Hi all,

I posted on both mailing lists as this seems to be (to me) an internal issue.

As 4.3.1 went out I decided to switch my DCs from 4.3.0 to this new version.

The process was to install Samba 4.3.1 on new systems, join these Samba systems as DCs, seize the FSMO roles, and demote all 4.3.0 DCs.

The few things I tested until now are working, except for DNS entries: samba_dnsupdate is not working as it tries to update the DNS zone on a removed DC.

This is the beginning of the samba_dnsupdate result. This was run on the 7 FSMO owner.
This new FSMO owner is m700 with IP set to 10.156.248.216.
The old FSMO owner is m707 with IP set to 10.156.248.238; this one was running 4.3.0.

--------------------------------------------------------------------------------
ldbsearch -H $sam -b 'OU=Domain controllers,DC=AD,DC=DOMAIN,DC=TLD' '(objectclass=computer)' dn
# record 1
dn: CN=M700,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

# record 2
dn: CN=M701,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

# record 3
dn: CN=M702,OU=Domain Controllers,DC=ad,DC=domain,DC=tld

# returned 3 records
# 3 entries
# 0 referrals
--------------------------------------------------------------------------------
shows only the 3 DCs using 4.3.1.

All the FSMO roles are owned by m700.

--------------------------------------------------------------------------------
samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
InfrastructureMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
RidAllocationMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
DomainNamingMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=domain,DC=tld
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=M700,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=ad,DC=domain,DC=tld
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
samba_dnsupdate --all-names --verbose --all-interfaces
IPs: ['10.156.248.216']
Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
m700.ad.domain.tld. 900 IN A 10.156.248.216

; Communication with 10.156.248.238#53 failed: operation canceled
could not talk to any default name server
Failed nsupdate: 1
Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ad.domain.tld. 900 IN A 10.156.248.216
.....
--------------------------------------------------------------------------------

As samba_dnsupdate shows, it tries to contact the old FSMO owner as it is declared as SOA for that AD DNS zone:

--------------------------------------------------------------------------------
host -t SOA ad.domain.tld
ad.domain.tld has SOA record m707.ad.domain.tld. hostmaster.ad.domain.tld. 1 900 600 86400 3600
--------------------------------------------------------------------------------

And this leads to:

--------------------------------------------------------------------------------
host -t SRV _ldap._tcp.gc._msdcs.ad.domain.tld
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m709.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m700.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m708.ad.domain.tld.
_ldap._tcp.gc._msdcs.ad.domain.tld has SRV record 0 100 3268 m707.ad.domain.tld.
--------------------------------------------------------------------------------

m707, m708 and m709 are removed DCs.
m700, m701 and m702 are new DCs.

So during demote no DC was removed from the DNS zone, at least for that specific record.
During join only one DC was added; perhaps it was during seizing, no real idea as I trusted Samba to perform the relevant changes in the DNS zone.
During FSMO seizing the SOA was not changed.

I tried to use samba-tool dns update to modify the SOA but without success, so I used RSAT.
I did update the SOA for both zones AD.DOMAIN.TLD and _msdcs.AD.DOMAIN.TLD.

samba_dnsupdate was not working really better following that; it stopped showing lines like:
; Communication with 10.156.248.238#53 failed: operation canceled
but that is the only relevant change I saw (note: I'm ill today so I could easily have been lacking attention).

Still using RSAT, I manually removed all entries I spotted regarding all 3 old DCs.

Now on the FSMO owner, running samba_dnsupdate without options gives no errors.
With --all-names I've got these two errors:
couldn't get address for 'm707.ad.domain.tld': not found (10 times)
; TSIG error with server: tsig verify failure (17 times)

and it finished with:
Failed update of 27 entries

On the two other DCs:
samba_dnsupdate
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
response to GSS-TSIG query was unsuccessful
Failed update of 8 entries

Finally, as adding --verbose gives which entry this tool was supposed to add, I wrote an awk script to extract that information to re-run the "samba-tool dns add" command.

Perhaps it is because I performed this update on the FSMO owner rather than on the current DC (using <server> from the help equal to the FSMO owner name) that all the missing ones were added.

In attachment is the awk script I used to solve that. To run it:
samba_dnsupdate --verbose | awk -f dnsupdate.awk

What all that shows is that there are still some real issues with DNS entries.

I'll try to get time to retry the whole process soon: creating a domain with several DCs with 4.3.0, adding DCs using 4.3.1, removing all DCs using 4.3.0 after seizing FSMO roles.

Hoping I was clear enough...

Best regards,

mathias
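The awk script attached to the message above is not part of this archive page. As an added example (my code, not the poster's script and not part of Samba), the following Python does the same job the script is described as doing: it parses the "Calling nsupdate for ..." lines that samba_dnsupdate --verbose prints and emits one samba-tool dns add command per "add" entry, addressed to a working DC, so the records the failing nsupdate could not register can be created directly. "delete" entries are reported for manual review rather than turned into commands, since stale records for removed DCs are exactly what the thread is about. The two A lines and the nsupdate failure in the sample are copied from the post; the SRV, CNAME and delete line layouts, the zone list, the dummy GUID and the server name m700 are assumptions, as is the use of "@" for a record at the zone apex.

```python
import re
import shlex
import sys

# Constructed sample of `samba_dnsupdate --verbose` output. The two A lines and
# the nsupdate failure are copied from the post above; the SRV, CNAME and
# delete lines follow the "TYPE name target [port] (op)" layout samba_dnsupdate
# prints for those types (assumption: check against your own output), and the
# GUID is a dummy value.
SAMPLE_VERBOSE_OUTPUT = """\
IPs: ['10.156.248.216']
Calling nsupdate for A m700.ad.domain.tld 10.156.248.216 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
; Communication with 10.156.248.238#53 failed: operation canceled
could not talk to any default name server
Failed nsupdate: 1
Calling nsupdate for A ad.domain.tld 10.156.248.216 (add)
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.ad.domain.tld m700.ad.domain.tld 3268 (add)
Calling nsupdate for CNAME 00000000-0000-0000-0000-000000000000._msdcs.ad.domain.tld m700.ad.domain.tld (add)
Calling nsupdate for A m707.ad.domain.tld 10.156.248.238 (delete)
"""

# DNS zones this domain hosts (the two zones named in the post).
ZONES = ("ad.domain.tld", "_msdcs.ad.domain.tld")

CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.+?) \((add|delete)\)$")


def split_zone(fqdn, zones=ZONES):
    """Map an FQDN to (zone, relative name); '@' denotes the zone apex.

    The longest matching zone wins, so names under _msdcs.ad.domain.tld are
    not misfiled into the parent zone ad.domain.tld.
    """
    fqdn = fqdn.rstrip(".")
    for zone in sorted(zones, key=len, reverse=True):
        if fqdn == zone:
            return zone, "@"
        if fqdn.endswith("." + zone):
            return zone, fqdn[: -(len(zone) + 1)]
    raise ValueError("no hosted zone matches %r" % fqdn)


def parse_calls(verbose_output):
    """Return (type, name, data fields, op) for each 'Calling nsupdate' line."""
    entries = []
    for line in verbose_output.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            rtype, name, rest, op = m.groups()
            entries.append((rtype, name, rest.split(), op))
    return entries


def samba_tool_data(rtype, fields):
    """Render record data the way `samba-tool dns add` expects it."""
    if rtype in ("A", "AAAA", "CNAME", "NS"):
        return fields[0]
    if rtype == "SRV":
        target, port = fields
        # samba-tool wants "target port priority weight"; the DC records in
        # the post's `host -t SRV` output carry priority 0 and weight 100.
        return "%s %s 0 100" % (target, port)
    raise ValueError("unsupported record type %s" % rtype)


def build_commands(verbose_output, server, zones=ZONES):
    """Build one `samba-tool dns add` command line per 'add' entry.

    'delete' entries are returned separately so stale records for removed
    DCs can be reviewed by hand instead of being removed blindly.
    """
    adds, deletes = [], []
    for rtype, name, fields, op in parse_calls(verbose_output):
        zone, rel = split_zone(name, zones)
        data = samba_tool_data(rtype, fields)
        if op == "add":
            adds.append(" ".join(["samba-tool", "dns", "add", server, zone,
                                  rel, rtype, shlex.quote(data)]))
        else:
            deletes.append((zone, rel, rtype, data))
    return adds, deletes


if __name__ == "__main__":
    # Usage: samba_dnsupdate --verbose | python dnsupdate_to_sambatool.py m700
    text = SAMPLE_VERBOSE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    server = sys.argv[1] if len(sys.argv) > 1 else "m700"  # assumed DC name
    adds, deletes = build_commands(text, server)
    print("\n".join(adds))
    for zone, rel, rtype, data in deletes:
        print("# review: %s %s %s %s is still registered; remove by hand"
              % (zone, rel, rtype, data))
```

The script prints the commands instead of executing them, so the list can be checked against `samba-tool dns query` on the target DC before anything is written to the zone; the server argument should be a DC whose DNS is known to answer, which in the thread is the new FSMO owner rather than the host named in the stale SOA.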
I forgot to add the samba-technical address... Sorry about that.

2015-10-23 14:03 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> Hi all,
>
> I posted on both mailing lists as this seems to be (to me) an internal issue.
>
> As 4.3.1 went out I decided to switch my DCs from 4.3.0 to this new
> version.
>
> The process was to install Samba 4.3.1 on new systems, joining these Samba
> as DC, seizing FSMO roles, demote all 4.3.0.
>
> The few I tested until now is working except for DNS entries:
> samba_dnsupdate is not working as it tries to update DNS zone on removed DC.
> [...]
>
> Best regards,
>
> mathias
Hi,

If you just upgraded / changed the Samba servers, then most probably replication is in progress..

Depending on the number of objects this can take some time, so don't be too quick with checking.

So take some time and wait... get coffee (maybe beer) ;-)
Get this script, if needed change it, and run it:

https://secure.bazuin.nl/scripts/samba-check-db-repl.sh
It checks up to 10 domain controllers for database replication.
It explains itself.

And for the needed DNS records, see my previous mail. ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> Sent: Friday 23 October 2015 14:03
> To: samba
> Subject: [Samba] DC replacement and DNS issue
>
> Hi all,
>
> I posted on both mailing lists as this seems to be (to me) an internal issue.
>
> As 4.3.1 went out I decided to switch my DCs from 4.3.0 to this new
> version.
>
> The process was to install Samba 4.3.1 on new systems, joining these Samba
> as DC, seizing FSMO roles, demote all 4.3.0.
>
> The few I tested until now is working except for DNS entries:
> samba_dnsupdate is not working as it tries to update DNS zone on removed
> DC.
> [...]
On 23/10/15 13:03, mathias dufresne wrote:
> Hi all,
>
> I posted on both mailing lists as this seems to be (to me) an internal issue.
>
> As 4.3.1 went out I decided to switch my DCs from 4.3.0 to this new
> version.
>
> The process was to install Samba 4.3.1 on new systems, joining these Samba
> as DC, seizing FSMO roles, demote all 4.3.0.
>
> The few I tested until now is working except for DNS entries:
> samba_dnsupdate is not working as it tries to update DNS zone on removed DC.
> [...]
> During fsmo seizing SOA was not changed.
> [...]
> On the two others DC
> samba_dnsupdate
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> response to GSS-TSIG query was unsuccessful
> Failed update of 8 entries
> [...]
>
> Best regards,
>
> mathias

I wonder if this has anything to do with the problems I had when joining a second DC; 'response to GSS-TSIG query was unsuccessful' looks very familiar.

Transferring or seizing a FSMO role has nothing to do with the SOA, but if samba-tool is not changing the SOA record then this seems like another bug.

Rowland
Hey,

Thank you Louis for this script; I haven't yet taken time to dig in, but I will.
I didn't take time to perform another test either. That should be done today.

Anyway, I waited for DC synchronisation before posting. I joined my DCs and removed the old ones almost at the same time, then I gave my DCs more than 12 hours to synchronize. Then I tried to understand what happened, I wrote the script and posted that message, re-testing samba_dnsupdate again and again during those hours (hours which took place after the 12 hours for synchro).

So I expect there is something wrong in 4.3.1 DNS entries creation/renaming.

And as I modified the SOA by hand using ADUC, and samba_dnsupdate was not working to remove old entries (for removed DCs) and was also not working to add DNS entries for new DCs, I expect the issue is in samba_dnsupdate (but I could be completely wrong : )

Cheers,

mathias

2015-10-23 14:17 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> Hi,
>
> If you just upgraded / changed the Samba servers, then most probably
> replication is in progress..
>
> Depending on the number of objects this can take some time, so don't be too
> quick with checking.
>
> So take some time and wait... get coffee (maybe beer) ;-)
> Get this script, if needed change it, and run it:
>
> https://secure.bazuin.nl/scripts/samba-check-db-repl.sh
> It checks up to 10 domain controllers for database replication.
> It explains itself.
>
> And for the needed DNS records, see my previous mail. ;-)
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias
> dufresne
> > Sent: Friday 23 October 2015 14:03
> > To: samba
> > Subject: [Samba] DC replacement and DNS issue
> >
> > Hi all,
> >
> > I posted on both mailing lists as this seems to be (to me) an internal issue.
> >
> > As 4.3.1 went out I decided to switch my DCs from 4.3.0 to this new
> > version.
> > [...]
> > > > I'll try to get time to retry the whole process soon: creating a domain > > with several DC with 4.3.0, adding DC using 4.3.1, removing all DC using > > 4.3.0 after seizing FSMO roles. > > > > Hoping I was clear enough... > > > > Best regards, > > > > mathias > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
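The quoted message describes turning the "Calling nsupdate for ... (add)" lines of `samba_dnsupdate --verbose` into `samba-tool dns add` commands, but the awk script itself is an attachment that is not on this page. The shell script below is an added example written for this edit, not the poster's script and not part of Samba. It assumes the zone list (`ZONES`, set here to the thread's two zones `ad.domain.tld` and `_msdcs.ad.domain.tld`), that SRV and CNAME lines follow the same "`<type> <name> <target> [<port>]`" layout the A lines in the post show, that Samba registers SRV records with priority 0 and weight 100 (as the `host -t SRV` output above shows), and that `@` names the zone apex for `samba-tool dns add`. The sample input in the test is constructed. Commands are printed, not executed, so they can be reviewed before being piped into `sh` on the DC where `samba-tool` has credentials.

```shell
#!/bin/sh
# Added example (not the poster's attached awk script): convert the
# "Calling nsupdate for ... (add)" lines of "samba_dnsupdate --verbose"
# into "samba-tool dns add" commands, so records that a failing GSS-TSIG
# update could not register can be added over the AD DNS RPC interface.
# Commands are printed for review; pipe the result into sh to apply them.

# AD-hosted zones; the longest matching suffix wins, so names under
# _msdcs.<domain> land in that zone and not in the parent. Constructed to
# match the thread's domain: adjust for your own forest.
ZONES="ad.domain.tld _msdcs.ad.domain.tld"

# zone_for <fqdn>: print "<relative-name> <zone>", "@" for the zone apex.
# Returns 1 when the name belongs to none of $ZONES.
zone_for() {
    fqdn=$1
    best=""
    for z in $ZONES; do
        case "$fqdn" in
            "$z"|*."$z")
                if [ ${#z} -gt ${#best} ]; then best=$z; fi ;;
        esac
    done
    [ -n "$best" ] || return 1
    if [ "$fqdn" = "$best" ]; then rel="@"; else rel=${fqdn%."$best"}; fi
    printf '%s %s\n' "$rel" "$best"
}

# dnsupdate_to_cmds <dc>: read "samba_dnsupdate --verbose" output on stdin and
# print one "samba-tool dns add <dc> <zone> <name> <type> <data>" line per
# record it was trying to add. Assumed line layout (A shape is visible in
# the post): A/AAAA "<type> <name> <ip>", CNAME/NS "<type> <name> <dest>",
# SRV "<type> <name> <target> <port>". samba-tool wants SRV data as
# "<target> <port> <priority> <weight>"; Samba registers SRV with 0 100.
dnsupdate_to_cmds() {
    dc=$1
    while IFS= read -r line; do
        case "$line" in
            "Calling nsupdate for "*) ;;
            *) continue ;;
        esac
        set -- ${line#Calling nsupdate for }
        type=$1
        name=$2
        case "$type" in
            A|AAAA|CNAME|NS) data=$3; op=$4 ;;
            SRV)             data="$3 $4 0 100"; op=$5 ;;
            *) continue ;;                      # other kinds: review by hand
        esac
        [ "$op" = "(add)" ] || continue         # skip deletes and anything odd
        zr=$(zone_for "$name") || continue      # name outside our zones
        rel=${zr% *}
        zone=${zr#* }
        printf "samba-tool dns add %s %s %s %s '%s'\n" \
            "$dc" "$zone" "$rel" "$type" "$data"
    done
}

# Usage on the DC whose records are missing (m700 in the thread):
#   samba_dnsupdate --verbose --all-names | dnsupdate_to_cmds m700 | less
#   samba_dnsupdate --verbose --all-names | dnsupdate_to_cmds m700 | sh
```

Pointing `<dc>` at the DC that actually serves the zone (the poster used the FSMO owner) avoids a second round of failed updates; the script deliberately ignores "(delete)" lines, because removing stale records for demoted DCs is a decision to make by hand, as the poster did through RSAT.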