[Samba] pdc emulator dns record missing after transferring role
Alex
samba at abisoft.biz
Wed Mar 18 12:28:48 UTC 2020
Hello Rowland,
>> During the migration from Windows DCs to Samba DCs, the following issue came up:
>> after transferring PDC emulator role to a samba DC, the according DNS record
>> wasn't re-created:
>>
> Yes and no (well not in the way you are thinking)
> Yes, you are missing the fact that the dns_update_list has this:
> # The PDC emulator
> ${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
I don't miss it. I've checked dns_update_list before writing, which made me
think there's a bug here, along with the fact that after switching the role
back to the Windows DC the pdc record appeared almost immediately.
> If this is the DC with the PDC Emulator role, but doesn't have the
> required dns record, samba_dnsupdate should create it next time it is
> run and Samba runs it regularly.
Hm.. I was waiting for several minutes after the role was transferred - the
record wasn't created. Wouldn't it be a good enhancement if the fsmo transfer
command issued samba_dnsupdate right after the role has been transferred?
Just transferred the PDC role to the samba DC again and manually issued the
"samba_dnsupdate --use-samba-tool --fail-immediately" command right after that.
No pdc record was added and this error came up:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
    raise e
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
    0, server, zone, name, add_rec_buf, None)
Gave it one more try by restarting samba - same result: no pdc record and that
error in the log.
Any ideas?
> No, it isn't a bug, except after checking on my domain, I find I have
> two dns records for _ldap._tcp.pdc._msdcs.samdom.example.com and you can
> only have one PDC Emulator. I will have to examine the code (it could
> just be my domain), but it is possible that there is no code to delete
> the dns record if the computer isn't the PDC Emulator.
It would be great to add such code along with code which will clean things up
after the samba DC is demoted - I had to manually delete all the dns records
multiple times during my tests (which is annoying :).
--
Best regards,
Alex
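
A check for the two conditions raised in this thread (no PDC record after the role transfer, and more than one record for a role only one DC can hold), as an added example that is not part of the original post or of Samba. It assumes the usual line formats of `samba-tool fsmo show` and `dig +short SRV`; the host names and sample outputs are constructed, and it assumes a DC's DNS host label equals its server object CN.

```python
import re

# Constructed sample of `samba-tool fsmo show` output (PDC line only).
FSMO_SHOW = (
    "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SAMBADC1,CN=Servers,"
    "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,"
    "DC=samdom,DC=example,DC=com\n"
)
# Constructed `dig +short SRV _ldap._tcp.pdc._msdcs.samdom.example.com` output.
DIG_SHORT = (
    "0 100 389 windc1.samdom.example.com.\n"
    "0 100 389 sambadc1.samdom.example.com.\n"
)


def pdc_owner(fsmo_show_output):
    """Return the lowercase server CN that holds the PDC emulator role."""
    m = re.search(r"^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=([^,]+),",
                  fsmo_show_output, re.MULTILINE)
    if m is None:
        raise ValueError("PdcEmulationMasterRole line not found")
    return m.group(1).lower()


def srv_targets(dig_short_output):
    """Parse 'priority weight port target.' lines into (host, port) pairs."""
    pairs = []
    for line in dig_short_output.splitlines():
        fields = line.split()
        if len(fields) == 4 and all(f.isdigit() for f in fields[:3]):
            pairs.append((fields[3].rstrip(".").lower(), int(fields[2])))
    return pairs


def audit_pdc_srv(fsmo_show_output, dig_short_output, ldap_port=389):
    """Return findings; an empty list means only the role holder is published."""
    owner = pdc_owner(fsmo_show_output)
    findings, matched = [], False
    for host, port in srv_targets(dig_short_output):
        # Assumption: the DC's DNS host label equals its server object CN.
        if host.split(".")[0] != owner:
            findings.append(("stale", host))       # record for a non-holder
        elif port != ldap_port:
            findings.append(("wrong-port", host))
        else:
            matched = True
    if not matched:
        findings.append(("missing", owner))        # holder has no record
    return findings
```

Feeding it the real command output after each role transfer shows whether the old holder's record lingered or the new holder's record was never registered.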