On Sun, 10 May 2015, Rowland Penny wrote:

> Have you really got 19 reverse zones for your samba 4 active directory ?

Yep :-)

> Can you try running 'samba-tool ldapcmp ldap://<YOUR_FIRST_DC> ldap://<YOUR_SECOND_DC>

Interesting. DC1 and DC2 have many differences; DC1 and DC3 are the same. Maybe I will demote DC2 and join it again.

> Check if you actually have dns records:

For DC1 (host name baxter):

dn: DC=baxter,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150430150532.0Z
whenChanged: 20150430150532.0Z
uSNCreated: 4725
uSNChanged: 4725
showInAdvancedViewOnly: TRUE
name: baxter
objectGUID: 739a5762-719a-44d2-968e-f8b12f5bc07b
dnsRecord:: BAABAAXwAAAWAAAAAAADhAAAAAAnazcAChbICw=
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
dc: baxter
distinguishedName: DC=baxter,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu

For DC2 (host name bear):

dn: DC=bear,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150504141356.0Z
whenChanged: 20150504141356.0Z
uSNCreated: 4897
uSNChanged: 4897
showInAdvancedViewOnly: TRUE
name: bear
objectGUID: 93d1aaa6-8c41-4754-8b27-370870b9129d
dnsRecord:: BAABAAXwAAA1AAAAAAADhAAAAACGazcAChbIDA=
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
dc: bear
distinguishedName: DC=bear,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu

and for DC3 (host name benford):

dn: DC=benford,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150504150126.0Z
whenChanged: 20150504150126.0Z
uSNCreated: 4996
uSNChanged: 4996
showInAdvancedViewOnly: TRUE
name: benford
objectGUID: 6701ab99-d883-44da-8ebf-769a98274a2c
dnsRecord:: BAABAAXwAABGAAAAAAADhAAAAACHazcAChbIDQ=
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
dc: benford
distinguishedName: DC=benford,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu

> To see defined zones:

2 zone(s) found

  pszZoneName                 : europa.icse.cornell.edu
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.europa.icse.cornell.edu

  pszZoneName                 : _msdcs.europa.icse.cornell.edu
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.europa.icse.cornell.edu

with identical output from all three DCs.

> To see dns server info:

  dwVersion                   : 0xece0205
  fBootMethod                 : DNS_BOOT_METHOD_DIRECTORY
  fAdminConfigured            : FALSE
  fAllowUpdate                : TRUE
  fDsAvailable                : TRUE
  pszServerName               : BAXTER.europa.icse.cornell.edu
  pszDsContainer              : CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
  aipServerAddrs              : ['10.22.200.11', '127.0.0.1']
  aipListenAddrs              : ['10.22.200.11', '127.0.0.1']
  aipForwarders               : []
  dwLogLevel                  : 0
  dwDebugLevel                : 0
  dwForwardTimeout            : 3
  dwRpcPrototol               : 0x5
  dwNameCheckFlag             : DNS_ALLOW_MULTIBYTE_NAMES
  cAddressAnswerLimit         : 0
  dwRecursionRetry            : 3
  dwRecursionTimeout          : 8
  dwMaxCacheTtl               : 86400
  dwDsPollingInterval         : 180
  dwScavengingInterval        : 0
  dwDefaultRefreshInterval    : 168
  dwDefaultNoRefreshInterval  : 168
  fAutoReverseZones           : FALSE
  fAutoCacheUpdate            : FALSE
  fRecurseAfterForwarding     : FALSE
  fForwardDelegations         : TRUE
  fNoRecursion                : FALSE
  fSecureResponses            : FALSE
  fRoundRobin                 : TRUE
  fLocalNetPriority           : FALSE
  fBindSecondaries            : FALSE
  fWriteAuthorityNs           : FALSE
  fStrictFileParsing          : FALSE
  fLooseWildcarding           : FALSE
  fDefaultAgingState          : FALSE
  dwRpcStructureVersion       : 0x2
  aipLogFilter                : []
  pwszLogFilePath             : None
  pszDomainName               : europa.icse.cornell.edu
  pszForestName               : europa.icse.cornell.edu
  pszDomainDirectoryPartition : DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
  pszForestDirectoryPartition : DC=ForestDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
  dwLocalNetPriorityNetMask   : 0xff
  dwLastScavengeTime          : 0
  dwEventLogLevel             : 4
  dwLogFileMaxSize            : 0
  dwDsForestVersion           : 2
  dwDsDomainVersion           : 2
  dwDsDsaVersion              : 4
  fReadOnlyDC                 : FALSE

and on DC2 and DC3 they are the same, except for host names and IP addresses.

There were two DCs that were members of the configuration for about two years; these two were demoted and the three that I have now were added recently. Maybe something went wrong with the demotion of the original two, but the BIND problem did not surface until yesterday evening; the BIND servers had been restarted multiple times before then (and after the demotion of the original two).

-Steve

-- 
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
  "186,282 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------
On 10/05/15 15:34, Steve Thompson wrote:
> On Sun, 10 May 2015, Rowland Penny wrote:
>
>> Have you really got 19 reverse zones for your samba 4 active directory ?
>
> Yep :-)

Why? And why don't they show up when you ask for the zones with samba-tool?

>> Can you try running 'samba-tool ldapcmp ldap://<YOUR_FIRST_DC>
>> ldap://<YOUR_SECOND_DC>
>
> Interesting. DC1 and DC2 have many differences; DC1 and DC3 are the
> same. Maybe I will demote DC2 and join it again.

Just check that it isn't just non-replicating attributes that are different.

>> Check if you actually have dns records:
>
> For DC1 (host name baxter):
>
> dn: DC=baxter,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20150430150532.0Z
> whenChanged: 20150430150532.0Z
> uSNCreated: 4725
> uSNChanged: 4725
> showInAdvancedViewOnly: TRUE
> name: baxter
> objectGUID: 739a5762-719a-44d2-968e-f8b12f5bc07b
> dnsRecord:: BAABAAXwAAAWAAAAAAADhAAAAAAnazcAChbICw=
> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> dc: baxter
> distinguishedName: DC=baxter,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>
> For DC2 (host name bear):
>
> dn: DC=bear,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20150504141356.0Z
> whenChanged: 20150504141356.0Z
> uSNCreated: 4897
> uSNChanged: 4897
> showInAdvancedViewOnly: TRUE
> name: bear
> objectGUID: 93d1aaa6-8c41-4754-8b27-370870b9129d
> dnsRecord:: BAABAAXwAAA1AAAAAAADhAAAAACGazcAChbIDA=
> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> dc: bear
> distinguishedName: DC=bear,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>
> and for DC3 (host name benford):
>
> dn: DC=benford,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20150504150126.0Z
> whenChanged: 20150504150126.0Z
> uSNCreated: 4996
> uSNChanged: 4996
> showInAdvancedViewOnly: TRUE
> name: benford
> objectGUID: 6701ab99-d883-44da-8ebf-769a98274a2c
> dnsRecord:: BAABAAXwAABGAAAAAAADhAAAAACHazcAChbIDQ=
> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> dc: benford
> distinguishedName: DC=benford,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>
>> To see defined zones:
>
> 2 zone(s) found
>
>   pszZoneName                 : europa.icse.cornell.edu
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.europa.icse.cornell.edu
>
>   pszZoneName                 : _msdcs.europa.icse.cornell.edu
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.europa.icse.cornell.edu
>
> with identical output from all three DCs.
>
>> To see dns server info:
>
>   dwVersion                   : 0xece0205
>   fBootMethod                 : DNS_BOOT_METHOD_DIRECTORY
>   fAdminConfigured            : FALSE
>   fAllowUpdate                : TRUE
>   fDsAvailable                : TRUE
>   pszServerName               : BAXTER.europa.icse.cornell.edu
>   pszDsContainer              : CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>   aipServerAddrs              : ['10.22.200.11', '127.0.0.1']
>   aipListenAddrs              : ['10.22.200.11', '127.0.0.1']
>   aipForwarders               : []
>   dwLogLevel                  : 0
>   dwDebugLevel                : 0
>   dwForwardTimeout            : 3
>   dwRpcPrototol               : 0x5
>   dwNameCheckFlag             : DNS_ALLOW_MULTIBYTE_NAMES
>   cAddressAnswerLimit         : 0
>   dwRecursionRetry            : 3
>   dwRecursionTimeout          : 8
>   dwMaxCacheTtl               : 86400
>   dwDsPollingInterval         : 180
>   dwScavengingInterval        : 0
>   dwDefaultRefreshInterval    : 168
>   dwDefaultNoRefreshInterval  : 168
>   fAutoReverseZones           : FALSE
>   fAutoCacheUpdate            : FALSE
>   fRecurseAfterForwarding     : FALSE
>   fForwardDelegations         : TRUE
>   fNoRecursion                : FALSE
>   fSecureResponses            : FALSE
>   fRoundRobin                 : TRUE
>   fLocalNetPriority           : FALSE
>   fBindSecondaries            : FALSE
>   fWriteAuthorityNs           : FALSE
>   fStrictFileParsing          : FALSE
>   fLooseWildcarding           : FALSE
>   fDefaultAgingState          : FALSE
>   dwRpcStructureVersion       : 0x2
>   aipLogFilter                : []
>   pwszLogFilePath             : None
>   pszDomainName               : europa.icse.cornell.edu
>   pszForestName               : europa.icse.cornell.edu
>   pszDomainDirectoryPartition : DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>   pszForestDirectoryPartition : DC=ForestDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>   dwLocalNetPriorityNetMask   : 0xff
>   dwLastScavengeTime          : 0
>   dwEventLogLevel             : 4
>   dwLogFileMaxSize            : 0
>   dwDsForestVersion           : 2
>   dwDsDomainVersion           : 2
>   dwDsDsaVersion              : 4
>   fReadOnlyDC                 : FALSE
>
> and on DC2 and DC3 they are the same, except for host names and IP
> addresses.
>
> There were two DCs that were members of the configuration for about
> two years; these two were demoted and the three that I have now were
> added recently. Maybe something went wrong with the demotion of the
> original two, but the BIND problem did not surface until yesterday
> evening; the BIND servers had been restarted multiple times before
> then (and after the demotion of the original two).
>
> -Steve

Check your FSMO roles.

Rowland
Rowland,

Thank you very much for your attention to this. You should get a medal for all the help you give everyone on this list.

On Sun, 10 May 2015, Rowland Penny wrote:

> Why? And why don't they show up when you ask for the zones with samba-tool?

I have that many subnets. As for why they don't show up: they are defined in BIND's configuration and not samba's; they never did show up with samba-tool. I wasn't expecting that they should.

> Just check that it isn't just non-replicating attributes that are different.

It looks like a real problem. This is what I get when I compare DC1 and DC2 (again, DC1 and DC3 are the same):

* Result for [DOMAIN]: FAILURE

    Attributes found only in ldap://baxter:
        isCriticalSystemObject
        cn
        ipsecName
        fSMORoleOwner
        objectClass
        ipsecISAKMPReference
        iPSECNegotiationPolicyAction
        showInAdvancedViewOnly
        ipsecFilterReference
        priorSetTime
        instanceType
        ipsecOwnersReference
        distinguishedName
        ipsecNFAReference
        msDS-TombstoneQuotaFactor
        ipsecData
        description
        objectCategory
        objectGUID
        whenCreated
        systemFlags
        ipsecNegotiationPolicyReference
        ipsecID
        lastSetTime
        iPSECNegotiationPolicyType
        name
        memberOf
        ipsecDataType

* Result for [CONFIGURATION]: FAILURE

    Attributes found only in ldap://baxter:
        distinguishedName
        isCriticalSystemObject
        name
        objectCategory
        objectClass
        msDS-Behavior-Version
        description
        msDS-TombstoneQuotaFactor
        objectGUID
        showInAdvancedViewOnly
        systemFlags
        whenCreated
        fSMORoleOwner
        instanceType
        cn

* Result for [DNSDOMAIN]: FAILURE

    Attributes found only in ldap://baxter:
        distinguishedName
        isCriticalSystemObject
        cn
        objectCategory
        objectClass
        objectGUID
        whenCreated
        showInAdvancedViewOnly
        systemFlags
        instanceType
        name

* Result for [DNSFOREST]: FAILURE

    Attributes found only in ldap://baxter:
        distinguishedName
        isCriticalSystemObject
        cn
        objectCategory
        objectClass
        objectGUID
        whenCreated
        showInAdvancedViewOnly
        systemFlags
        instanceType
        name

and everything else is in order. "samba-tool drs showrepl" shows no problems.

> Check your FSMO roles.

I've done that; this appears to be in order (DC1 = baxter):

InfrastructureMasterRole owner: CN=NTDS Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
RidAllocationMasterRole owner: CN=NTDS Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
DomainNamingMasterRole owner: CN=NTDS Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
SchemaMasterRole owner: CN=NTDS Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu

-Steve
On Sun, 10 May 2015, Steve Thompson wrote:

> On Sun, 10 May 2015, Rowland Penny wrote:
>> Can you try running 'samba-tool ldapcmp ldap://<YOUR_FIRST_DC>
>> ldap://<YOUR_SECOND_DC>
> Interesting. DC1 and DC2 have many differences; DC1 and DC3 are the same.

Turns out I made a dumb mistake. I did a kinit before ldapcmp, but omitted the "-k 1" on the latter. When I do it correctly, all three DCs are exactly the same. Phew.

Steve
> Turns out I made a dumb mistake. I did a kinit before ldapcmp, but
> omitted the "-k 1" on the latter. When I do it correctly, all three DCs
> are exactly the same. Phew.

I thought kinit is not required on samba-tool ldapcmp. I just tried _with_ kinit, and only saw the same differences on whenChanged.

MJ