samba - Dec 2018 - Setup a Samba AD DC as an additional DC

On Tue, Dec 4, 2018 at 11:46 PM Andrew Bartlett <abartlet at samba.org>
wrote:
> ...
> It is very likely 'just a bug'.  We do some DNS things trying to
make
> sure the new DC can work the moment it starts (before that, folks had a
> lot of difficulty with the new DC not being in global DNS).
>
> This is different to what windows does, and there is a variety of
> different ways DNS can be set up on windows, so clearly it isn't
> interoperable right now.
>
> Sorry about that.
> Andrew Bartlett
>

Thank you for the responses, Andrew and Barry;

I have achieved success:  it was necessary to (re)create the
_msdcs.my.domain zone at Windows DNS.  It previously did not exist, for
reasons unknown to me. I'm assuming related to the domain functional level
being upgraded over time from 2003 to 2008R2.

There are a number of guidelines out there to accomplish this, but when
doing so, but some miss a required option for Samba: you must ensure the
Replication is set to all DNS servers in the *forest. *

On Tue, Dec 4, 2018 at 11:46 PM Andrew Bartlett <abartlet at
samba.org<mailto:abartlet at samba.org>> wrote:
...
It is very likely 'just a bug'.  We do some DNS things trying to make
sure the new DC can work the moment it starts (before that, folks had a
lot of difficulty with the new DC not being in global DNS).

This is different to what windows does, and there is a variety of
different ways DNS can be set up on windows, so clearly it isn't
interoperable right now.

Sorry about that.
Andrew Bartlett

>Thank you for the responses, Andrew and Barry;
>I have achieved success:  it was necessary to (re)create the
_msdcs.my.domain zone at Windows DNS.  It previously did not exist, for reasons
unknown to >me. I'm assuming related to the domain functional level being
upgraded over time from 2003 to 2008R2.
>There are a number of guidelines out there to accomplish this, but when
doing so, but some miss a required option for Samba: you must ensure the
>Replication is set to all DNS servers in the forest.
If only this would have been my problem, yet the _msdcs.my.domain zone is in
Windows DNS.  Strange we are getting the same error.

Could not find machine account in secrets database: Failed to fetch machine
account password for DOMAIN from both secrets.ldb (Could not find entry to match
filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base:
'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4702) and from /var/lib/samba/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(runtime): uncaught exception - (9601,
'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
716, in run
    backend_store=backend_store)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1500, in
join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1405, in
do_join
    ctx.join_add_dns_records()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1164, in
join_add_dns_records
    None)

I’m not certain if the join fails because of one of these 2 errors or because of
both.

I’ve looked at all the AD Partitions and the DNS AD Partitions are there and
proper.  I don’t know what “Zone” it is that doesn’t exist from this DNS error
reported.

How did you figure out your problem was related to the _msdcs zone?

-Barry Adkins

On Wed, Dec 5, 2018 at 1:24 PM Barry D. Adkins <Barry at daram.com> wrote:
>
>
> If only this would have been my problem, yet the _msdcs.my.domain zone is
> in Windows DNS.  Strange we are getting the same error.
>
>
>

*_msdcs.my.domain zone is in Windows DNS*

Being 'in' DNS is not the same as it existing as it's own dns zone. 
Up
until my change today, the subdomain _msdcs existed as a subdomain under
'my.domain'.

To double check, show your output from the following command, adapted for
your windows dns server name:

# samba-tool dns zonelist SERVER1 -U administrator

one of the zones returned needs to look like this:

  pszZoneName                 : _msdcs.my.domain
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.my.domain


Regarding your error with the machine account, I didn't get that, but if it
were me I'd clear the contents of /var/lib/samba/private (or whatever path
for your installation) before attempting the next join.