samba - Aug 2016 - Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server

On Sun, 14 Aug 2016 18:02:19 +0100
Alex Crow via samba <samba at lists.samba.org> wrote:

> Hi List,
> 
> I have just reproduced this issue with Sernet Samba 4.4.5. I did a
> migration from classic on a new VM, and this time created the next DC
> on a new IP. As soon as I issued "samba-tool domain demote
> --remove-other-dead-server=<original DC name>". I could no
longer
> start named/bind. It gave the same error as above.
> 
> It seems that this command corrupts the LDB in a way that Bind DLZ
> can't see any valid records. Ideally we'd like to migrate from an
> NT-style domain, add extra DCs, and get rid of the DC used for
> migration afterwards, thereby making sure we don't have any traces of
> the old setup remaining. It's also a worry that if a DC really did
> fail and we had to remove it, that we'd still have various orphan
> records in the LDB.
> 
> I'd me most grateful for any pointers. If it's worth raising a BZ I
> will do so, but as usual I'm not sure if I'm doing things correctly
> and I don't want to pollute BZ...
> 

Ok, lets just run through this:
You have an NT4-style PDC
You classicupgrade this to a DC
You join another computer as a DC

At this point, have you checked that all DNS records etc are correct ?
Is Bind9 running on both DCs at this point.
Is everything working as expected ?

You now turn off the first DC
You now seize all FSMO roles to the remaining DC
Are you turning Bind9 off on the remaining DC at this point ?

You run the demote command and then Bind9 will not start ?

Rowland

>
> Ok, lets just run through this:
> You have an NT4-style PDC
Correct.
> You classicupgrade this to a DC
Yes, with BIND9_DLZ DNS backend.
> You join another computer as a DC
>
> At this point, have you checked that all DNS records etc are correct ?
Yes, I followed the procedure on the Wiki at:

https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins

I setup bind as documented and start it as soon as the domain is joined.
It works fine at this point.

In addition even after this I find essential DNS records missing, eg the
A record for the domain only exists for the initial server, not the
newly joined one. The same with all the SRV records.

So I issue this command to add them:

samba_dnsupdate --verbose

> Is Bind9 running on both DCs at this point.
> Is everything working as expected ?
Yes.
> You now turn off the first DC
> You now seize all FSMO roles to the remaining DC
I've tried this in two different ways:

1. Turn off the first DC, fsmo seize then 
--remove-other-dead-server=<original DC name>

2. Try to demote the first DC, fails to complete. then carry on as
above
> Are you turning Bind9 off on the remaining DC at this point ?
After this point I've shut down the original DC.
>
> You run the demote command and then Bind9 will not start ?
In either of these scenarios bind9 will not start as it claims there are
no records for my realm's domains.

Best regards

Alex
>
> Rowland
>
>

--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608
5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).

BTW apologies for any Out of office replies, I'm not allowed to disable
these myself (sigh).

--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608
5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).

On Sun, 14 Aug 2016 19:18:41 +0100
Alex Crow via samba <samba at lists.samba.org> wrote:
> 
> >
> > Ok, lets just run through this:
> > You have an NT4-style PDC
> Correct.
> > You classicupgrade this to a DC
> Yes, with BIND9_DLZ DNS backend.
> 
> > You join another computer as a DC
> >
> > At this point, have you checked that all DNS records etc are
> > correct ?
> 
> Yes, I followed the procedure on the Wiki at:
> 
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
> 
> I setup bind as documented and start it as soon as the domain is
> joined. It works fine at this point.
> 
> In addition even after this I find essential DNS records missing, eg
> the A record for the domain only exists for the initial server, not
> the newly joined one. The same with all the SRV records.
I am going to fix this in the wiki, after you join a new DC, you need
to start and then restart Samba, this will then run 'samba_dnsupdate'
&
'samba_spnupdate'
> 
> So I issue this command to add them:
> 
> samba_dnsupdate --verbose
> 
> 
> > Is Bind9 running on both DCs at this point.
> > Is everything working as expected ?
> 
> Yes.
> 
> > You now turn off the first DC
> > You now seize all FSMO roles to the remaining DC
> 
> I've tried this in two different ways:
> 
> 1. Turn off the first DC, fsmo seize then 
> --remove-other-dead-server=<original DC name>
> 
> 2. Try to demote the first DC, fails to complete. then carry on as
> above
You can only demote a DC by running the demote command on the DC you
want to demote, that's why '--remove-other-dead-server' was written.
This is run on any DC to remove another DC, hence the 'other' part in
the argument name ;-)
  
> > Are you turning Bind9 off on the remaining DC at this point ?
> 
> After this point I've shut down the original DC.
No, are you stopping Bind that is running on the remaining DC, not the
one you have turned off.
> >
> > You run the demote command and then Bind9 will not start ?
> 
> In either of these scenarios bind9 will not start as it claims there
> are no records for my realm's domains.
Have you checked that the DNS records exist after the first DC is
removed from AD, but before you turn bind off on the remaining DC.

Rowland

Am 14.08.2016 um 20:26 schrieb Alex Crow via samba:
> BTW apologies for any Out of office replies, I'm not allowed to disable
> these myself (sigh)
they should not trigger any list mail because of the "Precedence:
list"
header and so if you get rid of "reply-all" instead just to the list 
they won't happen anyways

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20160814/3edb3fff/signature.sig>