samba - May 2022 - How to determine DNS anomaly

On Fri, 2022-05-06 at 08:54 +0200, Hakim Liso via samba
wrote:
> Resolve conf Looks like this for MY.DOMAIN
> 
> DC01 192.168.50.11
> search MY
> nameserver 10.0.1.9
> nameserver 192.168.50.11
> 
> DC02 10.0.1.9
> search MY
> nameserver 192.168.50.11
> nameserver 10.0.1.9
As I said, a DC should use itself as it its nameserver, so I would
remove 'nameserver 10.0.1.9' from /etc/resolv.conf on DC01 and
'nameserver 192.168.50.11' from /etc/resolv.conf on DC02. Also the
search line should use the dns domain, not the NetBios domain name,
'MY' is wrong, 'my.domain' would be correct.
> 
> But this was working without any Problems with the private ips before
> the Errors on the backup appeared. I doubt changing the own ips to
> the loopback address will fix my issues.
> I?ve expanded testing and it seems only ldap lookup doesnt work for
> dc02 and i noticed that there keeps on being a static A Record
> generated Dc01 10.0.1.9, which seems wrong. 
That is possibly because of your incorrect resolv.conf files.
> 
> Server:         192.168.50.11
> Address:        192.168.50.11#53
> 
> Name:   dc01.my.domain
> Address: 192.168.50.11
> Name:   dc01.my.domain
> Address: 10.0.1.9
> 
> I kept deleting it but it keeps come back. So something must be wrong
> with Dynamic DNS
> 
> Also there wasnt any NS entry in the Reverse lookup of the dc02s Site
> but i guess that was because i didnt join the dc in a specific site. 
Yes, why are you using 'sites', are your DC's in different locations
?
> Nevertheless the Entries did not complement.
> 
> Also there is entries for DC01 only in Site 2/_tcp for
> _gc,_ldap,_kerberos which has to be switched with dc02 i guess. Also
> the my.domain/_tcp contains gc,Kerberos,kpasswd,ldap entries for DC01
> only. DNS Update does not seem to have the Right entries.
Fix your /etc/resolv.conf files and they should get created correctly.

Rowland

Hello im not sure if the mail arrived. So here i go.

Good Morning,

luckily there is the delete empty lines option in np++.
The Network config you mentioned is the same exact i had when i contacted the
list actually.
I really felt that ?yeah, again..?.
Looking at the 192.168.50.1 (Site1 Gateway) as Default route for both, im
guessing you copied it?
Im actually not sure if the Default route is supposed or required anyways. 
I?ve done the mentioned changes and a dbcheck doesnt throw any Errors. The
replication still doesnt seem to be working properly though.

DC01 Showrepl

Location1\dc01
DSA Options: 0x00000001
DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
DSA invocationId: 4acdfe5f-21fc-44cb-92df-e2ce461b2594
==== INBOUND NEIGHBORS ===DC=DomainDnsZones,DC=my,DC=domain
??????? Location2\dc02 via RPC
??????????????? DSA object GUID: 72041d70-edc8-4609-ba97-caf97ed84c23
??????????????? Last attempt @ Wed May? 4 13:06:12 2022 CEST failed, result 64
(WERR_NETNAME_DELETED)
??????????????? 1 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
CN=Configuration,DC=my,DC=domain
??????? Location2\dc02 via RPC
??????????????? DSA object GUID: 72041d70-edc8-4609-ba97-caf97ed84c23
??????????????? Last attempt @ Fri May? 6 15:49:39 2022 CEST failed, result 64
(WERR_NETNAME_DELETED)
??????????????? 1 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
CN=Configuration,DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ Mon May? 9 08:49:06 2022 CEST was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon May? 9 08:49:06 2022 CEST
DC=ForestDnsZones,DC=my,DC=domain
??????? Location2\dc02 via RPC
??????????????? DSA object GUID: 72041d70-edc8-4609-ba97-caf97ed84c23
??????????????? Last attempt @ NTTIME(0) was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
DC=ForestDnsZones,DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ Mon May? 9 08:47:46 2022 CEST was successful
??????????????? 0 consecutive failure(s).
??????? ????????Last success @ Mon May? 9 08:47:46 2022 CEST
CN=Schema,CN=Configuration,DC=my,DC=domain
??????? Location2\dc02 via RPC
??????????????? DSA object GUID: 72041d70-edc8-4609-ba97-caf97ed84c23
??????????????? Last attempt @ NTTIME(0) was successful
?? ?????????????0 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ Mon May? 9 08:50:22 2022 CEST was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon May? 9 08:50:22 2022 CEST
DC=my,DC=domain
??????? Location2\dc02 via RPC
??????????????? DSA object GUID: 72041d70-edc8-4609-ba97-caf97ed84c23
??????????????? Last attempt @ NTTIME(0) was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ Mon May? 9 08:51:21 2022 CEST was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ Mon May? 9 08:51:21 2022 CEST
==== OUTBOUND NEIGHBORS ======= KCC CONNECTION OBJECTS ===Connection --
??????? Connection name: 1c2e8f02-9175-4e72-aef0-e9c5f1644072
??????? Enabled??????? : TRUE
??????? Server DNS name : dc02.my.domain
??????? Server DN name? : CN=NTDS
Settings,CN=dc02,CN=Servers,CN=Location2,CN=Sites,CN=Configuration,DC=my,DC=domain
??????????????? TransportType: RPC
??????????????? options: 0x00000001
Warning: No NC replicated for Connection!

DC02 Showrepl

Location1\dc01
DSA Options: 0x00000001
DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
DSA invocationId: 4acdfe5f-21fc-44cb-92df-e2ce461b2594
==== INBOUND NEIGHBORS ===DC=DomainDnsZones,DC=my,DC=domain
??????? Location2\dc02 via RPC
??????????????? DSA object GUID: 72041d70-edc8-4609-ba97-caf97ed84c23
??????????????? Last attempt @ Fri May? 6 15:16:35 2022 CEST failed, result 2
(WERR_FILE_NOT_FOUND)
??????????????? 1 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
CN=Configuration,DC=my,DC=domain
??????? Location2\dc02 via RPC
??????????????? DSA object GUID: 72041d70-edc8-4609-ba97-caf97ed84c23
??????????????? Last attempt @ Fri May? 6 15:17:15 2022 CEST failed, result 2
(WERR_FILE_NOT_FOUND)
??????????????? 1 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
CN=Configuration,DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ Mon May? 9 08:45:26 2022 CEST failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
??????????????? 2 consecutive failure(s).
??????????????? Last success @ Mon May? 9 08:45:26 2022 CEST
DC=ForestDnsZones,DC=my,DC=domain
??????? Location2\dc02 via RPC
??????????????? DSA object GUID: 72041d70-edc8-4609-ba97-caf97ed84c23
??????????????? Last attempt @ Fri May? 6 15:16:55 2022 CEST failed, result 2
(WERR_FILE_NOT_FOUND)
??????????????? 1 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=my,DC=domain
??????? Location2\dc02 via RPC
??????????????? DSA object GUID: 72041d70-edc8-4609-ba97-caf97ed84c23
??????????????? Last attempt @ NTTIME(0) was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ Mon May? 9 08:45:54 2022 CEST failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
?? ?????????????1 consecutive failure(s).
??????????????? Last success @ Mon May? 9 08:45:54 2022 CEST
DC=my,DC=domain
??????? Location2\dc02 via RPC
??????????????? DSA object GUID: 72041d70-edc8-4609-ba97-caf97ed84c23
??????????????? Last attempt @ NTTIME(0) was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ Mon May ?9 08:46:21 2022 CEST failed, result 8453
(WERR_DS_DRA_ACCESS_DENIED)
??????????????? 1 consecutive failure(s).
??????????????? Last success @ Mon May? 9 08:46:21 2022 CEST
==== OUTBOUND NEIGHBORS ===DC=DomainDnsZones,DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ NTTIME(0) was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
CN=Configuration,DC=my,DC=domain
?? ?????Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ NTTIME(0) was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
DC=ForestDnsZones,DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ NTTIME(0) was successful
??????????????? 0 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ NTTIME(0) was successful
???????????? ???0 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
DC=my,DC=domain
??????? Location1\dc01 via RPC
??????????????? DSA object GUID: a452ed54-667a-43d3-9182-21d84a4919a4
??????????????? Last attempt @ NTTIME(0) was successful
???????????? ???0 consecutive failure(s).
??????????????? Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ===Connection --
??????? Connection name: 1c2e8f02-9175-4e72-aef0-e9c5f1644072
??????? Enabled??????? : TRUE
??????? Server DNS name : dc02.my.domain
????? ??Server DN name? : CN=NTDS
Settings,CN=dc02,CN=Servers,CN=Location2,CN=Sites,CN=Configuration,DC=my,DC=domain
??????????????? TransportType: RPC
??????????????? options: 0x00000001
Warning: No NC replicated for Connection

drs replicate dc02 dc01 dc=my, DC=domain gives 

sudo samba-tool drs replicate dc02 dc01 DC=my,DC=domain
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc02[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync
failed - drsException: DsReplicaSync failed (8453,
'WERR_DS_DRA_ACCESS_DENIED')
? File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 577,
in run
??? drs_utils.sendDsReplicaSync(server_bind, server_bind_handle,
source_dsa_guid, NC, req_options)
? File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 92,
in sendDsReplicaSync
??? raise drsException("DsReplicaSync failed %s" % estr)

Thanks in Advance

Greetings