Re: [Samba] Setup a Samba AD DC as an additional DC
Apologies for not replying to the thread, I just subscribed to the list,
after a day of troubleshooting this.

Regarding:
9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST'

I am experiencing the same symptoms, in a simpler environment than the
original submitter at the previous thread:

Single Windows 2008R2 Domain Controller
Schema version 47
No MS Exchange

Attempting to add a Samba 4 domain controller with the intention of
decommissioning the Windows Server.

Same symptoms from two different Samba 4 platforms:

FreeBSD 11.2 - samba 4.8.7 from packages
CentOS 7 - samba 4.9.3 compiled from source

SERVER1 = Windows Server 2008R2 Standard
SERVER3 = FreeBSD Samba Host

kinit and klist work fine.

# samba-tool domain join ad.mydomain DC -U"AD\administrator" --dns-backend=SAMBA_INTERNAL

...
Adding DNS CNAME record
f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain for
SERVER3.ad.mydomain
Join failed - cleaning up
...
ERROR(runtime): uncaught exception - (9601,
'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 706, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1482,
in join_DC
    ctx.do_join()
  File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1390,
in do_join
    ctx.join_add_dns_records()
  File "/usr/local/lib/python2.7/site-packages/samba/join.py", line 1144,
in join_add_dns_records
    None)


So, next - try checking then adding the DC DNS record manually via:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#Verifying_and_Creating_the_objectGUID_Record


# ldbsearch -H /var/db/samba4/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid

# record 1
dn: CN=NTDS
Settings,CN=SERVER3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain
objectGUID: f44ee6af-47c7-4cb1-b29f-5d4470bc3063

# record 2
dn: CN=NTDS
Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain
objectGUID: f5bf75a2-8dae-4456-835e-a568910c9052

# returned 2 records
# 2 entries
# 0 referrals


# host -t CNAME f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain.
Host f44ee6af-47c7-4cb1-b29f-5d4470bc3063._msdcs.ad.mydomain not found:
3(NXDOMAIN)

# samba-tool dns add SERVER1 _msdcs.ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME SERVER3.ad.mydomain -Uadministrator

root@server3:/var/db/samba4/private # samba-tool dns add SERVER1
_msdcs.ad.mydomain f44ee6af-47c7-4cb1-b29f-5d4470bc3063 CNAME
SERVER3.ad.mydomain -Uadministrator
Password for [AD\administrator]:
ERROR(runtime): uncaught exception - (9601,
'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/dns.py", line
940, in run
    raise e


When I list the zones, I don't see the _msdcs zone like I do at other
domains - instead I have TrustAnchors.  But DNSSEC isn't configured at
SERVER1:

# samba-tool dns zonelist SERVER1 -U administrator

root@server3:/var/db/samba4/private # samba-tool dns zonelist SERVER1 -U
administrator
Password for [AD\administrator]:
  3 zone(s) found

  pszZoneName                 : 254.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_REVERSE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : NONE
  pszDpFqdn                   : None

  pszZoneName                 : ad.mydomain
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.ad.mydomain

  pszZoneName                 : TrustAnchors
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.ad.mydomain


So this is where I'm at now.  Earlier today I found a reference on another
thread or another list which I need to find again, which suggested this
might be a bug or issue with Samba 4.8 and higher.  I have not yet tried
adding Samba 4.7 to the same domain.

Hopefully this helps narrow it, and of course any suggestions to help
resolve or continue troubleshooting are appreciated.

Thanks,
Andrew
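As an added example (not from this thread and not Samba's own code), the following Python script performs the checks in the message above offline. It parses saved output of `samba-tool dns zonelist <DC>` and of the `ldbsearch ... '(invocationId=*)' --cross-ncs objectguid` query, derives the `<objectGUID>._msdcs.<domain>` CNAME record each DC needs, and reports whether a zone named exactly `_msdcs.<domain>` (the zone the manual `samba-tool dns add` command above targets) is present, and what sits in the forest-wide `ForestDnsZones` partition instead. The sample outputs are constructed to mirror the ones in the mail (flags on a single line, long DNs folded in LDIF style); the domain name `ad.mydomain` and the assumption that the join writes the CNAME into a dedicated `_msdcs.<domain>` zone both come from the thread and the Samba wiki page it links.

```python
"""Offline sanity check for the WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST symptom.

Given saved output of `samba-tool dns zonelist <DC>` and of
`ldbsearch ... '(invocationId=*)' --cross-ncs objectguid`, work out the
objectGUID CNAME record the join creates for each DC and report whether the
`_msdcs.<domain>` zone that record is added to exists on the DNS server.
"""
import re

# Constructed sample mirroring `samba-tool dns zonelist SERVER1` from the mail
# (the tool prints each Flags/dwDpFlags value on one line; the mail wrapped them).
ZONELIST_OUTPUT = """\
  3 zone(s) found

  pszZoneName                 : 254.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_REVERSE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : NONE
  pszDpFqdn                   : None

  pszZoneName                 : ad.mydomain
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.ad.mydomain

  pszZoneName                 : TrustAnchors
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.ad.mydomain
"""

# Constructed sample of the ldbsearch output in LDIF form: a long dn is folded
# onto a continuation line that starts with a single space.
LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=NTDS Settings,CN=SERVER3,CN=Servers,CN=Default-First-Site-Name,CN=Sites
 ,CN=Configuration,DC=ad,DC=mydomain
objectGUID: f44ee6af-47c7-4cb1-b29f-5d4470bc3063

# record 2
dn: CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites
 ,CN=Configuration,DC=ad,DC=mydomain
objectGUID: f5bf75a2-8dae-4456-835e-a568910c9052

# returned 2 records
# 2 entries
# 0 referrals
"""

FIELD_RE = re.compile(r'^\s*(\w+)\s*:\s*(.*?)\s*$')


def parse_zonelist(text):
    """Parse `samba-tool dns zonelist` output into one dict per zone."""
    zones, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # "N zone(s) found", blank lines
        key, value = m.groups()
        if key == 'pszZoneName':          # each zone block starts with its name
            current = {}
            zones.append(current)
        if current is not None:
            current[key] = value
    return zones


def parse_ntds_guids(text):
    """Map server name -> objectGUID of its NTDS Settings object."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(' ') and unfolded:
            unfolded[-1] += line[1:]      # LDIF continuation line
        elif line and not line.startswith('#'):
            unfolded.append(line)
    guids, server = {}, None
    for line in unfolded:
        attr, _, value = line.partition(': ')
        if attr == 'dn':
            m = re.match(r'CN=NTDS Settings,CN=([^,]+),', value)
            server = m.group(1) if m else None
        elif attr.lower() == 'objectguid' and server:
            guids[server] = value.strip()
    return guids


def expected_cname_record(guid, domain):
    """Name of the DC locator CNAME the join registers for this DC."""
    return '%s._msdcs.%s' % (guid, domain)


def check_msdcs_zone(zones, domain):
    """Does the zone `samba-tool dns add <DC> _msdcs.<domain> ...` writes to exist?"""
    wanted = ('_msdcs.' + domain).lower()
    names = [z['pszZoneName'] for z in zones]
    forest_zones = [z['pszZoneName'] for z in zones
                    if z.get('pszDpFqdn', '').lower().startswith('forestdnszones.')]
    return {'expected_zone': wanted,
            'present': any(n.lower() == wanted for n in names),
            'forest_partition_zones': forest_zones,
            'all_zones': names}


def diagnose(zonelist_text, ldbsearch_text, domain):
    report = check_msdcs_zone(parse_zonelist(zonelist_text), domain)
    report['records'] = {srv: expected_cname_record(g, domain)
                         for srv, g in parse_ntds_guids(ldbsearch_text).items()}
    return report


if __name__ == '__main__':
    r = diagnose(ZONELIST_OUTPUT, LDBSEARCH_OUTPUT, 'ad.mydomain')
    for srv, rec in sorted(r['records'].items()):
        print('%s needs CNAME %s' % (srv, rec))
    if r['present']:
        print('zone %s exists' % r['expected_zone'])
    else:
        print('zone %s is MISSING; forest partition holds: %s' % (
            r['expected_zone'], ', '.join(r['forest_partition_zones']) or 'nothing'))
```

Run against the constructed samples, it reports the two CNAME names and that `_msdcs.ad.mydomain` is missing while `TrustAnchors` is the only zone in the forest partition, which is the state the mail describes; pointing the same parser at real saved output from another DC shows at a glance whether that DC's forest partition carries the `_msdcs` zone.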