On 11.01.23 at 14:39, Rowland Penny via samba wrote:
> On 11/01/2023 13:25, Thorsten Marquardt via samba wrote:
>> On 11.01.23 at 14:11, Rowland Penny via samba wrote:
>>> On 11/01/2023 12:35, Thorsten Marquardt via samba wrote:
>>>> Hi,
>>>>
>>>> I plan to upgrade/replace my somewhat crippled and outdated samba 4.7.4
>>>> domain controller. The OS is an openSUSE-Leap-42.3 which had no packages
>>>> for a samba-ad-dc. These packages have been introduced in successor
>>>> openSUSE releases starting with Leap-15.0. Leap-15.0 comes with samba
>>>> 4.7.11. So I set up a new Leap-15.0 host and joined it as a dc
>>>> controller. I set up the sysvol replication (rsync), transferred the fsmo
>>>> roles to the new host and switched replication source and target.
>>>> Everything appeared to run fine for the moment but if I stop samba on the
>>>> old server I'm getting trouble with the sysvol-share and I can't access
>>>> the gpo via the windows Group Policy Management Console. The console is
>>>> telling me that the old host is still the base domain controller for my
>>>> domain whereas samba-tool fsmo show lists all roles as served by the new
>>>> one.
>>>> My plan for the future is to demote the old dc, upgrade the new one step
>>>> by step (Leap 15.0 -> 15.1 (samba 4.9.5) -> 15.2 (samba 4.11.14) -> 15.3
>>>> (samba 4.15.12) -> 15.4?) and finally to set up a new second dc for
>>>> failover purposes.
>>>>
>>>> What can I do to get these problems fixed?
>>>>
>>>> Thanks in advance.
>>>>
>>>>
>>>> Thorsten
>>>>
>>>>
>>> I wonder if you are hitting this bug:
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=14518
>>>
>>> Rowland
>>>
>> The bug report refers to _ldap._tcp._pdc._msdcs.dom.tld which I don't
>> have. I have _ldap._tcp.dom.tld and yes there are two listed.
> If you are absolutely sure that you do not have:
>
> _ldap._tcp.pdc._msdcs.dom.tld
>
> Then you have really big problems. The 'samba_dnsupdate' script (which
> runs at Samba startup and then every 10 minutes) uses the file
> 'dns_update_list' to create missing dns records, one of which is this:
>
> # The PDC emulator
> ${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
>
> So, if you haven't got the dns record and your DC is the holder of the
> PDC_Emulator FSMO role, the script should create it.
>
> You can expect the other two records, one for each DC.
>
> Rowland
>
This is the result of my nslookup:

thorsten at hermes:~> nslookup -querytype=srv _ldap._tcp._pdc._msdcs.my.local.dom srv-kb-primdc
Server:         srv-kb-primdc
Address:        192.168.1.17#53

** server can't find _ldap._tcp._pdc._msdcs.my.local.dom: NXDOMAIN

thorsten at hermes:~> nslookup -querytype=srv _ldap._tcp._pdc._msdcs.my.local.dom srv-kb-dc1
Server:         srv-kb-dc1
Address:        192.168.1.243#53

** server can't find _ldap._tcp._pdc._msdcs.my.local.dom: NXDOMAIN

and the result of samba-tool fsmo show:

srv-kb-dc1:~ # samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
InfrastructureMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
DomainNamingMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...

and:

srv-kb-primdc:~ # samba-tool fsmo show
ldb_wrap open of secrets.ldb
SchemaMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
InfrastructureMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
DomainNamingMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...

Is there a chance to create the missing records by hand?
On 11.01.23 at 15:00, Thorsten Marquardt via samba wrote:
> On 11.01.23 at 14:39, Rowland Penny via samba wrote:
>> On 11/01/2023 13:25, Thorsten Marquardt via samba wrote:
>>> On 11.01.23 at 14:11, Rowland Penny via samba wrote:
>>>> On 11/01/2023 12:35, Thorsten Marquardt via samba wrote:
>>>>> Hi,
>>>>>
>>>>> I plan to upgrade/replace my somewhat crippled and outdated samba 4.7.4
>>>>> domain controller. The OS is an openSUSE-Leap-42.3 which had no packages
>>>>> for a samba-ad-dc. These packages have been introduced in successor
>>>>> openSUSE releases starting with Leap-15.0. Leap-15.0 comes with samba
>>>>> 4.7.11. So I set up a new Leap-15.0 host and joined it as a dc
>>>>> controller. I set up the sysvol replication (rsync), transferred the fsmo
>>>>> roles to the new host and switched replication source and target.
>>>>> Everything appeared to run fine for the moment but if I stop samba on the
>>>>> old server I'm getting trouble with the sysvol-share and I can't access
>>>>> the gpo via the windows Group Policy Management Console. The console is
>>>>> telling me that the old host is still the base domain controller for my
>>>>> domain whereas samba-tool fsmo show lists all roles as served by the new
>>>>> one.
>>>>> My plan for the future is to demote the old dc, upgrade the new one step
>>>>> by step (Leap 15.0 -> 15.1 (samba 4.9.5) -> 15.2 (samba 4.11.14) -> 15.3
>>>>> (samba 4.15.12) -> 15.4?) and finally to set up a new second dc for
>>>>> failover purposes.
>>>>>
>>>>> What can I do to get these problems fixed?
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>>
>>>>> Thorsten
>>>>>
>>>>>
>>>> I wonder if you are hitting this bug:
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=14518
>>>>
>>>> Rowland
>>>>
>>> The bug report refers to _ldap._tcp._pdc._msdcs.dom.tld which I don't
>>> have. I have _ldap._tcp.dom.tld and yes there are two listed.
>> If you are absolutely sure that you do not have:
>>
>> _ldap._tcp.pdc._msdcs.dom.tld
>>
>> Then you have really big problems. The 'samba_dnsupdate' script (which
>> runs at Samba startup and then every 10 minutes) uses the file
>> 'dns_update_list' to create missing dns records, one of which is this:
>>
>> # The PDC emulator
>> ${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
>>
>> So, if you haven't got the dns record and your DC is the holder of the
>> PDC_Emulator FSMO role, the script should create it.
>>
>> You can expect the other two records, one for each DC.
>>
>> Rowland
>>
> This is the result of my nslookup:
>
> thorsten at hermes:~> nslookup -querytype=srv _ldap._tcp._pdc._msdcs.my.local.dom srv-kb-primdc
> Server:         srv-kb-primdc
> Address:        192.168.1.17#53
>
> ** server can't find _ldap._tcp._pdc._msdcs.my.local.dom: NXDOMAIN
>
> thorsten at hermes:~> nslookup -querytype=srv _ldap._tcp._pdc._msdcs.my.local.dom srv-kb-dc1
> Server:         srv-kb-dc1
> Address:        192.168.1.243#53
>
> ** server can't find _ldap._tcp._pdc._msdcs.my.local.dom: NXDOMAIN
>
> and the result of samba-tool fsmo show:
>
> srv-kb-dc1:~ # samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
>
> and:
>
> srv-kb-primdc:~ # samba-tool fsmo show
> ldb_wrap open of secrets.ldb
> SchemaMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Firs...
>
>
> Is there a chance to create the missing records by hand?
>
But what I find is:

thorsten at hermes:~> nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom srv-kb-dc1
Server:         srv-kb-dc1
Address:        192.168.1.243#53

_ldap._tcp.pdc._msdcs.intern.my.local.dom	service = 0 100 389 srv-kb-primdc.my.local.dom.
_ldap._tcp.pdc._msdcs.intern.my.local.dom	service = 0 100 389 srv-kb-dc1.my.local.dom.

(it's pdc and not _pdc). Is that the entry I should have looked for?
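The check the thread is circling around, written out as an added example (not code from the thread, from Samba, or from either poster): the `_ldap._tcp.pdc._msdcs.<domain>` SRV record should name exactly the DC that `samba-tool fsmo show` reports as PdcEmulationMasterRole owner. The script parses the two kinds of output posted above and classifies the result as missing, pointing at the wrong host, carrying a stale extra target (the symptom in the last reply: two targets, one role holder), or consistent. The sample outputs are constructed here, modelled on the ones in the thread; the site DN in the fsmo sample is completed by assumption, the thread shows it truncated.

```python
import re
from dataclasses import dataclass

# Constructed sample outputs, modelled on the ones posted in this thread.
# Two SRV targets are listed although only SRV-KB-DC1 holds the PDC role.
NSLOOKUP_PDC_SRV = """\
Server:         srv-kb-dc1
Address:        192.168.1.243#53

_ldap._tcp.pdc._msdcs.my.local.dom\tservice = 0 100 389 srv-kb-primdc.my.local.dom.
_ldap._tcp.pdc._msdcs.my.local.dom\tservice = 0 100 389 srv-kb-dc1.my.local.dom.
"""

# Constructed: what the first, mistyped lookup (_pdc) returned.
NSLOOKUP_NXDOMAIN = """\
Server:         srv-kb-dc1
Address:        192.168.1.243#53

** server can't find _ldap._tcp._pdc._msdcs.my.local.dom: NXDOMAIN
"""

# Constructed `samba-tool fsmo show` output; the site DN is an assumption,
# the thread only shows "CN=Default-Firs...".
_DN_TAIL = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=local,DC=dom"
FSMO_SHOW = "".join(
    f"{role} owner: CN=NTDS Settings,CN=SRV-KB-DC1,{_DN_TAIL}\n"
    for role in ("SchemaMasterRole", "InfrastructureMasterRole",
                 "RidAllocationMasterRole", "PdcEmulationMasterRole",
                 "DomainNamingMasterRole", "DomainDnsZonesMasterRole",
                 "ForestDnsZonesMasterRole")
)


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str  # FQDN, lower-cased, trailing dot removed


# nslookup prints SRV answers as "<name>  service = <prio> <weight> <port> <target>."
SRV_RE = re.compile(r"^(\S+)\s+service = (\d+) (\d+) (\d+) (\S+)$")
# samba-tool prints "<Role> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,..."
FSMO_RE = re.compile(r"^(\w+Role) owner: CN=NTDS Settings,CN=([^,]+),")


def parse_nslookup_srv(text: str) -> list[SrvRecord]:
    """Return the SRV records in nslookup output; an NXDOMAIN answer yields []."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.append(SrvRecord(name, int(prio), int(weight), int(port),
                                     target.rstrip(".").lower()))
    return records


def parse_fsmo_show(text: str) -> dict[str, str]:
    """Map each FSMO role to the short host name of the DC that owns it."""
    owners = {}
    for line in text.splitlines():
        m = FSMO_RE.match(line.strip())
        if m:
            owners[m.group(1)] = m.group(2).lower()
    return owners


def check_pdc_srv(records: list[SrvRecord], owners: dict[str, str]) -> tuple[str, list[str]]:
    """Compare the pdc._msdcs SRV targets with the PdcEmulationMasterRole owner.

    Returns (status, hosts_not_holding_the_role):
      "missing"    - no record at all; samba_dnsupdate on the PDC should add it
      "wrong-host" - record exists but does not name the role holder
      "stale"      - role holder is listed, but extra targets remain
      "ok"         - exactly the role holder is listed
    """
    pdc = owners.get("PdcEmulationMasterRole")
    if pdc is None:
        raise ValueError("PdcEmulationMasterRole not found in fsmo output")
    targets = {r.target.split(".")[0] for r in records}  # short host names
    extra = sorted(targets - {pdc})
    if not targets:
        return "missing", []
    if pdc not in targets:
        return "wrong-host", extra
    if extra:
        return "stale", extra
    return "ok", []


if __name__ == "__main__":
    owners = parse_fsmo_show(FSMO_SHOW)
    for label, out in (("pdc._msdcs", NSLOOKUP_PDC_SRV), ("_pdc._msdcs", NSLOOKUP_NXDOMAIN)):
        print(label, check_pdc_srv(parse_nslookup_srv(out), owners))
```

Run against the constructed samples, the correctly spelled lookup yields `("stale", ["srv-kb-primdc"])`: the old DC is still advertised as PDC emulator next to the role holder, which is the mismatch the Group Policy console is reporting. A "missing" result is the case Rowland describes, where `samba_dnsupdate` on the role holder is expected to recreate the record; a "stale" result is not something that script removes, so the extra record has to be cleaned up explicitly once the old DC is confirmed demoted. The check is read-only; feed it the real command outputs instead of the embedded samples.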