After 4.1 to 4.2 Upgrade samba4 dns checks fail

Hi,

After upgrading UCS from 4.1-4 (errata410) to 4.2 on two different installations, the Samba DNS checks fail:

root@CKCUCS1:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Host gc._msdcs not found: 3(NXDOMAIN)
Host _gc._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.gc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.pdc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.31aeb93a-0b70-4591-a197-4c1b2ca087d4.domains._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp not found: 3(NXDOMAIN)
Host _kerberos._udp not found: 3(NXDOMAIN)
Host _kpasswd._tcp not found: 3(NXDOMAIN)
Host _kpasswd._udp not found: 3(NXDOMAIN)
Located DC 'CKCUCS1' in site 'Default-First-Site-Name'
Located DC 'CKCUCS2' in site 'Default-First-Site-Name'
Host f41a48a2-21b1-464f-bf84-3c64144a3547._msdcs not found: 3(NXDOMAIN)
Host c8c04722-4c28-4bad-abb3-6b24be933df8._msdcs not found: 3(NXDOMAIN)
## Records for site Default-First-Site-Name:
Host _ldap._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
## Optional GC Records for site Default-First-Site-Name:
Host _gc._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs not found: 3(NXDOMAIN)
No _kerberos TXT record (ok)

In LDAP DNS all records are there; also, if I check with the RSAT DNS tool, all records are shown.

rg

Christian

Can you please restart bind and post the lines during and shortly after the restart of the service from the syslog here?

Edit:

# tailf /var/log/syslog
# service bind9 restart

I think the following information would also be helpful:

$ ucr search --brief --non-empty ^dns/backend ^dns/forwarder ^interfaces ^nameserver

May 4 12:49:28 CKCUCS1 systemd[1]: Stopping LSB: bind9 Domain Name Server (DNS)…
May 4 12:49:28 CKCUCS1 named[1916]: shutting down
May 4 12:49:28 CKCUCS1 named[1916]: stopping command channel on 127.0.0.1#953
May 4 12:49:28 CKCUCS1 named[1916]: no longer listening on ::#53
May 4 12:49:28 CKCUCS1 named[1916]: no longer listening on 127.0.0.1#53
May 4 12:49:28 CKCUCS1 named[1916]: no longer listening on 192.168.2.100#53
May 4 12:49:28 CKCUCS1 named[1916]: no longer listening on 172.17.42.1#53
May 4 12:49:28 CKCUCS1 named[1916]: samba_dlz: shutting down
May 4 12:49:28 CKCUCS1 named[1916]: exiting
May 4 12:49:33 CKCUCS1 systemd[1]: Starting LSB: bind9 Domain Name Server (DNS)…
May 4 12:49:33 CKCUCS1 bind9[69078]: Stopping bind9 Domain Name Server (DNS): proxy ldap samba4.
May 4 12:49:34 CKCUCS1 named[69099]: starting BIND 9.9.5-9+deb8u6A~4.2.0.201702281603-Debian -c /etc/bind/named.conf.samba4 -f -d 0
May 4 12:49:34 CKCUCS1 named[69099]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--with-dlz-dlopen' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -g -O2'
May 4 12:49:34 CKCUCS1 named[69099]: ----------------------------------------------------
May 4 12:49:34 CKCUCS1 named[69099]: BIND 9 is maintained by Internet Systems Consortium,
May 4 12:49:34 CKCUCS1 named[69099]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 4 12:49:34 CKCUCS1 named[69099]: corporation. Support and training for BIND 9 are
May 4 12:49:34 CKCUCS1 named[69099]: available at https://www.isc.org/support
May 4 12:49:34 CKCUCS1 named[69099]: ----------------------------------------------------
May 4 12:49:34 CKCUCS1 named[69099]: adjusted limit on open files from 4096 to 1048576
May 4 12:49:34 CKCUCS1 named[69099]: found 4 CPUs, using 4 worker threads
May 4 12:49:34 CKCUCS1 named[69099]: using 4 UDP listeners per interface
May 4 12:49:34 CKCUCS1 named[69099]: using up to 4096 sockets
May 4 12:49:34 CKCUCS1 named[69099]: loading configuration from ‘/etc/bind/named.conf.samba4’
May 4 12:49:34 CKCUCS1 named[69099]: reading built-in trusted keys from file ‘/etc/bind/bind.keys’
May 4 12:49:34 CKCUCS1 named[69099]: using default UDP/IPv4 port range: [1024, 65535]
May 4 12:49:34 CKCUCS1 named[69099]: using default UDP/IPv6 port range: [1024, 65535]
May 4 12:49:34 CKCUCS1 named[69099]: listening on IPv6 interfaces, port 53
May 4 12:49:34 CKCUCS1 named[69099]: listening on IPv4 interface lo, 127.0.0.1#53
May 4 12:49:34 CKCUCS1 named[69099]: listening on IPv4 interface eth0, 192.168.2.100#53
May 4 12:49:34 CKCUCS1 named[69099]: listening on IPv4 interface docker0, 172.17.42.1#53
May 4 12:49:34 CKCUCS1 named[69099]: generating session key for dynamic DNS
May 4 12:49:34 CKCUCS1 named[69099]: sizing zone task pool based on 1 zones
May 4 12:49:34 CKCUCS1 named[69099]: Loading ‘samba4.zone’ using driver dlopen
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: started for DN DC=ckc,DC=local
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: starting configure
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: trying partition ‘CN=MicrosoftDNS,DC=DomainDnsZones,DC=ckc,DC=local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: configured writeable zone ‘2.168.192.in-addr.arpa’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: trying partition ‘CN=MicrosoftDNS,DC=DomainDnsZones,DC=ckc,DC=local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: configured writeable zone ‘ckcsrv3.ckc-it.at’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: trying partition ‘CN=MicrosoftDNS,DC=DomainDnsZones,DC=ckc,DC=local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: configured writeable zone ‘remote.ckc-it.at’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: trying partition ‘CN=MicrosoftDNS,DC=DomainDnsZones,DC=ckc,DC=local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: configured writeable zone ‘ckc.local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: trying partition ‘CN=MicrosoftDNS,DC=ForestDnsZones,DC=ckc,DC=local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: configured writeable zone ‘_msdcs.ckc.local’
May 4 12:49:34 CKCUCS1 named[69099]: set up managed keys zone for view _default, file ‘managed-keys.bind’
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 10.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 16.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 17.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 18.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 19.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 20.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 21.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 22.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 23.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 24.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 25.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 26.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 27.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 28.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 29.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 30.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 31.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 168.192.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 64.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 65.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 66.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 67.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 68.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 69.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 70.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 71.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 72.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 73.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 74.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 75.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 76.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 77.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 78.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 79.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 80.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 81.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 82.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 83.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 84.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 85.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 86.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 87.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 88.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 89.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 90.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 91.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 92.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 93.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 94.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 95.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 96.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 97.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 98.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 99.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 100.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 101.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 102.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 103.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 104.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 105.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 106.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 107.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 108.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 109.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 110.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 111.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 112.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 113.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 114.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 115.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 116.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 117.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 118.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 119.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 120.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 121.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 122.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 123.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 124.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 125.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 126.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 127.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 0.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 127.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 254.169.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: D.F.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 8.E.F.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 9.E.F.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: A.E.F.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: B.E.F.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
May 4 12:49:34 CKCUCS1 systemd[1]: Started LSB: bind9 Domain Name Server (DNS).
May 4 12:49:34 CKCUCS1 bind9[69089]: Starting bind9 Domain Name Server (DNS): samba4.
May 4 12:49:34 CKCUCS1 named[69099]: command channel listening on 127.0.0.1#953
May 4 12:49:34 CKCUCS1 named[69099]: managed-keys-zone: loaded serial 0
May 4 12:49:34 CKCUCS1 named[69099]: all zones loaded
May 4 12:49:34 CKCUCS1 named[69099]: running

Last login: Thu May 4 12:49:24 2017 from ck-desktop.ckc.local
root@CKCUCS1:~# ucr search --brief --non-empty ^dns/backend ^dns/forwarder ^interfaces ^nameserver
dns/backend: samba4
dns/forwarder1: 208.67.222.222
dns/forwarder2: 8.8.8.8
interfaces/eth0/address: 192.168.2.100
interfaces/eth0/broadcast: 192.168.2.255
interfaces/eth0/ipv6/acceptRA: false
interfaces/eth0/netmask: 255.255.255.0
interfaces/eth0/network: 192.168.2.0
interfaces/eth0/start: true
interfaces/eth0/type: static
interfaces/handler: ifplugd
interfaces/primary: eth0
nameserver/external: false
nameserver/option/timeout: 2
nameserver1: 192.168.2.100

Here is an example from my 4.2 testing environment:

Essential DNS Check
root@master-42-10:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Host gc._msdcs not found: 3(NXDOMAIN)
Host _gc._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.gc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.pdc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp not found: 3(NXDOMAIN)
Host _kerberos._udp not found: 3(NXDOMAIN)
Host _kpasswd._tcp not found: 3(NXDOMAIN)
Host _kpasswd._udp not found: 3(NXDOMAIN)
Located DC 'master-42-10' in site 'Default-First-Site-Name'
Located DC 'slave-42-11' in site 'Default-First-Site-Name'
Located DC 'backup-42-12' in site 'Default-First-Site-Name'
Located DC 'slave-42-16' in site 'Default-First-Site-Name'
Located DC 'backup-42-18' in site 'Default-First-Site-Name'
Host d6bb148b-5610-4076-883f-a2fbce309286._msdcs not found: 3(NXDOMAIN)
Host 789dd1dc-c51d-43d1-8499-ccc72c443f45._msdcs not found: 3(NXDOMAIN)
Host fb6b4b9d-64b6-4b5e-a671-7cf3d1fa9a45._msdcs not found: 3(NXDOMAIN)
Host efd884d7-ada9-4d1c-9038-11aca74d6c9a._msdcs not found: 3(NXDOMAIN)
Host 1e811606-b55e-4bf8-b1e6-b00e7556c3ec._msdcs not found: 3(NXDOMAIN)
## Records for site Default-First-Site-Name:
Host _ldap._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
## Optional GC Records for site Default-First-Site-Name:
Host _gc._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs not found: 3(NXDOMAIN)
_kerberos.nvsx.local descriptive text "NVSX.LOCAL"

root@master-42-10:~# ucr set dns/backend='ldap' 
Setting dns/backend

root@master-42-10:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Host gc._msdcs not found: 3(NXDOMAIN)
Host _gc._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.gc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.pdc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp not found: 3(NXDOMAIN)
Host _kerberos._udp not found: 3(NXDOMAIN)
Host _kpasswd._tcp not found: 3(NXDOMAIN)
Host _kpasswd._udp not found: 3(NXDOMAIN)
Located DC 'master-42-10' in site 'Default-First-Site-Name'
Located DC 'slave-42-11' in site 'Default-First-Site-Name'
Located DC 'backup-42-12' in site 'Default-First-Site-Name'
Located DC 'slave-42-16' in site 'Default-First-Site-Name'
Located DC 'backup-42-18' in site 'Default-First-Site-Name'
Host d6bb148b-5610-4076-883f-a2fbce309286._msdcs not found: 3(NXDOMAIN)
Host 789dd1dc-c51d-43d1-8499-ccc72c443f45._msdcs not found: 3(NXDOMAIN)
Host fb6b4b9d-64b6-4b5e-a671-7cf3d1fa9a45._msdcs not found: 3(NXDOMAIN)
Host efd884d7-ada9-4d1c-9038-11aca74d6c9a._msdcs not found: 3(NXDOMAIN)
Host 1e811606-b55e-4bf8-b1e6-b00e7556c3ec._msdcs not found: 3(NXDOMAIN)
## Records for site Default-First-Site-Name:
Host _ldap._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
## Optional GC Records for site Default-First-Site-Name:
Host _gc._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs not found: 3(NXDOMAIN)
_kerberos.nvsx.local descriptive text "NVSX.LOCAL"

Samba AD
root@master-42-10:~# univention-s4search --cross-ncs DC=d6bb148b-5610-4076-883f-a2fbce309286 --show-binary 
# record 1
dn: DC=d6bb148b-5610-4076-883f-a2fbce309286,DC=_msdcs.nvsx.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=nvsx,DC=local
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20151104113929.0Z
uSNCreated: 3687
showInAdvancedViewOnly: TRUE
name: d6bb148b-5610-4076-883f-a2fbce309286
objectGUID: 18e90043-aa75-41e7-8fce-6d9b197b55ff
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=nvsx,DC=local
dc: d6bb148b-5610-4076-883f-a2fbce309286
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x001b (27)
        wType                    : DNS_TYPE_CNAME (5)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x00000001 (1)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 5)
        cname                    : master-42-10.nvsx.local

whenChanged: 20170427100829.0Z
uSNChanged: 5952
distinguishedName: DC=d6bb148b-5610-4076-883f-a2fbce309286,DC=_msdcs.nvsx.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=nvsx,DC=local

# returned 1 records
# 1 entries
# 0 referrals

LDAP
root@master-42-10:~# univention-ldapsearch -LLL relativeDomainName=d6bb148b-5610-4076-883f-a2fbce309286._msdcs
dn: relativeDomainName=d6bb148b-5610-4076-883f-a2fbce309286._msdcs,zoneName=nv
 sx.local,cn=dns,dc=nvsx,dc=local
cNAMERecord: master-42-10.nvsx.local.
objectClass: top
objectClass: dNSZone
objectClass: univentionObject
univentionObjectType: dns/alias
dNSTTL: 80600
relativeDomainName: d6bb148b-5610-4076-883f-a2fbce309286._msdcs
zoneName: nvsx.local

But it should look like this (it's a 4.1-4 errata 410 installation):

root@fischer11:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
gc._msdcs.fischer.local has address 192.168.1.7
gc._msdcs.fischer.local has address 192.168.1.6
gc._msdcs.fischer.local has address 192.168.1.1
_gc._tcp.fischer.local has SRV record 0 0 3268 fischer12.fischer.local.
_gc._tcp.fischer.local has SRV record 0 100 3268 fischer11.fischer.local.
_ldap._tcp.gc._msdcs.fischer.local has SRV record 0 100 3268 fischer11.fischer.local.
_ldap._tcp.gc._msdcs.fischer.local has SRV record 0 0 3268 fischer12.fischer.local.
_ldap._tcp.fischer.local has SRV record 0 0 389 fischer12.fischer.local.
_ldap._tcp.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_ldap._tcp.dc._msdcs.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_ldap._tcp.dc._msdcs.fischer.local has SRV record 0 0 389 fischer12.fischer.local.
_ldap._tcp.pdc._msdcs.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_ldap._tcp.69e79d94-7945-4f05-ae32-5f01e3fd8326.domains._msdcs.fischer.local has SRV record 0 0 389 fischer12.fischer.local.
_ldap._tcp.69e79d94-7945-4f05-ae32-5f01e3fd8326.domains._msdcs.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_kerberos._tcp.dc._msdcs.fischer.local has SRV record 0 100 88 fischer11.fischer.local.
_kerberos._tcp.dc._msdcs.fischer.local has SRV record 0 0 88 fischer12.fischer.local.
_kerberos._tcp.fischer.local has SRV record 0 0 88 fischer12.fischer.local.
_kerberos._tcp.fischer.local has SRV record 0 100 88 fischer11.fischer.local.
_kerberos._udp.fischer.local has SRV record 0 100 88 fischer11.fischer.local.
_kerberos._udp.fischer.local has SRV record 0 0 88 fischer12.fischer.local.
_kpasswd._tcp.fischer.local has SRV record 0 0 464 fischer12.fischer.local.
_kpasswd._tcp.fischer.local has SRV record 0 100 464 fischer11.fischer.local.
_kpasswd._udp.fischer.local has SRV record 0 0 464 fischer12.fischer.local.
_kpasswd._udp.fischer.local has SRV record 0 100 464 fischer11.fischer.local.
Located DC 'fischer11' in site 'Default-First-Site-Name'
Located DC 'fischer12' in site 'Default-First-Site-Name'
7cc7ea43-96e6-4a6e-b089-ff12b09d9b03._msdcs.fischer.local is an alias for fischer11.fischer.local.
d2ab1adf-f224-472c-bc04-2beec4defc75._msdcs.fischer.local is an alias for fischer12.fischer.local.
## Records for site Default-First-Site-Name:
_ldap._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 0 389 fischer12.fischer.local.
_ldap._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.fischer.local has SRV record 0 0 389 fischer12.fischer.local.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_kerberos._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 0 88 fischer12.fischer.local.
_kerberos._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 100 88 fischer11.fischer.local.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.fischer.local has SRV record 0 100 88 fischer11.fischer.local.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.fischer.local has SRV record 0 0 88 fischer12.fischer.local.
## Optional GC Records for site Default-First-Site-Name:
_gc._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 100 3268 fischer11.fischer.local.
_gc._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 0 3268 fischer12.fischer.local.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.fischer.local has SRV record 0 0 3268 fischer12.fischer.local.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.fischer.local has SRV record 0 100 3268 fischer11.fischer.local.
_kerberos.fischer.local descriptive text "FISCHER.LOCAL"

rg
Christian

I can confirm @externa1’s statement. On an UCS 4.1-4 Backup in the same testing environment it’s all fine:

Essential DNS Check 4.1-4
root@backup-42-18:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
gc._msdcs.nvsx.local has address 10.200.42.10
gc._msdcs.nvsx.local has address 10.200.42.11
gc._msdcs.nvsx.local has address 10.200.43.12
gc._msdcs.nvsx.local has address 10.200.42.12
gc._msdcs.nvsx.local has address 10.200.42.16
gc._msdcs.nvsx.local has address 10.200.42.18
_gc._tcp.nvsx.local has SRV record 0 100 3268 slave-42-16.nvsx.local.
_gc._tcp.nvsx.local has SRV record 0 100 3268 backup-42-12.nvsx.local.
_gc._tcp.nvsx.local has SRV record 0 100 3268 backup-42-18.nvsx.local.
_gc._tcp.nvsx.local has SRV record 0 100 3268 master-42-10.nvsx.local.
_gc._tcp.nvsx.local has SRV record 0 100 3268 slave-42-11.nvsx.local.
_ldap._tcp.gc._msdcs.nvsx.local has SRV record 0 100 3268 backup-42-12.nvsx.local.
_ldap._tcp.gc._msdcs.nvsx.local has SRV record 0 100 3268 backup-42-18.nvsx.local.
_ldap._tcp.gc._msdcs.nvsx.local has SRV record 0 100 3268 master-42-10.nvsx.local.
_ldap._tcp.gc._msdcs.nvsx.local has SRV record 0 100 3268 slave-42-11.nvsx.local.
_ldap._tcp.gc._msdcs.nvsx.local has SRV record 0 100 3268 slave-42-16.nvsx.local.
_ldap._tcp.nvsx.local has SRV record 0 100 389 backup-42-12.nvsx.local.
_ldap._tcp.nvsx.local has SRV record 0 100 389 slave-42-11.nvsx.local.
_ldap._tcp.nvsx.local has SRV record 0 100 389 slave-42-16.nvsx.local.
_ldap._tcp.nvsx.local has SRV record 0 100 389 backup-42-18.nvsx.local.
_ldap._tcp.nvsx.local has SRV record 0 100 389 master-42-10.nvsx.local.
_ldap._tcp.dc._msdcs.nvsx.local has SRV record 0 100 389 master-42-10.nvsx.local.
_ldap._tcp.dc._msdcs.nvsx.local has SRV record 0 100 389 backup-42-12.nvsx.local.
_ldap._tcp.dc._msdcs.nvsx.local has SRV record 0 100 389 slave-42-11.nvsx.local.
_ldap._tcp.dc._msdcs.nvsx.local has SRV record 0 100 389 slave-42-16.nvsx.local.
_ldap._tcp.dc._msdcs.nvsx.local has SRV record 0 100 389 backup-42-18.nvsx.local.
_ldap._tcp.pdc._msdcs.nvsx.local has SRV record 0 100 389 master-42-10.nvsx.local.
_ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs.nvsx.local has SRV record 0 100 389 backup-42-18.nvsx.local.
_ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs.nvsx.local has SRV record 0 100 389 master-42-10.nvsx.local.
_ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs.nvsx.local has SRV record 0 100 389 backup-42-12.nvsx.local.
_ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs.nvsx.local has SRV record 0 100 389 slave-42-11.nvsx.local.
_ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs.nvsx.local has SRV record 0 100 389 slave-42-16.nvsx.local.
_kerberos._tcp.dc._msdcs.nvsx.local has SRV record 0 100 88 master-42-10.nvsx.local.
_kerberos._tcp.dc._msdcs.nvsx.local has SRV record 0 100 88 backup-42-12.nvsx.local.
_kerberos._tcp.dc._msdcs.nvsx.local has SRV record 0 100 88 slave-42-11.nvsx.local.
_kerberos._tcp.dc._msdcs.nvsx.local has SRV record 0 100 88 slave-42-16.nvsx.local.
_kerberos._tcp.dc._msdcs.nvsx.local has SRV record 0 100 88 backup-42-18.nvsx.local.
_kerberos._tcp.nvsx.local has SRV record 0 100 88 master-42-10.nvsx.local.
_kerberos._tcp.nvsx.local has SRV record 0 100 88 backup-42-12.nvsx.local.
_kerberos._tcp.nvsx.local has SRV record 0 100 88 slave-42-11.nvsx.local.
_kerberos._tcp.nvsx.local has SRV record 0 100 88 slave-42-16.nvsx.local.
_kerberos._tcp.nvsx.local has SRV record 0 100 88 backup-42-18.nvsx.local.
_kerberos._udp.nvsx.local has SRV record 0 100 88 slave-42-16.nvsx.local.
_kerberos._udp.nvsx.local has SRV record 0 100 88 backup-42-18.nvsx.local.
_kerberos._udp.nvsx.local has SRV record 0 100 88 master-42-10.nvsx.local.
_kerberos._udp.nvsx.local has SRV record 0 100 88 backup-42-12.nvsx.local.
_kerberos._udp.nvsx.local has SRV record 0 100 88 slave-42-11.nvsx.local.
_kpasswd._tcp.nvsx.local has SRV record 0 100 464 backup-42-18.nvsx.local.
_kpasswd._tcp.nvsx.local has SRV record 0 100 464 master-42-10.nvsx.local.
_kpasswd._tcp.nvsx.local has SRV record 0 100 464 backup-42-12.nvsx.local.
_kpasswd._tcp.nvsx.local has SRV record 0 100 464 slave-42-11.nvsx.local.
_kpasswd._tcp.nvsx.local has SRV record 0 100 464 slave-42-16.nvsx.local.
_kpasswd._udp.nvsx.local has SRV record 0 100 464 backup-42-12.nvsx.local.
_kpasswd._udp.nvsx.local has SRV record 0 100 464 slave-42-11.nvsx.local.
_kpasswd._udp.nvsx.local has SRV record 0 100 464 slave-42-16.nvsx.local.
_kpasswd._udp.nvsx.local has SRV record 0 100 464 backup-42-18.nvsx.local.
_kpasswd._udp.nvsx.local has SRV record 0 100 464 master-42-10.nvsx.local.
_kerberos.nvsx.local descriptive text "NVSX.LOCAL"

I think there is something wrong with the DNS server query; it looks like UCS 4.2 requests the entries from the external DNS server instead of the local one.

If I remove the external DNS server entries, I get the following output:

root@CKCUCS1:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Host gc._msdcs not found: 2(SERVFAIL)
Host _gc._tcp not found: 2(SERVFAIL)
Host _ldap._tcp.gc._msdcs not found: 2(SERVFAIL)
Host _ldap._tcp not found: 2(SERVFAIL)
Host _ldap._tcp.dc._msdcs not found: 2(SERVFAIL)
Host _ldap._tcp.pdc._msdcs not found: 2(SERVFAIL)
Host _ldap._tcp.31aeb93a-0b70-4591-a197-4c1b2ca087d4.domains._msdcs not found: 2(SERVFAIL)
Host _kerberos._tcp.dc._msdcs not found: 2(SERVFAIL)
Host _kerberos._tcp not found: 2(SERVFAIL)
Host _kerberos._udp not found: 2(SERVFAIL)
Host _kpasswd._tcp not found: 2(SERVFAIL)
Host _kpasswd._udp not found: 2(SERVFAIL)
Located DC 'CKCUCS1' in site 'Default-First-Site-Name'
Located DC 'CKCUCS2' in site 'Default-First-Site-Name'
Host f41a48a2-21b1-464f-bf84-3c64144a3547._msdcs not found: 2(SERVFAIL)
Host c8c04722-4c28-4bad-abb3-6b24be933df8._msdcs not found: 2(SERVFAIL)
## Records for site Default-First-Site-Name:
Host _ldap._tcp.Default-First-Site-Name._sites not found: 2(SERVFAIL)
Host _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 2(SERVFAIL)
Host _kerberos._tcp.Default-First-Site-Name._sites not found: 2(SERVFAIL)
Host _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 2(SERVFAIL)
## Optional GC Records for site Default-First-Site-Name:
Host _gc._tcp.Default-First-Site-Name._sites not found: 2(SERVFAIL)
Host _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs not found: 2(SERVFAIL)
No _kerberos TXT record (ok)

rg
Christian

If I do this from a workstation (Win10, domain-joined), it works:

C:\Users\ck.CKC>ping gc._msdcs.ckc.local

Ping wird ausgeführt für gc._msdcs.ckc.local [192.168.2.101] mit 32 Bytes Daten:
Antwort von 192.168.2.101: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.2.101: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.2.101: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.2.101: Bytes=32 Zeit<1ms TTL=64

Ping-Statistik für 192.168.2.101:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
(0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms

C:\Users\ck.CKC>

The same from a UCS DC fails:

root@CKCUCS1:~# ping gc._msdcs.ckc.local
ping: unknown host gc._msdcs.ckc.local
root@CKCUCS1:~#

root@CKCUCS2:~# ping gc._msdcs.ckc.local
ping: unknown host gc._msdcs.ckc.local
root@CKCUCS2:~#

The successful reply on the workstation comes from 192.168.2.101, which is CKCUCS2 (DC Backup with Samba 4), so it seems that on the UCS 4.2 console the local DNS server is ignored or so.

rg

Christian

In the DNS system everything is fine! The DNS records are in the directory (OpenLDAP as well as Samba AD).
The problem is that DNS requests must be FQDN - we will surely fix this in the script and publish a fix with an upcoming erratum.
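
The fix described above, as an added example that is not part of the thread and not Univention's script: each essential record name is turned into an absolute FQDN (trailing dot) before it is looked up. The domain example.test, the GUIDs and the stub resolver `lookup_stub` are constructed so the block runs offline; set `LOOKUP=lookup_host` to query a real server with `host`.

```sh
#!/bin/sh
# Added example, not the Univention script: check the essential AD DNS
# records with absolute names, so the resolver search list is never involved.

# qualify REL DOMAIN -> "rel.domain." (trailing dot = absolute name)
qualify() {
    q_name=${1%.}; q_domain=${2%.}
    case "$q_name" in
        *".$q_domain") printf '%s.\n' "$q_name" ;;              # already qualified
        *)             printf '%s.%s.\n' "$q_name" "$q_domain" ;;
    esac
}

# essential_records DOMAIN SITE DOMAIN_GUID [DC_GUID...]
# Prints one "TYPE FQDN" pair per line, following the names the check prints.
essential_records() {
    e_domain=$1; e_site=$2; e_domguid=$3; shift 3
    printf 'A %s\n' "$(qualify gc._msdcs "$e_domain")"
    for e_rel in \
        _gc._tcp _ldap._tcp.gc._msdcs _ldap._tcp _ldap._tcp.dc._msdcs \
        _ldap._tcp.pdc._msdcs "_ldap._tcp.$e_domguid.domains._msdcs" \
        _kerberos._tcp.dc._msdcs _kerberos._tcp _kerberos._udp \
        _kpasswd._tcp _kpasswd._udp \
        "_ldap._tcp.$e_site._sites" "_ldap._tcp.$e_site._sites.dc._msdcs" \
        "_kerberos._tcp.$e_site._sites" "_kerberos._tcp.$e_site._sites.dc._msdcs" \
        "_gc._tcp.$e_site._sites" "_ldap._tcp.$e_site._sites.gc._msdcs"
    do
        printf 'SRV %s\n' "$(qualify "$e_rel" "$e_domain")"
    done
    for e_guid in "$@"; do
        printf 'CNAME %s\n' "$(qualify "$e_guid._msdcs" "$e_domain")"
    done
}

# Real lookup: judge by the answer text, because host also exits 0 when the
# name exists but carries no record of the requested type.
lookup_host() {
    host -t "$1" "$2" 2>/dev/null |
        grep -Eq 'has address|has SRV record|is an alias for'
}

# Constructed stub resolver for offline runs: knows only absolute names in
# example.test, with one record deliberately absent.
lookup_stub() {
    case "$2" in
        _kpasswd._udp.example.test.) return 1 ;;   # constructed gap
        *.example.test.)             return 0 ;;
        *)                           return 1 ;;   # relative name: not found
    esac
}

LOOKUP=${LOOKUP:-lookup_host}

# check_records: reads "TYPE FQDN" lines on stdin, reports each one and
# returns non-zero if any record is missing.
check_records() {
    missing=0
    while read -r c_type c_fqdn; do
        if "$LOOKUP" "$c_type" "$c_fqdn"; then
            printf 'ok      %-5s %s\n' "$c_type" "$c_fqdn"
        else
            printf 'MISSING %-5s %s\n' "$c_type" "$c_fqdn"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Offline demonstration with constructed GUIDs and the stub resolver.
demo() {
    LOOKUP=lookup_stub
    essential_records example.test Default-First-Site-Name \
        11111111-1111-1111-1111-111111111111 \
        22222222-2222-2222-2222-222222222222 | check_records
}

if demo; then
    echo "all essential records resolve"
else
    echo "at least one essential record is missing"
fi
```
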

Ok I hope so

thanks & regards

Christian

I am facing a similar problem. I downloaded ISO 4.4 (the newest on the site) and put a Univention as Backup; it was working perfectly in a subsidiary, but after updating the security packages from 4.4-4, the DNS entries _ldap._tcp.dc._msdcs have stopped working.

Any idea how to solve it?

Before: [image]

After: [image]