DNS domaincontroller_master

I’m getting an error after login

The error sends me to the following link: No domaincontroller_master SRV record and how to create it in the AD DNS

But when I go to a Windows member with RSAT installed (Windows 2016 Server) I don’t have the option _domaincontroller_master in the service dropdown. I add it manually but I can’t see it; when I try to add it again I get an error because it already exists, but even after restarting the UCS server I still have the same error.
Any suggestion to solve this problem?

DNS Check
Caution! The DNS service record for the UCS Master was not found in the DNS server.

Details are explained in the Support Database.

Thanks

Hi,

UCS can be configured for quite different scenarios, so it would be good to know first, if you are A) running a native Microsoft Active Directory server with a UCS server joined to it as member of the AD domain or B) running a standard UCS-only domain.

Just a note about the Windows side of things, you may verify that you have the “DNS Server Tools” enabled in the list of RSAT features. As far as I can see the actual filename of the “DNS Manager” tool is dnsmgmt.msc, so it can probably be started directly by that filename. But from your description I assume you already got that sorted out. I just state it here in case it helps others that run across your posting.

@requate I have two UCS servers (both working since an AD takeover (Windows Server 2003)); since then the Windows server was removed.

Now after the upgrade to 4.3 I have a lot of errors that I’m trying to solve… now that issue with the DNS appeared.

So I have two UCS servers, one in each site; one of the servers reports that warning that I cannot solve.

Ok, that’s a standard scenario, so it’s surprising that you see this issue. First please note that the Support Database entry you cited above only applies to the first of the two scenarios I mentioned above, where the UCS servers are joined as members into a native Microsoft Active Directory domain. We should improve the message and maybe also the text of the SDB entry to point this out more clearly.

Let me first summarize: I assume you have set up a UCS DC Master with the same domain name as your prior AD domain and then you have started the AD-Takeover process and, after copying the GPO files from the sysvol share, you have switched off the Microsoft AD DC and finally successfully finished the UCS side of the process. Furthermore I assume that you have set up your second UCS server with either of the two roles “Backup” or “Slave” and you probably installed the Samba AD software component too on that second server. If all of this is correct, I would first check the join status of the DC Backup/Slave. This can be done either via the UMC web interface or on the Linux command line using the tool univention-check-join-status. Actually, since your situation seems pretty far off the normal intended behavior, I would suggest checking the join status of your UCS DC Master too. The term “join status” refers to the question, if the “join scripts” of all installed software components have been run successfully.

Let’s start narrowing down your issue step by step.

@requate about the join status everything is ok

The process you describe is accurate, but let me clarify… that this issue only happened after the upgrade to 4.3.

The process was done in 2015, so I guess with Univention 4.0; after that I have done the upgrades and never had problems till now.

The AD still has the functional level of 2003.

About the roles…i have the following set
MAIN SERVER
samba4/role = DC
server/role= domaincontroller_master

SECOND SERVER
samba4/role = DC
server/role= domaincontroller_slave

I have the pkg Active Directory-compatible Domain Controller installed in the main DC, not in the other…

Thanks

Ok, I checked the UCS source code for the error message you get after login (I guess on the UCS Master), and I see that it only appears in the AD-Connector UMC module. This indicates that you have the AD-Connector installed on that server, maybe that’s a leftover from earlier times when you still had the Microsoft AD DC active. Anyway, this module checks if that characteristic SRV DNS record is resolvable via DNS and this check fails for some reason. You could run the following commands on the Linux command line and report if their output is empty for example or shows errors of some sort:

  • host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)."
  • univention-check-join-status

You could also check if the IPs configured as nameserver look reasonable:

  • ucr search --brief nameserver[1-3]

That should probably show the IP of your UCS DC Master as nameserver1. You could check that the nameserver service is running with this command:

  • pgrep -a named

Also you could run the “System Diagnostic” UMC module in the web interface and check the returned output for useful information and report it here (maybe you want to redact/anonymize the information you post).
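
Added example, not part of the original reply: the `host` lookup above asks the system's default resolver, so this sketch repeats it against each configured nameserver separately and labels each answer. The function names `classify_host_output` and `check_master_srv` are hypothetical; the `ucr` keys and the `host` invocation are the ones used in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Map the text printed by `host -t srv` (read from stdin) to one label.
classify_host_output() {
    _out=$(cat)
    case "$_out" in
        *"has SRV record"*)              echo FOUND ;;
        *"has no SRV record"*)           echo NODATA ;;     # name exists, no SRV data
        *"3(NXDOMAIN)"*)                 echo NXDOMAIN ;;   # name does not exist in the zone
        *"2(SERVFAIL)"*)                 echo SERVFAIL ;;   # server could not answer for the zone
        *"no servers could be reached"*) echo UNREACHABLE ;;
        *)                               echo UNKNOWN ;;
    esac
}

# Query every nameserver given after the domain; return 1 unless all say FOUND.
check_master_srv() {
    _domain=$1; shift
    _rc=0
    for _ns in "$@"; do
        _res=$(host -W 3 -t srv "_domaincontroller_master._tcp.${_domain}." "$_ns" 2>&1 \
               | classify_host_output)
        printf '%-16s %s\n' "$_ns" "$_res"
        [ "$_res" = FOUND ] || _rc=1
    done
    return "$_rc"
}

# On a UCS host, read nameserver1..3 and the domain name from UCR and run the check.
if command -v ucr >/dev/null 2>&1 && command -v host >/dev/null 2>&1; then
    set --
    for _i in 1 2 3; do
        _ip=$(ucr get "nameserver$_i")
        if [ -n "$_ip" ]; then set -- "$@" "$_ip"; fi
    done
    check_master_srv "$(ucr get domainname)" "$@" \
        || echo "SRV record not served by every configured nameserver"
else
    # Off a UCS host: classify the line quoted in this thread instead.
    echo 'Host _domaincontroller_master._tcp.ccm.local. not found: 3(NXDOMAIN)' \
        | classify_host_output
fi
```

A differing label between nameserver1 and nameserver2 points at one DNS backend missing the record rather than at the client's resolver configuration.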

@requate here are the outputs

root@CCMDC01:~# host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)."
Host _domaincontroller_master._tcp.ccm.local. not found: 3(NXDOMAIN)
root@CCMDC01:~# univention-check-join-status
Joined successfully
root@CCMDC01:~# ucr search --brief nameserver[1-3]
nameserver1: 192.168.120.2
nameserver2: 192.168.120.20
nameserver3: <empty>
root@CCMDC01:~# pgrep -a named
1756 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0
root@CCMDC01:~#

About the diagnostics, I only have one reject problem


Found 1 UCS rejects and 0 S4 rejects. See Univention Support Database - How to deal with s4-connector rejects for more information.
UCS rejected:
UCS DN: ;unknown, S4 DN: not found, Filename: /var/lib/univention-connector/s4/.1522319929.525067.swp

I have nearly the same situation - how did you solve it after that point? (There is one difference: I do NOT get any problems from the Systemdiagnose, except a “KDC Erreichbarkeit” for a non-existing server.)

The command line outputs are the same, i.e., the “domaincontroller_master…” is “not found”, while the nameservers and named commands provide valid entries.

I won’t… the issue is still there

any updates in here?
