DC serves old DNS data hours after update via UMC

MKunert · December 29, 2017, 6:36pm

Hello folks,
what am I missing?

Used Univention Management Console (UMC) to update a significant amount of DNS host and corresponding pointer records on primary DC (Domain -> DNS …)
Waited some time (even restarted bind9 via system -> system services …)
Queried samba dns data via DC root console:

root@mypdc:~# samba-tool dns query localhost <mydomain> @ ALL -U Administrator
Password for [\Administrator]:
  Name=, Records=5, Children=0
    SOA: serial=147, refresh=28800, retry=7200, expire=604800, minttl=3600, ns=<mypdc>.<mydomain>., email=root.<mydomain>. (flags=600000f0, serial=146, ttl=10800)
    NS: <mypdc>.<mydomain>. (flags=600000f0, serial=146, ttl=900)
    A: <mypdcip> (flags=600000f0, serial=146, ttl=900)
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=6
  Name=_udp, Records=0, Children=2
  Name=<client1>, Records=1, Children=0
    A: <client1ip> (flags=f0, serial=1, ttl=900)
<snip>

This shows all the old entries I just changed and no new data …

Am I too impatient or is there a way to make samba “understand” the changes entered in UMC?

MKunert · December 30, 2017, 3:09am

Update: there’s definitively something wrong with ucs/s4 synchronisation. The system error diagnosis tab in UMC shows some python error where there should be concise diagnostic information:
Bildschirmfoto vom 2017-12-30 03-49-54
(There is an additional KDC warning concerning the old master I migrated from some months ago, but that seems to be less of a hassle)
The enclosed link (“Univention Support Database - How to deal with s4-connector rejects”) suggests to initiate the analysis of s4-connector rejects with a corresponding list command, but that yields dubious results on my pdc:

root@mypdc:~# univention-s4connector-list-rejected
Failed to get SID from S4: 'objectSid'

This does not really push me in the direction of a workable remedy. What are the best steps to get my system “unstuck”?

MKunert · December 30, 2017, 11:59pm

Update #2: Studying remotely related posts here lead to the conclusion that my system is beyond repair. To narrow down the culprit, I reverted from my current version system (ucs 4.2-3) to a sufficiently dated backup (4.2-0 errata15 “Lesum”).
The system does not show any errors on the system error diagnosis tab now!

Bad news is: the s4-connector is not running, and univention-s4connector-list-rejected has the same issues with objectSid as before the roll-back…

Will start a new thread now as this is not related to DNS in any way any more.