Dear list,
I tried to replace the AD DC in my home network (all running samba-4.2.0rc2).
I followed this procedure:
- setup and join DC2 to the domain served by DC1
- transfer FSMO
- demote and switch off DC1
and as there were still remnants of DC1 in the domain:
- wipe out the traces of DC1 in ADUC.
The first issue is, that not all the traces could be
wiped out. ADUC refuses to do so while complaining about
missing permissions.
The second issue was, that bind didn't come up after
the scrubbing procedure:
Oct 18 20:08:12 DC2 named[1733]: samba_dlz: configured writeable zone
'samdom.samba.org'
Oct 18 20:08:12 DC2 named[1733]: zone _msdcs.samdom.samba.org/NONE: has no NS
records
Oct 18 20:08:12 DC2 named[1733]: samba_dlz: Failed to configure zone
'_msdcs.samdom.samba.org'
Oct 18 20:08:12 DC2 named[1733]: loading configuration: bad zone
Oct 18 20:08:12 DC2 named[1733]: exiting (due to fatal error)
I could this fix up by doing:
samba-tool dns add DC2 _msdcs.samdom.samba.org @ NS DC2.samdom.samba.org
-Uadministrator
- apparently I had deleted the record
@ IN NS DC1.samdom.samba.org.
I think, that it is a bug, that this entry is on DC2.
Seen from a BIND9 view, there are two master DNS server
in the net, which have exactly the same entries in their
zone files, e.g.:
$TTL 86400
@ IN SOA dns.samdom.samba.org admin.samdom.samba.org. (
... -> SOA goes here
@ IN NS DC1.samdom.samba.org.
DC1.samdom.samba.org. IN A 192.168.1.1
DC2.samdom.samba.org. IN A 192.168.1.2
But I think, on the second server the zone file should
look like this:
$TTL 86400
@ IN SOA dns.samdom.samba.org admin.samdom.samba.org. (
... -> SOA goes here
@ IN NS DC2.samdom.samba.org.
DC1.samdom.samba.org. IN A 192.168.1.1
DC2.samdom.samba.org. IN A 192.168.1.2
, i.e. the NS entry should point to the server itself.
Then both servers have a valid configuration as master DNS.
A second option would be to modify the NS record when doing
a FSMO transfer. But it is definitely a bug, when it points
to a demoted server after demoting.
And - if I was in the position to express a wish: it would
be nice, if samba-tool (or some other) could wipe out
traces of demoted domain controllers. That would really
be a great thing.
Best regards
Peter
PS: I would be pretty surprised, if this was only a 4.2.0rcx
issue...
