[Samba] DNS management error accessing the domain zone
Rowland Penny
rpenny at samba.org
Wed Mar 19 21:14:10 UTC 2025
On Wed, 19 Mar 2025 16:43:59 -0300
Nicolás Hermida via samba <samba at lists.samba.org> wrote:
> Hi everyone,
>
> We have an Active Directory environment with a WS 2008 R2 functional
> level. There are two Windows Server 2012 R2 systems, we started the
> task of migrating these servers to Samba and we've added a Samba
> domain controller (Version 4.19.5) under Ubuntu 24.04.
>
> So we have:
> SERVER1 (IP 172.30.16.10): Windows Server 2012 R2 Domain Controller
> SERVER2 (IP 172.30.16.11): Windows Server 2012 R2 Domain Controller
> SERVER3 (IP 172.30.16.14): Samba Domain Controller
>
> Domain name: example.local
>
> When we try to connect to SERVER3 (Samba DC) using the Windows DNS
> Management Tool to manage the DNS server, we get an error when trying
> to access the example.local forward lookup zone.
>
> This error does not occur when accessing the _msdcs.example.local
> zone.
>
> The error indicated by the Windows DNS tool is:
> Zone Not Loaded by DNS Server
>
> The DNS server encountered a problem while attempting to load the
> zone. The transfer of zone data from the master server failed.
>
> We ran the command to fix some errors detected by dbcheck:
> # samba-tool dbcheck --cross-ncs --fix
>
> In the Samba service log, we observed these errors that we consider
> relevant:
>
> dnsserver: Invalid zone operation IsSigneddnsserver
>
> ndr_pull_uint32: ndr_pull_error(Buffer Size Error): Pull bytes 4
> (librpc/ndr/ndr_basic.c:193) at librpc/ndr/ndr_basic.c:193
>
> Replications work correctly.
>
> Here you have a copy of the main configuration files:
>
> /etc/resolv.conf
> # --- BEGIN PVE ---
> search example.local
> nameserver 172.30.16.10
> # --- END PVE ---
>
>
> Any ideas that might help us resolve this issue?
>
A couple of things you can try. First, point the Samba DC at itself for
its nameserver: change 'nameserver 172.30.16.10' to 'nameserver
172.30.16.14'.

The second is to compare the forward zone DNS records on the Samba DC
with the records on one of the Windows DCs.

I also hope that 'example.local' is sanitising for the real AD DNS
domain and that it really doesn't use the '.local' TLD.

Rowland
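
As an added example (not part of the original post and not Samba's own code), the record comparison suggested above can be done by saving the output of `samba-tool dns query <server> example.local @ ALL` for each DC and diffing the record sets. The sample output is constructed, the line layout is assumed to match what samba-tool prints, and `parse` and `compare` are hypothetical helper names.

```python
import re

# Constructed sample output (not from the thread), in the layout assumed for
# `samba-tool dns query`: a Name= line per node, then one indented line per record.
SAMBA_DC = """\
  Name=, Records=2, Children=0
    NS: server3.example.local. (flags=600000f0, serial=110, ttl=900)
    A: 172.30.16.14 (flags=600000f0, serial=110, ttl=900)
  Name=server1, Records=1, Children=0
    A: 172.30.16.10 (flags=f0, serial=3, ttl=1200)
"""
WINDOWS_DC = """\
  Name=, Records=3, Children=0
    NS: server3.example.local. (flags=600000f0, serial=25, ttl=3600)
    A: 172.30.16.10 (flags=600000f0, serial=25, ttl=600)
    A: 172.30.16.14 (flags=600000f0, serial=25, ttl=600)
  Name=server1, Records=1, Children=0
    A: 172.30.16.10 (flags=f0, serial=3, ttl=1200)
  Name=server2, Records=1, Children=0
    A: 172.30.16.11 (flags=f0, serial=4, ttl=1200)
"""

NODE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=\d+, Children=\d+\s*$")
RECORD = re.compile(r"^\s+(?P<type>[A-Z0-9]+): (?P<data>.*?) \(flags=[0-9a-f]+, serial=\d+, ttl=\d+\)\s*$")

def parse(text):
    """Return {(node, type, data)}; flags, serial and ttl are ignored."""
    records, node = set(), None
    for line in text.splitlines():
        m = NODE.match(line)
        if m:
            node = m.group("name") or "@"  # empty name is the zone apex
            continue
        m = RECORD.match(line)
        if m and node is not None:
            data = m.group("data")
            if m.group("type") == "SOA":  # drop the per-server SOA serial
                data = re.sub(r"serial=\d+, ", "", data)
            # DNS names are case-insensitive; ignore the trailing root dot too
            records.add((node, m.group("type"), data.rstrip(".").lower()))
    return records

def compare(samba_text, windows_text):
    samba, windows = parse(samba_text), parse(windows_text)
    # (records only on the Windows DC, records only on the Samba DC)
    return sorted(windows - samba), sorted(samba - windows)

if __name__ == "__main__":
    missing, extra = compare(SAMBA_DC, WINDOWS_DC)
    print("only on Windows DC:", missing)
    print("only on Samba DC:", extra)
```

Records that appear on only one side are the ones to inspect first; differing serial and TTL values are deliberately not reported.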