[Samba] Setup a Samba AD DC as an additional DC

Andrew Bartlett abartlet at samba.org
Wed Dec 5 04:46:34 UTC 2018


On Tue, 2018-12-04 at 21:25 -0500, Andrew Ruscica via samba wrote:
> Apologies for not replying to the thread; I just subscribed to the list
> after a day of troubleshooting this.
> 
> Regarding:
> 9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST'
> 
> I am experiencing the same symptoms, in a simpler environment than the
> original submitter at the previous thread:
> 
> Single Windows 2008R2 Domain Controller
> Schema version 47
> No MS Exchange

It is very likely 'just a bug'.  We do some DNS things trying to make
sure the new DC can work the moment it starts (before that, folks had a
lot of difficulty with the new DC not being in global DNS). 

This is different to what Windows does, and there is a variety of
different ways DNS can be set up on Windows, so clearly it isn't
interoperable right now.

Sorry about that. 

Andrew Bartlett

> Attempting to add a Samba 4 domain controller with the intention of
> decommissioning the Windows Server.
> 
> Same symptoms from two different Samba 4 platforms:
> 
> FreeBSD 11.2 - samba 4.8.7 from packages
> CentOS 7 - samba 4.9.3 compiled from source
> 
> SERVER1 = Windows Server 2008R2 Standard
> SERVER3 = FreeBSD Samba Host
> 
> kinit and klist work fine.
> 
> # samba-tool domain join ad.mydomain DC -U"AD\administrator" --dns-backend=SAMBA_INTERNAL
> 
> ...
> Adding DNS CNAME record
> f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain for
> SERVER3.ad.mydomain
> Join failed - cleaning up
> ...
> ERROR(runtime): uncaught exception - (9601,
> 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 706, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1482,
> in join_DC
>     ctx.do_join()
>   File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1390,
> in do_join
>     ctx.join_add_dns_records()
>   File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1144,
> in join_add_dns_records
>     None)
> 
> 
> So, next - try checking then adding the DC DNS record manually via:
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#Verifying_and_Creating_the_objectGUID_Record
> 
> 
> # ldbsearch -H /var/db/samba4/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
> 
> # record 1
> dn: CN=NTDS Settings,CN=SERVER3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain
> objectGUID: f44ee6af-47c7-4cb1-b29f-5d4470bc3063
> 
> # record 2
> dn: CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain
> objectGUID: f5bf75a2-8dae-4456-835e-a568910c9052
> 
> # returned 2 records
> # 2 entries
> # 0 referrals
> 
> 
> # host -t CNAME f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain.
> Host f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain not found:
> 3(NXDOMAIN)
> 
> # samba-tool dns add SERVER1 _msdcs.ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME SERVER3.ad.mydomain -Uadministrator
> 
> root at server3:/var/db/samba4/private # samba-tool dns add SERVER1 _msdcs.ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME SERVER3.ad.mydomain -Uadministrator
> Password for [AD\administrator]:
> ERROR(runtime): uncaught exception - (9601,
> 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> 940, in run
>     raise e
> 
> 
> When I list the zones, I don't see the _msdcs zone like I do at other
> domains - instead I have TrustAnchors.  But DNSSEC isn't configured at
> SERVER1:
> 
> # samba-tool dns zonelist SERVER1 -U administrator
> 
> root at server3:/var/db/samba4/private # samba-tool dns zonelist SERVER1 -U administrator
> Password for [AD\administrator]:
>   3 zone(s) found
> 
>   pszZoneName                 : 254.168.192.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_REVERSE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : NONE
>   pszDpFqdn                   : None
> 
>   pszZoneName                 : ad.mydomain
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.ad.mydomain
> 
>   pszZoneName                 : TrustAnchors
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.ad.mydomain
> 
> 
> So this is where I'm at now.  Earlier today I found a reference on another
> thread or another list which I need to find again, which suggested this
> might be a bug or issue with Samba 4.8 and higher.  I have not yet tried
> adding Samba 4.7 to same domain.
> 
> Hopefully this helps narrow it, and of course any suggestions to help
> resolve or continue troubleshooting are appreciated.
> 
> Thanks,
> Andrew
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
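Both failing commands in the thread (the join's own "Adding DNS CNAME record" step and the manual `samba-tool dns add`) target a zone literally named `_msdcs.ad.mydomain`, and the zonelist that follows shows no such zone: the Windows DC serves only `ad.mydomain`, `TrustAnchors` and a reverse zone. The script below is an added example, not part of this thread or of Samba's code. It reads `samba-tool dns zonelist` output and works out which zone and record name the objectGUID CNAME would have to use on that server, then prints the `samba-tool dns add` command rather than running it. Its one assumption, mine and not confirmed anywhere in the thread, is that when no dedicated `_msdcs.<forest>` zone is served, the `_msdcs` names live as a subdomain inside the domain zone itself (the layout Windows 2000 DNS created, which a domain that has been upgraded since can keep); the function names and the sample zonelist text are constructed for the example.

```shell
#!/bin/sh
# Decide where a DC's objectGUID CNAME belongs from 'samba-tool dns zonelist' output.
# Added example, not Samba code. Assumption (unconfirmed in the thread): if no
# dedicated _msdcs.<forest> zone is listed, the _msdcs names are a subdomain of
# the domain zone, so the record name becomes GUID._msdcs inside that zone.

# Constructed sample, shaped like the zonelist output quoted in the thread
# (only the pszZoneName lines are read).
ZONELIST_SAMPLE='  3 zone(s) found

  pszZoneName                 : 254.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_REVERSE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY

  pszZoneName                 : ad.mydomain
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY

  pszZoneName                 : TrustAnchors
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
'

# zone_exists ZONE   (zonelist output on stdin)
# Succeeds if some pszZoneName line names exactly ZONE (case-insensitive,
# dots escaped so "ad.mydomain" cannot match "adXmydomain").
zone_exists() {
    pat=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    grep -Ei "^[[:space:]]*pszZoneName[[:space:]]*:[[:space:]]*${pat}[[:space:]]*$" >/dev/null
}

# msdcs_record_location FOREST GUID   (zonelist output on stdin)
# Prints "ZONE NAME" in the positional order 'samba-tool dns add SERVER ZONE NAME ...' takes:
#   dedicated _msdcs zone served -> "_msdcs.FOREST GUID"
#   only the domain zone served  -> "FOREST GUID._msdcs"   (the assumed layout)
# Fails if neither zone is served, since the record cannot be created there at all.
msdcs_record_location() {
    forest=$1
    guid=$2
    list=$(cat)
    if printf '%s\n' "$list" | zone_exists "_msdcs.$forest"; then
        printf '%s %s\n' "_msdcs.$forest" "$guid"
    elif printf '%s\n' "$list" | zone_exists "$forest"; then
        printf '%s %s\n' "$forest" "$guid._msdcs"
    else
        echo "neither _msdcs.$forest nor $forest is served by this DNS server" >&2
        return 1
    fi
}

# build_add_cmd DNS_SERVER FOREST GUID TARGET_FQDN   (zonelist output on stdin)
# Prints the samba-tool command instead of executing it, so it is safe to try first.
build_add_cmd() {
    dns_server=$1
    forest=$2
    guid=$3
    target=$4
    loc=$(msdcs_record_location "$forest" "$guid") || return 1
    set -- $loc
    printf 'samba-tool dns add %s %s %s CNAME %s -Uadministrator\n' \
        "$dns_server" "$1" "$2" "$target"
}

# Stand-alone run against the constructed sample; the GUID is SERVER3's
# NTDS Settings objectGUID as shown by the ldbsearch in the thread.
printf '%s\n' "$ZONELIST_SAMPLE" |
    build_add_cmd SERVER1 ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 SERVER3.ad.mydomain
```

In real use, replace the constructed sample with `samba-tool dns zonelist SERVER1 -U administrator` piped into `build_add_cmd`, and check the printed command against the zonelist before running it; whether a record under `ad.mydomain` named `GUID._msdcs` is enough for the join to proceed is exactly the interoperability question Andrew Bartlett's reply leaves open, so treat the output as a diagnostic, not a fix.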
