Rowland Penny
2016-Aug-16 14:04 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
On Tue, 16 Aug 2016 09:20:56 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 15 Aug 2016 19:59:56 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Mon, 15 Aug 2016 16:02:38 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > So, as the OP said, this is a bit of a chicken and egg situation,
> > you need the SOA records to add the SOA records via samba_dnsupdate.
> >
> > Rowland
>
> And after further testing, but this time using the internal DNS
> server, the problem doesn't exist, so it is a 'using Bind9 with Samba'
> problem.
>
> Rowland

After much further testing, I 'think' I have the magic incantation to
get this working ;-)

Install samba and Bind9 as normal on the second DC.
Edit /etc/resolv.conf so that the nameserver points to the first DC.
Now join the computer as a DC. Once the join is finalised, and before
you start bind9 or Samba, edit /etc/resolv.conf again, but this time
point the nameserver at the new DC's IP address or 127.0.0.1, i.e. itself.

Start bind9 and then samba; this should run samba_dnsupdate and add all
the missing records. You can check this with:

host -t SRV _ldap._tcp.example.com.

You should get a result similar to this:

_ldap._tcp.example.com has SRV record 0 100 389 devdc1.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 devdc2.example.com.

Edit /etc/resolv.conf on both DCs to use the other as a nameserver and
then itself:

DC1:

search example.com
nameserver 192.168.0.251
nameserver 127.0.0.1

DC2:

search example.com
nameserver 192.168.0.250
nameserver 127.0.0.1

Finally, restart samba on both DCs.

Rowland
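The procedure above ends with a single `host -t SRV _ldap._tcp.example.com.` query. The following script is an added example (not code from the thread or from the Samba project) that turns that check into something you can run on every DC after the resolv.conf dance: it prints the resolv.conf body Rowland describes for a given peer, and it verifies that every expected DC appears in each of a subset of the standard AD SRV records that samba_dnsupdate maintains (the authoritative list lives in Samba's dns_update_list). The domain example.com, the hostnames devdc1/devdc2 and the addresses 192.168.0.250/.251 are taken from the thread; the use of the `host` utility from bind9-host/dnsutils, the set of record names checked and the embedded sample answer are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: domain example.com, DCs
# devdc1 (192.168.0.250) and devdc2 (192.168.0.251), and `host` installed.

# Print the resolv.conf body for one DC: the *other* DC first, then itself.
#   $1 = search domain, $2 = IP address of the peer DC
resolv_conf_for() {
    printf 'search %s\nnameserver %s\nnameserver 127.0.0.1\n' "$1" "$2"
}

# Constructed sample of what `host -t SRV _ldap._tcp.example.com.` returns
# once both DCs have registered (same shape as the answer quoted above).
sample_srv_answer() {
    printf '%s\n' \
        '_ldap._tcp.example.com has SRV record 0 100 389 devdc1.example.com.' \
        '_ldap._tcp.example.com has SRV record 0 100 389 devdc2.example.com.'
}

# Read `host -t SRV` output on stdin; print the target hostnames it lists,
# one per line, with the trailing dot removed.
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# Read a `host -t SRV` answer on stdin and report which of the expected DCs
# (the arguments) are absent. Prints each missing name; exit 0 if none.
# A failed lookup (NXDOMAIN, server unreachable) has no record lines, so every
# DC is reported missing, which is what you want after a half-done join.
missing_from_srv() {
    found=$(srv_targets)
    rc=0
    for dc in "$@"; do
        if ! printf '%s\n' "$found" | grep -qxF "$dc"; then
            echo "$dc"
            rc=1
        fi
    done
    return $rc
}

# Live check against whatever /etc/resolv.conf currently points at.
#   $1 = domain, remaining args = FQDNs of every DC that should be registered
# Record names are an assumed subset of the standard AD DC records.
check_domain_srv() {
    domain=$1
    shift
    status=0
    for name in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp \
                _kpasswd._udp _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs; do
        missing=$(host -t SRV "$name.$domain." 2>/dev/null | missing_from_srv "$@") || {
            printf 'MISSING from %s.%s:\n%s\n' "$name" "$domain" "$missing"
            status=1
        }
    done
    [ $status -eq 0 ] && echo "all expected DCs present in SRV records"
    return $status
}

# Usage (on a DC, after bind9 and samba have been started):
#   sh dc-srv-check.sh example.com devdc1.example.com devdc2.example.com
# Exit status is non-zero if any DC is missing from any record.
if [ $# -ge 2 ]; then
    check_domain_srv "$@"
fi
```

Run it once on each DC: a new DC whose resolv.conf still points at the old DC, or whose samba_dnsupdate has not run, shows up as missing from every record, which is exactly the chicken-and-egg state Rowland describes.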
Alex Crow
2016-Aug-28 20:37 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
Thanks Rowland, just got back from holidays to see this.

It's great to have a solution but I don't think these "secret
incantations" should really be required. Do you agree with this
sentiment?

Cheers

Alex

On 16/08/16 15:04, Rowland Penny via samba wrote:
> On Tue, 16 Aug 2016 09:20:56 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Mon, 15 Aug 2016 19:59:56 +0100
>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>
>>> On Mon, 15 Aug 2016 16:02:38 +0100
>>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>
>>> So, as the OP said, this is a bit of a chicken and egg situation,
>>> you need the SOA records to add the SOA records via samba_dnsupdate.
>>>
>>> Rowland
>>
>> And after further testing, but this time using the internal DNS
>> server, the problem doesn't exist, so it is a 'using Bind9 with Samba'
>> problem.
>>
>> Rowland
>
> After much further testing, I 'think' I have the magic incantation to
> get this working ;-)
>
> Install samba and Bind9 as normal on the second DC.
> Edit /etc/resolv.conf so that the nameserver points to the first DC.
> Now join the computer as a DC. Once the join is finalised, and before
> you start bind9 or Samba, edit /etc/resolv.conf again, but this time
> point the nameserver at the new DC's IP address or 127.0.0.1, i.e. itself.
>
> Start bind9 and then samba; this should run samba_dnsupdate and add all
> the missing records. You can check this with:
>
> host -t SRV _ldap._tcp.example.com.
>
> You should get a result similar to this:
>
> _ldap._tcp.example.com has SRV record 0 100 389 devdc1.example.com.
> _ldap._tcp.example.com has SRV record 0 100 389 devdc2.example.com.
>
> Edit /etc/resolv.conf on both DCs to use the other as a nameserver and
> then itself:
>
> DC1:
>
> search example.com
> nameserver 192.168.0.251
> nameserver 127.0.0.1
>
> DC2:
>
> search example.com
> nameserver 192.168.0.250
> nameserver 127.0.0.1
>
> Finally, restart samba on both DCs.
>
> Rowland
Rowland Penny
2016-Aug-28 20:57 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
On Sun, 28 Aug 2016 21:37:57 +0100
Alex Crow via samba <samba at lists.samba.org> wrote:

> Thanks Rowland, just got back from holidays to see this.
>
> It's great to have a solution but I don't think these "secret
> incantations" should really be required. Do you agree with this
> sentiment?
>
> Cheers
>
> Alex

To a certain extent, yes. The basics of it is: when you do the join, the
new DC has to find the old DC, but when you first start the new DC, it
uses its own kerberos key to update its own records in AD and so has to
connect to itself. Well, that is how it appears to me.

When you provision the first DC, all its records are created during the
provision; I wonder if this could also be done when a new DC is joined?

Rowland