On Tue 17 Dec 2019 at 17:49 Rowland penny via samba <samba at lists.samba.org> wrote:

> In the last year this has come up a few times, try reading this
> https://support.microsoft.com/en-gb/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application
> It looks like we need a tool to correct AD :-(

Thanks! I will read that article.

Do you think that this could be the same reason why sometimes I'm having clients that are losing their trust connection with the domain controller (so users cannot login anymore) and I need to rejoin it to the domain?

Also, showrepl on DC4 is returning the following error:

=================================8<=========================================
==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 15ff6132-37b4-458a-ac13-a2fe2fedb7bc
    Enabled        : TRUE
    Server DNS name : dc2.my.domain.com
    Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=mydomain,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
    Connection name: 365283e3-885d-4610-8929-91e3372530da
    Enabled        : TRUE
    Server DNS name : dc1.my.domain.com
    Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=mydomain,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
ERROR(<type 'exceptions.IndexError'>): uncaught exception - list index out of range
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 180, in run
    c_server_dns = c_server_res[0]["dnsHostName"][0]
=================================8<=========================================

Do you think I will be able to repair the Active Directory with the document from the provided link or do you think it would be better to provision a new Active Directory from scratch with a different domain?

Thank you very much for your help!
Bye
Rowland penny
2019-Dec-18 09:35 UTC
[Samba] Replication not working for remote Domain Controller
On 18/12/2019 09:16, shacky wrote:
> On Tue 17 Dec 2019 at 17:49 Rowland penny via samba <samba at lists.samba.org> wrote:
>
> > In the last year this has come up a few times, try reading this
> > https://support.microsoft.com/en-gb/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application
> > It looks like we need a tool to correct AD :-(
>
> Thanks! I will read that article.
>
> Do you think that this could be the same reason why sometimes I'm
> having clients that are losing their trust connection with the domain
> controller (so users cannot login anymore) and I need to rejoin it to
> the domain?
>
> Also, showrepl on DC4 is returning the following error:
>
> =================================8<=========================================
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
>     Connection name: 15ff6132-37b4-458a-ac13-a2fe2fedb7bc
>     Enabled        : TRUE
>     Server DNS name : dc2.my.domain.com
>     Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=mydomain,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
>         TransportType: RPC
>         options: 0x00000001
> Warning: No NC replicated for Connection!
> Connection --
>     Connection name: 365283e3-885d-4610-8929-91e3372530da
>     Enabled        : TRUE
>     Server DNS name : dc1.my.domain.com
>     Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=mydomain,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
>         TransportType: RPC
>         options: 0x00000001
> Warning: No NC replicated for Connection!
> Connection --
> ERROR(<type 'exceptions.IndexError'>): uncaught exception - list index out of range
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 180, in run
>     c_server_dns = c_server_res[0]["dnsHostName"][0]
> =================================8<=========================================
>
> Do you think I will be able to repair the Active Directory with the
> document from the provided link or do you think it would be better to
> provision a new Active Directory from scratch with a different domain?
>
> Thank you very much for your help!
> Bye

I have been doing a bit of investigation and I 'think' we do have a tool ;-)

If you examine 'samba_upgradedns', at the top it says this:

# Upgrade DNS provision from BIND9_FLATFILE to BIND9_DLZ or SAMBA_INTERNAL

I think if you use it to upgrade to either BIND_DLZ or SAMBA_INTERNAL, it should create the required AD objects.

Is there any way that you could clone a DC and sandbox it (you will probably have to forcibly demote the other DCs) and then run samba_upgradedns against it? Hopefully, this would create the required AD objects, but do not try this on a production DC!

Rowland
> I have been doing a bit of investigation and I 'think' we do have a tool ;-)

Gooooooooddd!! :-)

> If you examine 'samba_upgradedns', at the top it says this:
> # Upgrade DNS provision from BIND9_FLATFILE to BIND9_DLZ or SAMBA_INTERNAL
> I think if you use it to upgrade to either BIND_DLZ or SAMBA_INTERNAL,
> it should create the required AD objects.

I'm using BIND9_DLZ because Bind is running on my Zentyal PDCs and the DNS service is disabled on Samba on every domain controller:

====================
server services = -dns
====================

> Is there any way that you could clone a DC and sandbox it (you will
> probably have to forcibly demote the other DCs) and then run
> samba_upgradedns against it?

Yes, I can clone the dc1 virtual machine, remove it from the network, try to upgrade the DNS, demote all other domain controllers, and then recheck with ldbsearch.

Do you think that this could be the cause of the other two problems I reported in my previous email?

I also checked the schema version and it seems to be Windows Server 2012R2:

====================
root at dc1:/ (10:55:28)# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'cn=Schema,cn=Configuration,dc=my,dc=domain,dc=com' -s base objectVersion
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com
objectVersion: 47

# returned 1 records
# 1 entries
# 0 referrals
====================

Thanks again!
Bye
Rowland penny
2019-Dec-18 13:35 UTC
[Samba] Replication not working for remote Domain Controller
On 18/12/2019 11:56, shacky wrote:
> Hi Rowland,
>
> > I have been doing a bit of investigation and I 'think' we do have
> > a tool ;-)
> > If you examine 'samba_upgradedns', at the top it says this:
> > # Upgrade DNS provision from BIND9_FLATFILE to BIND9_DLZ or
> > SAMBA_INTERNAL
> > I think if you use it to upgrade to either BIND_DLZ or
> > SAMBA_INTERNAL,
> > it should create the required AD objects.
>
> I cloned the DC in a sandbox and tried samba_upgradedns:
>
> ==============================================
> root at dc1:/ # samba_upgradedns --dns-backend=BIND9_DLZ
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Reading domain information
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> DNS accounts already exist
> No zone file /var/lib/samba/private/dns/MY.DOMAIN.COM.zone
> DNS records will be automatically created
> DNS partitions already exist
> dns-dc1 account already exists
> See /var/lib/samba/private/named.conf for an example configuration
> include file for BIND
> and /var/lib/samba/private/named.txt for further documentation
> required for secure DNS updates
> Finished upgrading DNS
> ==============================================
>
> But after that ldbsearch output is empty anyway:
>
> ==============================================
> root at dc1:/ (17:23:33)# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'DC=my.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=com' -s sub '(objectclass=dnsnode)' | grep dn
>
> root at dc1:/ (17:23:36)#
> ==============================================
>
> :-(

I think I understand what is happening. It checks if a couple of records exist and if they don't, it creates them along with other missing records; it looks like those records do exist, but the other records don't.

You can check this with:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(|(dnsRoot=DomainDnsZones.samdom.example.com)(dnsRoot=ForestDnsZones.samdom.example.com))' nCName

I can probably use parts of samba_upgradedns to add your missing records, just have to decide what parts to use ;-)

Rowland
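An added example, not Samba's code and not from either poster, that models the two checks in this thread over a constructed in-memory directory (DN to attributes) instead of a live sam.ldb: the showrepl lookup that dies with IndexError when a connection's source server object cannot be found, written with a guard so the dangling connection is reported instead, and Rowland's check that the DomainDnsZones/ForestDnsZones crossRefs exist while their partitions hold no dnsNode objects. The sample directory, the DC3 connection, and the assumption that the server object is the parent of the NTDS Settings DN are all constructed for the example.

```python
CFG = "CN=Configuration,DC=my,DC=domain,DC=com"
SERVERS = "CN=Servers,CN=mydomain,CN=Sites," + CFG
# Constructed sample directory (DN -> attributes) shaped like the objects quoted
# in the thread: DC3's server object is absent and DomainDnsZones has no dnsNode.
DIRECTORY = {
    "CN=DC1," + SERVERS: {"dnsHostName": ["dc1.my.domain.com"]},
    "CN=DC2," + SERVERS: {"dnsHostName": ["dc2.my.domain.com"]},
    "CN=8aa53516-60b1-4be7-b9fd-d73e4c3f2fd2,CN=Partitions," + CFG: {
        "dnsRoot": ["DomainDnsZones.my.domain.com"],
        "nCName": ["DC=DomainDnsZones,DC=my,DC=domain,DC=com"]},
    "CN=b1601ad2-0321-401b-9d02-ca9827e133af,CN=Partitions," + CFG: {
        "dnsRoot": ["ForestDnsZones.my.domain.com"],
        "nCName": ["DC=ForestDnsZones,DC=my,DC=domain,DC=com"]},
    "DC=@,DC=_msdcs.my.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=com":
        {"objectClass": ["dnsNode"]},
}

# KCC connection objects as (name, fromServer DN); the third is a constructed
# dangling connection whose source server object no longer exists.
CONNECTIONS = [
    ("15ff6132-37b4-458a-ac13-a2fe2fedb7bc", "CN=NTDS Settings,CN=DC2," + SERVERS),
    ("365283e3-885d-4610-8929-91e3372530da", "CN=NTDS Settings,CN=DC1," + SERVERS),
    ("00000000-0000-0000-0000-000000000003", "CN=NTDS Settings,CN=DC3," + SERVERS),
]

def search_base(dn):
    """Stand-in for an ldb SCOPE_BASE search: a list of zero or one entries."""
    return [DIRECTORY[dn]] if dn in DIRECTORY else []

def connection_sources(connections=CONNECTIONS):
    """Map each connection to its source server's dnsHostName, or None when the
    server object is missing (indexing res[0] unguarded is the showrepl crash)."""
    result = {}
    for name, from_server in connections:
        res = search_base(from_server.split(",", 1)[1])  # parent = server object
        result[name] = res[0]["dnsHostName"][0] if res else None
    return result

def empty_dns_partitions(directory=DIRECTORY):
    """dnsRoot of each DNS partition crossRef whose NC holds no dnsNode objects."""
    empty = []
    for attrs in directory.values():
        if "nCName" not in attrs:
            continue
        suffix = "," + attrs["nCName"][0]
        if not any(dn.endswith(suffix) and "dnsNode" in a.get("objectClass", [])
                   for dn, a in directory.items()):
            empty.append(attrs["dnsRoot"][0])
    return empty
```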
Hi, sorry for the late reply!

Here is the result of the command:

=====================================================================
root at dc1:/ (20:39:47)# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'dc=my,dc=domain,dc=com' -s sub '(|(dnsRoot=DomainDnsZones.my.domain.com)(dnsRoot=ForestDnsZones.my.domain.com))' nCName
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=8aa53516-60b1-4be7-b9fd-d73e4c3f2fd2,CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=com
nCName: DC=DomainDnsZones,DC=my,DC=domain,DC=com

# record 2
dn: CN=b1601ad2-0321-401b-9d02-ca9827e133af,CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=com
nCName: DC=ForestDnsZones,DC=my,DC=domain,DC=com

# returned 2 records
# 2 entries
# 0 referrals
=====================================================================

I checked in the Windows DNS client application, and in fact some DNS records seem to be present:

- _kerberos.dc._msdcs.my.domain.com (SRV) -> dc1.my.domain.com
- _kerberos.dc._msdcs.my.domain.com (SRV) -> dc2.my.domain.com
- _ldap.dc._msdcs.my.domain.com (SRV) -> dc1.my.domain.com
- _ldap.dc._msdcs.my.domain.com (SRV) -> dc2.my.domain.com
- _kerberos.mysite._sites.dc._msdcs.my.domain.com (SRV) -> dc1.my.domain.com
- _kerberos.mysite._sites.dc._msdcs.my.domain.com (SRV) -> dc2.my.domain.com
- _ldap.mysite._sites.dc._msdcs.my.domain.com (SRV) -> dc1.my.domain.com
- _ldap.mysite._sites.dc._msdcs.my.domain.com (SRV) -> dc2.my.domain.com
... and so on

Thanks!
On Wed 18 Dec 2019 at 14:35 Rowland penny via samba <samba at lists.samba.org> wrote:

> On 18/12/2019 11:56, shacky wrote:
> > Hi Rowland,
> >
> > > I have been doing a bit of investigation and I 'think' we do have
> > > a tool ;-)
> > > If you examine 'samba_upgradedns', at the top it says this:
> > > # Upgrade DNS provision from BIND9_FLATFILE to BIND9_DLZ or
> > > SAMBA_INTERNAL
> > > I think if you use it to upgrade to either BIND_DLZ or
> > > SAMBA_INTERNAL,
> > > it should create the required AD objects.
> >
> > I cloned the DC in a sandbox and tried samba_upgradedns:
> >
> > ==============================================
> > root at dc1:/ # samba_upgradedns --dns-backend=BIND9_DLZ
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > Reading domain information
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > DNS accounts already exist
> > No zone file /var/lib/samba/private/dns/MY.DOMAIN.COM.zone
> > DNS records will be automatically created
> > DNS partitions already exist
> > dns-dc1 account already exists
> > See /var/lib/samba/private/named.conf for an example configuration
> > include file for BIND
> > and /var/lib/samba/private/named.txt for further documentation
> > required for secure DNS updates
> > Finished upgrading DNS
> > ==============================================
> >
> > But after that ldbsearch output is empty anyway:
> >
> > ==============================================
> > root at dc1:/ (17:23:33)# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'DC=my.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=com' -s sub '(objectclass=dnsnode)' | grep dn
> >
> > root at dc1:/ (17:23:36)#
> > ==============================================
> >
> > :-(
>
> I think I understand what is happening. It checks if a couple of records
> exist and if they don't, it creates them along with other missing
> records, but it looks like they do exist, but the other records don't.
>
> You can check this with:
>
> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(|(dnsRoot=DomainDnsZones.samdom.example.com)(dnsRoot=ForestDnsZones.samdom.example.com))' nCName
>
> I can probably use parts of samba_upgradedns to add your missing
> records, just have to decide what parts to use ;-)
>
> Rowland