samba - Feb 2020 - FW: samba_kcc issue after joining the domain as a DC

On 11/02/2020 17:11, Alex via samba wrote:
>>> # samba-tool dns zonelist 172.26.1.81
>>> Password for [administrator at domain.com]:
>>>     2 zone(s) found
>>>
>>>     pszZoneName                 : _msdcs.domain.com
>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>     Version                     : 50
>>>     dwDpFlags                   : DNS_DP_AUTOCREATED
DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>     pszDpFqdn                   : ForestDnsZones.domain.com
>>>
>>>     pszZoneName                 : domain.com
>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>     Version                     : 50
>>>     dwDpFlags                   : DNS_DP_AUTOCREATED
DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>     pszDpFqdn                   : ForestDnsZones.domain.com
>>>
>> I have three zones, one being the reverse zone, but my domain zone is
this:
>>   ? pszZoneName??????? : samdom.example.com
>>   ? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
>> DNS_RPC_ZONE_UPDATE_SECURE
>>   ? ZoneType??????????????? : DNS_ZONE_TYPE_PRIMARY
>>   ? Version??????????????????? : 50
>>   ? dwDpFlags?????????????? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
>> DNS_DP_ENLISTED
>>   ? pszDpFqdn?????????????? : DomainDnsZones.samdom.example.com
>> Notice the difference in the last line.
> I see the difference. I guess it's b/c you didn't upgrade the zone
to
> forest-wide. Should I revert my zones to be domain-wide?
>
Alex, mine is correct, yours is wrong.

I could probably dump a list of dns DN's if needed.

Rowland

>>>> # samba-tool dns zonelist 172.26.1.81
>>>> Password for [administrator at domain.com]:
>>>>     2 zone(s) found
>>>>
>>>>     pszZoneName                 : _msdcs.domain.com
>>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
>>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>>     Version                     : 50
>>>>     dwDpFlags                   : DNS_DP_AUTOCREATED
DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>>     pszDpFqdn                   : ForestDnsZones.domain.com
>>>>
>>>>     pszZoneName                 : domain.com
>>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
>>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>>     Version                     : 50
>>>>     dwDpFlags                   : DNS_DP_AUTOCREATED
DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>>     pszDpFqdn                   : ForestDnsZones.domain.com
>>>>
>>> I have three zones, one being the reverse zone, but my domain zone
is this:
>>>   ? pszZoneName??????? : samdom.example.com
>>>   ? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
>>> DNS_RPC_ZONE_UPDATE_SECURE
>>>   ? ZoneType??????????????? : DNS_ZONE_TYPE_PRIMARY
>>>   ? Version??????????????????? : 50
>>>   ? dwDpFlags?????????????? : DNS_DP_AUTOCREATED
DNS_DP_DOMAIN_DEFAULT
>>> DNS_DP_ENLISTED
>>>   ? pszDpFqdn?????????????? : DomainDnsZones.samdom.example.com
>>> Notice the difference in the last line.
>> I see the difference. I guess it's b/c you didn't upgrade the
zone to
>> forest-wide. Should I revert my zones to be domain-wide?
>>
> Alex, mine is correct, yours is wrong.
Rowland,  I really appreciate your help and you're probably right. But could
you
please  shed  some  light  on why yours is correct (or why mine is not)? At this
moment, my AD is fully functional, no issues at all.

In my humble opinion, this looks more like a bug in Samba joining procedure, b/c
it should work well the existing AD configuration. However, it doesn't.
> I could probably dump a list of dns DN's if needed.
Yes, please do.

-- 
Best regards,
Alex Alex

On 12/02/2020 09:24, Alex via samba wrote:
> Rowland,  I really appreciate your help and you're probably right. But
could you
> please  shed  some  light  on why yours is correct (or why mine is not)? At
this
> moment, my AD is fully functional, no issues at all.
When Active Directory was introduced (2K), it used a different DNS setup 
to what is used now, this changed when Windows 2003 was introduced, but 
they didn't enforce the dns upgrade. This meant that many people didn't 
upgrade the DNS when they upgraded the server. We are now seeing a few 
reports of problems like yours, normally when trying to join Samba as a 
DC to an existing Windows domain.

Samba initially used the 2K DNS, but quickly moved to the later DNS 
system, so, if mine is wrong, then everyone else's is wrong.

It seems to work correctly, until you try to join another DC.
>
> In my humble opinion, this looks more like a bug in Samba joining
procedure, b/c
> it should work well the existing AD configuration. However, it doesn't.
If it is a bug and I do not accept it is, I doubt if it will be fixed, 
because if the DNS is correct, everything works
correctly.
>> I could probably dump a list of dns DN's if needed.
> Yes, please do.
>
Will do, I will send it to you offlist.

Rowland

I'm  sorry,  after  double-checking  the Louis's link I've found
that the domain
zone  should  be domain-wide, while the _msdcs stuff should be forest wide.
I'll
change it and try again. Apologies.
>>>>> # samba-tool dns zonelist 172.26.1.81
>>>>> Password for [administrator at domain.com]:
>>>>>     2 zone(s) found
>>>>>
>>>>>     pszZoneName                 : _msdcs.domain.com
>>>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
>>>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>>>     Version                     : 50
>>>>>     dwDpFlags                   : DNS_DP_AUTOCREATED
DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>>>     pszDpFqdn                   : ForestDnsZones.domain.com
>>>>>
>>>>>     pszZoneName                 : domain.com
>>>>>     Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
>>>>>     ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>>>     Version                     : 50
>>>>>     dwDpFlags                   : DNS_DP_AUTOCREATED
DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>>>     pszDpFqdn                   : ForestDnsZones.domain.com
>>>>>
>>>> I have three zones, one being the reverse zone, but my domain
zone is this:
>>>>   ? pszZoneName??????? : samdom.example.com
>>>>   ? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
>>>> DNS_RPC_ZONE_UPDATE_SECURE
>>>>   ? ZoneType??????????????? : DNS_ZONE_TYPE_PRIMARY
>>>>   ? Version??????????????????? : 50
>>>>   ? dwDpFlags?????????????? : DNS_DP_AUTOCREATED
DNS_DP_DOMAIN_DEFAULT
>>>> DNS_DP_ENLISTED
>>>>   ? pszDpFqdn?????????????? : DomainDnsZones.samdom.example.com
>>>> Notice the difference in the last line.
>>> I see the difference. I guess it's b/c you didn't upgrade
the zone to
>>> forest-wide. Should I revert my zones to be domain-wide?
>>>
>> Alex, mine is correct, yours is wrong.
> Rowland,  I really appreciate your help and you're probably right. But
could you
> please  shed  some  light  on why yours is correct (or why mine is not)? At
this
> moment, my AD is fully functional, no issues at all.
> In my humble opinion, this looks more like a bug in Samba joining
procedure, b/c
> it should work well the existing AD configuration. However, it doesn't.
>> I could probably dump a list of dns DN's if needed.
> Yes, please do.
-- 
Best regards,
Alex Alex