[Samba] Unable to transfer ForestDns/DomainDNS

Jason Waters jason at geeknocity.com
Thu Jul 7 12:56:35 UTC 2016


So I continue to struggle getting this moved away from windows 2003 to
samba.  I've been working in VM's to test before doing it on production.  I
think something is just wrong/broken with my windows 2003 AD.  These are a
couple of the things I have tried.

- Going from Windows 2003 to Windows 2008 to Samba
- Seizing the roles and then joining another samba domain controller.  But
I'm unable to move the DomainDnsZones and ForestDnsZones fsmo's to the new
samba box.  Like it is copying bad data.
- Setup a new domain with samba, joined Windows 2008 and migrated
everything around fine!  Another reason why I think something is wrong in
my data.


So the last thing I've been trying to figure out is why the command

ldbsearch --cross-ncs -H ldap://pdc -b "DC=DomainDnsZones,DC=fisherthompson,DC=local" -s sub -Uadministrator

returns a referral instead of the records.  On my purely stock samba domain
it works fine, so something about the windows 2003 ad?

But if I open ADSIEDIT and connect to
DC=DomainDnsZones,DC=fisherthompson,DC=local on the windows 2003 DC I see
everything like I should.....


It seems like samba and ldbtools aren't following the referrals.  Or they
shouldn't be referrals?  Or something else that I have no idea about!

Any other suggestions?  Thanks!

Jason

On Wed, Jun 29, 2016 at 11:31 AM, lingpanda101 at gmail.com <
lingpanda101 at gmail.com> wrote:

> On 6/29/2016 11:23 AM, Jason Waters wrote:
>
>> So I setup a testing environment so I can test/break things.  I think my
>> issue is that something is screwed up with the Partitions on the windows
>> 2003 server.  The forest and domain partitions look odd, are they?
>>
>>   Mine looks kind of like this...
>>
>> http://1ask2.com/Wndows2012/Upgrade/migration09.jpg
>>
>> On Tue, Jun 28, 2016 at 8:21 AM, Jason Waters <jason at geeknocity.com>
>> wrote:
>>
>> I still feel like there is something I can do to get the 2003 server to
>>> have what I need to do a fsmo transfer instead of a seize.  Doesn't that
>>> check box say to store it inside AD?
>>>
>>> http://i.imgur.com/UolzBwP.png
>>> http://i.imgur.com/tHTmB5c.png
>>>
>>>
>>> On Tue, Jun 28, 2016 at 8:09 AM, Jason Waters <jason at geeknocity.com>
>>> wrote:
>>>
>>> I still feel like there is something I can do to get the 2003 server to
>>>> have what I need to do a fsmo transfer instead of a seize.  Doesn't that
>>>> check box say to store it inside AD?
>>>>
>>>> Thu, Jun 23, 2016 at 2:19 PM, Rowland penny <rpenny at samba.org> wrote:
>>>>
>>>> On 23/06/16 18:52, Jason Waters wrote:
>>>>>
>>>>> lol...sorry!
>>>>>>
>>>>>> - The windows domain controller does run a DNS server
>>>>>>
>>>>>> - I joined the samba DC's to the windows DC.  I used the normal
>>>>>> command, but did get an error about the forest and domain dns. The
>>>>>> error is:
>>>>>>
>>>>>> descriptor_sd_propagation_recursive:
>>>>>> DC=DomainDnsZones,DC=fisherthompson,DC=local not found under
>>>>>> DC=fisherthompson,DC=local
>>>>>> descriptor_sd_propagation_recursive:
>>>>>> DC=ForestDnsZones,DC=fisherthompson,DC=local not found under
>>>>>> DC=fisherthompson,DC=local
>>>>>>
>>>>>>
>>>>>> Below is the full join output.....
>>>>>>
>>>>>>
>>>>>> START OF DOMAIN JOIN
>>>>>> *************************************
>>>>>> root at DC01:/var/lib/samba# samba-tool domain join fisherthompson.local
>>>>>> DC -UAdministrator
>>>>>> Finding a writeable DC for domain 'fisherthompson.local'
>>>>>> Found DC PDC.fisherthompson.local
>>>>>> Password for [FISHERTHOMPSON\Administrator]:
>>>>>> workgroup is FISHERTHOMPSON
>>>>>> realm is fisherthompson.local
>>>>>> checking sAMAccountName
>>>>>> Adding CN=DC01,OU=Domain Controllers,DC=fisherthompson,DC=local
>>>>>> Adding CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>>>>>> Adding CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>>>>>> Adding SPNs to CN=DC01,OU=Domain Controllers,DC=fisherthompson,DC=local
>>>>>> Setting account password for DC01$
>>>>>> Enabling account
>>>>>> Calling bare provision
>>>>>> Looking up IPv4 addresses
>>>>>> Looking up IPv6 addresses
>>>>>> No IPv6 address will be assigned
>>>>>> Setting up share.ldb
>>>>>> Setting up secrets.ldb
>>>>>> Setting up the registry
>>>>>> Setting up the privileges database
>>>>>> Setting up idmap db
>>>>>> Setting up SAM db
>>>>>> Setting up sam.ldb partitions and settings
>>>>>> Setting up sam.ldb rootDSE
>>>>>> Pre-loading the Samba 4 and AD schema
>>>>>> A Kerberos configuration suitable for Samba 4 has been generated at
>>>>>> /var/lib/samba/private/krb5.conf
>>>>>> Provision OK for domain DN DC=fisherthompson,DC=local
>>>>>> Starting replication
>>>>>> Schema-DN[CN=Schema,CN=Configuration,DC=fisherthompson,DC=local]
>>>>>> objects[402] linked_values[0]
>>>>>> Schema-DN[CN=Schema,CN=Configuration,DC=fisherthompson,DC=local]
>>>>>> objects[804] linked_values[0]
>>>>>> Schema-DN[CN=Schema,CN=Configuration,DC=fisherthompson,DC=local]
>>>>>> objects[1206] linked_values[0]
>>>>>> Schema-DN[CN=Schema,CN=Configuration,DC=fisherthompson,DC=local]
>>>>>> objects[1376] linked_values[0]
>>>>>> Analyze and apply schema objects
>>>>>> Partition[CN=Configuration,DC=fisherthompson,DC=local] objects[402]
>>>>>> linked_values[0]
>>>>>> Partition[CN=Configuration,DC=fisherthompson,DC=local] objects[804]
>>>>>> linked_values[0]
>>>>>> Partition[CN=Configuration,DC=fisherthompson,DC=local] objects[1206]
>>>>>> linked_values[0]
>>>>>> Partition[CN=Configuration,DC=fisherthompson,DC=local] objects[1608]
>>>>>> linked_values[18]
>>>>>> Partition[CN=Configuration,DC=fisherthompson,DC=local] objects[1629]
>>>>>> linked_values[10]
>>>>>> Replicating critical objects from the base DN of the domain
>>>>>> Partition[DC=fisherthompson,DC=local] objects[93] linked_values[7]
>>>>>> Partition[DC=fisherthompson,DC=local] objects[387] linked_values[0]
>>>>>> Partition[DC=fisherthompson,DC=local] objects[569] linked_values[175]
>>>>>> Partition[DC=fisherthompson,DC=local] objects[741] linked_values[36]
>>>>>> Partition[DC=fisherthompson,DC=local] objects[741] linked_values[0]
>>>>>> Done with always replicated NC (base, config, schema)
>>>>>> Replicating DC=DomainDnsZones,DC=fisherthompson,DC=local
>>>>>> Partition[DC=DomainDnsZones,DC=fisherthompson,DC=local] objects[191]
>>>>>> linked_values[0]
>>>>>> Replicating DC=ForestDnsZones,DC=fisherthompson,DC=local
>>>>>> Partition[DC=ForestDnsZones,DC=fisherthompson,DC=local] objects[33]
>>>>>> linked_values[0]
>>>>>> Committing SAM database
>>>>>> descriptor_sd_propagation_recursive:
>>>>>> DC=DomainDnsZones,DC=fisherthompson,DC=local not found under
>>>>>> DC=fisherthompson,DC=local
>>>>>> descriptor_sd_propagation_recursive:
>>>>>> DC=ForestDnsZones,DC=fisherthompson,DC=local not found under
>>>>>> DC=fisherthompson,DC=local
>>>>>> Sending DsReplicaUpdateRefs for all the replicated partitions
>>>>>> Setting isSynchronized and dsServiceName
>>>>>> Setting up secrets database
>>>>>> Joined domain FISHERTHOMPSON (SID
>>>>>> S-1-5-21-4059926353-2957580592-3733343930) as a DC
>>>>>>
>>>>>> *************************************
>>>>>> END OF DOMAIN JOIN
>>>>>>
>>>>>>
>>>>>>
>>>>>> It looks like your windows DC doesn't store its DNS zones in AD, the
>>>>> code in join.py to replicate DNS info is this:
>>>>>
>>>>>
>>>>>     print "Done with always replicated NC (base, config, schema)"
>>>>>
>>>>>     for nc in (ctx.domaindns_zone, ctx.forestdns_zone):
>>>>>         if nc in ctx.nc_list:
>>>>>             print "Replicating %s" % (str(nc))
>>>>>             repl.replicate(nc, source_dsa_invocation_id,
>>>>>                            destination_dsa_guid, rodc=ctx.RODC,
>>>>>                            replica_flags=ctx.replica_flags)
>>>>>
>>>>> Your 'join' info shows this:
>>>>>
>>>>> Done with always replicated NC (base, config, schema)
>>>>> Replicating DC=DomainDnsZones,DC=fisherthompson,DC=local
>>>>> Partition[DC=DomainDnsZones,DC=fisherthompson,DC=local] objects[191]
>>>>> linked_values[0]
>>>>> Replicating DC=ForestDnsZones,DC=fisherthompson,DC=local
>>>>> Partition[DC=ForestDnsZones,DC=fisherthompson,DC=local] objects[33]
>>>>> linked_values[0]
>>>>> Committing SAM database
>>>>> descriptor_sd_propagation_recursive:
>>>>> DC=DomainDnsZones,DC=fisherthompson,DC=local not found under
>>>>> DC=fisherthompson,DC=local
>>>>> descriptor_sd_propagation_recursive:
>>>>> DC=ForestDnsZones,DC=fisherthompson,DC=local not found under
>>>>> DC=fisherthompson,DC=local
>>>>>
>>>>> I 'think' the last two lines mean nothing was replicated because there
>>>>> was nothing to replicate to or from.
>>>>>
>>>>> You say your windows DC runs a DNS server, what sort & type ?
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>>>
>>>>
> The partitions look fine from that screenshot alone.
>
> --
> -James
>
>
>
>
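As an added example (not code from Samba or from anyone in the thread), the following models the naming-context logic the thread circles around: a DC only answers a search locally when it holds a replica of the NC that contains the base DN, otherwise it hands back a referral, and the quoted join.py replicates a DNS partition only when the source advertises it. The `nc_list` equivalence to the source DC's rootDSE namingContexts and the DN lists below are assumptions constructed from the DNs in the join output.

```python
"""Predict which AD naming contexts (NCs) a DC answers for locally and which
DNS application partitions a Samba join would replicate from it.
Added example, not code from Samba or from anyone in the thread.  It mirrors
the `if nc in ctx.nc_list` test quoted from join.py; nc_list is assumed to be
the namingContexts the source DC advertises in its rootDSE.  The DN lists
below are constructed from the DNs that appear in the join output."""
DOMAIN_DN = "DC=fisherthompson,DC=local"
# Every NC in the forest (what the crossRef objects under CN=Partitions name).
FOREST_NCS = [
    DOMAIN_DN,
    "CN=Configuration," + DOMAIN_DN,
    "CN=Schema,CN=Configuration," + DOMAIN_DN,
    "DC=DomainDnsZones," + DOMAIN_DN,
    "DC=ForestDnsZones," + DOMAIN_DN,
]
# Constructed rootDSE namingContexts of a DC that holds no DNS partition.
HELD_NCS_NO_DNS = FOREST_NCS[:3]


def dn_parts(dn):
    """Normalise a DN to lower-case RDN strings (escaped commas not handled)."""
    return tuple(c.strip().lower() for c in dn.split(",") if c.strip())


def containing_nc(base_dn, forest_ncs=FOREST_NCS):
    """Return the deepest forest NC whose DN is a suffix of base_dn, or None.
    Deepest wins, so DC=DomainDnsZones,... beats the domain NC it hangs off."""
    base, best = dn_parts(base_dn), None
    for nc in forest_ncs:
        parts = dn_parts(nc)
        if len(parts) <= len(base) and base[len(base) - len(parts):] == parts:
            if best is None or len(parts) > len(dn_parts(best)):
                best = nc
    return best


def expect_referral(base_dn, held_ncs, forest_ncs=FOREST_NCS):
    """True when the DC knows the NC containing base_dn (via its crossRef) but
    holds no replica of it, so the LDAP search is answered with a referral."""
    nc = containing_nc(base_dn, forest_ncs)
    return nc is not None and dn_parts(nc) not in {dn_parts(h) for h in held_ncs}


def dns_ncs_to_replicate(domain_dn, held_ncs):
    """join.py's test: replicate each DNS NC only if the source advertises it.
    Assumes a single-domain forest, so ForestDnsZones sits under domain_dn."""
    wanted = ["DC=DomainDnsZones," + domain_dn, "DC=ForestDnsZones," + domain_dn]
    held = {dn_parts(h) for h in held_ncs}
    return [nc for nc in wanted if dn_parts(nc) in held]
```

To check a real DC, replace the constructed lists with the namingContexts attribute read from its rootDSE and the nCName values of the crossRef objects under CN=Partitions,CN=Configuration,... .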

