samba - Oct 2012 - Internal DNS replication and how to fix

Hi All,

First, off I'm a bit of a n00b w/Samba4 so I'll apologize ahead of time 
if any of this seems obvious/trivial.  I'm working with Samba RC1 tar 
build and trying to get DNS replication working. Right how I get the 
following under

--snip--

==== KCC CONNECTION OBJECTS ===Connection --
Connection name: fa253d86-3549-4208-ab29-a0d702ccdb02
Enabled        : TRUE
Server DNS name : target.OwnerIQ.local
     Server DN name  : CN=NTDS 
Settings,CN=TARGET,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
     TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!

I only have one server running W2k3 SP1.  I have trolled Google and read 
that both the internal DNS does not replicate some objects and that 
dynamic updates are not fully functional.  But, even after reading a 
bunch of documents, it's not clear /how/I fix that.  I've read that the 
replication is not complete on a additional DC and that it has to be 
done manually.  Not sure if that has anything to do with the 
"samba_upgradedns" command (which I ran, it complained about not
having
a zone file in /usr/local/samba/private/dns but all else seemed well).  
I also ran "samba_dnsupdate --verbose" and while that seemed alright,
I
did notice:

schema_fsmo_init: we are master[no] updates allowed[no]
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}

Shouldn't updates allowed be yes if I added "allow dns updates =
true"
in smb.conf?  One final note, I do have my resolv.conf pointing to my 
Win2k3 as the first DNS server.

My end goal is to replace the 2k3 server with Samba4 so, either way, if 
internal DNS is not an option right now because it hasn't matured, I'm 
tempted, based on what I've read, to try BIND to get around the internal 
problems.  I have that built with Bind 9.8.3 with the following:
./configure --prefix=/var/named --bindir=/usr/bin --sbindir=/usr/sbin 
--sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include 
--libdir=/usr/lib 
--libexecdir=/usr/libexe --sharedstatedir=/var/lib --with-libtool 
--enable-threads  --with-dlopen --with-gssapi

I would be willing to try the switch over but, while it's clear how to 
switch the backend (--/dns/-/backend=/BIND_DLZ) when provisioning Samba, 
how would I do this from a join perspective? Thanks in advance for any help!

-Brett

On 10/05/2012 07:57 AM, Brett Rowley wrote:
> Hi All,
>
> First, off I'm a bit of a n00b w/Samba4 so I'll apologize ahead of 
> time if any of this seems obvious/trivial.  I'm working with Samba RC1 
> tar build and trying to get DNS replication working. Right how I get 
> the following under
>
> --snip--
>
> ==== KCC CONNECTION OBJECTS ===> Connection --
> Connection name: fa253d86-3549-4208-ab29-a0d702ccdb02
> Enabled        : TRUE
> Server DNS name : target.OwnerIQ.local
>     Server DN name  : CN=NTDS 
>
Settings,CN=TARGET,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
>     TransportType: RPC
> options: 0x00000001
> Warning: No NC replicated for Connection!
Is it the result of repadmin ?
Can you send it in total ?
Can you do samba-tool drs showrepl on the samba server ?
>
> I only have one server running W2k3 SP1.  I have trolled Google and 
> read that both the internal DNS does not replicate some objects and 
> that dynamic updates are not fully functional. 
The updates are fixed as for the non replication of some object I never 
heard of it at least not on purpose.
> But, even after reading a bunch of documents, it's not clear /how/I 
> fix that.  I've read that the replication is not complete on a 
> additional DC and that it has to be done manually.  Not sure if that 
> has anything to do with the "samba_upgradedns" command (which I
ran,
> it complained about not having a zone file in 
> /usr/local/samba/private/dns but all else seemed well).
So for the moment when a second samba DC joins an active directory 
domain it didn't replicate the dns zones by default
>   I also ran "samba_dnsupdate --verbose" and while that seemed 
> alright, I did notice:
>
> schema_fsmo_init: we are master[no] updates allowed[no]
> Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}
That's normal most probably the FSMO for PDC is on you windows
DC.
>
> Shouldn't updates allowed be yes if I added "allow dns updates =
true"
no you should use allow dns updates = signed but it should be the 
default now.
> in smb.conf?  One final note, I do have my resolv.conf pointing to my 
> Win2k3 as the first DNS server.
That shouldn't be too much of a problem.
>
> My end goal is to replace the 2k3 server with Samba4 so, either way, 
> if internal DNS is not an option right now because it hasn't matured, 
> I'm tempted, based on what I've read, to try BIND to get around the
> internal problems.  I have that built with Bind 9.8.3 with the following:
> ./configure --prefix=/var/named --bindir=/usr/bin --sbindir=/usr/sbin 
> --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include 
> --libdir=/usr/lib --libexecdir=/usr/libexe --sharedstatedir=/var/lib 
> --with-libtool --enable-threads  --with-dlopen --with-gssapi
>
> I would be willing to try the switch over but, while it's clear how to 
> switch the backend (--/dns/-/backend=/BIND_DLZ) when provisioning 
> Samba, how would I do this from a join perspective? Thanks in advance 
> for any help!
So I'm not too surprised that you run in such trouble for applications 
partitions as we have some bugs in the way we mark application 
partitions: 9200 & 9201
https://bugzilla.samba.org/show_bug.cgi?id=9201
https://bugzilla.samba.org/show_bug.cgi?id=9200

All of this should be resolvable hopefully.

Matthieu

-- 
Matthieu Patou
Samba Team
http://samba.org