[Samba] several dns issues after switching fsmo roles to samba-dc
Rowland penny
rpenny at samba.org
Tue Jun 2 15:22:21 UTC 2020
On 02/06/2020 16:08, Alex wrote:
> Hello Rowland,
>
>>> 3. I see the errors in the System log on the former DC (vm-dc1), like:
>>> The dynamic registration of the DNS record '_ldap._tcp.DomainDnsZones.domain.com. 600 IN SRV 0 100 389 vm-dc1.domain.com.' failed on the following DNS server:
>>>
>>> DNS server IP address: 172.26.1.83
>>> Returned Response Code (RCODE): 0
>>> Returned Status Code: 9016
>>> ...
>>> ADDITIONAL DATA
>>> Error Value: DNS signature failed to verify.
>>>
>>> (172.26.1.83 is the new PDC - vm-dc3)
>> Interesting, if it is in a log on a windows PC, then it is likely that
>> it is the windows DC trying to update the record, which it shouldn't and
>> will fail if vm-dc3 already has updated it.
> Indeed, the Windows DC tried to update the record.. The other day, I've found
> that the record is just missing (expired?). So, I've started to dig in and was
> able to resolve the issue in this way:
> 1. I could reproduce the issue by restarting NETLOGON service on the Windows DC.
> Also the following commands failed with "Connection Status = 1311 0x51f
> ERROR_NO_LOGON_SERVERS":
> nltest.exe /dsregdn
> nltest /query
> 2. After some googling, I've found the fixing command:
> nltest /sc_reset:domain.com
>
> After that, all vm-dc1 records were registered in the AD w/o issues
> using "nltest.exe /dsregdn" command.
> Unfortunately, it's failing again after restarting NETLOGON service.
>
As far as I am aware, there are certain dns records that each DC should
maintain for itself, you can find a list in the file 'dns_update_list'
on each Samba DC, this is used by the samba_dnsupdate script. I presume
a Windows DC uses a similar setup, but it should only attempt to update
its own records, perhaps this is the direction to look and I cannot help
here, I don't have a Windows DC.
Rowland
More information about the samba
mailing list