Hello Marc,

samba is 4.1.22.
I let the dcpromo choose the DC.
DNS is internal
Yes the windows DC has also global catalog

Regards
Olivier

On Fri, Jan 8, 2016 at 4:38 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> Hello Olivier,
>
> On 08.01.2016 at 12:02, Olivier Weinstoerffer wrote:
> > I have a domain composed by 3 linux samba 4 AD servers.
>
> - Which version of Samba on the DCs?
> - Which DNS backend do each use?
> - Did you let the dcpromo choose one of the DCs as source or did you
>   choose a specific one?
> - On the WinDC: DNS and GC = yes?
>
> > I wanted to add a windows based domain controller on it
> > and followed the documentation on the
> > samba wiki. Everything works fine except the DNS:
> > - when I try to add a dns record on the windows 2008r2 server, I got an
> > error popup with "Refused"
>
> On which step exactly do you receive the error? Then I can try to
> reproduce it here.
>
> Regards,
> Marc

--
*Olivier Weinstoerffer*
Chief technical Architect
*Sword Performance Solutions*
M +41 79 390 42 00
T +41 61 723 01 88
E olivier.weinstoerffer at sword-performance.com
Schützengraben 7
4051 Basel, Switzerland
www.sword-performance.com

Sword Performance Solutions AG, a company registered in Switzerland with registered number CHE-109.703.611 and whose registered office is in Basel, Switzerland is part of the Sword Group. This email (and any attachments) is intended for the named recipient(s) and is private and confidential. If it is not for you, please inform us and then delete it. If you are not the intended recipient(s), the use, disclosure, copying or distribution of any information contained within this email is prohibited. Messages to and from us may be monitored. If the content is not about the business of the Sword Group then the message is neither from nor sanctioned by us. Internet communications are not secure. You should scan this message and any attachments for viruses. Under no circumstances do we accept liability for any loss or damage which may result from your receipt of this email or any attachment.

Hi,

does anyone have an idea?

Thanks in advance
Olivier

On Fri, Jan 8, 2016 at 4:52 PM, Olivier Weinstoerffer <olivier.weinstoerffer at sword-performance.com> wrote:

> Hello Marc,
>
> samba is 4.1.22.
> I let the dcpromo choose the DC.
> DNS is internal
> Yes the windows DC has also global catalog
>
> Regards
> Olivier
>
> On Fri, Jan 8, 2016 at 4:38 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>
>> Hello Olivier,
>>
>> On 08.01.2016 at 12:02, Olivier Weinstoerffer wrote:
>> > I have a domain composed by 3 linux samba 4 AD servers.
>>
>> - Which version of Samba on the DCs?
>> - Which DNS backend do each use?
>> - Did you let the dcpromo choose one of the DCs as source or did you
>>   choose a specific one?
>> - On the WinDC: DNS and GC = yes?
>>
>> > I wanted to add a windows based domain controller on it
>> > and followed the documentation on the
>> > samba wiki. Everything works fine except the DNS:
>> > - when I try to add a dns record on the windows 2008r2 server, I got an
>> > error popup with "Refused"
>>
>> On which step exactly do you receive the error? Then I can try to
>> reproduce it here.
>>
>> Regards,
>> Marc

Hello Olivier,

sorry for the delay.

On 08.01.2016 at 16:52, Olivier Weinstoerffer wrote:
> samba is 4.1.22.
> I let the dcpromo choose the DC.
> DNS is internal
> Yes the windows DC has also global catalog

I can reproduce the "refused" error here when trying to add a DNS record to the Windows 2008R2 DC.

I saw that DNS changes made on the Samba DCs are not replicated to the Windows DC as well. I see no "outbound neighbors" entry for DomainDnsZones and ForestDnsZones from my existing Samba 4.3.4 DCs to the Windows DC:

# samba-tool drs showrepl
...
==== OUTBOUND NEIGHBORS ===

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)
...
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

For both an entry should be listed to the Windows DC, like in my example on the Wiki page (that's why I guess it worked in the past or did something wrong today :-)). Can you confirm that you also have no Domain/ForestDnsZones entry to the Windows host in the "outbound" area?

Regards,
Marc

Hi Marc,

in fact I see them in Outbound:

DC=ForestDnsZones,DC=simalaya-group,DC=com
    Default-First-Site-Name\SPSAD02 via RPC
        DSA object GUID: 38ee74c8-5b57-4b71-b601-88bdcc628a8d
        Last attempt @ Wed Dec 30 11:45:38 2015 CET was successful
        0 consecutive failure(s).
        Last success @ Wed Dec 30 11:45:38 2015 CET

DC=DomainDnsZones,DC=simalaya-group,DC=com
    Default-First-Site-Name\SPSAD02 via RPC
        DSA object GUID: 38ee74c8-5b57-4b71-b601-88bdcc628a8d
        Last attempt @ Thu Dec 31 16:32:43 2015 CET was successful
        0 consecutive failure(s).
        Last success @ Thu Dec 31 16:32:43 2015 CET

But it says last success was 30 Dec.
I added new hosts to my samba DC today and they appear on the Windows DC too.
But from the windows DC I still cannot add any DNS entry.

I see this error on the windows event viewer:

The DNS server was unable to initialize Active Directory security interfaces. Check that the Active Directory is functioning properly and restart the DNS server. The event data contains the error.

All other stuff is working (creating users...)

thanks
Olivier

On Mon, Jan 18, 2016 at 8:06 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> Hello Olivier,
>
> sorry for the delay.
>
> On 08.01.2016 at 16:52, Olivier Weinstoerffer wrote:
> > samba is 4.1.22.
> > I let the dcpromo choose the DC.
> > DNS is internal
> > Yes the windows DC has also global catalog
>
> I can reproduce the "refused" error here when trying to add a DNS
> record to the Windows 2008R2 DC.
>
> I saw that DNS changes made on the Samba DCs are not replicated to the
> Windows DC as well. I see no "outbound neighbors" entry for
> DomainDnsZones and ForestDnsZones from my existing Samba 4.3.4 DCs to
> the Windows DC:
>
> # samba-tool drs showrepl
> ...
> ==== OUTBOUND NEIGHBORS ===
>
> DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>     Default-First-Site-Name\DC1 via RPC
>         DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
> ...
> DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>     Default-First-Site-Name\DC1 via RPC
>         DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> For both an entry should be listed to the Windows DC, like in my example
> on the Wiki page (that's why I guess it worked in the past or did
> something wrong today :-)). Can you confirm that you also have no
> Domain/ForestDnsZones entry to the Windows host in the "outbound" area?
>
> Regards,
> Marc
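
The check discussed in this thread, as an added example that is not part of the original messages and is not Samba project code: parse `samba-tool drs showrepl` text output and report, for DomainDnsZones and ForestDnsZones, whether an outbound neighbor entry to a given DC exists and how old its last success is. The sample text is constructed; the function names, the `max_age` threshold and the host names DC1/WINDC are assumptions, and timestamps are compared as DC-local wall time with the zone abbreviation dropped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the showrepl layout quoted above; DC1/WINDC are placeholders.
SAMPLE = r"""
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\WINDC via RPC
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last success @ NTTIME(0)
    Default-First-Site-Name\WINDC via RPC
        Last success @ Wed Dec 30 11:45:38 2015 CET
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last success @ NTTIME(0)
"""

def outbound_neighbors(text):
    """Map naming context -> {peer DC: last-success datetime, or None}."""
    result, section, nc, dc = {}, None, None, None
    for s in map(str.strip, text.splitlines()):
        if m := re.match(r"=+\s*(.+?)\s*=+$", s):        # section banner
            section, nc, dc = m.group(1), None, None
        elif section != "OUTBOUND NEIGHBORS" or not s:
            continue
        elif re.match(r"(DC|CN)=", s):                   # naming context line
            nc, dc = s, None
            result[nc] = {}
        elif nc and (m := re.match(r".+\\(\S+) via RPC$", s)):
            dc = m.group(1)
            result[nc][dc] = None                        # stays None for NTTIME(0)
        elif dc and (m := re.match(r"Last success @ \w+ (\w+ +\d+ [\d:]+ \d{4})", s)):
            result[nc][dc] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return result

def dns_partition_report(text, base_dn, dc, now, max_age=timedelta(days=1)):
    """Classify the outbound link to `dc` for both DNS application partitions."""
    peers_by_nc, report = outbound_neighbors(text), {}
    for zone in ("DomainDnsZones", "ForestDnsZones"):
        # Assumes a single-domain forest, so both partitions share base_dn.
        peers = peers_by_nc.get(f"DC={zone},{base_dn}", {})
        if dc not in peers:
            report[zone] = "missing"
        elif peers[dc] is None:
            report[zone] = "no-timestamp"
        else:
            report[zone] = "stale" if now - peers[dc] > max_age else "ok"
    return report
```

A "no-timestamp" result corresponds to the `NTTIME(0)` entries shown in the thread and is reported separately from "stale" so that it is not read as a failure.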