thr3ads.net - samba - [Samba] Unable to transfer ForestDns/DomainDNS [Jun 2016]

If this information is useful, please help other people find it:
Share via:

Jason Waters

2016-Jun-23 18:26 UTC

[Samba] Unable to transfer ForestDns/DomainDNS

The built in DNS, sorry if that sounded like it was special!  So do I just
seize it then?  And do I do that before or after dcpromo?  Thanks for the
help.

Jason

On Thu, Jun 23, 2016 at 2:19 PM, Rowland penny <rpenny at samba.org>
wrote:
> On 23/06/16 18:52, Jason Waters wrote:
>
>> lol...sorry!
>>
>> - The windows domain controller does run a DNS server
>>
>> - I joined the samba DC's to the windows DC.  I used the normal
command,
>> but did get an error about the forest and domain dns. The error is:
>>
>> descriptor_sd_propagation_recursive:
>> DC=DomainDnsZones,DC=fisherthompson,DC=local not found under
>> DC=fisherthompson,DC=local
>> descriptor_sd_propagation_recursive:
>> DC=ForestDnsZones,DC=fisherthompson,DC=local not found under
>> DC=fisherthompson,DC=local
>>
>>
>> Below is the full join output.....
>>
>>
>> START OF DOMAIN JOIN
>> *************************************
>> root at DC01:/var/lib/samba# samba-tool domain join
fisherthompson.local DC
>> -UAdministrator
>> Finding a writeable DC for domain 'fisherthompson.local'
>> Found DC PDC.fisherthompson.local
>> Password for [FISHERTHOMPSON\Administrator]:
>> workgroup is FISHERTHOMPSON
>> realm is fisherthompson.local
>> checking sAMAccountName
>> Adding CN=DC01,OU=Domain Controllers,DC=fisherthompson,DC=local
>> Adding
>>
CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>> Adding CN=NTDS
>>
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>> Adding SPNs to CN=DC01,OU=Domain Controllers,DC=fisherthompson,DC=local
>> Setting account password for DC01$
>> Enabling account
>> Calling bare provision
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up share.ldb
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> A Kerberos configuration suitable for Samba 4 has been generated at
>> /var/lib/samba/private/krb5.conf
>> Provision OK for domain DN DC=fisherthompson,DC=local
>> Starting replication
>> Schema-DN[CN=Schema,CN=Configuration,DC=fisherthompson,DC=local]
>> objects[402] linked_values[0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=fisherthompson,DC=local]
>> objects[804] linked_values[0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=fisherthompson,DC=local]
>> objects[1206] linked_values[0]
>> Schema-DN[CN=Schema,CN=Configuration,DC=fisherthompson,DC=local]
>> objects[1376] linked_values[0]
>> Analyze and apply schema objects
>> Partition[CN=Configuration,DC=fisherthompson,DC=local] objects[402]
>> linked_values[0]
>> Partition[CN=Configuration,DC=fisherthompson,DC=local] objects[804]
>> linked_values[0]
>> Partition[CN=Configuration,DC=fisherthompson,DC=local] objects[1206]
>> linked_values[0]
>> Partition[CN=Configuration,DC=fisherthompson,DC=local] objects[1608]
>> linked_values[18]
>> Partition[CN=Configuration,DC=fisherthompson,DC=local] objects[1629]
>> linked_values[10]
>> Replicating critical objects from the base DN of the domain
>> Partition[DC=fisherthompson,DC=local] objects[93] linked_values[7]
>> Partition[DC=fisherthompson,DC=local] objects[387] linked_values[0]
>> Partition[DC=fisherthompson,DC=local] objects[569] linked_values[175]
>> Partition[DC=fisherthompson,DC=local] objects[741] linked_values[36]
>> Partition[DC=fisherthompson,DC=local] objects[741] linked_values[0]
>> Done with always replicated NC (base, config, schema)
>> Replicating DC=DomainDnsZones,DC=fisherthompson,DC=local
>> Partition[DC=DomainDnsZones,DC=fisherthompson,DC=local] objects[191]
>> linked_values[0]
>> Replicating DC=ForestDnsZones,DC=fisherthompson,DC=local
>> Partition[DC=ForestDnsZones,DC=fisherthompson,DC=local] objects[33]
>> linked_values[0]
>> Committing SAM database
>> descriptor_sd_propagation_recursive:
>> DC=DomainDnsZones,DC=fisherthompson,DC=local not found under
>> DC=fisherthompson,DC=local
>> descriptor_sd_propagation_recursive:
>> DC=ForestDnsZones,DC=fisherthompson,DC=local not found under
>> DC=fisherthompson,DC=local
>> Sending DsReplicaUpdateRefs for all the replicated partitions
>> Setting isSynchronized and dsServiceName
>> Setting up secrets database
>> Joined domain FISHERTHOMPSON (SID
>> S-1-5-21-4059926353-2957580592-3733343930) as a DC
>>
>> *************************************
>> END OF DOMAIN JOIN
>>
>>
>>
> It looks like your windows DC doesn't store its DNS zones in AD, the
code
> in join.py to replicate DNS info is this:
>
>
>              print "Done with always replicated NC (base, config,
schema)"
>
>             for nc in (ctx.domaindns_zone, ctx.forestdns_zone):
>                 if nc in ctx.nc_list:
>                     print "Replicating %s" % (str(nc))
>                     repl.replicate(nc, source_dsa_invocation_id,
>                                     destination_dsa_guid, rodc=ctx.RODC,
>                                     replica_flags=ctx.replica_flags)
>
> Your 'join' info shows this:
>
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=fisherthompson,DC=local
> Partition[DC=DomainDnsZones,DC=fisherthompson,DC=local] objects[191]
> linked_values[0]
> Replicating DC=ForestDnsZones,DC=fisherthompson,DC=local
> Partition[DC=ForestDnsZones,DC=fisherthompson,DC=local] objects[33]
> linked_values[0]
> Committing SAM database
> descriptor_sd_propagation_recursive:
> DC=DomainDnsZones,DC=fisherthompson,DC=local not found under
> DC=fisherthompson,DC=local
> descriptor_sd_propagation_recursive:
> DC=ForestDnsZones,DC=fisherthompson,DC=local not found under
> DC=fisherthompson,DC=local
>
> I 'think' the last two lines mean nothing was replicated because
there was
> nothing to replicate to or from.
>
> You say your windows DC runs a DNS server, what sort & type ?
>
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Rowland penny

2016-Jun-23 18:45 UTC

head link

[Samba] Unable to transfer ForestDns/DomainDNS

On 23/06/16 19:26, Jason Waters wrote:> The built in DNS, sorry if that sounded like it was special!  So do I 
> just seize it then?  And do I do that before or after dcpromo?  Thanks 
> for the help.
>
> Jason
>
I think you are going to have to, but I would try a further slight test 
first. run this:

ldbsearch --cross-ncs -H ldap://pdc -b 
"DC=DomainDnsZones,DC=fisherthompson,DC=local" -s sub -Uadministrator

This should display all your DNS records

Just double check that they don't exist.

If you then go on to seize the roles, use the '--force' option with 
'samba-tool fsmo seize' , this will bypass trying to transfer the role 
first.

I would transfer anything on the windows DC that you may need, then turn 
it off. You should then be able to seize the roles. Do not bring the old 
DC back on line unless you stop the DC software from starting, I would 
also change its hostname and if possible, its ipaddress.

Rowland

Jason Waters

2016-Jun-23 18:53 UTC

head link

[Samba] Unable to transfer ForestDns/DomainDNS

This is the output of that command.

root at DC01:~# ldbsearch --cross-ncs -H ldap://pdc -b
"DC=DomainDnsZones,DC=fisherthompson,DC=local" -s sub -Uadministrator
Password for [FISHERTHOMPSON\administrator]:
search error - LDAP error 10 LDAP_REFERRAL -  <0000202B: RefErr:
DSID-0310063C, data 0, 1 access points
        ref 1:
'DomainDnsZones.fisherthompson.local'><ldap://DomainDnsZones.fisherthompson.local/DC=DomainDnsZones,DC=fisherthompson,DC=local>
root at DC01:~#


wouldn't dcpromo take it out of the active directory? And then seizing it
would have the domain point to the new DC?  I have some printers and things
like that that I would really like time to transfer.  But if I can't I
can't....Or maybe even block with iptables any traffic from PDC to DC01 or
DC02?

On Thu, Jun 23, 2016 at 2:45 PM, Rowland penny <rpenny at samba.org>
wrote:
> On 23/06/16 19:26, Jason Waters wrote:
>
>> The built in DNS, sorry if that sounded like it was special!  So do I
>> just seize it then?  And do I do that before or after dcpromo?  Thanks
for
>> the help.
>>
>> Jason
>>
>>
> I think you are going to have to, but I would try a further slight test
> first. run this:
>
> ldbsearch --cross-ncs -H ldap://pdc -b
> "DC=DomainDnsZones,DC=fisherthompson,DC=local" -s sub
-Uadministrator
>
> This should display all your DNS records
>
> Just double check that they don't exist.
>
> If you then go on to seize the roles, use the '--force' option with
> 'samba-tool fsmo seize' , this will bypass trying to transfer the
role
> first.
>
> I would transfer anything on the windows DC that you may need, then turn
> it off. You should then be able to seize the roles. Do not bring the old DC
> back on line unless you stop the DC software from starting, I would also
> change its hostname and if possible, its ipaddress.
>
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Seemingly Similar Threads

Search for more maybe matching threads

samba - Jun 2016 - Unable to transfer ForestDns/DomainDNS

[Samba] Unable to transfer ForestDns/DomainDNS

[Samba] Unable to transfer ForestDns/DomainDNS

[Samba] Unable to transfer ForestDns/DomainDNS

Seemingly Similar Threads