-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I just set up a Domain with two DCs. I use Debian jessie the debian-pakages. And bind9 also from the debian repositories. After setting up the first DC everything was working fine. The nameresolution of hosts ans SRV-records worked. Then I set up a second DC also everything aut of the debian-box with bind9 as nameserver. The "join" and the replication of the database worked with no errormessage. BUT then I tested the DNS I saw that only the second DC got alle SRV-records: - ------------- root at addc2:~# host -t srv _kerberos._tcp.example.net _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net. _kerberos._tcp.example.net has SRV record 0 100 88 addc2.example.net. root at addc2:~# host -t srv _ldap._tcp.example.net _ldap._tcp.example.net has SRV record 0 100 389 addc2.example.net. _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net. root at addc2:~# host -t srv _gc._tcp.example.net _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net. _gc._tcp.example.net has SRV record 0 100 3268 addc2.example.net. root at addc2:~# - ------------ On the first DC I see only the SRV-records from the first DC: - ------------ root at addc1:~# host -t srv _kerberos._tcp.example.net _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net. root at addc1:~# host -t srv _ldap._tcp.example.net _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net. root at addc1:~# host -t srv _gc._tcp.example.net _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net. - ------------ So replication check was not working: - ------------ root at addc1:~# samba-tool drs showrepl ==== INBOUND NEIGHBORS === DC=ForestDnsZones,DC=example,DC=net Default-First-Site-Name\ADDC2 via RPC DSA object GUID: 9fba93aa-5e34-48fc-826b-dddc24072883 Last attempt @ Fri Jun 24 12:42:40 2016 CEST failed, result 2 (WERR_BADFILE) 23 consecutive failure(s). Last success @ NTTIME(0) - ------------ Trying to replicate dc1 with dc2 - ------------ root at addc1:~# samba-tool drs replicate addc1 addc2 example.net ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC') File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 345, in run drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options) File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync raise drsException("DsReplicaSync failed %s" % estr) - ---------- Then I added a win10 Client to see the DNS entries via the rsat. Alle the srv-records missing BUT the new windows client was added to DNS and I cam see it on both DCs, as object and as dns-record. Running a "samba_dnsupdate --verbose --all-names" is running on both DCs without any error Testing the objectGUID is working: - ---------- root at addc1:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid # record 1 dn: CN=NTDS Settings,CN=ADDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf iguration,DC=example,DC=net objectGUID: 9fba93aa-5e34-48fc-826b-dddc24072883 # record 2 dn: CN=NTDS Settings,CN=ADDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf iguration,DC=example,DC=net objectGUID: b33e0b61-960c-41de-9271-6dad3f57ece0 - ---------- On the first DC the CNAME for the second DC is not there - ---------- root at addc1:~# host -t CNAME 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net. Host 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net. not found: 3(NXDOMAIN) root at addc1:~# host -t CNAME b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net. b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net is an alias for addc1.example.net. - ---------- consitency chek works on both DCs - ---------- root at addc1:~# kinit administrator administrator at EXAMPLE.NET's Password: root at addc1:~# samba-tool drs kcc -k yes Consistency check on addc1.example.net successful. root at addc2:~# kinit administrator administrator at EXAMPLE.NET's Password: root at addc2:~# samba-tool drs kcc -k yes Consistency check on addc2.example.net successful. - ---------- On the second DC everything is ok. smb.conf on DC1: - ---------- [global] workgroup = EXAMPLE realm = EXAMPLE.NET netbios name = ADDC1 server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate interfaces = 192.168.56.81 bind interfaces only = yes [netlogon] path = /var/lib/samba/sysvol/example.net/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No - ---------- smb.conf on DC2: - ---------- [global] workgroup = EXAMPLE realm = example.net netbios name = ADDC2 server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate interfaces = 192.168.56.82 bind interfaces only = yes [netlogon] path = /var/lib/samba/sysvol/example.net/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No - ---------- At the moment I don't know where to look. Can someone help please Stefan -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAldtGDIACgkQ2JOGcNAHDTZSoACghKDh878JQk1nakNq+HCfTSja OzwAoNF1+zYF8VUL8Fnph2Efh2f41ZlI =6Cci -----END PGP SIGNATURE-----
On 24/06/16 12:23, Stefan Kania wrote:> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello, > > I just set up a Domain with two DCs. I use Debian jessie the > debian-pakages. And bind9 also from the debian repositories. > > After setting up the first DC everything was working fine. The > nameresolution of hosts ans SRV-records worked. > > Then I set up a second DC also everything aut of the debian-box with > bind9 as nameserver. > > The "join" and the replication of the database worked with no > errormessage. > > BUT then I tested the DNS I saw that only the second DC got alle > SRV-records: > - ------------- > root at addc2:~# host -t srv _kerberos._tcp.example.net > _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net. > _kerberos._tcp.example.net has SRV record 0 100 88 addc2.example.net. > > root at addc2:~# host -t srv _ldap._tcp.example.net > _ldap._tcp.example.net has SRV record 0 100 389 addc2.example.net. > _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net. > > root at addc2:~# host -t srv _gc._tcp.example.net > _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net. > _gc._tcp.example.net has SRV record 0 100 3268 addc2.example.net. > root at addc2:~# > - ------------ > > On the first DC I see only the SRV-records from the first DC: > - ------------ > root at addc1:~# host -t srv _kerberos._tcp.example.net > _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net. > root at addc1:~# host -t srv _ldap._tcp.example.net > _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net. > root at addc1:~# host -t srv _gc._tcp.example.net > _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net. > - ------------ > > So replication check was not working: > - ------------ > root at addc1:~# samba-tool drs showrepl > ==== INBOUND NEIGHBORS ===> > DC=ForestDnsZones,DC=example,DC=net > Default-First-Site-Name\ADDC2 via RPC > DSA object GUID: 9fba93aa-5e34-48fc-826b-dddc24072883 > Last attempt @ Fri Jun 24 12:42:40 2016 CEST failed, > result 2 (WERR_BADFILE) > 23 consecutive failure(s). > Last success @ NTTIME(0) > - ------------ > > Trying to replicate dc1 with dc2 > - ------------ > root at addc1:~# samba-tool drs replicate addc1 addc2 example.net > ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - > drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC') > File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line > 345, in run > drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, > source_dsa_guid, NC, req_options) > File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, > in sendDsReplicaSync > raise drsException("DsReplicaSync failed %s" % estr) > - ---------- > > Then I added a win10 Client to see the DNS entries via the rsat. Alle > the srv-records missing BUT the new windows client was added to DNS > and I cam see it on both DCs, as object and as dns-record. > > Running a "samba_dnsupdate --verbose --all-names" is running on both > DCs without any error > > Testing the objectGUID is working: > - ---------- > root at addc1:~# ldbsearch -H /var/lib/samba/private/sam.ldb > '(invocationid=*)' --cross-ncs objectguid > # record 1 > dn: CN=NTDS > Settings,CN=ADDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf > iguration,DC=example,DC=net > objectGUID: 9fba93aa-5e34-48fc-826b-dddc24072883 > > # record 2 > dn: CN=NTDS > Settings,CN=ADDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf > iguration,DC=example,DC=net > objectGUID: b33e0b61-960c-41de-9271-6dad3f57ece0 > - ---------- > > On the first DC the CNAME for the second DC is not there > - ---------- > root at addc1:~# host -t CNAME > 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net. > Host 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net. not > found: 3(NXDOMAIN) > root at addc1:~# host -t CNAME > b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net. > b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net is an alias > for addc1.example.net. > - ---------- > > consitency chek works on both DCs > - ---------- > root at addc1:~# kinit administrator > administrator at EXAMPLE.NET's Password: > root at addc1:~# samba-tool drs kcc -k yes > Consistency check on addc1.example.net successful. > > root at addc2:~# kinit administrator > administrator at EXAMPLE.NET's Password: > root at addc2:~# samba-tool drs kcc -k yes > Consistency check on addc2.example.net successful. > - ---------- > > On the second DC everything is ok. > > smb.conf on DC1: > - ---------- > [global] > workgroup = EXAMPLE > realm = EXAMPLE.NET > netbios name = ADDC1 > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbindd, ntp_signd, kcc, dnsupdate > interfaces = 192.168.56.81 > bind interfaces only = yes > > [netlogon] > path = /var/lib/samba/sysvol/example.net/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > - ---------- > > smb.conf on DC2: > - ---------- > [global] > workgroup = EXAMPLE > realm = example.net > netbios name = ADDC2 > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbindd, ntp_signd, kcc, dnsupdate > interfaces = 192.168.56.82 > bind interfaces only = yes > > [netlogon] > path = /var/lib/samba/sysvol/example.net/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > - ---------- > > At the moment I don't know where to look. Can someone help please > > Stefan > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.22 (GNU/Linux) > > iEYEARECAAYFAldtGDIACgkQ2JOGcNAHDTZSoACghKDh878JQk1nakNq+HCfTSja > OzwAoNF1+zYF8VUL8Fnph2Efh2f41ZlI > =6Cci > -----END PGP SIGNATURE----- >I don't think this has anything to do with bind9, bind uses exactly the same objects in AD that the internal DNS does. Have you tried restarting Samba on the second DC ? Have you tried running 'samba-tool ldapcmp ldap://dc1 ldap://dc2' Rowland
2016-06-24 14:21 GMT+02:00 Rowland penny <rpenny at samba.org>:> On 24/06/16 12:23, Stefan Kania wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hello, >> >> I just set up a Domain with two DCs. I use Debian jessie the >> debian-pakages. And bind9 also from the debian repositories. >> >> After setting up the first DC everything was working fine. The >> nameresolution of hosts ans SRV-records worked. >> >> Then I set up a second DC also everything aut of the debian-box with >> bind9 as nameserver. >> >> The "join" and the replication of the database worked with no >> errormessage. >> >> BUT then I tested the DNS I saw that only the second DC got alle >> SRV-records: >> - ------------- >> root at addc2:~# host -t srv _kerberos._tcp.example.net >> _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net. >> _kerberos._tcp.example.net has SRV record 0 100 88 addc2.example.net. >> >> root at addc2:~# host -t srv _ldap._tcp.example.net >> _ldap._tcp.example.net has SRV record 0 100 389 addc2.example.net. >> _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net. >> >> root at addc2:~# host -t srv _gc._tcp.example.net >> _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net. >> _gc._tcp.example.net has SRV record 0 100 3268 addc2.example.net. >> root at addc2:~# >> - ------------ >> >> On the first DC I see only the SRV-records from the first DC: >> - ------------ >> root at addc1:~# host -t srv _kerberos._tcp.example.net >> _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net. >> root at addc1:~# host -t srv _ldap._tcp.example.net >> _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net. >> root at addc1:~# host -t srv _gc._tcp.example.net >> _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net. >> - ------------ >> >Here is certainly the issue. This record must be created on replicating DC and on the new one for replication begins really between all your DC (ok only one) and the new one. Here it is: https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller Could you please try to fix that and retry?> >> So replication check was not working: >> - ------------ >> root at addc1:~# samba-tool drs showrepl >> ==== INBOUND NEIGHBORS ===>> >> DC=ForestDnsZones,DC=example,DC=net >> Default-First-Site-Name\ADDC2 via RPC >> DSA object GUID: 9fba93aa-5e34-48fc-826b-dddc24072883 >> Last attempt @ Fri Jun 24 12:42:40 2016 CEST failed, >> result 2 (WERR_BADFILE) >> 23 consecutive failure(s). >> Last success @ NTTIME(0) >> - ------------ >> >> Trying to replicate dc1 with dc2 >> - ------------ >> root at addc1:~# samba-tool drs replicate addc1 addc2 example.net >> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - >> drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC') >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line >> 345, in run >> drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, >> source_dsa_guid, NC, req_options) >> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, >> in sendDsReplicaSync >> raise drsException("DsReplicaSync failed %s" % estr) >> - ---------- >> >> Then I added a win10 Client to see the DNS entries via the rsat. Alle >> the srv-records missing BUT the new windows client was added to DNS >> and I cam see it on both DCs, as object and as dns-record. >> >> Running a "samba_dnsupdate --verbose --all-names" is running on both >> DCs without any error >> >> Testing the objectGUID is working: >> - ---------- >> root at addc1:~# ldbsearch -H /var/lib/samba/private/sam.ldb >> '(invocationid=*)' --cross-ncs objectguid >> # record 1 >> dn: CN=NTDS >> Settings,CN=ADDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf >> iguration,DC=example,DC=net >> objectGUID: 9fba93aa-5e34-48fc-826b-dddc24072883 >> >> # record 2 >> dn: CN=NTDS >> Settings,CN=ADDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf >> iguration,DC=example,DC=net >> objectGUID: b33e0b61-960c-41de-9271-6dad3f57ece0 >> - ---------- >> >> On the first DC the CNAME for the second DC is not there >> - ---------- >> root at addc1:~# host -t CNAME >> 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net. >> Host 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net. not >> found: 3(NXDOMAIN) >> root at addc1:~# host -t CNAME >> b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net. >> b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net is an alias >> for addc1.example.net. >> - ---------- >> >> consitency chek works on both DCs >> - ---------- >> root at addc1:~# kinit administrator >> administrator at EXAMPLE.NET's Password: >> root at addc1:~# samba-tool drs kcc -k yes >> Consistency check on addc1.example.net successful. >> >> root at addc2:~# kinit administrator >> administrator at EXAMPLE.NET's Password: >> root at addc2:~# samba-tool drs kcc -k yes >> Consistency check on addc2.example.net successful. >> - ---------- >> >> On the second DC everything is ok. >> >> smb.conf on DC1: >> - ---------- >> [global] >> workgroup = EXAMPLE >> realm = EXAMPLE.NET >> netbios name = ADDC1 >> server role = active directory domain controller >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, >> drepl, winbindd, ntp_signd, kcc, dnsupdate >> interfaces = 192.168.56.81 >> bind interfaces only = yes >> >> [netlogon] >> path = /var/lib/samba/sysvol/example.net/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> - ---------- >> >> smb.conf on DC2: >> - ---------- >> [global] >> workgroup = EXAMPLE >> realm = example.net >> netbios name = ADDC2 >> server role = active directory domain controller >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, >> drepl, winbindd, ntp_signd, kcc, dnsupdate >> interfaces = 192.168.56.82 >> bind interfaces only = yes >> >> [netlogon] >> path = /var/lib/samba/sysvol/example.net/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> - ---------- >> >> At the moment I don't know where to look. Can someone help please >> >> Stefan >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v2.0.22 (GNU/Linux) >> >> iEYEARECAAYFAldtGDIACgkQ2JOGcNAHDTZSoACghKDh878JQk1nakNq+HCfTSja >> OzwAoNF1+zYF8VUL8Fnph2Efh2f41ZlI >> =6Cci >> -----END PGP SIGNATURE----- >> >> > I don't think this has anything to do with bind9, bind uses exactly the > same objects in AD that the internal DNS does. > > Have you tried restarting Samba on the second DC ? > Have you tried running 'samba-tool ldapcmp ldap://dc1 ldap://dc2' > > Rowland > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Possibly Parallel Threads
- SRV-records not replicated with BIND9_DLZ
- bind9 and samba 4.9.1
- Samba4 Domain Member Server "Getent show diferents UID"
- Samba 4.12.0 on Fedora32: bind DNS still say "named: client @...: update 'fedora.loc/IN' denied"
- Samba4 Domain Member Server "Getent show diferents UID"