[Samba] DNS Updates after upgrade

Christian Naumer cn at brain-biotech.de
Mon Jun 29 10:31:41 UTC 2020

Hello everybody,
in the last weeks I started upgrading our DCs from CentOS 7 to CentOS 8. After
having read this and especially this: "Joining a DC to a domain can be a
troublesome process for some users, and it can be difficult to recover your
DC if something goes wrong", I really looked forward to this ... :-| So this
is a bit of a long read...

This domain was "classic upgraded" from an NT-style domain with Samba
version 4.4. All upgrades until now were done "in place".

We have 4 DCs: 3 VMs and one physical server. The Samba version is 4.12.3 on
all the DCs, before and after the upgrade. We are using the SerNet
packages. I was very careful and went step by step. Here is the general

-- Demote old DC
	-- check if all entries are gone as listed on the wiki
	-- run "samba-tool dbcheck --cross-ncs --fix" to remove deleted objects

-- Install new dc as per Wiki and my notes (Same Name same IP)
	-- Join DC
	-- run checks (samba-tool drs showrepl, samba-tool dbcheck --cross-ncs)
	-- Check DNS Updates (samba_dnsupdate --verbose --all-names)

Now here is how it worked out...

-- First DC: demote and rejoin with the same name and IP (after
installing a new VM) went fine. No errors! Great, now on to the next one, I
thought.... (actually I waited a few days)

-- Second DC: demote went fine. After the rejoin BIND would not start
because it complained about empty zones. I read about this on this list,
so I deleted those zones and the entries (just a few, so no big
problem). Now BIND did start and all checks (samba-tool drs showrepl;
samba-tool dbcheck --cross-ncs --fix; samba_dnsupdate --verbose
--all-names) are fine. DNS updates work. So on to the next one...

-- Third DC. This was the FSMO holder, so I transferred the roles to DC2.
After the join, BIND complained that ALL zones except the primary AD zone
were empty and would not start. So I again deleted them and
recreated the zones and the entries. All worked OK. No errors after I
fixed the zones.

-- The last DC (this one a physical server) I demoted and reinstalled on
the same hardware. I followed my notes and, because I had read some more in
the meantime, I added NS records for all DCs in all zones (they are
only added automatically to the AD zone, not to any reverse zones etc.).
After the join every check worked (samba-tool drs showrepl; samba-tool
dbcheck --cross-ncs --fix; samba_dnsupdate --verbose --all-names).
However, there is one problem: Windows clients cannot update their DNS
records on this DC. All the others work.

So here are my questions:

-- On two of the new joins I did, the KCC objects appeared only after
running samba_kcc. Is this normal or should I have waited a bit longer?

-- Do any of you manually add NS records for all DCs into all your zones
(specifically the reverse zones) or should this be done by Samba?

-- Is the file "/var/lib/samba/bind-dns/named.conf.update.static" still
needed? I needed this to get DNS updates from the clients working with
Samba 4.4 (the current version when this domain was provisioned). I
moved it from the private dir to the bind-dns dir. But named.conf.update
does not get created (on all DCs).

-- Last question: does anyone have an idea how to fix this? At the
moment I am inclined to just remove the offending DC and join it again.

Here is the log entry at debug level 5 from the dlz module on the
faulty DC:

27-Jun-2020 21:02:46.144 samba_dlz: DSDB Transaction [rollback] at [Sat,
27 Jun 2020 21:02:46.144303 CEST] duration [3618]
27-Jun-2020 21:02:46.144 samba_dlz: {"timestamp":
"2020-06-27T21:02:46.144494+0200", "type": "dsdbTransaction",
"dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action":
"rollback", "transactionId": "9cb08a1a-01d2-467c-a582-616185189020",
"duration": 3618}}
27-Jun-2020 21:02:46.144 samba_dlz: cancelling transaction on zone

Here from a working DC:

27-Jun-2020 21:04:24.308 samba_dlz: starting transaction on zone
27-Jun-2020 21:04:24.311 client @0x7f5ab01c88f0
update 'ad.domain.de/IN' denied
27-Jun-2020 21:04:24.311 samba_dlz: DSDB Transaction [rollback] at [Sat,
27 Jun 2020 21:04:24.311712 CEST] duration [2575]
27-Jun-2020 21:04:24.311 samba_dlz: {"timestamp":
"2020-06-27T21:04:24.311817+0200", "type": "dsdbTransaction",
"dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action":
"rollback", "transactionId": "cfaf0fd3-3bd5-47e6-a3ba-5523b4dea6f8", "duration": 2575}}
27-Jun-2020 21:04:24.312 samba_dlz: cancelling transaction on zone
27-Jun-2020 21:04:24.466 samba_dlz: starting transaction on zone
27-Jun-2020 21:04:24.468 samba_dlz: Starting GENSEC mechanism spnego
27-Jun-2020 21:04:24.468 samba_dlz: Starting GENSEC submechanism gssapi_krb5
27-Jun-2020 21:04:24.470 samba_dlz: gensec_gssapi: NO credentials were
27-Jun-2020 21:04:24.470 samba_dlz: GSSAPI Connection will be
cryptographically signed
27-Jun-2020 21:04:24.470 samba_dlz: Successful AuthZ: [(null),krb5] user
[S-1-5-21-773202902-494389186-2375354597-132211] at [Sat, 27 Jun 2020
21:04:24.470917 CEST] Remote host [NULL] local host [NULL]
27-Jun-2020 21:04:24.471 samba_dlz: {"timestamp":
"2020-06-27T21:04:24.471156+0200", "type": "Authorization",
"Authorization": {"version": {"major": 1, "minor": 1}, "localAddress":
null, "remoteAddress": null, "serviceDescription": null,
"authType": "krb5", "domain": "BRAIN-02", "account": "LANSWEEPER$",
"sid": "S-1-5-21-773202902-494389186-2375354597-132211", "sessionId":
"9887dc0f-41b2-4cb7-a7e8-b885ae239ac3", "logonServer": "DC2",
"transportProtection": "SIGN", "accountFlags": "0x00000080"}}
27-Jun-2020 21:04:24.474 samba_dlz: allowing update of
signer=LANSWEEPER\$\@ad.domain.DE name=lansweeper.ad.domain.de
tcpaddr= type=AAAA

Here are the relevant configs:

[global]
        netbios name = DC1
        realm = AD.DOMAIN.DE
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN-02
        log level = 1 auth_audit:4 dsdb_password_audit:5 dsdb_transaction_audit:5 dsdb_group_audit:5
        #log level = 10
        logging = syslog
        server role = active directory domain controller
        dns zone scavenging = yes
        prefork children = 8
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        template homedir = /home/%U
        #ntlm auth = yes
        ntlm auth = mschapv2-and-ntlmv2-only
        disable netbios = yes
        smb ports = 445
        server min protocol = SMB2
        client min protocol = SMB2
        tls enabled  = yes
        tls keyfile  = tls/server_de.key
        tls certfile = tls/server.pem
        tls cafile   = tls/ca.pem
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab

[netlogon]
        path = /var/lib/samba/sysvol/AD.DOMAIN.de/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

# Global BIND configuration options
include "/var/lib/samba/bind-dns/named.conf";
options {
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    minimal-responses yes;
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    allow-query {
        # [ACL entries not preserved in the archived message]
        # add other networks you want to allow to query your DNS
    };

    allow-recursion {
        # [ACL entries not preserved in the archived message]
        # add other networks you want to allow to do recursive queries
    };

    forwarders {
        # [forwarder addresses not preserved in the archived message]
        # Google public DNS server here - replace with your own if necessary;
    };

    allow-transfer {
        # [ACL entries not preserved in the archived message]
        # this config is for a single master DNS server
    };
};

# Root servers (required zone for recursive queries)
zone "." {
    type hint;
    file "named.root";
};

# Required localhost forward-/reverse zones
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";

    # For BIND 9.12.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_12.so";
};

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.DOMAIN.DE
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

Thanks for any help!

Dr. Christian Naumer
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Executive board: Adriaan Moelker (Chairman), Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
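To compare the two dlz log excerpts mechanically, here is an added Python example (mine, not from the post or from Samba) that groups samba_dlz debug lines into update transactions and flags the pattern the faulty DC shows: rollbacks with no Authorization audit event at all. A single unauthenticated rollback by itself is normal (on the working DC the client's first unsigned attempt is denied before it retries with GSS-TSIG), so the flag only fires when no transaction in the log ever authenticates. The sample log lines, account name, SID and domain are constructed.

```python
import json
import re

# Constructed sample modelled on the samba_dlz debug output quoted in the post:
# one transaction that rolls back with no authentication step, then one where
# the client authenticates via GSS-TSIG (Kerberos) and the update is allowed.
SAMPLE_LOG = """\
27-Jun-2020 21:02:46.100 samba_dlz: starting transaction on zone
27-Jun-2020 21:02:46.144 samba_dlz: {"timestamp": "2020-06-27T21:02:46.144494+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "00000000-0000-0000-0000-000000000001", "duration": 3618}}
27-Jun-2020 21:02:46.144 samba_dlz: cancelling transaction on zone
27-Jun-2020 21:04:24.466 samba_dlz: starting transaction on zone
27-Jun-2020 21:04:24.468 samba_dlz: Starting GENSEC mechanism spnego
27-Jun-2020 21:04:24.471 samba_dlz: {"timestamp": "2020-06-27T21:04:24.471156+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "authType": "krb5", "domain": "EXAMPLE", "account": "HOST1$", "sid": "S-1-5-21-0-0-0-1001", "transportProtection": "SIGN"}}
27-Jun-2020 21:04:24.474 samba_dlz: allowing update of signer=HOST1\\$\\@ad.example.test name=host1.ad.example.test tcpaddr= type=AAAA
"""
# Only the first transaction, which is all the faulty DC in the post logs.
FAULTY_LOG = "\n".join(SAMPLE_LOG.splitlines()[:3])
JSON_EVENT = re.compile(r"^\S+ \S+ samba_dlz: (\{.*\})$")

def parse_transactions(log_text):
    """Group samba_dlz lines into update transactions, noting any Authorization event."""
    transactions, current = [], None
    for line in log_text.splitlines():
        if "starting transaction on zone" in line:
            current = {"authenticated": False, "account": None, "outcome": "unknown"}
            continue
        if current is None:
            continue
        m = JSON_EVENT.match(line)
        if m:
            event = json.loads(m.group(1))
            if event["type"] == "Authorization":
                current["authenticated"] = True
                current["account"] = event["Authorization"]["account"]
            elif event["type"] == "dsdbTransaction":
                current["outcome"] = event["dsdbTransaction"]["action"]
        elif "allowing update of" in line:
            current["outcome"] = "allowed"
        if "allowing update of" in line or "cancelling transaction on zone" in line:
            transactions.append(current)
            current = None
    return transactions

def summarize(log_text):
    """Counts plus a flag for the faulty-DC pattern: rollbacks but no GSS-TSIG authorization."""
    txs = parse_transactions(log_text)
    authed = sum(1 for t in txs if t["authenticated"])
    rollbacks = sum(1 for t in txs if t["outcome"] == "rollback")
    return {"transactions": len(txs), "authenticated": authed, "rollbacks": rollbacks,
            "gss_tsig_never_seen": rollbacks > 0 and authed == 0}
```

Run it over the named.log of each DC (with the same debug settings as in the post) and compare the summaries: a DC whose summary never shows an authenticated transaction is failing before the Kerberos step, i.e. in the TKEY/keytab setup rather than in the AD database.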