[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server

Rowland Penny rpenny at samba.org
Mon Aug 15 18:59:56 UTC 2016

On Mon, 15 Aug 2016 16:02:38 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> OK, this has nothing to do with the classicupgrade, I have set up a
> couple of VMs and provisioned a test DC in one and joined another DC
> in the other.
> I am now at the point the OP is at: samba_dnsupdate cannot add the
> required records, all I get in log.samba is this multiple times:
> [2016/08/15 15:57:23.949917, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
> and it ends with this:
> [2016/08/15 15:57:23.975421, 0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done) ../source4/dsdb/dns/dns_update.c:295:
> Now to try and find the cause and fix it.
> Rowland

OK, I think I have sorted this. I added some lines to samba_dnsupdate
to print out why it didn't work and got this:

Could not obtain Kerberos ticket for DNS/devdc1.example.com as DEVDC2$
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
Failed update of 24 entries

So, I thought, no SOA records for DEVDC2

Added them:

samba-tool dns add example.com devdc2 A -Uadministrator

samba-tool dns add example.com @ NS devdc2.example.com -Uadministrator

samba-tool dns add _msdcs.example.com @ NS devdc2.example.com -Uadministrator

and then ran samba_dnsupdate again and this time it didn't print
anything, so I tried this:

root at devdc2:~# host -t SRV _ldap._tcp.example.com.

and got this:

_ldap._tcp.example.com has SRV record 0 100 389 devdc1.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 devdc2.example.com.

I think all the records are now there.

So, as the OP said, this is a bit of a chicken-and-egg situation: you
need the SOA records to add the SOA records via samba_dnsupdate.
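The check below is an added example, not Samba code or anything from the thread itself. It takes the text that `host -t A`, `host -t NS` and `host -t SRV` print for a domain and reports, per DC, which of the records the message above adds by hand (the DC's A record, its NS entries in the domain zone and in `_msdcs`) and the `_ldap._tcp` SRV entry are absent. The sample `host` output is constructed to mirror the thread: devdc2 has an A record but no NS or SRV entries, which is the state in which samba_dnsupdate was failing with NOTAUTH. The domain and DC names are the thread's example values; the addresses are made up.

```python
"""Report which of a Samba DC's DNS records are missing, given `host` output.

Added example for the thread above; not part of Samba. Record set checked
follows the records the message adds manually (A, NS in the zone, NS in
_msdcs) plus the _ldap._tcp SRV entry it verifies afterwards.
"""

import re

# Line shapes printed by `host -t A`, `host -t NS` and `host -t SRV`.
A_RE = re.compile(r"^(?P<name>\S+) has address (?P<addr>\S+)$")
NS_RE = re.compile(r"^(?P<zone>\S+) name server (?P<target>\S+)$")
SRV_RE = re.compile(r"^(?P<name>\S+) has SRV record \d+ \d+ \d+ (?P<target>\S+)$")


def norm(name):
    """Lower-case and drop the trailing dot so targets compare equal."""
    return name.rstrip(".").lower()


def parse_host_output(text):
    """Collect A names, NS targets per zone and SRV targets per service name."""
    found = {"A": set(), "NS": {}, "SRV": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := A_RE.match(line):
            found["A"].add(norm(m["name"]))
        elif m := NS_RE.match(line):
            found["NS"].setdefault(norm(m["zone"]), set()).add(norm(m["target"]))
        elif m := SRV_RE.match(line):
            found["SRV"].setdefault(norm(m["name"]), set()).add(norm(m["target"]))
    return found


def missing_records(domain, dc_fqdns, host_output):
    """Return {dc_fqdn: [description of each absent record]} for every DC."""
    found = parse_host_output(host_output)
    domain = norm(domain)
    report = {}
    for dc in map(norm, dc_fqdns):
        missing = []
        if dc not in found["A"]:
            missing.append(f"A {dc}")
        if dc not in found["NS"].get(domain, set()):
            missing.append(f"NS {domain}")
        if dc not in found["NS"].get(f"_msdcs.{domain}", set()):
            missing.append(f"NS _msdcs.{domain}")
        if dc not in found["SRV"].get(f"_ldap._tcp.{domain}", set()):
            missing.append(f"SRV _ldap._tcp.{domain}")
        report[dc] = missing
    return report


# Constructed sample output (addresses are invented): devdc1 is complete,
# devdc2 only has its A record, as in the thread before the NS records were added.
SAMPLE_HOST_OUTPUT = """\
devdc1.example.com has address 192.0.2.11
devdc2.example.com has address 192.0.2.12
example.com name server devdc1.example.com.
_msdcs.example.com name server devdc1.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 devdc1.example.com.
"""

if __name__ == "__main__":
    dcs = ["devdc1.example.com", "devdc2.example.com"]
    for dc, missing in missing_records("example.com", dcs, SAMPLE_HOST_OUTPUT).items():
        print(dc, "OK" if not missing else "missing: " + ", ".join(missing))
```

In practice you would feed it the concatenated output of the three `host` queries run against each DC in turn, since the point of the thread is that a DC whose own zone lacks its NS entry cannot get its updates accepted.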

