samba - Oct 2015 - joining second DC to domain and non creation of DC DNS records

Hi, I am in the middle of creating (or should that be re-creating) my 
test domain, creation of the first DC went without incidence, so I moved 
on to the second DC and this is where the problems started.

I downloaded samba 4.3.1 and compiled it, I then setup bind9 etc and 
joined the new DC to the domain, everything seemed ok, so I then started 
testing DNS. This is where I found that my nice new DC did not have a 
DNS record.

I then remember that there was a problem, so scanned the wiki (well 
somebody has to read it) and found this page:

https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins

This described my problem precisely, so I started to follow it, but it 
didn't fully fix my problem, in fact it changed it to another.

So I went to this page : 
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

and started to follow it, but it all went pear shaped when I deleted the 
bind dns account and then samba flatly refused to recreate it, saying it 
still existed, when plainly it didn't ( I later found lower down the 
page, that this was another known bug, but I totally missed it when I 
first read the page. Note to Marc, I will be altering that page!)

So, having totally missed the next bug, what did I do, well as this was 
a new DC, I stopped bind and samba, removed /usr/local/samba and re-ran 
'make install' and tried again, this time everything worked. The only 
difference was that this time the new DCs dns record was already in AD 
on the first DC.

I now know how to join any more DCs, precreate the new DCs dns records 
in AD before joining it.

Rowland

Hello Rowland,

just hat a similar problem with 4.3.0. What fixed my problem was:

stop samba
switch to samba internal backend
remove dns-dc record
switch back to bind backend
afterwards, everything worked for me

Am 22.10.2015 um 22:06 schrieb Rowland Penny:
> Hi, I am in the middle of creating (or should that be re-creating) my 
> test domain, creation of the first DC went without incidence, so I 
> moved on to the second DC and this is where the problems started.
>
> I downloaded samba 4.3.1 and compiled it, I then setup bind9 etc and 
> joined the new DC to the domain, everything seemed ok, so I then 
> started testing DNS. This is where I found that my nice new DC did not 
> have a DNS record.
>
> I then remember that there was a problem, so scanned the wiki (well 
> somebody has to read it) and found this page:
>
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>
> This described my problem precisely, so I started to follow it, but it 
> didn't fully fix my problem, in fact it changed it to another.
>
> So I went to this page : 
>
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
> and started to follow it, but it all went pear shaped when I deleted 
> the bind dns account and then samba flatly refused to recreate it, 
> saying it still existed, when plainly it didn't ( I later found lower 
> down the page, that this was another known bug, but I totally missed 
> it when I first read the page. Note to Marc, I will be altering that 
> page!)
>
> So, having totally missed the next bug, what did I do, well as this 
> was a new DC, I stopped bind and samba, removed /usr/local/samba and 
> re-ran 'make install' and tried again, this time everything worked.
> The only difference was that this time the new DCs dns record was 
> already in AD on the first DC.
>
> I now know how to join any more DCs, precreate the new DCs dns records 
> in AD before joining it.
>
> Rowland
>
>

On 23/10/15 10:22, Dirk Laurenz wrote:
> Hello Rowland,
>
> just hat a similar problem with 4.3.0. What fixed my problem was:
>
> stop samba
> switch to samba internal backend
> remove dns-dc record
> switch back to bind backend
> afterwards, everything worked for me
>
I totally missed that bit on the wiki page, or I would have tried it, 
hopefully now that I have altered the page it is a bit more obvious.

But what I was trying to get across was, the problem is apparently 
caused by the new DCs A record not being created in AD, hence none of 
the CNAME records are either. If the A record exists before the join, it 
just works.

Rowland

Hi Rowland,

I have similar problem with sernet  4.2.4 package: no dns entry created and logs
are showing NOTAUTH for dnsupdate
Here is my work around:

New DC joins domain with:
--dns-backend=BIND9_DLZ and --server=partnerDC.contoso.com

Don't start samba or bind yet !!

After that I've to correct some permissions rights on these folders/files
(bind can read):
- private
- dns
- dns/*
- sam.ldb
- sam.ldb.d
- sam.ldb.d/*
- dns.keytab

If I start samba + bind, i have dnsupdate failed
Tips is to restart bind on partnerDC.contoso.com (partner replication on domain
joined)
L.P.H von BELLE have similar troube, see:
https://lists.samba.org/archive/samba/2015-April/191143.html

After bind restarted on partnerDC, you can start samba + bind after
All dns entry are created and replicated :-)

I don't know why I have to restart bind on partnerDC between second DC
domain join and second DC samba start...


-----Message d'origine-----
De : samba [mailto:samba-bounces at lists.samba.org] De la part de Dirk Laurenz
Envoyé : vendredi 23 octobre 2015 12:01
À : Rowland Penny <rowlandpenny241155 at gmail.com>; sambalist <samba
at lists.samba.org>
Objet : Re: [Samba] joining second DC to domain and non creation of DC DNS
records

Hello Rowland,

just hat a similar problem with 4.3.0. What fixed my problem was:

stop samba
switch to samba internal backend
remove dns-dc record
switch back to bind backend
afterwards, everything worked for me

Am 22.10.2015 um 22:06 schrieb Rowland Penny:
> Hi, I am in the middle of creating (or should that be re-creating) my 
> test domain, creation of the first DC went without incidence, so I 
> moved on to the second DC and this is where the problems started.
>
> I downloaded samba 4.3.1 and compiled it, I then setup bind9 etc and 
> joined the new DC to the domain, everything seemed ok, so I then 
> started testing DNS. This is where I found that my nice new DC did not 
> have a DNS record.
>
> I then remember that there was a problem, so scanned the wiki (well 
> somebody has to read it) and found this page:
>
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>
> This described my problem precisely, so I started to follow it, but it 
> didn't fully fix my problem, in fact it changed it to another.
>
> So I went to this page : 
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacce
> ptable
>
> and started to follow it, but it all went pear shaped when I deleted 
> the bind dns account and then samba flatly refused to recreate it, 
> saying it still existed, when plainly it didn't ( I later found lower 
> down the page, that this was another known bug, but I totally missed 
> it when I first read the page. Note to Marc, I will be altering that
> page!)
>
> So, having totally missed the next bug, what did I do, well as this 
> was a new DC, I stopped bind and samba, removed /usr/local/samba and 
> re-ran 'make install' and tried again, this time everything worked.
> The only difference was that this time the new DCs dns record was 
> already in AD on the first DC.
>
> I now know how to join any more DCs, precreate the new DCs dns records 
> in AD before joining it.
>
> Rowland
>
>

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba