On 22/03/2023 01:04, Anantha Raghava via samba wrote:
> Hi,
>
> While upgrading Samba-AD from 4.15.9 to version 4.18, I ran into a
> peculiar problem. AD Component is up, but DNS is just not coming up.
> kinit is reporting KDC not found problem.
>
> All these years I have been compiling samba from source and for nearly 7
> years, it was working like a charm. But during this upgrade activity, we ran
> into rough weather. We do not upgrade the existing servers; instead we
> retain one old server which has all FSMO roles, demote and remove others
> in the cluster, add new servers with the same IP and name. Finally I
> transfer FSMO roles to one new server, demote & remove the final server
> and add the new one with same IP and name. This time, in a cluster of
> two servers, the first one to upgrade developed problems once I seized
> the FSMO roles, demoted (removed the other dead server) & removed the
> second server. Activities I did are as follows:
>
> 1. Demoted and removed the first server. Allotted the same IP/name to
> new RHEL 8 server, compiled samba and installed. The Domain add process
> also went well. But the drs showrepl reported errors and these also got
> cleared once I did dbcheck and fix process.
>
> 2. I moved, rather seized the FSMO roles to new samba 4.18.0 on RHEL 8,
> demoted (removed other dead server as demote process reported crazy
> errors), allotted the same IP/name to new RHEL 8 Server, compiled &
> installed samba.
>
> 3. The problems started when I attempted to add the samba as an
> additional DC. It always tried to find itself (non-existent server) as a
> writeable DC. This is when I found that SOA record in new samba 4.18.0
> server was pointing to the dead server in _msdsc.example.com, which I
> could not remove either in RSAT or using samba-tool. Although there was
> new SOA entry in Forward Zone pointing to new samba 4.18.0, the domain
> join process always found itself (non-existent server) as a writeable DC.
>
> 4. I did try to modify the _msdsc records in DNS and samba-ad dns goes
> down. AD authentication is working. No client can find the DNS. Even
> RSAT cannot find DNS. Kinit on the same server cannot find DNS.
>
> Unfortunately, I have no backup of running server. The back up is from
> 4.15.9, restoring of this DB is causing samba main process to exit with
> status code 1.
>
> After much effort, I brought AD component up, but DNS is still down.
>
> Any help to restore DNS in new samba 4.18.0 is much appreciated.
>
You could try to update the SOA record with samba-tool:
samba-tool dns update <server> <zone> @ SOA "olddata" "newdata"
Where <server> is the DC's hostname, or IP address, or 127.0.0.1 or
localhost
<zone> is the forest zone, usually in the format
'_msdcs.samdom.example.com' (where samdom.example.com is your DNS
domain)
"olddata" is what is there now and is the format:
"fqdn_dns fqdn_email serial refresh retry expire minimumttl"
You can obtain this with ldbsearch:
ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -b "CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com" '(&(objectClass=dnsNode)(name=@))'
You will need to run that as root and obviously change it to match your
sam.ldb path and RootDSE.
"newdata" is what you want to change it to and is the same format as
"olddata"
NOTE: it should work, but I have never had to try it.
As for your backup, it should work, but as they say, an untested backup
is a bad backup. How are you backing up the domain and how did you try
to restore it?
Rowland
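The SOA "olddata"/"newdata" strings in Rowland's reply are easy to get wrong by hand (seven space-separated fields, and the serial should go up so replication partners and secondaries notice the change). The helper below is an added example and is not code from the thread or from the Samba project; it builds the "newdata" string from an "olddata" string, swapping in the new primary name server and bumping the serial, and prints the resulting samba-tool command for review rather than running it. All host names, the zone name and the SOA values are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): compose the "newdata"
# argument for `samba-tool dns update <server> <zone> @ SOA "olddata" "newdata"`.
#
# new_soa_data OLDDATA NEW_PRIMARY_NS NEW_RNAME
#   OLDDATA is the current SOA in the format
#   "fqdn_dns fqdn_email serial refresh retry expire minimumttl".
#   Keeps refresh/retry/expire/minimumttl, replaces the primary NS and the
#   responsible-person name, and increments the serial by one.
new_soa_data() {
    old="$1"
    new_ns="$2"
    new_mail="$3"
    # Split OLDDATA on whitespace into $1..$7.
    set -- $old
    if [ "$#" -ne 7 ]; then
        echo "new_soa_data: expected 7 SOA fields, got $#" >&2
        return 1
    fi
    # The serial must be numeric; refuse anything else instead of guessing.
    case "$3" in
        ''|*[!0-9]*)
            echo "new_soa_data: serial '$3' is not a number" >&2
            return 1 ;;
    esac
    serial=$(( $3 + 1 ))
    printf '%s %s %s %s %s %s %s\n' \
        "$new_ns" "$new_mail" "$serial" "$4" "$5" "$6" "$7"
}

# soa_update_cmd SERVER ZONE OLDDATA NEWDATA
#   Prints the samba-tool command so the operator can inspect it before
#   touching the domain; it does not execute anything.
soa_update_cmd() {
    printf 'samba-tool dns update %s %s @ SOA "%s" "%s"\n' "$1" "$2" "$3" "$4"
}

# Constructed sample: the SOA still names a dead DC as primary.
OLD_SOA="olddc.samdom.example.com. hostmaster.samdom.example.com. 100 900 600 86400 3600"
NEW_SOA=$(new_soa_data "$OLD_SOA" "dc1.samdom.example.com." "hostmaster.samdom.example.com.")
soa_update_cmd localhost _msdcs.samdom.example.com "$OLD_SOA" "$NEW_SOA"
```

Run the printed command as root on the DC only after checking that the seven fields match what ldbsearch showed; if the serial on the page is not plain decimal, the helper refuses rather than emitting a malformed record.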