[Samba] Replication not working for remote Domain Controller

shacky shacky83 at gmail.com
Fri Dec 27 19:46:15 UTC 2019


Hi, sorry for the late reply!
Here are the results of the command:

======================================================================
root at dc1:/ (20:39:47)# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'dc=my,dc=domain,dc=com' -s sub '(|(dnsRoot=DomainDnsZones.my.domain.com)(dnsRoot=ForestDnsZones.my.domain.com))' nCName
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=8aa53516-60b1-4be7-b9fd-d73e4c3f2fd2,CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=com
nCName: DC=DomainDnsZones,DC=my,DC=domain,DC=com

# record 2
dn: CN=b1601ad2-0321-401b-9d02-ca9827e133af,CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=com
nCName: DC=ForestDnsZones,DC=my,DC=domain,DC=com

# returned 2 records
# 2 entries
# 0 referrals
======================================================================

I checked in the Windows DNS client application, and in fact some DNS
records seem to be present:

- _kerberos.dc._msdcs.my.domain.com (SRV) -> dc1.my.domain.com
- _kerberos.dc._msdcs.my.domain.com (SRV) -> dc2.my.domain.com
- _ldap.dc._msdcs.my.domain.com (SRV) -> dc1.my.domain.com
- _ldap.dc._msdcs.my.domain.com (SRV) -> dc2.my.domain.com
- _kerberos.mysite._sites.dc._msdcs.my.domain.com (SRV) -> dc1.my.domain.com
- _kerberos.mysite._sites.dc._msdcs.my.domain.com (SRV) -> dc2.my.domain.com
- _ldap.mysite._sites.dc._msdcs.my.domain.com (SRV) -> dc1.my.domain.com
- _ldap.mysite._sites.dc._msdcs.my.domain.com (SRV) -> dc2.my.domain.com
... and so on

Thanks!

On Wed 18 Dec 2019 at 14:35, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 18/12/2019 11:56, shacky wrote:
> > Hi Rowland,
> >
> >     I have been doing a bit of investigation and I 'think' we do have
> >     a tool ;-)
> >     If you examine 'samba_upgradedns', at the top it says this:
> >     # Upgrade DNS provision from BIND9_FLATFILE to BIND9_DLZ or
> >     SAMBA_INTERNAL
> >     I think if you use it to upgrade to either BIND_DLZ or
> >     SAMBA_INTERNAL,
> >     it should create the required AD objects.
> >
> >
> > I cloned the DC in a sandbox and tried samba_upgradedns:
> >
> > ===============================================
> > root at dc1:/ # samba_upgradedns --dns-backend=BIND9_DLZ
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > Reading domain information
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > DNS accounts already exist
> > No zone file /var/lib/samba/private/dns/MY.DOMAIN.COM.zone
> > DNS records will be automatically created
> > DNS partitions already exist
> > dns-dc1 account already exists
> > See /var/lib/samba/private/named.conf for an example configuration
> > include file for BIND
> > and /var/lib/samba/private/named.txt for further documentation
> > required for secure DNS updates
> > Finished upgrading DNS
> > ===============================================
> >
> > But after that ldbsearch output is empty anyway:
> >
> > ===============================================
> > root at dc1:/ (17:23:33)# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'DC=my.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=com' -s sub '(objectclass=dnsnode)' | grep dn
> >
> > root at dc1:/ (17:23:36)#
> > ===============================================
> >
> > :-(
>
> I think I understand what is happening. It checks if a couple of records
> exist and if they don't, it creates them along with other missing
> records, but it looks like they do exist, but the other records don't.
>
> You can check this with:
>
> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(|(dnsRoot=DomainDnsZones.samdom.example.com)(dnsRoot=ForestDnsZones.samdom.example.com))' nCName
>
> I can probably use parts of samba_upgradedns to add your missing
> records, just have to decide what parts to use ;-)
>
> Rowland
>
>
>
>
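The state Rowland describes (the DomainDnsZones and ForestDnsZones crossRef objects exist, so samba_upgradedns reports "DNS partitions already exist" and creates nothing, while the zone itself holds no dnsNode objects) can be checked from the output of the two ldbsearch commands in this thread. The script below is an added example, not code from the thread or from Samba: it builds the two searches for a given domain name and parses captured ldbsearch output (including the mail-wrapped `dn:` lines seen above) to classify the result. All function names are my own, and the sample outputs are constructed (the two crossRef GUIDs are copied from the output posted in the thread).

```python
"""Offline checker for the Samba AD DNS state discussed in the thread:
DNS partition crossRefs present, but no dnsNode records in the zone.

Added example, not part of the thread or of Samba. It parses the text that
ldbsearch prints instead of opening sam.ldb, so it runs on captured output;
the function names and the sample outputs below are constructed.
"""

SAM_LDB = "/var/lib/samba/private/sam.ldb"


def domain_dn(dns_name):
    """'my.domain.com' -> 'DC=my,DC=domain,DC=com'."""
    labels = [l for l in dns_name.strip().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + l for l in labels)


def partition_check_cmd(dns_name, sam_ldb=SAM_LDB):
    """argv for the crossRef search Rowland posted (which naming contexts
    back the two DNS application partitions)."""
    expr = ("(|(dnsRoot=DomainDnsZones.%s)(dnsRoot=ForestDnsZones.%s))"
            % (dns_name, dns_name))
    return ["ldbsearch", "--cross-ncs", "-H", sam_ldb, "-b", domain_dn(dns_name),
            "-s", "sub", expr, "nCName"]


def dnsnode_check_cmd(dns_name, sam_ldb=SAM_LDB):
    """argv for the dnsNode search of the domain zone, i.e. the search that
    came back empty in the thread."""
    base = "DC=%s,CN=MicrosoftDNS,DC=DomainDnsZones,%s" % (dns_name, domain_dn(dns_name))
    return ["ldbsearch", "--cross-ncs", "-H", sam_ldb, "-b", base,
            "-s", "sub", "(objectclass=dnsnode)", "dn"]


def parse_ldbsearch(text):
    """Parse ldbsearch output into a list of {attribute: [values]} dicts.

    '#' lines are comments, 'GENSEC backend ...' lines are startup noise.
    A line starting with whitespace (LDIF folding) or containing no ':'
    (a value wrapped by a mail client, as in the thread) continues the
    previous value. 'attr:: value' marks a base64 value; it is kept encoded.
    """
    records, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#") or raw.startswith("GENSEC backend"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last_attr = None, None
            continue
        if raw[0] in " \t" or ":" not in raw:
            if last_attr is not None:
                current[last_attr][-1] += raw.strip()
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        if value.startswith(":"):          # 'attr:: base64'
            value = value[1:].strip()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        records.append(current)
    return records


def diagnose(partition_output, dnsnode_output):
    """Classify the outputs of the two searches.

    'ok'                          both crossRefs and at least one dnsNode
    'partitions-without-records'  the thread's case: crossRefs present, zone empty
    'partitions-missing'          a crossRef is absent (samba_upgradedns would
                                  create the partitions itself)
    """
    ncnames = sorted(v for r in parse_ldbsearch(partition_output)
                     for v in r.get("nCName", []))
    nodes = [r["dn"][0] for r in parse_ldbsearch(dnsnode_output) if "dn" in r]
    have_domain = any(v.upper().startswith("DC=DOMAINDNSZONES,") for v in ncnames)
    have_forest = any(v.upper().startswith("DC=FORESTDNSZONES,") for v in ncnames)
    if not (have_domain and have_forest):
        state = "partitions-missing"
    elif not nodes:
        state = "partitions-without-records"
    else:
        state = "ok"
    return {"state": state, "nCName": ncnames, "dnsnode_count": len(nodes)}


# Constructed sample: the crossRef search as it appeared in the thread
# (GUIDs copied from there), including the mail-wrapped dn: lines.
SAMPLE_PARTITIONS = """\
GENSEC backend 'gssapi_spnego' registered
# record 1
dn:
CN=8aa53516-60b1-4be7-b9fd-d73e4c3f2fd2,CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=com
nCName: DC=DomainDnsZones,DC=my,DC=domain,DC=com

# record 2
dn:
CN=b1601ad2-0321-401b-9d02-ca9827e133af,CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=com
nCName: DC=ForestDnsZones,DC=my,DC=domain,DC=com

# returned 2 records
"""

# Constructed sample of what a populated zone returns for the second search.
SAMPLE_NODES = """\
# record 1
dn: DC=@,DC=my.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=com

# record 2
dn: DC=dc1,DC=my.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=com

# returned 2 records
"""

if __name__ == "__main__":
    print(" ".join(partition_check_cmd("my.domain.com")))
    print(diagnose(SAMPLE_PARTITIONS, ""))            # the thread's situation
    print(diagnose(SAMPLE_PARTITIONS, SAMPLE_NODES))  # a populated zone
```

To use it on a real DC, run the two argv lists from `partition_check_cmd` and `dnsnode_check_cmd` (for example with `subprocess.run(..., capture_output=True, text=True)`) and pass their stdout to `diagnose`; `partitions-without-records` is the combination that makes samba_upgradedns skip record creation.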