Alex Crow
2016-Aug-12 17:00 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
Hi List,

We are running through testing our migration to Samba4/AD domain and hit an odd issue.

We set up one new VM as a legacy PDC and performed a migration on this machine. All went fine. We added a second DC with no issues. We then simulated the first DC going away by unplugging the VM NIC and did an FSMO seize.

The next step was to reinstall the original VM from scratch as a new DC on the same IP as the original, which also worked well. However there were many missing DNS records on this and the previous second DC, which we fixed by running "samba_dnsupdate --verbose".

We then tried to use "samba-tool domain demote --remove-other-dead-server=<original DC name>" which seemed to run successfully. However the next time named was restarted it complained that the main forward zone had no records, on both new DCs, and could not complete the startup sequence:

Aug 12 14:44:56 samba4-dc-1 named[2483]: samba_dlz: started for DN DC=samba,DC=ifa,DC=net
Aug 12 14:44:56 samba4-dc-1 named[2483]: samba_dlz: starting configure
Aug 12 14:44:56 samba4-dc-1 named[2483]: zone samba.ifa.net/NONE: has no NS records

I've checked with ldbedit and there seems to be nothing corrupted or obviously wrong. There is a correct FSMO role for both DNS roles, but still no joy.

Does anyone have any ideas or has anyone else experienced a similar issue?

Best regards

Alex

-- 
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice. "Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
Alex Crow
2016-Aug-14 17:02 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
On 12/08/16 18:00, Alex Crow via samba wrote:
> Hi List,
>
> We are running through testing our migration to Samba4/AD domain and
> hit an odd issue.
>
> We set up one new VM as a legacy PDC and performed a migration on this
> machine. All went fine. We added a second DC with no issues. We then
> simulated the first DC going away by unplugging the VM NIC and did an
> FSMO seize.
>
> The next step was to reinstall the original VM from scratch as a new
> DC on the same IP as the original, which also worked well. However
> there were many missing DNS records on this and the previous second
> DC, which we fixed by running "samba_dnsupdate --verbose".
>
> We then tried to use "samba-tool domain demote
> --remove-other-dead-server=<original DC name>" which seemed to run
> successfully. However the next time named was restarted it complained
> that the main forward zone had no records, on both new DCs, and could
> not complete the startup sequence:
>
> Aug 12 14:44:56 samba4-dc-1 named[2483]: samba_dlz: started for DN
> DC=samba,DC=ifa,DC=net
> Aug 12 14:44:56 samba4-dc-1 named[2483]: samba_dlz: starting configure
> Aug 12 14:44:56 samba4-dc-1 named[2483]: zone samba.ifa.net/NONE: has
> no NS records
>
> I've checked with ldbedit and there seems to be nothing corrupted or
> obviously wrong. There is a correct FSMO role for both DNS roles, but
> still no joy.
>
> Does anyone have any ideas or has anyone else experienced a similar
> issue?
>
> Best regards
>
> Alex
>

Hi List,

I have just reproduced this issue with Sernet Samba 4.4.5. I did a migration from classic on a new VM, and this time created the next DC on a new IP. As soon as I issued "samba-tool domain demote --remove-other-dead-server=<original DC name>", I could no longer start named/bind. It gave the same error as above.

It seems that this command corrupts the LDB in a way that Bind DLZ can't see any valid records.

Ideally we'd like to migrate from an NT-style domain, add extra DCs, and get rid of the DC used for migration afterwards, thereby making sure we don't have any traces of the old setup remaining. It's also a worry that if a DC really did fail and we had to remove it, that we'd still have various orphan records in the LDB.

I'd be most grateful for any pointers. If it's worth raising a BZ I will do so, but as usual I'm not sure if I'm doing things correctly and I don't want to pollute BZ...

Best regards

Alex
Rowland Penny
2016-Aug-14 18:01 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
On Sun, 14 Aug 2016 18:02:19 +0100
Alex Crow via samba <samba at lists.samba.org> wrote:
> Hi List,
>
> I have just reproduced this issue with Sernet Samba 4.4.5. I did a
> migration from classic on a new VM, and this time created the next DC
> on a new IP. As soon as I issued "samba-tool domain demote
> --remove-other-dead-server=<original DC name>", I could no longer
> start named/bind. It gave the same error as above.
>
> It seems that this command corrupts the LDB in a way that Bind DLZ
> can't see any valid records. Ideally we'd like to migrate from an
> NT-style domain, add extra DCs, and get rid of the DC used for
> migration afterwards, thereby making sure we don't have any traces of
> the old setup remaining. It's also a worry that if a DC really did
> fail and we had to remove it, that we'd still have various orphan
> records in the LDB.
>
> I'd be most grateful for any pointers. If it's worth raising a BZ I
> will do so, but as usual I'm not sure if I'm doing things correctly
> and I don't want to pollute BZ...
>

Ok, let's just run through this:

You have an NT4-style PDC.
You classicupgrade this to a DC.
You join another computer as a DC.

At this point, have you checked that all DNS records etc. are correct? Is Bind9 running on both DCs at this point? Is everything working as expected?

You now turn off the first DC.
You now seize all FSMO roles to the remaining DC.

Are you turning Bind9 off on the remaining DC at this point?

You run the demote command and then Bind9 will not start?

Rowland
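Rowland's first question (were the DNS records still correct before the demote?) and the error Alex quotes from named ("zone samba.ifa.net/NONE: has no NS records") come down to one check that can be run on each DC before and after "samba-tool domain demote --remove-other-dead-server": does every AD-integrated zone still carry at least one NS record on its "@" node? The script below is an added example, not code from this thread or from the Samba project. It reads the LDIF that an ldbsearch query over the dnsNode objects in the DomainDnsZones/ForestDnsZones partitions is assumed to produce, decodes each binary dnsRecord value far enough to learn its type (the DNS_RPC_RECORD layout from MS-DNSP as described by Samba's dnsp.idl: a 24-byte header whose wType field gives the record type, with the TTL stored big-endian, followed by type-specific data; NS and CNAME data is a dnsp_name), and lists the zones whose apex has no NS record. The zone and host names, the sample LDIF and the helpers that encode sample records are constructed for the example; the ldbsearch command in the comment is an assumed invocation.

```python
"""Audit AD-integrated DNS zones (from an LDIF dump) for a missing apex NS record.

Assumed way to obtain real input on a DC (not verified against this thread):
    ldbsearch -H /var/lib/samba/private/sam.ldb \
        -b CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=ifa,DC=net \
        '(objectClass=dnsNode)' dnsRecord
"""
import base64
import struct

# MS-DNSP record type numbers that get a label; others are reported numerically.
DNS_TYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 28: "AAAA", 33: "SRV"}

# DNS_RPC_RECORD header: wDataLength, wType, version, rank, flags, dwSerial
# (little-endian), then dwTtlSeconds (big-endian), dwReserved, dwTimeStamp.
HEADER_LE = struct.Struct("<HHBBHI")
HEADER_LEN = 24


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the line above)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return [{'dn': str, 'attrs': {name: [values]}}]; '::' values are decoded to bytes."""
    entries, cur = [], None
    for line in unfold_ldif(text):
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        if line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        if key == "dn":
            cur = {"dn": value, "attrs": {}}
        elif cur is not None:
            cur["attrs"].setdefault(key, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def decode_dnsp_name(data):
    """dnsp_name: total length, label count, then (len, bytes) per label and a 0 terminator."""
    pos, labels = 2, []
    for _ in range(data[1]):
        sublen = data[pos]
        labels.append(data[pos + 1:pos + 1 + sublen].decode("ascii"))
        pos += 1 + sublen
    if data[pos] != 0:
        raise ValueError("dnsp_name is not zero-terminated")
    return ".".join(labels) + "."


def decode_record(blob):
    """Decode the header of one dnsRecord value, plus the data of A/NS/CNAME records."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, rtype, _ver, rank, _flags, serial = HEADER_LE.unpack_from(blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    rec = {"type": DNS_TYPE.get(rtype, rtype), "ttl": ttl, "rank": rank, "serial": serial}
    if rtype in (2, 5):
        rec["name"] = decode_dnsp_name(data)
    elif rtype == 1 and len(data) == 4:
        rec["addr"] = ".".join(str(b) for b in data)
    return rec


def zone_apex_types(entries):
    """Map zone name -> set of record types on its apex node (DC=@,DC=<zone>,...)."""
    zones = {}
    for entry in entries:
        rdns = [part.split("=", 1) for part in entry["dn"].split(",")]
        if len(rdns) < 2 or rdns[0] != ["DC", "@"]:
            continue
        types = zones.setdefault(rdns[1][1], set())
        for blob in entry["attrs"].get("dnsRecord", []):
            types.add(decode_record(blob)["type"])
    return zones


def zones_missing_ns(entries):
    """Zones whose apex has no NS record: what named reports as 'has no NS records'."""
    return sorted(z for z, types in zone_apex_types(entries).items() if "NS" not in types)


# --- constructed sample data, not a real dump --------------------------------
def encode_dnsp_name(fqdn):
    labels = fqdn.rstrip(".").split(".")
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return bytes([len(body), len(labels)]) + body


def encode_record(rtype, data, ttl=3600, rank=0xF0, serial=1):
    """Build a DNS_RPC_RECORD blob in the layout decode_record() expects (version 5)."""
    return (HEADER_LE.pack(len(data), rtype, 5, rank, 0, serial)
            + struct.pack(">I", ttl) + struct.pack("<II", 0, 0) + data)


def b64_attr(name, blob):
    return f"{name}:: {base64.b64encode(blob).decode('ascii')}"


SAMPLE_LDIF = "\n".join([
    "# constructed: the forward zone apex kept only an A record, the _msdcs zone is fine",
    "dn: DC=@,DC=samba.ifa.net,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=ifa,DC=net",
    "objectClass: dnsNode",
    b64_attr("dnsRecord", encode_record(1, bytes([192, 0, 2, 10]))),
    "",
    "dn: DC=@,DC=_msdcs.samba.ifa.net,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samba,DC=ifa,DC=net",
    "objectClass: dnsNode",
    b64_attr("dnsRecord", encode_record(2, encode_dnsp_name("samba4-dc-2.samba.ifa.net."))),
    "",
])

if __name__ == "__main__":
    print("zones missing an apex NS record:", zones_missing_ns(parse_ldif(SAMPLE_LDIF)))
```

Running it on the constructed sample reports samba.ifa.net as the zone without an apex NS record. On a real dump, a zone listed here will fail to load in BIND9_DLZ exactly as in the log above, so it is worth checking the output on every DC before restarting named; the remedy the thread itself used for missing records was "samba_dnsupdate --verbose" on a surviving DC.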