Dns-systemname won't be created and synchronised

German:

Hello,
we added a backup domain controller to the UCS domain and no dns-“systemname” user was created automatically. In addition, a system diagnosis on the domain master reports as an error that the corresponding S4 object is not being synchronised. Is this user important? Because this backup controller is supposed to become the new master. Is there some way to trigger the creation again? I have already run all the join scripts again successfully.

root@vpucs01:~# univention-s4connector-list-rejected

UCS rejected


S4 rejected

    1:    S4 DN: CN=dns-vpdcm02,CN=Users,DC=rz,DC=example,DC=com
         UCS DN: uid=dns-vpdcm02,cn=users,dc=rz,dc=example,dc=com

        last synced USN: 16756

English:

Hello, after we joined a backup domain controller, the dns-“systemname” user wasn’t created. Also, after using the system diagnostic tool on the domain master, there is a message that the S4 object for this user isn’t synchronised. Is this user important, and how can I trigger the process to create this user?

Did you install the “Active Directory compatible domain controller” app on your new machine? That component is the one creating the dns-<hostname> account.

Please also verify if all the join scripts on your new machine have been run successfully by running univention-check-join-status as root. The join script creating dns-<hostname> is 98univention-samba4-dns.inst. That script screams loudly if it cannot create that DNS account. And yes, that one is rather important.

Please also provide the content of /var/log/univention/join.log from the new machine.

Hello Moritz,

thank you for your help. Yes, the Active Directory compatible domain controller was installed. But we decided to create a new domain because our old domain also had some other problems and many other reasons.

One last question. We now created a brand new domain and already have the domain master and backup running and noticed that no “dns-” user is created for both machines. The system diagnostic tool has no problems. Is this normal or do we need to fix something?

Like I said, those accounts are only created if the “Active Directory compatible domain controller” app is installed. Those accounts are only needed for that app.

On both servers the “Active Directory compatible domain controller” app is installed.

domain master:
# univention-app info
UCS: 4.4-1 errata196
Installed: dhcp-server=12.0 samba4=4.10
Upgradable:

domain backup:
# univention-app info
UCS: 4.4-1 errata196
Installed: samba4=4.10
Upgradable:


Certain user accounts are created not to be visible by default in the UMC in order to prevent accidental misconfiguration (e.g. deleting them). It’s possible the dns-<hostname> accounts fall into the same category. When in doubt, check by doing direct LDAP searches, e.g. univention-ldapsearch 'uid=dns-*'


Thanks a lot. I found both user accounts and both had a “hidden” flag so you were right.
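The check suggested above can be scripted so that each domain controller is reported as having a hidden, visible or missing dns-<hostname> account. This is an added example, not part of the original thread or Univention's own tooling; it assumes the “hidden” flag appears in the LDIF as `univentionObjectFlag: hidden`, and the sample LDIF and the host name `vpdcb03` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the LDIF that a search such as
#   univention-ldapsearch -LLL 'uid=dns-*' uid univentionObjectFlag
# would print. On a real system, pipe that command into the functions below.
SAMPLE_LDIF='dn: uid=dns-vpucs01,cn=users,dc=rz,dc=example,dc=com
uid: dns-vpucs01
univentionObjectFlag: hidden

dn: uid=dns-vpdcm02,cn=users,dc=rz,dc=example,dc=com
uid: dns-vpdcm02
'

# Read LDIF on stdin and print one line per dns-* account:
#   "<uid> hidden"  or  "<uid> visible"
# Assumption: the hidden flag is stored as "univentionObjectFlag: hidden".
# LDIF comment lines (starting with "#") are ignored; folded or base64
# values are not handled, which is sufficient for plain host names.
list_dns_accounts() {
    awk '
        function emit() {
            if (uid != "") print uid, (hidden ? "hidden" : "visible")
            uid = ""; hidden = 0
        }
        /^uid: dns-/                      { uid = $2 }
        /^univentionObjectFlag: hidden$/  { hidden = 1 }
        /^$/                              { emit() }   # blank line ends an entry
        END                               { emit() }
    '
}

# Read LDIF on stdin and print the state of the account for one host name:
# "hidden", "visible" or "missing".
dns_account_status() {
    host=$1
    status=$(list_dns_accounts | awk -v u="dns-$host" '$1 == u { print $2 }')
    echo "${status:-missing}"
}

# Demo over the constructed sample; vpdcb03 is a hypothetical third DC.
for h in vpucs01 vpdcm02 vpdcb03; do
    printf '%s: %s\n' "$h" "$(printf '%s\n' "$SAMPLE_LDIF" | dns_account_status "$h")"
done
```

A host reported as missing is the case where the join status and `/var/log/univention/join.log` mentioned earlier in the thread are worth checking.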
