Alex
2020-Mar-18 11:25 UTC
[Samba] pdc emulator dns record missing after transferring role
Hi,

Samba: 4.12.0

During the migration from Windows DCs to Samba DCs, the following issue came up:
after transferring the PDC emulator role to a Samba DC, the corresponding DNS record
wasn't re-created:

# samba-tool fsmo show -d 0 | grep PdcEmulationMasterRole
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VM-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com

# dig _ldap._tcp.pdc._msdcs.abisoft.biz any
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> _ldap._tcp.pdc._msdcs.domain.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40894
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
_ldap._tcp.pdc._msdcs.domain.com. 600 IN SRV 0 100 389 vm-dc1.domain.com.

# samba-tool fsmo transfer --role pdc -Uadministrator
FSMO transfer of 'pdc' role successful

# samba-tool fsmo show -d 0 | grep PdcEmulationMasterRole
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VM-DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com

# dig _ldap._tcp.pdc._msdcs.abisoft.biz any
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> _ldap._tcp.pdc._msdcs.domain.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22457
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

After transferring the PDC role back to the Windows DC, the record was re-created.

Am I missing something here, or is it a bug?

--
Best regards,
Alex
Rowland penny
2020-Mar-18 12:07 UTC
[Samba] pdc emulator dns record missing after transferring role
On 18/03/2020 11:25, Alex via samba wrote:
> Hi,
>
> Samba: 4.12.0
>
> During the migration from Windows DCs to Samba DCs, the following issue came up:
> after transferring the PDC emulator role to a Samba DC, the corresponding DNS record
> wasn't re-created:
>
> # samba-tool fsmo show -d 0 | grep PdcEmulationMasterRole
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VM-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
>
> # dig _ldap._tcp.pdc._msdcs.abisoft.biz any
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> _ldap._tcp.pdc._msdcs.domain.com any
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40894
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; ANSWER SECTION:
> _ldap._tcp.pdc._msdcs.domain.com. 600 IN SRV 0 100 389 vm-dc1.domain.com.
>
> # samba-tool fsmo transfer --role pdc -Uadministrator
> FSMO transfer of 'pdc' role successful
>
> # samba-tool fsmo show -d 0 | grep PdcEmulationMasterRole
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VM-DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
>
> # dig _ldap._tcp.pdc._msdcs.abisoft.biz any
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> _ldap._tcp.pdc._msdcs.domain.com any
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22457
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> After transferring the PDC role back to the Windows DC, the record was re-created.
>
> Am I missing something here, or is it a bug?
>

Yes and no (well not in the way you are thinking)

Yes, you are missing the fact that the dns_update_list has this:

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389

If this is the DC with the PDC Emulator role, but doesn't have the
required dns record, samba_dnsupdate should create it next time it is
run and Samba runs it regularly.

No, it isn't a bug, except after checking on my domain, I find I have
two dns records for _ldap._tcp.pdc._msdcs.samdom.example.com and you can
only have one PDC Emulator. I will have to examine the code (it could
just be my domain), but it is possible that there is no code to delete
the dns record if the computer isn't the PDC Emulator.

Rowland
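A check an administrator can run after a role transfer, written here as an added example and not Samba's own code: it reads the PDC emulator owner from `samba-tool fsmo show` output, models the `${IF_PDC}` conditional of the dns_update_list entry quoted above to compute the SRV record the new owner should register, and compares that against a `dig` answer to flag a missing record (the NXDOMAIN case in the thread) or a stale one left behind by the previous owner (the two-record case described above). The function names are mine, the sample outputs are constructed, and `${HOSTNAME}` is assumed to expand to the DC's fully qualified DNS name.

```python
import re

# Constructed sample of `samba-tool fsmo show` output (not from a live domain).
FSMO_SHOW = """\
SchemaMasterRole owner: CN=NTDS Settings,CN=VM-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VM-DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
"""

# Constructed dig answer section: the old owner's record was never removed
# and the new owner's record has been added, so two records exist.
DIG_TWO_RECORDS = """\
_ldap._tcp.pdc._msdcs.domain.com. 600 IN SRV 0 100 389 vm-dc1.domain.com.
_ldap._tcp.pdc._msdcs.domain.com. 600 IN SRV 0 100 389 vm-dc4.domain.com.
"""

# The dns_update_list entry quoted in the thread (whitespace collapsed).
PDC_ENTRY = "${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389"

def expand_update_entry(entry, is_pdc, dnsdomain, hostname):
    """Expand one dns_update_list line. Entries prefixed with ${IF_PDC} apply
    only on the DC holding the PDC emulator role; returns None when skipped."""
    if entry.startswith("${IF_PDC}"):
        if not is_pdc:
            return None
        entry = entry[len("${IF_PDC}"):]
    return entry.replace("${DNSDOMAIN}", dnsdomain).replace("${HOSTNAME}", hostname)

def pdc_owner_host(fsmo_text):
    """Hostname (lower-cased) of the PDC emulator owner from samba-tool fsmo show output."""
    m = re.search(r"^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=([^,]+),", fsmo_text, re.M)
    return m.group(1).lower() if m else None

def srv_targets(dig_text, name):
    """SRV target hosts (trailing dot stripped) answered for `name` in dig output lines."""
    targets = []
    for line in dig_text.splitlines():
        f = line.split()
        if len(f) == 8 and f[3] == "SRV" and f[0].rstrip(".").lower() == name.lower():
            targets.append(f[7].rstrip(".").lower())
    return targets

def check_pdc_srv(fsmo_text, dig_text, dnsdomain):
    """Return (expected SRV entry, record missing?, stale targets) for the PDC SRV name."""
    host = pdc_owner_host(fsmo_text)
    expected = expand_update_entry(PDC_ENTRY, True, dnsdomain, f"{host}.{dnsdomain}")
    _, name, target, _ = expected.split()
    targets = srv_targets(dig_text, name)
    return expected, target not in targets, sorted(t for t in targets if t != target)
```

Feeding it the real `samba-tool fsmo show` and `dig ... SRV` output on each DC reports which DC's record is absent and which leftover record should be cleaned up.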
Alex
2020-Mar-18 12:28 UTC
[Samba] pdc emulator dns record missing after transferring role
Hello Rowland,

>> During the migration from Windows DCs to Samba DCs, the following issue came up:
>> after transferring the PDC emulator role to a Samba DC, the corresponding DNS record
>> wasn't re-created:
>>
> Yes and no (well not in the way you are thinking)
> Yes, you are missing the fact that the dns_update_list has this:
> # The PDC emulator
> ${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389

I didn't miss it. I checked dns_update_list before writing, which made me think there's a bug here, along with the fact that after switching the role back to the Windows DC the pdc record appeared almost immediately.

> If this is the DC with the PDC Emulator role, but doesn't have the
> required dns record, samba_dnsupdate should create it next time it is
> run and Samba runs it regularly.

Hm.. I waited for several minutes after the role was transferred - the record wasn't created. Wouldn't it be a good enhancement if the fsmo transfer command issued samba_dnsupdate right after the role has been transferred?

Just transferred the PDC role to the Samba DC again and manually issued the "samba_dnsupdate --use-samba-tool --fail-immediately" command right after that. No pdc record was added, and this error came up:

ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
    raise e
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
    0, server, zone, name, add_rec_buf, None)

Gave it one more try by restarting samba - same result: no pdc record and that error in the log.

Any ideas?

> No, it isn't a bug, except after checking on my domain, I find I have
> two dns records for _ldap._tcp.pdc._msdcs.samdom.example.com and you can
> only have one PDC Emulator. I will have to examine the code (it could
> just be my domain), but it is possible that there is no code to delete
> the dns record if the computer isn't the PDC Emulator.

It would be great to add such code, along with code which will clean things up after a Samba DC is demoted - I had to manually delete all the dns records multiple times during my tests (which is annoying :).

--
Best regards,
Alex