[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server

L.P.H. van Belle belle at bazuin.nl
Mon Aug 15 07:07:38 UTC 2016


Just a question.. 

Did you reboot the servers after the join? 
And first the DC with FSMO, reboot it, wait until it's fully up again, then the other. I don't know why but that helped me a few times. 


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex Crow via
> samba
> Sent: Monday 15 August 2016 0:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Horrible BIND9_DLZ DNS breakage after DC replaced
> and samba-tool domain demote --remove-other-dead-server
> 
> 
> 
> On 14/08/16 22:14, Rowland Penny via samba wrote:
> > On Sun, 14 Aug 2016 21:52:43 +0100
> > Alex Crow via samba <samba at lists.samba.org> wrote:
> >
> >>> I am fairly sure this is your problem, it should be able to find the
> >>> KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts
> >>> and /etc/resolv.conf ?
> >> With the BIND server not running, and this krb5.conf:
> >>
> >> [libdefaults]
> >>         default_realm = SAMBA.IFA.NET
> >>         dns_lookup_realm = false
> >>         dns_lookup_kdc = true
> >> ~
> >>
> >> samba_dnsupdate cannot find the KDC. Even if I add:
> >>
> >> [realms]
> >>     SAMBA4.IFA.NET {
> >>     kdc= 172.31.0.10
> >> }
> >>
> > Well, I don't think you can find the KDC if the DNS server isn't
> > running, you could try changing 'dns_lookup_kdc = true' to false
> I think I tried that, but I'm not 100% sure. I tried a lot of things to
> get back on track.
> 
> >
> >> it still complains about not finding a KDC and does not complete.
> >>
> >> Oddly if I can use the output to figure out the DNS entries I need to
> >> add, so I thought "ah, cool, I'll use samba-tool dns" to add them back
> >> in. To my great surprise, when I try to add each entry that
> >> samba_dnsupdate says is missing, samba-tool tells me it already
> >> exists!!
> > OK, try running:
> >
> > ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs
> > --show-binary
> >
> > replace nano with your favourite editor and
> > '/usr/local/samba/private/sam.ldb' with the path to your sam.ldb.
> >
> > You should now be able to search the entire AD and see if your entries
> > do exist.
> 
> I did have a quick look with ldbedit before this last email. There were
> indeed a number of DNS nodes but perhaps as I didn't use "--show-binary"
> I was missing something.
> 
> Cheers
> 
> Alex
> 
> 