Problem replicating the _ldap._tcp.dc._msdcs key for UCS Backup

Good night, friends. I’m opening this post here because I’m facing a problem that, according to friends of mine who are Microsoft system administrators, should not be occurring …

I have the following environment: headquarters with UCS Master IP 192.168.0.250 and an instance in the branch with UCS Backup IP 172.16.90.2, both on the newest version, currently 4.4-6 errata767.

The integration between both works normally: when I create a DNS entry on the Master it replicates to the slave, but the entry “_ldap._tcp.dc._msdcs” is not replicated and returns an error as if it did not exist.

I entered the web interface on Master and Backup, went to the DNS tab and looked for it. Although the Backup took longer to load the DNS entries, it showed the entry, as if it had replicated, but it is not resolving.

I need this to work there because in the branch I use 172.16.90.2 as the main DNS server, and when I do that and try to add a computer to the domain, it reports that the _ldap._tcp.dc._msdcs.domain.local entry does not exist.

Below are some screenshots of the DNS responses via nslookup on the terminal (in Portuguese) and of the DNS web interface screens.

nslookup UCS Master (screenshot)
nslookup UCS Backup (screenshot)
DNS Server Master (screenshot)
DNS Server Backup (screenshot)

Does anyone have any idea why this happens and how to solve it? On Monday I will have to join dozens of machines to the domain, and I want to avoid using a DNS server with 120 ms of latency over the VPN as the main DNS server for most of the company’s machines.

Hi, this looks like you have a problem with Samba/DNS on the DC Backup or with Samba/AD DRS replication. If you have Linux console skills, it would be good to open an SSH session to the DC Backup and check the output of the following commands:

ucr search dns/backend  connector/s4/mapping/dns/position
univention-s4search DC=_ldap._tcp.dc --cross-ncs
univention-s4search DC=_ldap._tcp.dc._msdcs --cross-ncs
samba-tool drs showrepl

In Master:

root@srv-adds01:~# ucr search dns/backend  connector/s4/mapping/dns/position
connector/s4/mapping/dns/position: <empty>
 This variable determins the base DN of DNS objects in the Samba directory service. When set to 'legacy', the S4 Connector writes new DNS zones in Samba4 below CN=System instead of below DC=DomainDnsZones. This variable should only be modified once after manual migration of the DNS objects, if it still has the value 'legacy'.

dns/backend: samba4
 Bind can use different backends for its configuration: 'ldap' configures the use of the UCS OpenLDAP directory. 'samba4' uses the Samba 4 LDB database. When using the Samba backend, a search is performed in the LDAP for every DNS request. With the OpenLDAP backend, a search is only performed in the directory service if the DNS data has changed. On domain controllers running 'samba4', the backend must not be changed to 'ldap'.

root@srv-adds01:~# univention-s4search DC=_ldap._tcp.dc --cross-ncs
# record 1
dn: DC=_ldap._tcp.dc,DC=_msdcs.domain.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=local
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20200813182038.0Z
whenChanged: 20200813182038.0Z
uSNCreated: 3761
uSNChanged: 3761
showInAdvancedViewOnly: TRUE
name: _ldap._tcp.dc
objectGUID: b75a2960-6e24-4a51-b060-44554e4be23f
dnsRecord:: IQAhAAXwAAABAAAAAAADhAAAAAAAAAAAAAAAZAGFGQMKc3J2LWFkZHMwMQZjc2Fncm
 8FbG9jYWwA
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=domain,DC=local
dc: _ldap._tcp.dc
distinguishedName: DC=_ldap._tcp.dc,DC=_msdcs.domain.local,CN=MicrosoftDNS,DC=
 ForestDnsZones,DC=domain,DC=local

# returned 1 records
# 1 entries
# 0 referrals
root@srv-adds01:~# univention-s4search DC=_ldap._tcp.dc._msdcs --cross-ncs
# returned 0 records
# 0 entries
# 0 referrals
root@srv-adds01:~# samba-tool drs showrepl
Default-First-Site-Name\SRV-ADDS01
DSA Options: 0x00000001
DSA object GUID: bf771b69-0479-4136-825e-2bf2648ec7ac
DSA invocationId: 02f2ace3-790f-4a4e-b901-c1a45b1016d5

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

In Backup:

root@srv-adds02:~# ucr search dns/backend  connector/s4/mapping/dns/position
dns/backend: ldap
 Bind can use different backends for its configuration: 'ldap' configures the use of the UCS OpenLDAP directory. 'samba4' uses the Samba 4 LDB database. When using the Samba backend, a search is performed in the LDAP for every DNS request. With the OpenLDAP backend, a search is only performed in the directory service if the DNS data has changed. On domain controllers running 'samba4', the backend must not be changed to 'ldap'.

root@srv-adds02:~# univention-s4search DC=_ldap._tcp.dc._msdcs --cross-ncs
-bash: univention-s4search: command not found
root@srv-adds02:~# univention-s4search DC=_ldap._tcp.dc._msdcs --cross-ncs
-bash: univention-s4search: command not found
root@srv-adds02:~# samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to srv-adds02. failed - drsException: DRS connection to srv-adds02. failed: (3221225524, 'The object name is not found.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 54, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
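The `dnsRecord::` value in the Master’s `univention-s4search` output above is a base64-encoded MS-DNSP DNS_RPC_RECORD. The following Python is an added example (not from this thread or from Univention) that builds a constructed SRV record for a hypothetical `srv-adds01.domain.local`, wraps it in an LDIF fragment shaped like that output, and decodes it, so an admin can confirm what the Samba directory actually holds for `_ldap._tcp.dc._msdcs` (type 33, LDAP port 389, target DC) before investigating why a nameserver does not serve it.

```python
import base64
import struct

DNS_TYPE_SRV = 0x21  # SRV, record type 33 (the type shown in the thread's dnsRecord value)

def encode_count_name(fqdn):
    """DNS_COUNT_NAME: total length byte, label count, length-prefixed labels, NUL terminator."""
    labels = [l.encode("ascii") for l in fqdn.rstrip(".").split(".")]
    body = bytes([len(labels)]) + b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return bytes([len(body)]) + body

def build_srv_record(priority, weight, port, target, ttl=900, serial=1, rank=0xF0):
    """Constructed DNS_RPC_RECORD: little-endian header, except TTL and SRV fields (network order)."""
    data = struct.pack(">HHH", priority, weight, port) + encode_count_name(target)
    header = struct.pack("<HHBBHI", len(data), DNS_TYPE_SRV, 5, rank, 0, serial)  # Version=5, Flags=0
    header += struct.pack(">I", ttl) + struct.pack("<II", 0, 0)  # TtlSeconds, Reserved, TimeStamp
    return header + data

def decode_count_name(buf, off):
    total, count = buf[off], buf[off + 1]
    pos, labels = off + 2, []
    for _ in range(count):
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), off + 1 + total

def decode_dns_record(value):
    """Parse the 24-byte header; for SRV records also parse priority/weight/port/target."""
    _dlen, rtype, version, rank, _flags, serial = struct.unpack_from("<HHBBHI", value, 0)
    (ttl,) = struct.unpack_from(">I", value, 12)
    rec = {"type": rtype, "version": version, "rank": rank, "serial": serial, "ttl": ttl}
    if rtype == DNS_TYPE_SRV:
        rec["priority"], rec["weight"], rec["port"] = struct.unpack_from(">HHH", value, 24)
        rec["target"], _ = decode_count_name(value, 30)
    return rec

def dnsrecord_values_from_ldif(ldif):
    """Collect base64 'dnsRecord::' values, joining LDIF continuation lines (leading space)."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return [base64.b64decode(l[len("dnsRecord:: "):]) for l in lines if l.startswith("dnsRecord:: ")]

# Constructed LDIF fragment shaped like the thread's output; host and domain are hypothetical.
_b64 = base64.b64encode(build_srv_record(100, 1, 389, "srv-adds01.domain.local")).decode()
SAMPLE_LDIF = "dn: DC=_ldap._tcp.dc,DC=_msdcs.domain.local,CN=MicrosoftDNS\ndnsRecord:: " + _b64[:60] + "\n " + _b64[60:] + "\n"
```

Feed `dnsrecord_values_from_ldif` the raw LDIF from `univention-s4search` and pass each value to `decode_dns_record`; a healthy `_ldap._tcp.dc._msdcs` node yields one SRV entry per Samba/AD DC, which is what the Backup here could not provide.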

Ok, looks like you don’t have Samba/AD installed on the DC Backup. That would be required for AD compatibility; otherwise the nameserver may respond differently for these special AD-specific _msdcs records. More importantly: even if that worked, you will face Kerberos authentication issues if you use mixed Samba/non-Samba domain controllers. You can check the installed apps by running

univention-app info

Sorry for the delay in answering; the 12th was a holiday in Brazil, and yesterday I had dozens of calls to answer.

Here is the information from the Master:

root@srv-adds01:~# univention-app info
UCS: 4.4-6 errata767
Installed: radius=5.0 samba4=4.10
Upgradable:

Backup:

root@srv-adds02:~# univention-app info
UCS: 4.4-6 errata767
Installed:
Upgradable:

In order to solve the problem, which packages do I have to install? I ask because when I selected the Domain Backup option, I imagined that all the necessary packages would be selected automatically.

And another question: is the process just going to the app store and installing the packages, or is some other step necessary so that it pulls the information needed to work completely as a 100% functional domain backup?

Today I had a VPN outage, and to avoid problems I backed up the VMs of the headquarters and the branch and installed the Active Directory-compatible Domain Controller, and apparently it worked!

Thank you very much for your help and sorry for a post for such a simple mistake.

However, if I can give you an idea to improve Univention: whenever the user selects the Active Directory Backup option, it would be recommended to force the installation of the necessary modules, as other tools do; this avoids silly errors like this one.

Hugs and good health!

There is nothing to improve - you’re misinterpreting the domains. UCS has its own LDAP domain where the 1st server gets the Domain Master role. On every additional server you can select the role DC Backup Server; this has nothing to do with Samba (MS AD), it is only a UCS LDAP Domain Backup Server role.
In a Samba or MS AD domain you never have a DC Backup role, as all DCs are equal.

So if you install an additional UCS server in the domain, it does not make sense to auto-install Samba on a DC Backup server, as you don’t need Samba when not using Active Directory services in the domain.

rg
Christian


Thank you very much for the explanation!


The purpose of a DC Backup is to serve as a 1:1 replacement for the DC Master, in case that becomes permanently unavailable. As a consequence, it is recommended to install on the DC Backup the same apps/components/packages as on the DC Master.

Installing Samba/AD additionally on a DC Backup or a DC Slave can help spread the load (mainly authentication, DNS, GPOs) between the Samba/AD DCs. As @externa1 explained, Samba/AD DCs have a multi-master replication mechanism, so dynamic DNS updates also spread across the available Samba/AD DCs. This also improves the availability of the services.

Long story short: It could make sense to install Samba/AD also on the DC Backup.
