[Samba] Setup a Samba AD DC as an additional DC

Barry D. Adkins Barry at daram.com
Wed Dec 5 04:59:05 UTC 2018 

As I posted I've been dealing with this same problem for 3 weeks.  To the point I'm setting up a system to debug the problem.

Samba-tool complains that the Machine Account is not in the Secrets.LDB file and I can confirm IT IS NOT.  Only Records 1 & 2 are there.  Yet it throws this DNS zone does not exists exception.  I observe Samba Tool is writing AD data for a joined DC only to delete it when the join fails.

I've had to take a few days to sleep as I've been working numerous all-nighters working on this.  I expect in the next few days to have a system building Samba and then hope to setup debugging.  I was a systems software developer for Compaq from 1994 until 2002.  I can do it, but have to become familiar with such things on Linux and all the integrated scripts... python.  I did python development for Computational Analysis in 2015, but it was solely Python so we were using an IDE for Python.

I am committed to get this to work and we are also working to dump Exchange in order to migrate to all Samba AD DCs.  We embarked on a plan to just join a member server, which did not completely work.  Then upon support list member recommendation to add a Samba DC with NO success.  Later to learn that while we were planning to dump Exchange that we need to get that as a top priority which it can be.

-Barry Adkins

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Andrew Bartlett via samba
Sent: Tuesday, December 4, 2018 10:47 PM
To: Andrew Ruscica <andrew.lists at ruscica.com>; samba at lists.samba.org
Subject: Re: [Samba] Setup a Samba AD DC as an additional DC

On Tue, 2018-12-04 at 21:25 -0500, Andrew Ruscica via samba wrote:
> Apologies for not replying to the thread, I just subscribed to the 
> list, after a day of troubleshooting this.
> 
> Regarding:
> 9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST'
> 
> I am experiencing the same symptoms, in a simpler environment than the 
> original submitter at the previous thread:
> 
> Single Windows 2008R2 Domain Controller Schema version 47 No MS 
> Exchange

It is very likely 'just a bug'.  We do some DNS things trying to make sure the new DC can work the moment it starts (before that, folks had a lot of difficulty with the new DC not being in global DNS). 

This is different to what windows does, and there is a variety of different ways DNS can be set up on windows, so clearly it isn't interoperable right now.

Sorry about that. 

Andrew Bartlett

> Attempting to add a Samba 4 domain controller with the intention of 
> decommissioning the Windows Server.
> 
> Same symptoms from two different Samba 4 platforms:
> 
> FreeBSD 11.2 - samba 4.8.7 from packages CentOS 7 - samba 4.9.3 
> compiled from source
> 
> SERVER1 = Windows Server 2008R2 Standard
> SERVER3 = FreeBSD Samba Host
> 
> kinit and klist work fine.
> 
> # samba-tool domain join ad.mydomain DC -U"AD\administrator"
> --dns-backend=SAMBA_INTERNAL
> 
> ...
> Adding DNS CNAME record
> f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain for 
> SERVER3.ad.mydomain Join failed - cleaning up ...
> ERROR(runtime): uncaught exception - (9601,
> 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
>   File 
> "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 706, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 
> 1482, in join_DC
>     ctx.do_join()
>   File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 
> 1390, in do_join
>     ctx.join_add_dns_records()
>   File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 
> 1144, in join_add_dns_records
>     None)
> 
> 
> So, next - try checking then adding the DC DNS record manually via:
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Recor
> d#Verifying_and_Creating_the_objectGUID_Record
> 
> 
> # ldbsearch -H /var/db/samba4/private/sam.ldb '(invocationId=*)'
> --cross-ncs objectguid
> 
> # record 1
> dn: CN=NTDS
> Settings,CN=SERVER3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=ad,DC=mydomain
> objectGUID: f44ee6af-47c7-4cb1-b29f-5d4470bc3063
> 
> # record 2
> dn: CN=NTDS
> Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=ad,DC=mydomain
> objectGUID: f5bf75a2-8dae-4456-835e-a568910c9052
> 
> # returned 2 records
> # 2 entries
> # 0 referrals
> 
> 
> # host -t CNAME f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain.
> Host f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain not found:
> 3(NXDOMAIN)
> 
> # samba-tool dns add SERVER1 _msdcs.ad.mydomain
> f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME SERVER3.ad.mydomain 
> -Uadministrator
> 
> root at server3:/var/db/samba4/private # samba-tool dns add SERVER1 
> _msdcs.ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME 
> SERVER3.ad.mydomain -Uadministrator Password for [AD\administrator]:
> ERROR(runtime): uncaught exception - (9601,
> 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
>   File 
> "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/dns.py", 
> line 940, in run
>     raise e
> 
> 
> When I list the zones, I don't see the _msdcs zone like I do at other 
> domains - instead I have TrustAnchors.  But DNSSEC isn't configured at
> SERVER1:
> 
> # samba-tool dns zonelist SERVER1 -U administrator
> 
> root at server3:/var/db/samba4/private # samba-tool dns zonelist SERVER1 
> -U administrator Password for [AD\administrator]:
>   3 zone(s) found
> 
>   pszZoneName                 : 254.168.192.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_REVERSE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : NONE
>   pszDpFqdn                   : None
> 
>   pszZoneName                 : ad.mydomain
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.ad.mydomain
> 
>   pszZoneName                 : TrustAnchors
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
> DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.ad.mydomain
> 
> 
> So this is where I'm at now.  Earlier today I found a reference on 
> another thread or another list which I need to find again, which 
> suggested this might be a bug or issue with Samba 4.8 and higher.  I 
> have not yet tried adding Samba 4.7 to same domain.
> 
> Hopefully this helps narrow it, and of course any suggestions to help 
> resolve or continue troubleshooting are appreciated.
> 
> Thanks,
> Andrew
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list