Rowland Penny
2024-Aug-10 08:29 UTC
[Samba] Problems on joining samba DC to a Windows Domain while adding DNS record for new DC
On Sat, 10 Aug 2024 09:34:32 +0200
Mitja Tavčar via samba <samba at lists.samba.org> wrote:

> On Fri, 09/08/2024 at 17.32 +0100, Rowland Penny via samba wrote:
> > On Fri, 09 Aug 2024 17:51:22 +0200
> > Mitja Tavčar via samba <samba at lists.samba.org> wrote:
> > >
> > > The original domain was not deployed as 2008R2 but as Windows2000
> > > and then upgraded to 2003 and subsequently to 2008R2 level. But
> > > we have not encountered any problems so far.
> >
> > The DNS on a W2k is very different from what is used now, so when it
> > was updated was the DNS updated as well ?
>
> Ok, according to the error that also popped out of Douglas's patch, it
> should be a missing DNS zone in my DNS.
>
> (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
>
> > If it wasn't, then the base NC will not be there to put the dns
> > record into.
>
> Maybe you know how I can check if the correct NC exists? With ADSI
> Edit or some other tool?
>
> Should this be relevant to me?
> https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting#DNS_zone_does_not_exist
>
> Thank you
>
> Mitja Tavčar

Do you have any Linux domain clients ?
If so try this command:

sudo ldbsearch --cross-ncs --show-binary -H ldap://vmw2srvdc1.intra.comune.trento.it -P -b 'dc=intra,dc=comune,dc=trento,dc=it' -s sub '(objectclass=dnszone)' -d0 | grep 'dn:'

(that should be all on one line).

If you haven't got any Linux domain clients, then, on the computer you are trying to join as a DC, check if you have a valid ticket in /tmp for Administrator (usually /tmp/krb5cc_0). If not, run 'kinit Administrator' as root and enter the Administrator password when prompted; you should now have /tmp/krb5cc_0.

Once you have the ticket, run the ldbsearch command again, but replace '-P' with '--use-krb5-ccache=/tmp/krb5cc_0'

When I run the command, I get this:

dn: DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
dn: DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com

Yours will not be in the same order, I have re-ordered them to explain them better.
The first is the forward domain dns zone.
The second is the forward forest dns zone.
The third is the reverse zone and in this case isn't important; you may not have one, or you could have multiple, but they can be created/deleted at will.
The final two are 'root' dns servers and are not used by Samba.

Rowland
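As an added example (not Samba code and not from any post in this thread): a small POSIX shell filter that takes the 'dn:' lines produced by the ldbsearch command above on stdin and classifies them the way Rowland does, flagging the two zone objects a DC join needs (the forward domain zone under DC=DomainDnsZones and the _msdcs zone under DC=ForestDnsZones) when they are absent. The realm name samdom.example.com, the DC hostname in the commented real invocation, and both sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not Samba code, not from any post in this thread).
# Feed it the 'dn:' lines from the ldbsearch command above and it reports
# whether the two zone objects a DC join needs are where a 2003-level or
# later domain keeps them. Realm name and both samples below are constructed.
#
# Real use (needs a domain-joined client with a ticket, as described above):
#   ldbsearch --cross-ncs --show-binary -H ldap://dc1.samdom.example.com \
#     --use-krb5-ccache=/tmp/krb5cc_0 -b 'dc=samdom,dc=example,dc=com' \
#     -s sub '(objectclass=dnszone)' -d0 | grep 'dn:' \
#     | zone_status samdom.example.com

# zone_status REALM  (ldbsearch 'dn:' lines on stdin), one line per object:
#   domain-zone      DC=REALM under DC=DomainDnsZones
#   forest-zone      DC=_msdcs.REALM under DC=ForestDnsZones
#   reverse:<zone>   an in-addr.arpa zone, in whichever partition it sits
#   legacy:<dn>      an object under CN=MicrosoftDNS,CN=System (where
#                    Windows 2000 stored AD-integrated zones)
#   other:<dn>       anything else (e.g. RootDNSServers in DomainDnsZones)
#   MISSING:<name>   one line for each required zone that was not seen
zone_status() {
    realm=$1
    have_domain=0
    have_forest=0
    while IFS= read -r line; do
        case $line in
            "dn: DC=$realm,CN=MicrosoftDNS,DC=DomainDnsZones,"*)
                have_domain=1
                echo domain-zone ;;
            "dn: DC=_msdcs.$realm,CN=MicrosoftDNS,DC=ForestDnsZones,"*)
                have_forest=1
                echo forest-zone ;;
            "dn: DC="*".in-addr.arpa,"*)
                z=${line#"dn: DC="}
                echo "reverse:${z%%,*}" ;;
            "dn: DC="*",CN=MicrosoftDNS,CN=System,"*)
                echo "legacy:${line#"dn: "}" ;;
            "dn: "*)
                echo "other:${line#"dn: "}" ;;
        esac
    done
    [ "$have_domain" -eq 1 ] || echo MISSING:domain-zone
    [ "$have_forest" -eq 1 ] || echo MISSING:forest-zone
}

# zones_ok REALM  (same stdin): succeeds only when both required zones exist
zones_ok() {
    ! zone_status "$1" | grep -q '^MISSING:'
}

# Constructed sample 1: the healthy layout shown in the post above.
HEALTHY='dn: DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
dn: DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com'

# Constructed sample 2: only reverse zones and root hints under CN=System,
# no forward zone in either application partition.
LEGACY='dn: DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
dn: DC=10.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
dn: DC=11.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com'

printf '%s\n' "$HEALTHY" | zone_status samdom.example.com
echo ---
printf '%s\n' "$LEGACY" | zone_status samdom.example.com
```

The second sample prints two MISSING lines, which is the condition that makes a join fail with WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST when the new DC tries to register itself: there is no zone object in the application partition to hold its records. Reverse zones are reported but never counted as missing, matching the point above that they are optional.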
Mitja Tavčar
2024-Aug-11 14:51 UTC
[Samba] Problems on joining samba DC to a Windows Domain while adding DNS record for new DC
On Sat, 10/08/2024 at 09.29 +0100, Rowland Penny via samba wrote:
> On Sat, 10 Aug 2024 09:34:32 +0200
> Mitja Tavčar via samba <samba at lists.samba.org> wrote:
>
> > On Fri, 09/08/2024 at 17.32 +0100, Rowland Penny via samba wrote:
> > > On Fri, 09 Aug 2024 17:51:22 +0200
> > > Mitja Tavčar via samba <samba at lists.samba.org> wrote:
> > > >
> > > > The original domain was not deployed as 2008R2 but as Windows2000
> > > > and then upgraded to 2003 and subsequently to 2008R2 level. But
> > > > we have not encountered any problems so far.
> > >
> > > The DNS on a W2k is very different from what is used now, so when it
> > > was updated was the DNS updated as well ?
> >
> > Ok, according to the error that also popped out of Douglas's patch, it
> > should be a missing DNS zone in my DNS.
> >
> > (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
> >
> > > If it wasn't, then the base NC will not be there to put the dns
> > > record into.
> >
> > Maybe you know how I can check if the correct NC exists? With ADSI
> > Edit or some other tool?
> >
>
> Do you have any Linux domain clients ?
> If so try this command:
>
> sudo ldbsearch --cross-ncs --show-binary -H
> ldap://vmw2srvdc1.intra.comune.trento.it -P -b
> 'dc=intra,dc=comune,dc=trento,dc=it' -s sub '(objectclass=dnszone)' -d0
> | grep 'dn:'
>
> When I run the command, I get this:
>
> dn: DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> dn: DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> dn: DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> dn: DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> dn: DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
>
> Yours will not be in the same order, I have re-ordered them to explain
> them better.
> The first is the forward domain dns zone.
> The second is the forward forest dns zone.
> The third is the reverse zone and in this case isn't important; you may
> not have one, or you could have multiple, but they can be created/deleted at
> will.
> The final two are 'root' dns servers and are not used by Samba.

I ran the command as domain administrator:

sudo ldbsearch --cross-ncs --show-binary -H ldap://vmw2srvdc1.intra.comune.trento.it -P -b 'dc=intra,dc=comune,dc=trento,dc=it' -s sub '(objectclass=dnszone)' -d0 | grep 'dn:'

and received this response:

dn: DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=intra,DC=comune,DC=trento,DC=it
dn: DC=10.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=intra,DC=comune,DC=trento,DC=it
dn: DC=11.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=intra,DC=comune,DC=trento,DC=it
(...cut all similar lines...)
dn: DC=27.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=intra,DC=comune,DC=trento,DC=it
dn: DC=43.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=intra,DC=comune,DC=trento,DC=it
dn: DC=37.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=intra,DC=comune,DC=trento,DC=it

I can see that, apart from the reverse zone records, only one of the 'root' dns server records exists in my directory. So almost all the relevant top-level DNS objects are missing. I think I need to verify and correct the zones in Active Directory and maybe recreate them. The system is in production and so I think I will have to plan to work with some notice.

Thank you for the help

Mitja Tavčar