[Samba] Internal DNS not coming up in 4.18.0

Anantha Raghava raghav at exzatechconsulting.com
Thu Mar 23 07:34:32 UTC 2023


Hi,

Also, I tried to create the zone using the samba-tool dns zone create 
<server> <zone> command. It asks for the domain password; on providing 
the password, I receive an "rpc server error - 
WERR_DNS_ERROR_DS_UNAVAILABLE" error.

Thanks & Regards,

Anantha Raghava H A

DISCLAIMER:
This e-mail communication and any attachments may be privileged and 
confidential to Exzatech Consulting And Services Pvt. Ltd., Bangalore, 
and are intended only for the use of the recipients named above If you 
are not the addressee you may not copy, forward, disclose or use any 
part of it. If you have received this message in error, please delete it 
and all copies from your system and notify the sender immediately by 
return e-mail. Internet communications cannot be guaranteed to be 
timely, secure, error or virus-free. The sender does not accept 
liability for any errors or omissions.

Do not print this e-mail unless required. Save Paper & trees.


On 23/03/23 11:42 am, Anantha Raghava wrote:
>
> Hello Rowland,
>
> ldbsearch command is returning 0 records.
>
> # returned 0 records
> # 0 entries
> # 0 referrals
>
> On the backup front, I take the back up using samba-tool backup 
> command and it was successful.
>
> Can I create a new ForestZone using samba-tool? I am asking this question 
> as RSAT is not connecting to the DNS server.
>
> Thanks & Regards,
>
> Anantha Raghava H A
>
>
> On 22/03/23 5:47 pm, Rowland Penny via samba wrote:
>>
>>
>> On 22/03/2023 01:04, Anantha Raghava via samba wrote:
>>> Hi,
>>>
>>> While upgrading Samba AD from 4.15.9 to version 4.18, I ran into a 
>>> peculiar problem. The AD component is up, but DNS is just not coming up. 
>>> kinit is reporting a "KDC not found" problem.
>>>
>>> All these years I have been compiling Samba from source and for 
>>> nearly 7 years it was working like a charm. But during this upgrade 
>>> activity, we ran into rough weather. We do not upgrade the existing 
>>> servers; rather, we retain one old server which has all FSMO roles, 
>>> demote and remove the others in the cluster, and add new servers with 
>>> the same IP and name. Finally I transfer the FSMO roles to one new 
>>> server, demote & remove the final server and add the new one with the 
>>> same IP and name. This time, in a cluster of two servers, the first one 
>>> to upgrade developed problems once I seized the FSMO roles, demoted 
>>> (removed the other dead server) & removed the second server. 
>>> The activities I did are as follows:
>>>
>>> 1. Demoted and removed the first server. Allotted the same IP/name 
>>> to a new RHEL 8 server, compiled Samba and installed it. The domain add 
>>> process also went well. But drs showrepl reported errors, and 
>>> these also got cleared once I did the dbcheck and fix process.
>>>
>>> 2. I moved, rather seized, the FSMO roles to the new Samba 4.18.0 on 
>>> RHEL 8, demoted (removed the other dead server, as the demote process 
>>> reported crazy errors), allotted the same IP/name to a new RHEL 8 
>>> server, compiled & installed Samba.
>>>
>>> 3. The problems started when I attempted to add Samba as an 
>>> additional DC. It always tried to find itself (a non-existent server) 
>>> as a writeable DC. This is when I found that the SOA record in the new 
>>> Samba 4.18.0 server was pointing to the dead server in 
>>> _msdcs.example.com, which I could not remove either in RSAT or using 
>>> samba-tool. Although there was a new SOA entry in the forward zone 
>>> pointing to the new Samba 4.18.0, the domain join process always found 
>>> itself (the non-existent server) as a writeable DC.
>>>
>>> 4. I did try to modify the _msdcs records in DNS, and the Samba AD 
>>> DNS went down. AD authentication is working. No client can find the 
>>> DNS. Even RSAT cannot find DNS. kinit on the same server cannot find DNS.
>>>
>>> Unfortunately, I have no backup of the running server. The backup is 
>>> from 4.15.9, and restoring this DB causes the samba main process to 
>>> exit with status code 1.
>>>
>>> After much effort, I brought AD component up, but DNS is still down.
>>>
>>> Any help to restore DNS in new samba 4.18.0 is much appreciated.
>>>
>>
>> You could try to update the SOA record with samba-tool:
>>
>> samba-tool dns update <server> <zone> @ SOA "olddata" "newdata"
>>
>> Where <server> is the DC's hostname, or ipaddress, or 127.0.0.1 or 
>> localhost
>>
>> <zone> is the forest zone, usually in the format 
>> '_msdcs.samdom.example.com' (where samdom.example.com is your DNS 
>> domain)
>>
>> "olddata" is what is there now and is the format:
>> "fqdn_dns fqdn_email serial refresh retry expire minimumttl"
>>
>> You can obtain this with ldbsearch:
>>
>> ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb 
>> -b "CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com" 
>> '(&(objectClass=dnsNode)(name=@))'
>>
>> You will need to run that as root and obviously change it to match 
>> your sam.ldb path and RootDSE
>>
>> "newdata" is what you want to change it to and is the same format as 
>> "olddata"
>>
>> NOTE: it should work, but I have never had to try it.
>>
>> As for your backup, it should work, but as they say, an untested 
>> backup is a bad backup. How are you backing up the domain and how did 
>> you try to restore it ?
>>
>> Rowland
>>
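Worked example of the SOA update Rowland describes above. This is an 
addition to the thread, not code from any of the posts or from Samba 
itself. It parses the ldbsearch --show-binary dump of the '@' dnsNode 
into the "fqdn_dns fqdn_email serial refresh retry expire minimumttl" 
string that samba-tool dns update takes for SOA data, builds the 
matching "newdata" with the primary name server replaced and the serial 
bumped by one, and prints the resulting samba-tool command without 
running it. The ldbsearch output, the zone name 
_msdcs.samdom.example.com, the host names dead-dc and dc2, and the 
serial and timer values are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: derive the
# "olddata"/"newdata" strings for `samba-tool dns update ... @ SOA` from
# the ldbsearch --show-binary dump of the zone apex ('@') dnsNode.

# Constructed sample of what
#   ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb \
#     -b "CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com" \
#     '(&(objectClass=dnsNode)(name=@))'
# prints for the _msdcs zone. Host names, serial and timers are made up
# for this example; the field layout mirrors the NDR dump of the
# dnsp_DnssrvRpcRecord / dnsp_soa structures that ldbsearch prints.
sample_ldb_output() {
cat <<'EOF'
# record 1
dn: DC=@,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: dnsNode
name: @
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x003e (62)
        wType                    : DNS_TYPE_SOA (6)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x0000001a (26)
        dwTtlSeconds             : 0x00000e10 (3600)
        data                     : union dnsRecordData(case 6)
        soa: struct dnsp_soa
            serial                   : 0x0000001a (26)
            refresh                  : 0x00000384 (900)
            retry                    : 0x00000258 (600)
            expire                   : 0x00015180 (86400)
            minimum                  : 0x00000e10 (3600)
            mname                    : 'dead-dc.samdom.example.com'
            rname                    : 'hostmaster.samdom.example.com'
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
        wType                    : DNS_TYPE_NS (2)
        data                     : union dnsRecordData(case 2)
        ns                       : 'dead-dc.samdom.example.com'

# returned 1 records
# 1 entries
# 0 referrals
EOF
}

# Read an ldbsearch --show-binary dump on stdin and print the SOA as
# "mname rname serial refresh retry expire minimum", the exact word order
# samba-tool dns update expects for SOA data. Exits 1 and prints nothing
# when the dump carries no SOA record (e.g. ldbsearch returned 0 records).
soa_from_ldb() {
    awk -v q="'" '
        /^dnsRecord:/                     { insoa = 0 }   # a new record starts
        /wType[ \t]*:[ \t]*DNS_TYPE_SOA/  { insoa = 1 }   # and this one is the SOA
        insoa && $1 ~ /^(serial|refresh|retry|expire|minimum)$/ {
            v = $NF; gsub(/[()]/, "", v); f[$1] = v       # "(900)" -> 900
        }
        insoa && ($1 == "mname" || $1 == "rname") {
            v = $NF; gsub(q, "", v); f[$1] = v            # strip the quotes
        }
        END {
            if (!("mname" in f) || !("serial" in f)) exit 1
            printf "%s %s %s %s %s %s %s\n", f["mname"], f["rname"],
                   f["serial"], f["refresh"], f["retry"], f["expire"], f["minimum"]
        }
    '
}

# Print (do not run) the samba-tool command that replaces the primary
# name server in the SOA and bumps the serial by one, keeping the
# responsible mailbox and the timers from the current record.
#   $1 server  $2 zone  $3 olddata (from soa_from_ldb)  $4 new mname
soa_update_cmd() {
    server=$1; zone=$2; olddata=$3; new_mname=$4
    set -- $olddata                      # mname rname serial refresh retry expire minimum
    serial=$(( $3 + 1 ))
    newdata="$new_mname $2 $serial $4 $5 $6 $7"
    printf 'samba-tool dns update %s %s @ SOA "%s" "%s"\n' \
        "$server" "$zone" "$olddata" "$newdata"
}

# Stand-alone demo on the constructed sample: dc2.samdom.example.com is a
# hypothetical replacement DC name.
old=$(sample_ldb_output | soa_from_ldb)
echo "olddata: $old"
soa_update_cmd localhost _msdcs.samdom.example.com "$old" dc2.samdom.example.com
```

The awk step exits non-zero and prints nothing when the dump contains 
no SOA record, which is the situation reported elsewhere in this thread 
(ldbsearch returned 0 records): with no '@' node under 
CN=MicrosoftDNS,DC=ForestDnsZones there is no "olddata" to edit, so no 
update command is produced rather than one built from empty fields.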

