[Samba] Setup a Samba AD DC as an additional DC

Andrew Ruscica andrew.lists at ruscica.com
Wed Dec 5 02:25:27 UTC 2018 

Apologies for not replying to the thread, I just subscribed to the list,
after a day of troubleshooting this.

Regarding:
9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST'

I am experiencing the same symptoms, in a simpler environment than the
original submitter at the previous thread:

Single Windows 2008R2 Domain Controller
Schema version 47
No MS Exchange

Attempting to add a Samba 4 domain controller with the intention of
decommissioning the Windows Server.

Same symptoms from two different Samba 4 platforms:

FreeBSD 11.2 - samba 4.8.7 from packages
CentOS 7 - samba 4.9.3 compiled from source

SERVER1 = Windows Server 2008R2 Standard
SERVER3 = FreeBSD Samba Host

kinit and klist work fine.

# samba-tool domain join ad.mydomain DC -U"AD\administrator"
--dns-backend=SAMBA_INTERNAL

...
Adding DNS CNAME record
f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain for
SERVER3.ad.mydomain
Join failed - cleaning up
...
ERROR(runtime): uncaught exception - (9601,
'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 706, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1482,
in join_DC
    ctx.do_join()
  File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1390,
in do_join
    ctx.join_add_dns_records()
  File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1144,
in join_add_dns_records
    None)


So, next - try checking then adding the DC DNS record manually via:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#Verifying_and_Creating_the_objectGUID_Record


# ldbsearch -H /var/db/samba4/private/sam.ldb '(invocationId=*)'
--cross-ncs objectguid

# record 1
dn: CN=NTDS
Settings,CN=SERVER3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain
objectGUID: f44ee6af-47c7-4cb1-b29f-5d4470bc3063

# record 2
dn: CN=NTDS
Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain
objectGUID: f5bf75a2-8dae-4456-835e-a568910c9052

# returned 2 records
# 2 entries
# 0 referrals


# host -t CNAME f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain.
Host f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain not found:
3(NXDOMAIN)

# samba-tool dns add SERVER1 _msdcs.ad.mydomain
f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME SERVER3.ad.mydomain
-Uadministrator

root at server3:/var/db/samba4/private # samba-tool dns add SERVER1
_msdcs.ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME
SERVER3.ad.mydomain -Uadministrator
Password for [AD\administrator]:
ERROR(runtime): uncaught exception - (9601,
'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/dns.py", line
940, in run
    raise e


When I list the zones, I don't see the _msdcs zone like I do at other
domains - instead I have TrustAnchors.  But DNSSEC isn't configured at
SERVER1:

# samba-tool dns zonelist SERVER1 -U administrator

root at server3:/var/db/samba4/private # samba-tool dns zonelist SERVER1 -U
administrator
Password for [AD\administrator]:
  3 zone(s) found

  pszZoneName                 : 254.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_REVERSE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : NONE
  pszDpFqdn                   : None

  pszZoneName                 : ad.mydomain
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.ad.mydomain

  pszZoneName                 : TrustAnchors
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.ad.mydomain


So this is where I'm at now.  Earlier today I found a reference on another
thread or another list which I need to find again, which suggested this
might be a bug or issue with Samba 4.8 and higher.  I have not yet tried
adding Samba 4.7 to same domain.

Hopefully this helps narrow it, and of course any suggestions to help
resolve or continue troubleshooting are appreciated.

Thanks,
Andrew

More information about the samba mailing list