After 4.1 to 4.2 Upgrade samba4 dns checks fail

samba-ad
dns

#1

Hi,

After upgrading UCS from 4.1-4 (errata410) to 4.2 on two different installations, the samba DNS checks fail:

root@CKCUCS1:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Host gc._msdcs not found: 3(NXDOMAIN)
Host _gc._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.gc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.pdc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.31aeb93a-0b70-4591-a197-4c1b2ca087d4.domains._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp not found: 3(NXDOMAIN)
Host _kerberos._udp not found: 3(NXDOMAIN)
Host _kpasswd._tcp not found: 3(NXDOMAIN)
Host _kpasswd._udp not found: 3(NXDOMAIN)
Located DC 'CKCUCS1' in site 'Default-First-Site-Name'
Located DC 'CKCUCS2' in site 'Default-First-Site-Name'
Host f41a48a2-21b1-464f-bf84-3c64144a3547._msdcs not found: 3(NXDOMAIN)
Host c8c04722-4c28-4bad-abb3-6b24be933df8._msdcs not found: 3(NXDOMAIN)
## Records for site Default-First-Site-Name:
Host _ldap._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
## Optional GC Records for site Default-First-Site-Name:
Host _gc._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs not found: 3(NXDOMAIN)
No _kerberos TXT record (ok)

In LDAP DNS all records are there; also, if I check with the RSAT DNS tool, all records are shown.

rg

Christian


#2

Can you please restart bind and post the lines during and shortly after the restart of the service from the syslog here?

Edit:

# tailf /var/log/syslog
# service bind9 restart

#3

I think the following information would also be helpful:

$ ucr search --brief --non-empty ^dns/backend ^dns/forwarder ^interfaces ^nameserver

#4

May 4 12:49:28 CKCUCS1 systemd[1]: Stopping LSB: bind9 Domain Name Server (DNS)…
May 4 12:49:28 CKCUCS1 named[1916]: shutting down
May 4 12:49:28 CKCUCS1 named[1916]: stopping command channel on 127.0.0.1#953
May 4 12:49:28 CKCUCS1 named[1916]: no longer listening on ::#53
May 4 12:49:28 CKCUCS1 named[1916]: no longer listening on 127.0.0.1#53
May 4 12:49:28 CKCUCS1 named[1916]: no longer listening on 192.168.2.100#53
May 4 12:49:28 CKCUCS1 named[1916]: no longer listening on 172.17.42.1#53
May 4 12:49:28 CKCUCS1 named[1916]: samba_dlz: shutting down
May 4 12:49:28 CKCUCS1 named[1916]: exiting
May 4 12:49:33 CKCUCS1 systemd[1]: Starting LSB: bind9 Domain Name Server (DNS)…
May 4 12:49:33 CKCUCS1 bind9[69078]: Stopping bind9 Domain Name Server (DNS): proxy ldap samba4.
May 4 12:49:34 CKCUCS1 named[69099]: starting BIND 9.9.5-9+deb8u6A~4.2.0.201702281603-Debian -c /etc/bind/named.conf.samba4 -f -d 0
May 4 12:49:34 CKCUCS1 named[69099]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--with-dlz-dlopen' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -g -O2'
May 4 12:49:34 CKCUCS1 named[69099]: ----------------------------------------------------
May 4 12:49:34 CKCUCS1 named[69099]: BIND 9 is maintained by Internet Systems Consortium,
May 4 12:49:34 CKCUCS1 named[69099]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 4 12:49:34 CKCUCS1 named[69099]: corporation. Support and training for BIND 9 are
May 4 12:49:34 CKCUCS1 named[69099]: available at https://www.isc.org/support
May 4 12:49:34 CKCUCS1 named[69099]: ----------------------------------------------------
May 4 12:49:34 CKCUCS1 named[69099]: adjusted limit on open files from 4096 to 1048576
May 4 12:49:34 CKCUCS1 named[69099]: found 4 CPUs, using 4 worker threads
May 4 12:49:34 CKCUCS1 named[69099]: using 4 UDP listeners per interface
May 4 12:49:34 CKCUCS1 named[69099]: using up to 4096 sockets
May 4 12:49:34 CKCUCS1 named[69099]: loading configuration from ‘/etc/bind/named.conf.samba4’
May 4 12:49:34 CKCUCS1 named[69099]: reading built-in trusted keys from file ‘/etc/bind/bind.keys’
May 4 12:49:34 CKCUCS1 named[69099]: using default UDP/IPv4 port range: [1024, 65535]
May 4 12:49:34 CKCUCS1 named[69099]: using default UDP/IPv6 port range: [1024, 65535]
May 4 12:49:34 CKCUCS1 named[69099]: listening on IPv6 interfaces, port 53
May 4 12:49:34 CKCUCS1 named[69099]: listening on IPv4 interface lo, 127.0.0.1#53
May 4 12:49:34 CKCUCS1 named[69099]: listening on IPv4 interface eth0, 192.168.2.100#53
May 4 12:49:34 CKCUCS1 named[69099]: listening on IPv4 interface docker0, 172.17.42.1#53
May 4 12:49:34 CKCUCS1 named[69099]: generating session key for dynamic DNS
May 4 12:49:34 CKCUCS1 named[69099]: sizing zone task pool based on 1 zones
May 4 12:49:34 CKCUCS1 named[69099]: Loading ‘samba4.zone’ using driver dlopen
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: started for DN DC=ckc,DC=local
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: starting configure
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: trying partition ‘CN=MicrosoftDNS,DC=DomainDnsZones,DC=ckc,DC=local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: configured writeable zone ‘2.168.192.in-addr.arpa’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: trying partition ‘CN=MicrosoftDNS,DC=DomainDnsZones,DC=ckc,DC=local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: configured writeable zone ‘ckcsrv3.ckc-it.at’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: trying partition ‘CN=MicrosoftDNS,DC=DomainDnsZones,DC=ckc,DC=local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: configured writeable zone ‘remote.ckc-it.at’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: trying partition ‘CN=MicrosoftDNS,DC=DomainDnsZones,DC=ckc,DC=local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: configured writeable zone ‘ckc.local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: trying partition ‘CN=MicrosoftDNS,DC=ForestDnsZones,DC=ckc,DC=local’
May 4 12:49:34 CKCUCS1 named[69099]: samba_dlz: configured writeable zone ‘_msdcs.ckc.local’
May 4 12:49:34 CKCUCS1 named[69099]: set up managed keys zone for view _default, file ‘managed-keys.bind’
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 10.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 16.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 17.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 18.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 19.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 20.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 21.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 22.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 23.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 24.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 25.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 26.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 27.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 28.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 29.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 30.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 31.172.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 168.192.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 64.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 65.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 66.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 67.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 68.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 69.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 70.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 71.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 72.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 73.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 74.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 75.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 76.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 77.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 78.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 79.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 80.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 81.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 82.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 83.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 84.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 85.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 86.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 87.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 88.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 89.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 90.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 91.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 92.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 93.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 94.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 95.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 96.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 97.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 98.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 99.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 100.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 101.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 102.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 103.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 104.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 105.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 106.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 107.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 108.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 109.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 110.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 111.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 112.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 113.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 114.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 115.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 116.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 117.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 118.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 119.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 120.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 121.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 122.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 123.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 124.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 125.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 126.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 127.100.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 0.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 127.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 254.169.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: D.F.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 8.E.F.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 9.E.F.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: A.E.F.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: B.E.F.IP6.ARPA
May 4 12:49:34 CKCUCS1 named[69099]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
May 4 12:49:34 CKCUCS1 systemd[1]: Started LSB: bind9 Domain Name Server (DNS).
May 4 12:49:34 CKCUCS1 bind9[69089]: Starting bind9 Domain Name Server (DNS): samba4.
May 4 12:49:34 CKCUCS1 named[69099]: command channel listening on 127.0.0.1#953
May 4 12:49:34 CKCUCS1 named[69099]: managed-keys-zone: loaded serial 0
May 4 12:49:34 CKCUCS1 named[69099]: all zones loaded
May 4 12:49:34 CKCUCS1 named[69099]: running

Last login: Thu May 4 12:49:24 2017 from ck-desktop.ckc.local
root@CKCUCS1:~# ucr search --brief --non-empty ^dns/backend ^dns/forwarder ^interfaces ^nameserver
dns/backend: samba4
dns/forwarder1: 208.67.222.222
dns/forwarder2: 8.8.8.8
interfaces/eth0/address: 192.168.2.100
interfaces/eth0/broadcast: 192.168.2.255
interfaces/eth0/ipv6/acceptRA: false
interfaces/eth0/netmask: 255.255.255.0
interfaces/eth0/network: 192.168.2.0
interfaces/eth0/start: true
interfaces/eth0/type: static
interfaces/handler: ifplugd
interfaces/primary: eth0
nameserver/external: false
nameserver/option/timeout: 2
nameserver1: 192.168.2.100


#5

Here is an example from my 4.2 testing environment:

Essential DNS Check
root@master-42-10:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Host gc._msdcs not found: 3(NXDOMAIN)
Host _gc._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.gc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.pdc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp not found: 3(NXDOMAIN)
Host _kerberos._udp not found: 3(NXDOMAIN)
Host _kpasswd._tcp not found: 3(NXDOMAIN)
Host _kpasswd._udp not found: 3(NXDOMAIN)
Located DC 'master-42-10' in site 'Default-First-Site-Name'
Located DC 'slave-42-11' in site 'Default-First-Site-Name'
Located DC 'backup-42-12' in site 'Default-First-Site-Name'
Located DC 'slave-42-16' in site 'Default-First-Site-Name'
Located DC 'backup-42-18' in site 'Default-First-Site-Name'
Host d6bb148b-5610-4076-883f-a2fbce309286._msdcs not found: 3(NXDOMAIN)
Host 789dd1dc-c51d-43d1-8499-ccc72c443f45._msdcs not found: 3(NXDOMAIN)
Host fb6b4b9d-64b6-4b5e-a671-7cf3d1fa9a45._msdcs not found: 3(NXDOMAIN)
Host efd884d7-ada9-4d1c-9038-11aca74d6c9a._msdcs not found: 3(NXDOMAIN)
Host 1e811606-b55e-4bf8-b1e6-b00e7556c3ec._msdcs not found: 3(NXDOMAIN)
## Records for site Default-First-Site-Name:
Host _ldap._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
## Optional GC Records for site Default-First-Site-Name:
Host _gc._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs not found: 3(NXDOMAIN)
_kerberos.nvsx.local descriptive text "NVSX.LOCAL"

root@master-42-10:~# ucr set dns/backend='ldap' 
Setting dns/backend

root@master-42-10:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Host gc._msdcs not found: 3(NXDOMAIN)
Host _gc._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.gc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp not found: 3(NXDOMAIN)
Host _ldap._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.pdc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp not found: 3(NXDOMAIN)
Host _kerberos._udp not found: 3(NXDOMAIN)
Host _kpasswd._tcp not found: 3(NXDOMAIN)
Host _kpasswd._udp not found: 3(NXDOMAIN)
Located DC 'master-42-10' in site 'Default-First-Site-Name'
Located DC 'slave-42-11' in site 'Default-First-Site-Name'
Located DC 'backup-42-12' in site 'Default-First-Site-Name'
Located DC 'slave-42-16' in site 'Default-First-Site-Name'
Located DC 'backup-42-18' in site 'Default-First-Site-Name'
Host d6bb148b-5610-4076-883f-a2fbce309286._msdcs not found: 3(NXDOMAIN)
Host 789dd1dc-c51d-43d1-8499-ccc72c443f45._msdcs not found: 3(NXDOMAIN)
Host fb6b4b9d-64b6-4b5e-a671-7cf3d1fa9a45._msdcs not found: 3(NXDOMAIN)
Host efd884d7-ada9-4d1c-9038-11aca74d6c9a._msdcs not found: 3(NXDOMAIN)
Host 1e811606-b55e-4bf8-b1e6-b00e7556c3ec._msdcs not found: 3(NXDOMAIN)
## Records for site Default-First-Site-Name:
Host _ldap._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 3(NXDOMAIN)
## Optional GC Records for site Default-First-Site-Name:
Host _gc._tcp.Default-First-Site-Name._sites not found: 3(NXDOMAIN)
Host _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs not found: 3(NXDOMAIN)
_kerberos.nvsx.local descriptive text "NVSX.LOCAL"
Samba AD
root@master-42-10:~# univention-s4search --cross-ncs DC=d6bb148b-5610-4076-883f-a2fbce309286 --show-binary 
# record 1
dn: DC=d6bb148b-5610-4076-883f-a2fbce309286,DC=_msdcs.nvsx.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=nvsx,DC=local
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20151104113929.0Z
uSNCreated: 3687
showInAdvancedViewOnly: TRUE
name: d6bb148b-5610-4076-883f-a2fbce309286
objectGUID: 18e90043-aa75-41e7-8fce-6d9b197b55ff
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=nvsx,DC=local
dc: d6bb148b-5610-4076-883f-a2fbce309286
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x001b (27)
        wType                    : DNS_TYPE_CNAME (5)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x00000001 (1)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 5)
        cname                    : master-42-10.nvsx.local

whenChanged: 20170427100829.0Z
uSNChanged: 5952
distinguishedName: DC=d6bb148b-5610-4076-883f-a2fbce309286,DC=_msdcs.nvsx.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=nvsx,DC=local

# returned 1 records
# 1 entries
# 0 referrals
LDAP
root@master-42-10:~# univention-ldapsearch -LLL relativeDomainName=d6bb148b-5610-4076-883f-a2fbce309286._msdcs
dn: relativeDomainName=d6bb148b-5610-4076-883f-a2fbce309286._msdcs,zoneName=nv
 sx.local,cn=dns,dc=nvsx,dc=local
cNAMERecord: master-42-10.nvsx.local.
objectClass: top
objectClass: dNSZone
objectClass: univentionObject
univentionObjectType: dns/alias
dNSTTL: 80600
relativeDomainName: d6bb148b-5610-4076-883f-a2fbce309286._msdcs
zoneName: nvsx.local

#6

But it should look like this (it's a 4.1-4 errata 410 installation):

root@fischer11:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
gc._msdcs.fischer.local has address 192.168.1.7
gc._msdcs.fischer.local has address 192.168.1.6
gc._msdcs.fischer.local has address 192.168.1.1
_gc._tcp.fischer.local has SRV record 0 0 3268 fischer12.fischer.local.
_gc._tcp.fischer.local has SRV record 0 100 3268 fischer11.fischer.local.
_ldap._tcp.gc._msdcs.fischer.local has SRV record 0 100 3268 fischer11.fischer.local.
_ldap._tcp.gc._msdcs.fischer.local has SRV record 0 0 3268 fischer12.fischer.local.
_ldap._tcp.fischer.local has SRV record 0 0 389 fischer12.fischer.local.
_ldap._tcp.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_ldap._tcp.dc._msdcs.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_ldap._tcp.dc._msdcs.fischer.local has SRV record 0 0 389 fischer12.fischer.local.
_ldap._tcp.pdc._msdcs.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_ldap._tcp.69e79d94-7945-4f05-ae32-5f01e3fd8326.domains._msdcs.fischer.local has SRV record 0 0 389 fischer12.fischer.local.
_ldap._tcp.69e79d94-7945-4f05-ae32-5f01e3fd8326.domains._msdcs.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_kerberos._tcp.dc._msdcs.fischer.local has SRV record 0 100 88 fischer11.fischer.local.
_kerberos._tcp.dc._msdcs.fischer.local has SRV record 0 0 88 fischer12.fischer.local.
_kerberos._tcp.fischer.local has SRV record 0 0 88 fischer12.fischer.local.
_kerberos._tcp.fischer.local has SRV record 0 100 88 fischer11.fischer.local.
_kerberos._udp.fischer.local has SRV record 0 100 88 fischer11.fischer.local.
_kerberos._udp.fischer.local has SRV record 0 0 88 fischer12.fischer.local.
_kpasswd._tcp.fischer.local has SRV record 0 0 464 fischer12.fischer.local.
_kpasswd._tcp.fischer.local has SRV record 0 100 464 fischer11.fischer.local.
_kpasswd._udp.fischer.local has SRV record 0 0 464 fischer12.fischer.local.
_kpasswd._udp.fischer.local has SRV record 0 100 464 fischer11.fischer.local.
Located DC 'fischer11' in site 'Default-First-Site-Name'
Located DC 'fischer12' in site 'Default-First-Site-Name'
7cc7ea43-96e6-4a6e-b089-ff12b09d9b03._msdcs.fischer.local is an alias for fischer11.fischer.local.
d2ab1adf-f224-472c-bc04-2beec4defc75._msdcs.fischer.local is an alias for fischer12.fischer.local.
## Records for site Default-First-Site-Name:
_ldap._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 0 389 fischer12.fischer.local.
_ldap._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.fischer.local has SRV record 0 0 389 fischer12.fischer.local.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.fischer.local has SRV record 0 100 389 fischer11.fischer.local.
_kerberos._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 0 88 fischer12.fischer.local.
_kerberos._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 100 88 fischer11.fischer.local.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.fischer.local has SRV record 0 100 88 fischer11.fischer.local.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.fischer.local has SRV record 0 0 88 fischer12.fischer.local.
## Optional GC Records for site Default-First-Site-Name:
_gc._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 100 3268 fischer11.fischer.local.
_gc._tcp.Default-First-Site-Name._sites.fischer.local has SRV record 0 0 3268 fischer12.fischer.local.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.fischer.local has SRV record 0 0 3268 fischer12.fischer.local.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.fischer.local has SRV record 0 100 3268 fischer11.fischer.local.
_kerberos.fischer.local descriptive text "FISCHER.LOCAL"

rg
Christian


#7

I can confirm @externa1’s statement. On a UCS 4.1-4 Backup in the same testing environment it’s all fine:

Essential DNS Check 4.1-4
root@backup-42-18:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
gc._msdcs.nvsx.local has address 10.200.42.10
gc._msdcs.nvsx.local has address 10.200.42.11
gc._msdcs.nvsx.local has address 10.200.43.12
gc._msdcs.nvsx.local has address 10.200.42.12
gc._msdcs.nvsx.local has address 10.200.42.16
gc._msdcs.nvsx.local has address 10.200.42.18
_gc._tcp.nvsx.local has SRV record 0 100 3268 slave-42-16.nvsx.local.
_gc._tcp.nvsx.local has SRV record 0 100 3268 backup-42-12.nvsx.local.
_gc._tcp.nvsx.local has SRV record 0 100 3268 backup-42-18.nvsx.local.
_gc._tcp.nvsx.local has SRV record 0 100 3268 master-42-10.nvsx.local.
_gc._tcp.nvsx.local has SRV record 0 100 3268 slave-42-11.nvsx.local.
_ldap._tcp.gc._msdcs.nvsx.local has SRV record 0 100 3268 backup-42-12.nvsx.local.
_ldap._tcp.gc._msdcs.nvsx.local has SRV record 0 100 3268 backup-42-18.nvsx.local.
_ldap._tcp.gc._msdcs.nvsx.local has SRV record 0 100 3268 master-42-10.nvsx.local.
_ldap._tcp.gc._msdcs.nvsx.local has SRV record 0 100 3268 slave-42-11.nvsx.local.
_ldap._tcp.gc._msdcs.nvsx.local has SRV record 0 100 3268 slave-42-16.nvsx.local.
_ldap._tcp.nvsx.local has SRV record 0 100 389 backup-42-12.nvsx.local.
_ldap._tcp.nvsx.local has SRV record 0 100 389 slave-42-11.nvsx.local.
_ldap._tcp.nvsx.local has SRV record 0 100 389 slave-42-16.nvsx.local.
_ldap._tcp.nvsx.local has SRV record 0 100 389 backup-42-18.nvsx.local.
_ldap._tcp.nvsx.local has SRV record 0 100 389 master-42-10.nvsx.local.
_ldap._tcp.dc._msdcs.nvsx.local has SRV record 0 100 389 master-42-10.nvsx.local.
_ldap._tcp.dc._msdcs.nvsx.local has SRV record 0 100 389 backup-42-12.nvsx.local.
_ldap._tcp.dc._msdcs.nvsx.local has SRV record 0 100 389 slave-42-11.nvsx.local.
_ldap._tcp.dc._msdcs.nvsx.local has SRV record 0 100 389 slave-42-16.nvsx.local.
_ldap._tcp.dc._msdcs.nvsx.local has SRV record 0 100 389 backup-42-18.nvsx.local.
_ldap._tcp.pdc._msdcs.nvsx.local has SRV record 0 100 389 master-42-10.nvsx.local.
_ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs.nvsx.local has SRV record 0 100 389 backup-42-18.nvsx.local.
_ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs.nvsx.local has SRV record 0 100 389 master-42-10.nvsx.local.
_ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs.nvsx.local has SRV record 0 100 389 backup-42-12.nvsx.local.
_ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs.nvsx.local has SRV record 0 100 389 slave-42-11.nvsx.local.
_ldap._tcp.2fb30aa2-73d6-423f-a57b-d6bf9e53b1a1.domains._msdcs.nvsx.local has SRV record 0 100 389 slave-42-16.nvsx.local.
_kerberos._tcp.dc._msdcs.nvsx.local has SRV record 0 100 88 master-42-10.nvsx.local.
_kerberos._tcp.dc._msdcs.nvsx.local has SRV record 0 100 88 backup-42-12.nvsx.local.
_kerberos._tcp.dc._msdcs.nvsx.local has SRV record 0 100 88 slave-42-11.nvsx.local.
_kerberos._tcp.dc._msdcs.nvsx.local has SRV record 0 100 88 slave-42-16.nvsx.local.
_kerberos._tcp.dc._msdcs.nvsx.local has SRV record 0 100 88 backup-42-18.nvsx.local.
_kerberos._tcp.nvsx.local has SRV record 0 100 88 master-42-10.nvsx.local.
_kerberos._tcp.nvsx.local has SRV record 0 100 88 backup-42-12.nvsx.local.
_kerberos._tcp.nvsx.local has SRV record 0 100 88 slave-42-11.nvsx.local.
_kerberos._tcp.nvsx.local has SRV record 0 100 88 slave-42-16.nvsx.local.
_kerberos._tcp.nvsx.local has SRV record 0 100 88 backup-42-18.nvsx.local.
_kerberos._udp.nvsx.local has SRV record 0 100 88 slave-42-16.nvsx.local.
_kerberos._udp.nvsx.local has SRV record 0 100 88 backup-42-18.nvsx.local.
_kerberos._udp.nvsx.local has SRV record 0 100 88 master-42-10.nvsx.local.
_kerberos._udp.nvsx.local has SRV record 0 100 88 backup-42-12.nvsx.local.
_kerberos._udp.nvsx.local has SRV record 0 100 88 slave-42-11.nvsx.local.
_kpasswd._tcp.nvsx.local has SRV record 0 100 464 backup-42-18.nvsx.local.
_kpasswd._tcp.nvsx.local has SRV record 0 100 464 master-42-10.nvsx.local.
_kpasswd._tcp.nvsx.local has SRV record 0 100 464 backup-42-12.nvsx.local.
_kpasswd._tcp.nvsx.local has SRV record 0 100 464 slave-42-11.nvsx.local.
_kpasswd._tcp.nvsx.local has SRV record 0 100 464 slave-42-16.nvsx.local.
_kpasswd._udp.nvsx.local has SRV record 0 100 464 backup-42-12.nvsx.local.
_kpasswd._udp.nvsx.local has SRV record 0 100 464 slave-42-11.nvsx.local.
_kpasswd._udp.nvsx.local has SRV record 0 100 464 slave-42-16.nvsx.local.
_kpasswd._udp.nvsx.local has SRV record 0 100 464 backup-42-18.nvsx.local.
_kpasswd._udp.nvsx.local has SRV record 0 100 464 master-42-10.nvsx.local.
_kerberos.nvsx.local descriptive text "NVSX.LOCAL"

#8

I think there is something wrong with the DNS server query; it looks like UCS 4.2 requests the entries from the external DNS server instead of the local one.

If I remove the external DNS server entries, I get the following output:

root@CKCUCS1:~# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
Host gc._msdcs not found: 2(SERVFAIL)
Host _gc._tcp not found: 2(SERVFAIL)
Host _ldap._tcp.gc._msdcs not found: 2(SERVFAIL)
Host _ldap._tcp not found: 2(SERVFAIL)
Host _ldap._tcp.dc._msdcs not found: 2(SERVFAIL)
Host _ldap._tcp.pdc._msdcs not found: 2(SERVFAIL)
Host _ldap._tcp.31aeb93a-0b70-4591-a197-4c1b2ca087d4.domains._msdcs not found: 2(SERVFAIL)
Host _kerberos._tcp.dc._msdcs not found: 2(SERVFAIL)
Host _kerberos._tcp not found: 2(SERVFAIL)
Host _kerberos._udp not found: 2(SERVFAIL)
Host _kpasswd._tcp not found: 2(SERVFAIL)
Host _kpasswd._udp not found: 2(SERVFAIL)
Located DC 'CKCUCS1' in site 'Default-First-Site-Name'
Located DC 'CKCUCS2' in site 'Default-First-Site-Name'
Host f41a48a2-21b1-464f-bf84-3c64144a3547._msdcs not found: 2(SERVFAIL)
Host c8c04722-4c28-4bad-abb3-6b24be933df8._msdcs not found: 2(SERVFAIL)
## Records for site Default-First-Site-Name:
Host _ldap._tcp.Default-First-Site-Name._sites not found: 2(SERVFAIL)
Host _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 2(SERVFAIL)
Host _kerberos._tcp.Default-First-Site-Name._sites not found: 2(SERVFAIL)
Host _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs not found: 2(SERVFAIL)
## Optional GC Records for site Default-First-Site-Name:
Host _gc._tcp.Default-First-Site-Name._sites not found: 2(SERVFAIL)
Host _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs not found: 2(SERVFAIL)
No _kerberos TXT record (ok)

rg
Christian


#9

If I do this from a workstation (Win10, domain-joined) it works:

C:\Users\ck.CKC>ping gc._msdcs.ckc.local

Ping wird ausgeführt für gc._msdcs.ckc.local [192.168.2.101] mit 32 Bytes Daten:
Antwort von 192.168.2.101: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.2.101: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.2.101: Bytes=32 Zeit<1ms TTL=64
Antwort von 192.168.2.101: Bytes=32 Zeit<1ms TTL=64

Ping-Statistik für 192.168.2.101:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
(0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms

C:\Users\ck.CKC>

The same from the UCS DC fails:

root@CKCUCS1:~# ping gc._msdcs.ckc.local
ping: unknown host gc._msdcs.ckc.local
root@CKCUCS1:~#

root@CKCUCS2:~# ping gc._msdcs.ckc.local
ping: unknown host gc._msdcs.ckc.local
root@CKCUCS2:~#

The successful reply on the workstation comes from 192.168.2.101, which is CKCUCS2 (DC backup with samba4), so it seems that on the UCS 4.2 console the local DNS server is ignored or so.

rg

Christian


#10

In the DNS system everything is fine! The DNS records are in the directory (OpenLDAP as well as Samba AD).
The problem is that DNS requests must be FQDN - we will surely fix this in the script and publish a fix in an upcoming erratum.
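
The FQDN point from the reply above, as an added example that is not part of the original thread and is not the UCS check script: a trailing dot makes each locator name absolute, so the result no longer depends on how the resolver handles its search list, and a small filter picks out the lookups in existing check output that were sent as relative names. The function names and the `example.test` domain are assumptions; the record names and the `Host ... not found` line format are the ones shown in the thread.

```shell
#!/bin/sh
# Added example (not the UCS script): query AD locator records by FQDN.

# qualify NAME DOMAIN -> absolute name with a trailing dot, so the lookup
# does not depend on the search list in /etc/resolv.conf.
qualify() {
    name=$1 domain=${2%.}
    case "$name" in
        *.) printf '%s\n' "$name" ;;                       # already absolute
        "$domain"|*."$domain") printf '%s.\n' "$name" ;;   # suffix present
        *) printf '%s.%s.\n' "$name" "$domain" ;;          # relative name
    esac
}

# relative_failures DOMAIN < check-output
# Prints every name from a "Host X not found" line that lacks DOMAIN,
# i.e. a lookup that was issued as a relative name.
relative_failures() {
    domain=${1%.}
    while IFS= read -r line; do
        case "$line" in
            "Host "*" not found: "*)
                n=${line#"Host "}
                n=${n%%" not found: "*}
                case "$n" in
                    "$domain"|*."$domain"|*."$domain".) ;;
                    *) printf '%s\n' "$n" ;;
                esac ;;
        esac
    done
}

# check_locator_records DOMAIN [SERVER]
# Needs the `host` utility and a reachable DNS server. Looks up a subset of
# the names from the thread by FQDN; returns the number of failed lookups.
check_locator_records() {
    failed=0
    for rel in gc._msdcs _gc._tcp _ldap._tcp _ldap._tcp.dc._msdcs \
               _ldap._tcp.pdc._msdcs _kerberos._tcp _kerberos._udp \
               _kpasswd._tcp _kpasswd._udp; do
        fq=$(qualify "$rel" "$1")
        case "$rel" in _*) type=SRV ;; *) type=A ;; esac
        host -t "$type" "$fq" ${2:+"$2"} >/dev/null 2>&1 ||
            { echo "FAIL $fq"; failed=$((failed + 1)); }
    done
    return "$failed"
}

# Constructed sample lines in the output format shown in the thread.
sample_output() {
    cat <<'EOF'
Host gc._msdcs not found: 3(NXDOMAIN)
Host _ldap._tcp.dc._msdcs not found: 3(NXDOMAIN)
Host _kerberos._tcp.example.test not found: 3(NXDOMAIN)
Located DC 'dc1' in site 'Default-First-Site-Name'
_kpasswd._udp.example.test has SRV record 0 100 464 dc1.example.test.
EOF
}

# Offline demo: list the relative lookups found in the sample output.
sample_output | relative_failures example.test
```

On a domain controller, `check_locator_records ckc.local 192.168.2.100` would run the live lookups against the local server from the thread.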


#11

Ok I hope so

thanks & regards

Christian