[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server

Rowland Penny rpenny at samba.org
Sun Aug 14 21:14:04 UTC 2016


On Sun, 14 Aug 2016 21:52:43 +0100
Alex Crow via samba <samba at lists.samba.org> wrote:

> 
> > I am fairly sure this is your problem, it should be able to find the
> > KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts
> > and /etc/resolv.conf ?
> 
> With the BIND server not running, and this krb5.conf:
> 
> [libdefaults]
>         default_realm = SAMBA.IFA.NET
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> samba_dnsupdate cannot find the KDC. Even if I add:
> 
> [realms]
>     SAMBA4.IFA.NET {
>     kdc= 172.31.0.10
> }
> 

Well, I don't think you can find the KDC if the DNS server isn't
running; you could try changing 'dns_lookup_kdc = true' to false.

> it still complains about not finding a KDC and does not complete.
> 
> Oddly, I can use the output to figure out the DNS entries I need to
> add, so I thought "ah, cool, I'll use samba-tool dns" to add them back
> in. To my great surprise, when I try to add each entry that
> samba_dnsupdate says is missing, samba-tool tells me it already
> exists!!

OK, try running:

ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs --show-binary

replace nano with your favourite editor and
'/usr/local/samba/private/sam.ldb' with the path to your sam.ldb.

You should now be able to search the entire AD and see if your entries
do exist.

> 
> /etc/hosts on the new DC:
> 
> 172.31.0.10     samba4-dc-2.samba.ifa.net samba4-dc-2
> 
> also:
> 
> [root at samba4-dc-2 ~]# hostname -f
> samba4-dc-2.samba.ifa.net
> 
> resolv.conf:
> 
> search samba.ifa.net. ifa.net.
> nameserver 172.31.0.10
> 
> 
> 
> >
> >> I've done the dnsupdate on both DCs before turning off the first,
> >> and it completes fine after a couple of restarts of samba and
> >> bind. I'm still not sure why I should turn off bind on the newer
> >> DC as it's surely a requirement for the domain to function?
> >>
> > Yes it is, I was just making sure.
> >
> > Rowland
> 
> Feels a bit chicken-and-egg at the moment. Is there a definitive
> procedure documented for neophytes to, post-classicupgrade:
> 
> 1) add a new BIND9_DLZ based DC properly
> 2) remove all traces of the DC used for the classicupgrade
> 
> ?


I don't think so, most people just use the upgraded DC.

Rowland
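An added example, not part of this thread, that parses a krb5.conf such as the one quoted above and reports why a KDC lookup could fail: the [realms] stanza is only consulted when its name matches default_realm exactly, and with dns_lookup_kdc = true and no static kdc entry the lookup depends entirely on DNS, which is Rowland's point. The sample input is the quoted configuration reassembled (constructed); the parser and checker are hypothetical helpers, not Samba or MIT tooling.

```python
import re

# Constructed sample input: the krb5.conf fragments quoted in the thread.
SAMPLE_KRB5_CONF = """[libdefaults]
        default_realm = SAMBA.IFA.NET
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
    SAMBA4.IFA.NET {
    kdc= 172.31.0.10
}"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}; 'NAME = { ... }' blocks nest ('=' optional)."""
    sections, stack = {}, [{}]  # stack[0] swallows keys seen before any [section]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments; blank lines fall through
        if line.startswith('[') and line.endswith(']'):
            stack = [sections.setdefault(line[1:-1], {})]
        elif re.match(r'^[^\s=]+\s*=?\s*\{$', line):
            name = line.rstrip('{').rstrip(' =')
            stack.append(stack[-1].setdefault(name, {}))
        elif line == '}' and len(stack) > 1:
            stack.pop()
        elif '=' in line:
            key, value = (p.strip() for p in line.split('=', 1))
            stack[-1][key] = value
    return sections


def check_kdc_config(conf):
    """List the reasons a client using this file could fail to locate a KDC."""
    lib = conf.get('libdefaults', {})
    realm = lib.get('default_realm')
    if not realm:
        return ['no default_realm in [libdefaults]']
    realms = conf.get('realms', {})
    stanza = realms.get(realm, {})  # realm names must match exactly, case included
    findings = []
    if realm not in realms:
        present = ', '.join(sorted(realms)) or 'none'
        findings.append(f'no [realms] stanza for {realm} (present: {present})')
    elif 'kdc' not in stanza:
        findings.append(f'[realms] stanza for {realm} has no kdc entry')
    if 'kdc' not in stanza:
        if lib.get('dns_lookup_kdc', 'true').lower() == 'true':
            findings.append('no static kdc and dns_lookup_kdc = true: KDC discovery relies solely on DNS SRV records')
        else:
            findings.append('no static kdc and dns_lookup_kdc = false: no way to locate a KDC')
    return findings
```

Run it against the live /etc/krb5.conf after the DNS records are back to confirm the file itself is not the remaining cause.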