Nicolás Hermida
2025-Mar-19 19:43 UTC
[Samba] DNS management error accessing the domain zone
Hi everyone,

We have an Active Directory environment with a WS 2008 R2 functional level. There are two Windows Server 2012 R2 systems, we started the task of migrating these servers to Samba and we've added a Samba domain controller (Version 4.19.5) under Ubuntu 24.04.

So we have:
SERVER1 (IP 172.30.16.10): Windows Server 2012 R2 Domain Controller
SERVER2 (IP 172.30.16.11): Windows Server 2012 R2 Domain Controller
SERVER3 (IP 172.30.16.14): Samba Domain Controller

Domain name: example.local

When we try to connect to SERVER3 (Samba DC) using the Windows DNS Management Tool to manage the DNS server, we get an error when trying to access the example.local forward lookup zone.

This error does not occur when accessing the _msdcs.example.local zone.

The error indicated by the Windows DNS tool is:
Zone Not Loaded by DNS Server

The DNS server encountered a problem while attempting to load the zone. The transfer of zone data from the master server failed.

We ran the command to fix some errors detected by dbcheck:
# samba-tool dbcheck --cross-ncs --fix

In the Samba service log, we observed these errors that we consider relevant:
dnsserver: Invalid zone operation IsSigneddnsserver

ndr_pull_uint32: ndr_pull_error(Buffer Size Error): Pull bytes 4 (librpc/ndr/ndr_basic.c:193) at librpc/ndr/ndr_basic.c:193

Replications work correctly.
Here you have a copy of the main configuration files:

/etc/samba/smb.conf
# Global parameters
[global]
    log level = 3
    netbios name = SERVER3
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    workgroup = EXAMPLE
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = no

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/example.local/scripts
    read only = No

/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    EXAMPLE.LOCAL = {
        default_domain = example.local
    }

[domain_realm]
    SERVER3 = EXAMPLE.LOCAL

/etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# --- BEGIN PVE ---
172.30.16.14 server3.example.local server
# --- END PVE ---

/etc/resolv.conf
# --- BEGIN PVE ---
search example.local
nameserver 172.30.16.10
# --- END PVE ---

Any ideas that might help us resolve this issue?
Rowland Penny
2025-Mar-19 21:14 UTC
[Samba] DNS management error accessing the domain zone
On Wed, 19 Mar 2025 16:43:59 -0300
Nicolás Hermida via samba <samba at lists.samba.org> wrote:

> Hi everyone,
>
> We have an Active Directory environment with a WS 2008 R2 functional
> level. There are two Windows Server 2012 R2 systems, we started the
> task of migrating these servers to Samba and we've added a Samba
> domain controller (Version 4.19.5) under Ubuntu 24.04.
>
> So we have:
> SERVER1 (IP 172.30.16.10): Windows Server 2012 R2 Domain Controller
> SERVER2 (IP 172.30.16.11): Windows Server 2012 R2 Domain Controller
> SERVER3 (IP 172.30.16.14): Samba Domain Controller
>
> Domain name: example.local
>
> When we try to connect to SERVER3 (Samba DC) using the Windows DNS
> Management Tool to manage the DNS server, we get an error when trying
> to access the example.local forward lookup zone.
>
> This error does not occur when accessing the _msdcs.example.local
> zone.
>
> The error indicated by the Windows DNS tool is:
> Zone Not Loaded by DNS Server
>
> The DNS server encountered a problem while attempting to load the
> zone. The transfer of zone data from the master server failed.
>
> We ran the command to fix some errors detected by dbcheck:
> # samba-tool dbcheck --cross-ncs --fix
>
> In the Samba service log, we observed these errors that we consider
> relevant: dnsserver: Invalid zone operation IsSigneddnsserver
>
> ndr_pull_uint32: ndr_pull_error(Buffer Size Error): Pull bytes 4
> (librpc/ndr/ndr_basic.c:193) at librpc/ndr/ndr_basic.c:193
>
> Replications work correctly.
>
> Here you have a copy of the main configuration files:
>
> /etc/resolv.conf
> # --- BEGIN PVE ---
> search example.local
> nameserver 172.30.16.10
> # --- END PVE ---
>
>
> Any ideas that might help us resolve this issue?
>

A couple of things you can try: first, point the Samba DC at itself for its nameserver, change 'nameserver 172.30.16.10' to 'nameserver 172.30.16.14'.

The second is to compare the forward zone dns records on the Samba DC with the records on one of the Windows DCs.

I also hope that 'example.local' is sanitising for the real AD dns domain and that it really doesn't use the '.local' TLD.

Rowland
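
The record comparison suggested in the reply above, as an added example (not code from either poster or from the Samba project). It assumes each listing was saved from `samba-tool dns query <server> example.local @ ALL`, which lists one level of the zone; the two sample listings are constructed, not taken from the thread.

```python
import re

# Constructed listings in the layout printed by
# `samba-tool dns query <server> example.local @ ALL`; not output from the thread.
SAMBA_DC = """\
  Name=, Records=3, Children=0
    SOA: serial=120, refresh=900, retry=600, expire=86400, minttl=3600, ns=server3.example.local., email=hostmaster.example.local. (flags=600000f0, serial=120, ttl=3600)
    NS: server3.example.local. (flags=600000f0, serial=110, ttl=3600)
    A: 172.30.16.14 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=server3, Records=1, Children=0
    A: 172.30.16.14 (flags=f0, serial=110, ttl=900)
"""
WINDOWS_DC = """\
  Name=, Records=5, Children=0
    SOA: serial=98, refresh=900, retry=600, expire=86400, minttl=3600, ns=server1.example.local., email=hostmaster.example.local. (flags=600000f0, serial=98, ttl=3600)
    NS: SERVER1.example.local. (flags=600000f0, serial=98, ttl=3600)
    NS: server3.example.local. (flags=600000f0, serial=98, ttl=3600)
    A: 172.30.16.10 (flags=600000f0, serial=98, ttl=600)
    A: 172.30.16.14 (flags=600000f0, serial=98, ttl=600)
  Name=_msdcs, Records=0, Children=0
  Name=server1, Records=1, Children=0
    A: 172.30.16.10 (flags=f0, serial=98, ttl=1200)
  Name=server3, Records=1, Children=0
    A: 172.30.16.14 (flags=f0, serial=98, ttl=1200)
"""

NAME_RE = re.compile(r"^\s*Name=([^,]*), Records=\d+, Children=\d+\s*$")
REC_RE = re.compile(r"^\s*([A-Z]+): (.*?)(?: \(flags=[^)]*\))?\s*$")

def parse_listing(text, skip_types=("SOA",)):
    """Return {(name, type, data)}; per-record flags/serial/ttl are dropped."""
    records, name = set(), None
    for line in text.splitlines():
        if (m := NAME_RE.match(line)):
            name = (m.group(1) or "@").lower()   # empty Name= is the zone root
        elif (m := REC_RE.match(line)) and name is not None:
            if m.group(1) not in skip_types:     # assumption: SOA differs per DC, so skip it
                records.add((name, m.group(1), m.group(2).lower()))
    return records

def compare(listing_a, listing_b):
    """Return (records only in a, records only in b), each sorted."""
    a, b = parse_listing(listing_a), parse_listing(listing_b)
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    print(compare(SAMBA_DC, WINDOWS_DC))
```

Records reported on only one side are the ones to inspect by hand on that DC; TTL and serial differences are deliberately ignored here.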