[Samba] Setup a Samba AD DC as an additional DC
Andrew Bartlett
abartlet at samba.org
Wed Dec 5 04:46:34 UTC 2018
On Tue, 2018-12-04 at 21:25 -0500, Andrew Ruscica via samba wrote:
> Apologies for not replying to the thread, I just subscribed to the list,
> after a day of troubleshooting this.
>
> Regarding:
> 9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST'
>
> I am experiencing the same symptoms, in a simpler environment than the
> original submitter at the previous thread:
>
> Single Windows 2008R2 Domain Controller
> Schema version 47
> No MS Exchange
It is very likely 'just a bug'. We do some DNS things trying to make
sure the new DC can work the moment it starts (before that, folks had a
lot of difficulty with the new DC not being in global DNS).
This is different to what Windows does, and there is a variety of
different ways DNS can be set up on Windows, so clearly it isn't
interoperable right now.
Sorry about that.
Andrew Bartlett
> Attempting to add a Samba 4 domain controller with the intention of
> decommissioning the Windows Server.
>
> Same symptoms from two different Samba 4 platforms:
>
> FreeBSD 11.2 - samba 4.8.7 from packages
> CentOS 7 - samba 4.9.3 compiled from source
>
> SERVER1 = Windows Server 2008R2 Standard
> SERVER3 = FreeBSD Samba Host
>
> kinit and klist work fine.
>
> # samba-tool domain join ad.mydomain DC -U"AD\administrator" --dns-backend=SAMBA_INTERNAL
>
> ...
> Adding DNS CNAME record
> f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain for
> SERVER3.ad.mydomain
> Join failed - cleaning up
> ...
> ERROR(runtime): uncaught exception - (9601,
> 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
> File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 706, in run
> plaintext_secrets=plaintext_secrets)
> File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1482,
> in join_DC
> ctx.do_join()
> File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1390,
> in do_join
> ctx.join_add_dns_records()
> File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1144,
> in join_add_dns_records
> None)
>
>
> So, next - try checking then adding the DC DNS record manually via:
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#Verifying_and_Creating_the_objectGUID_Record
>
>
> # ldbsearch -H /var/db/samba4/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
>
> # record 1
> dn: CN=NTDS
> Settings,CN=SERVER3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain
> objectGUID: f44ee6af-47c7-4cb1-b29f-5d4470bc3063
>
> # record 2
> dn: CN=NTDS
> Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain
> objectGUID: f5bf75a2-8dae-4456-835e-a568910c9052
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
>
> # host -t CNAME f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain.
> Host f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain not found:
> 3(NXDOMAIN)
>
> # samba-tool dns add SERVER1 _msdcs.ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME SERVER3.ad.mydomain -Uadministrator
>
> root at server3:/var/db/samba4/private # samba-tool dns add SERVER1 _msdcs.ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME SERVER3.ad.mydomain -Uadministrator
> Password for [AD\administrator]:
> ERROR(runtime): uncaught exception - (9601,
> 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
> File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/local/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> 940, in run
> raise e
>
>
> When I list the zones, I don't see the _msdcs zone like I do at other
> domains - instead I have TrustAnchors. But DNSSEC isn't configured at
> SERVER1:
>
> # samba-tool dns zonelist SERVER1 -U administrator
>
> root at server3:/var/db/samba4/private # samba-tool dns zonelist SERVER1 -U administrator
> Password for [AD\administrator]:
> 3 zone(s) found
>
> pszZoneName : 254.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_REVERSE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : NONE
> pszDpFqdn : None
>
> pszZoneName : ad.mydomain
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.ad.mydomain
>
> pszZoneName : TrustAnchors
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.ad.mydomain
>
>
> So this is where I'm at now. Earlier today I found a reference on another
> thread or another list which I need to find again, which suggested this
> might be a bug or issue with Samba 4.8 and higher. I have not yet tried
> adding Samba 4.7 to same domain.
>
> Hopefully this helps narrow it, and of course any suggestions to help
> resolve or continue troubleshooting are appreciated.
>
> Thanks,
> Andrew
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
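The failure in the thread comes down to zone selection: the join tries to add the objectGUID CNAME into a zone literally named `_msdcs.ad.mydomain`, but on this 2008R2 DC `_msdcs` is only a subdomain inside the `ad.mydomain` zone, so the DNS RPC answers WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST. The following is an added example, not code from the thread or from the Samba project. It parses the `samba-tool dns zonelist` output format quoted above (the sample below is constructed from it), picks the longest existing zone that is a label-aligned suffix of the record's FQDN, and derives the relative record name for that zone. The `plan_dc_cname` helper, its arguments, and the assumption that `samba-tool dns add` accepts a dotted relative name such as `<guid>._msdcs` below the zone apex are all mine, not something the thread confirms.

```python
"""Choose the DNS zone that should hold a DC's objectGUID CNAME record.

Added example (not from the thread or Samba): given samba-tool dns
zonelist output, find the zone authoritative for
<guid>._msdcs.<domain> and the relative name to use inside it.
"""
import re

# Constructed sample, modelled on the zonelist output quoted in the thread.
ZONELIST_OUTPUT = """\
3 zone(s) found

  pszZoneName                 : 254.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_REVERSE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY

  pszZoneName                 : ad.mydomain
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY

  pszZoneName                 : TrustAnchors
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
"""

ZONE_RE = re.compile(r"^\s*pszZoneName\s*:\s*(\S+)\s*$", re.MULTILINE)


def parse_zones(zonelist_text):
    """Return the zone names (lower-cased, no trailing dot) from zonelist output."""
    return [z.rstrip(".").lower() for z in ZONE_RE.findall(zonelist_text)]


def split_labels(name):
    """Split a DNS name into its labels, normalised for comparison."""
    return name.rstrip(".").lower().split(".")


def find_zone_for(fqdn, zones):
    """Longest-suffix, label-aligned match of fqdn against the known zones.

    Returns (zone, relative_name); the apex itself maps to "@". Returns
    (None, None) when no listed zone is authoritative for the name. Label
    alignment matters: zone "mydomain" must not claim "ad.notmydomain".
    """
    labels = split_labels(fqdn)
    best = None
    for zone in zones:
        zl = split_labels(zone)
        if len(zl) <= len(labels) and labels[-len(zl):] == zl:
            if best is None or len(zl) > len(split_labels(best)):
                best = zone
    if best is None:
        return None, None
    rel_labels = labels[:-len(split_labels(best))]
    return best, ".".join(rel_labels) if rel_labels else "@"


def plan_dc_cname(server, guid, dc_fqdn, domain, zonelist_text):
    """Work out where the DC's _msdcs CNAME belongs and the command to add it.

    With a dedicated _msdcs.<domain> zone the record name is just the GUID;
    without one (the thread's situation) it goes into the enclosing domain
    zone as "<guid>._msdcs". Assumption: samba-tool dns add accepts that
    dotted relative name; the command is returned, not executed.
    """
    zones = parse_zones(zonelist_text)
    fqdn = f"{guid}._msdcs.{domain}"
    zone, rel = find_zone_for(fqdn, zones)
    if zone is None:
        raise LookupError(f"no zone on {server} is authoritative for {fqdn}")
    cmd = ["samba-tool", "dns", "add", server, zone, rel, "CNAME", dc_fqdn]
    return zone, rel, cmd


if __name__ == "__main__":
    guid = "f44ee6af-47c7-4cb1-b29f-5d4470bc3063"
    zone, rel, cmd = plan_dc_cname("SERVER1", guid, "SERVER3.ad.mydomain",
                                   "ad.mydomain", ZONELIST_OUTPUT)
    print(zone, rel)
    print(" ".join(cmd))
```

Run against the zonelist from the thread this selects `ad.mydomain` with the relative name `<guid>._msdcs`, which is the check worth doing by hand before retrying a join: confirm which zone the DC actually serves for `_msdcs` rather than assuming a separate forest zone exists.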