update this record.
>
> samba-tool gives:
> Usage: samba-tool dns update <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SOA|SRV|TXT> <olddata> <newdata>
>
> To update SOA the beginning is as usual:
> samba-tool dns update <server> <zone> <zone> SOA .......
>
> The question is what to put after that for <olddata> and <newdata>.
>
> olddata and newdata must be surrounded by quotes and contain 7 elements,
> as the error shows us:
> ERROR: Data requires 7 elements - nameserver, email, serial, refresh, retry, expire, minimumttl
>
> Inside these quotes each element must be separated by a space, and no space
> may exist between the last character of minimumttl and the closing quote.
>
> Using the data from the previous query, that would give, to replace dc14 with dc27:
> samba-tool dns update <server> <zone> <zone> SOA \
>  '*dc14*.samba.domain.tld. hostmaster.samba.domain.tld. *58* 900 600 86400 3600' \
>  '*dc27*.samba.domain.tld. hostmaster.samba.domain.tld. *59* 900 600 86400 3600'
>
> According to https://support.microsoft.com/fr-fr/kb/282826 the serial
> must be incremented.
>
> I explained all that here to gather the information I found wandering around.
>
> Cheers,
>
> mathias
>
> 2015-10-26 12:23 GMT+01:00 mathias dufresne <infractory at gmail.com>:
>
>> Hey,
>>
>> Thank you Louis for this script, I haven't yet taken time to dig in but
>> I'll do it.
>> I didn't take time either to perform another test. That should be done
>> today.
>>
>> Anyway I waited for DC synchronisation before posting. I joined my DC and
>> removed the old ones almost at the same time, then I gave more than 12 hours
>> to my DC to synchronize. Then I tried to understand what happened, I wrote the
>> script and posted that message, re- and re- and re-testing samba_dnsupdate
>> during those hours (hours which took place after the 12 hours for synchro).
>>
>> So I expect there is something wrong in 4.3.1 DNS entry
>> creation/renaming.
>>
>> And as I modified the SOA by hand using ADUC, and samba_dnsupdate was not
>> working to remove old entries (for removed DCs) and was also not working to
>> add DNS entries for the new DC, I expect the issue is in samba_dnsupdate (but I
>> could be completely wrong : )
>>
>> Cheers,
>>
>> mathias
>>
>> 2015-10-23 14:17 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>
>>> Hai,
>>>
>>> If you just upgraded / changed the samba servers, then most probably
>>> replication is in progress..
>>>
>>> Depending on the number of objects this can take some time, so don't be
>>> too quick with checking.
>>>
>>> So take some time and wait... get coffee (maybe beer)  ;-)
>>> Get this script, if needed change it and run it:
>>>
>>> https://secure.bazuin.nl/scripts/samba-check-db-repl.sh
>>> It checks up to 10 domain controllers for database replication.
>>> It explains itself.
>>>
>>> And for the needed dns records, see my previous mail.  ;-)
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>> > -----Original message-----
>>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
>>> > Sent: Friday 23 October 2015 14:03
>>> > To: samba
>>> > Subject: [Samba] DC replacement and DNS issue
>>> >
>>> > Hi all,
>>> >
>>> > I posted on both mailing lists as this seems to be (to me) an internal issue.
>>> >
>>> > As 4.3.1 came out I decided to switch my DCs from 4.3.0 to this new
>>> > version.
>>> >
>>> > The process was to install Samba 4.3.1 on new systems, join these Samba
>>> > as DCs, seize FSMO roles, demote all 4.3.0.
>>> >
>>> > The few things I tested until now are working except for DNS entries:
>>> > samba_dnsupdate is not working as it tries to update the DNS zone on a
>>> > removed DC.
>>> >
>>> > This is the beginning of the samba_dnsupdate result. This was run on the
>>> > owner of the 7 FSMO roles.
>>> > This new FSMO owner is m700 with IP set to 10.156.248.216.
>>> > The old FSMO owner is m707 with IP set to 10.156.248.238, this one was
>>> > running 4.3.0.
>>> >
>>> >
>>> > --------------------------------------------------------------------------------
>>> >  ldbsearch -H $sam -b 'OU=Domain controllers,DC=AD,DC=DOMAIN,DC=TLD' '(objectclass=computer)' dn
>>> > # record 1
>>> > dn: CN=M700,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
>>> >
>>> > # record 2
>>> > dn: CN=M701,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
>>> >
>>> > # record 3
>>> > dn: CN=M702,OU=Domain Controllers,DC=ad,DC=domain,DC=tld
>>> >
>>> > # returned 3 records
>>> > # 3 entries
>>> > # 0 referrals
>>> >
>>> > --------------------------------------------------------------------------------
>>> > shows only the 3 DCs using 4.3.1.
>>> >
>>> > All the FSMO roles are owned by m700.
>>> >
>>> > --------------------------------------------------------------------------------
>>> > samba-tool fsmo show
>>> > SchemaMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>>> > InfrastructureMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>>> > RidAllocationMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>>> > PdcEmulationMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>>> > DomainNamingMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>>> > DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
>>> > ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=ad,DC=domain,DC=tld
>>> >
>>> > --------------------------------------------------------------------------------
>>> >
>>> > --------------------------------------------------------------------------------
>>> > samba_dnsupdate --all-names  --verbose --all-interfaces
>>> > IPs: ['10.156.248.216']
>>> > Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
>>> > Outgoing update query:
>>> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> > ;; UPDATE SECTION:
>>> > m700.ad.domain.tld. 900 IN  A       10.156.248.216
>>> >
>>> > ; Communication with 10.156.248.238#53 failed: operation canceled
>>> > could not talk to any default name server
>>> > Failed nsupdate: 1
>>> > Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
>>> > Outgoing update query:
>>> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> > ;; UPDATE SECTION:
>>> > ad.domain.tld. 900  IN      A       10.156.248.216
>>> > .....
>>> >
>>> > --------------------------------------------------------------------------------
>>> >
>>> > As samba_dnsupdate shows, it tries to contact the old FSMO owner as it is
>>> > declared as SOA for that AD DNS zone:
>>> >
>>> > --------------------------------------------------------------------------------
>>> > host -t SOA ad.domain.tld
>>> > ad.domain.tld has SOA record m707.ad.domain.tld. hostmaster.ad.domain.tld. 1 900 600 86400 3600
>>> >
>>> > --------------------------------------------------------------------------------
>>> >
>>> > And this leads to:
>>> >
>>> > --------------------------------------------------------------------------------
>>> > host -t SRV _ldap._tcp.gc._msdcs.ad.domain.tld
>>> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m709.ad.domain.tld.
>>> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m700.ad.domain.tld.
>>> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m708.ad.domain.tld.
>>> > _ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m707.ad.domain.tld.
>>> >
>>> > --------------------------------------------------------------------------------
>>> >
>>> > m707, m708 and m709 are removed DCs.
>>> > m700, m701 and m702 are new DCs.
>>> >
>>> > So during demote no DC was removed from the DNS zone, at least for that
>>> > specific record.
>>> > During join only one DC was added, perhaps it was during seizing, no real
>>> > idea as I trusted Samba to perform the relevant changes in the DNS zone.
>>> > During FSMO seizing the SOA was not changed.
>>> >
>>> > I tried to use samba-tool dns update to modify the SOA but without success,
>>> > so I used RSAT.
>>> > I did update the SOA for both zones AD.DOMAIN.TLD and _msdcs.AD.DOMAIN.TLD
>>> >
>>> > samba_dnsupdate was not working really better following that; it stopped
>>> > showing lines like:
>>> > ; Communication with 10.156.248.238#53 failed: operation canceled
>>> > but that is the only relevant change I saw (note: I'm ill today so I can
>>> > easily have been lacking attention).
>>> >
>>> > Still using RSAT I removed manually all entries I spotted regarding all 3
>>> > old DCs.
>>> >
>>> > Now on the FSMO owner running samba_dnsupdate without options gives no
>>> > errors.
>>> > With --all-names I've got these two errors:
>>> > couldn't get address for 'm707.ad.domain.tld': not found (10 times)
>>> > ; TSIG error with server: tsig verify failure (17 times)
>>> >
>>> > and finished with:
>>> > Failed update of 27 entries
>>> >
>>> > On the two other DCs:
>>> >  samba_dnsupdate
>>> > response to GSS-TSIG query was unsuccessful
>>> > response to GSS-TSIG query was unsuccessful
>>> > response to GSS-TSIG query was unsuccessful
>>> > response to GSS-TSIG query was unsuccessful
>>> > response to GSS-TSIG query was unsuccessful
>>> > response to GSS-TSIG query was unsuccessful
>>> > response to GSS-TSIG query was unsuccessful
>>> > response to GSS-TSIG query was unsuccessful
>>> > Failed update of 8 entries
>>> >
>>> > Finally, as adding --verbose gives what entry this tool was supposed to
>>> > add, I wrote an awk script to extract that information to re-run the
>>> > "samba-tool dns add" command.
>>> >
>>> > Perhaps it is because I performed this update on the FSMO owner rather
>>> > than on the current DC (using <server> from the help equal to the FSMO
>>> > owner name) that all the missing ones were added.
>>> >
>>> > In attachment is the awk script I used to solve that. To run it:
>>> > samba_dnsupdate --verbose | awk -f dnsupdate.awk
>>> >
>>> > What all that shows is that there are still some real issues with DNS
>>> > entries.
>>> >
>>> > I'll try to get time to retry the whole process soon: creating a domain
>>> > with several DCs with 4.3.0, adding DCs using 4.3.1, removing all DCs
>>> > using 4.3.0 after seizing FSMO roles.
>>> >
>>> > Hoping I was clear enough...
>>> >
>>> > Best regards,
>>> >
>>> > mathias
>>> > --
>>> > To unsubscribe from this list go to the following URL and read the
>>> > instructions:  https://lists.samba.org/mailman/options/samba