Rowland penny
2020-Feb-11 17:04 UTC
[Samba] FW: samba_kcc issue after joining the domain as a DC
On 11/02/2020 16:55, Alex via samba wrote:
>>> After some debugging, I was able to find the source of this error:
>>> ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
>>>
>>> It's thrown during the join b/c Samba is trying to find the DNS record for the
>>> new DC (the Samba) inside DC=DomainDnsZones,DC=domain,DC=com instead of
>>> DC=ForestDnsZones,DC=domain,DC=com.
>>>
>>> Do you have any ideas why and how to deal with that?
>> As for the why, it is because that is where it should be:
>> dn: DC=DC4,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: dnsNode
>> What does 'samba-tool dns zonelist IP_OF_WINDOWS_DC' show ?
> # samba-tool dns zonelist 172.26.1.81
> Password for [administrator at domain.com]:
> 2 zone(s) found
>
> pszZoneName : _msdcs.domain.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.domain.com
>
> pszZoneName : domain.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.domain.com
>
I have three zones, one being the reverse zone, but my domain zone is this:

  pszZoneName : samdom.example.com
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.samdom.example.com

Notice the difference in the last line.

Rowland
>> # samba-tool dns zonelist 172.26.1.81
>> Password for [administrator at domain.com]:
>> 2 zone(s) found
>>
>> pszZoneName : _msdcs.domain.com
>> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>> Version : 50
>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>> pszDpFqdn : ForestDnsZones.domain.com
>>
>> pszZoneName : domain.com
>> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>> Version : 50
>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>> pszDpFqdn : ForestDnsZones.domain.com
>>
> I have three zones, one being the reverse zone, but my domain zone is this:
>   pszZoneName : samdom.example.com
>   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType    : DNS_ZONE_TYPE_PRIMARY
>   Version     : 50
>   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn   : DomainDnsZones.samdom.example.com
> Notice the difference in the last line.
I see the difference. I guess it's b/c you didn't upgrade the zone to forest-wide. Should I revert my zones to be domain-wide?

--
Best regards,
Alex Alex
Rowland penny
2020-Feb-11 17:26 UTC
[Samba] FW: samba_kcc issue after joining the domain as a DC
On 11/02/2020 17:11, Alex via samba wrote:
>>> # samba-tool dns zonelist 172.26.1.81
>>> Password for [administrator at domain.com]:
>>> 2 zone(s) found
>>>
>>> pszZoneName : _msdcs.domain.com
>>> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>>> Version : 50
>>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>> pszDpFqdn : ForestDnsZones.domain.com
>>>
>>> pszZoneName : domain.com
>>> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>>> Version : 50
>>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>> pszDpFqdn : ForestDnsZones.domain.com
>>>
>> I have three zones, one being the reverse zone, but my domain zone is this:
>>   pszZoneName : samdom.example.com
>>   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType    : DNS_ZONE_TYPE_PRIMARY
>>   Version     : 50
>>   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn   : DomainDnsZones.samdom.example.com
>> Notice the difference in the last line.
> I see the difference. I guess it's b/c you didn't upgrade the zone to
> forest-wide. Should I revert my zones to be domain-wide?
>
Alex, mine is correct, yours is wrong. I could probably dump a list of DNS DNs if needed.

Rowland
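
Added example (not part of the original thread and not Samba code): a small parser for `samba-tool dns zonelist` output in the shape quoted above, reporting each zone's replication scope and the DN under which a host's dnsNode would sit in that partition. The sample text is constructed from the two outputs in the thread; the function names and the host name NEWDC are hypothetical, and the DN layout is assumed from the dnsNode DN quoted in the thread.

```python
import re

# Constructed sample: one zone from each zonelist output quoted in the thread.
SAMPLE = """\
2 zone(s) found

  pszZoneName  : domain.com
  ZoneType     : DNS_ZONE_TYPE_PRIMARY
  dwDpFlags    : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn    : ForestDnsZones.domain.com

  pszZoneName  : samdom.example.com
  ZoneType     : DNS_ZONE_TYPE_PRIMARY
  dwDpFlags    : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn    : DomainDnsZones.samdom.example.com
"""

def parse_zonelist(text):
    """Return one dict per zone, keyed by the field names samba-tool prints."""
    zones = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(.*\S)\s*$", line)
        if not m:
            continue  # banner, password prompt, blank line
        key, value = m.groups()
        if key == "pszZoneName":
            zones.append({})  # every zone block starts with its name
        if zones:
            zones[-1][key] = value
    return zones

def scope(zone):
    """Classify the zone's directory partition from dwDpFlags."""
    flags = zone.get("dwDpFlags", "").split()
    if "DNS_DP_FOREST_DEFAULT" in flags:
        return "forest"
    if "DNS_DP_DOMAIN_DEFAULT" in flags:
        return "domain"
    return "other"

def node_dn(host, zone):
    """DN of host's dnsNode, assuming pszDpFqdn is <Partition>.<dns domain>."""
    part, _, base = zone["pszDpFqdn"].partition(".")
    base_dn = ",".join("DC=" + label for label in base.split("."))
    return f"DC={host},DC={zone['pszZoneName']},CN=MicrosoftDNS,DC={part},{base_dn}"

if __name__ == "__main__":
    for z in parse_zonelist(SAMPLE):
        print(z["pszZoneName"], scope(z), node_dn("NEWDC", z))
```
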