Problem: Your DNS resolution does not resolve sub-entries below _msdcs

Problem:

Your DNS resolution does not resolve sub-entries below _msdcs after you changed dns/backend from samba4 to ldap.

Investigation:

Check whether an entry for _msdcs exists in LDAP, like this:

univention-ldapsearch relativeDomainName=_msdcs
# _msdcs, schein.ig, dns, schein.ig
dn: relativeDomainName=_msdcs,zoneName=schein.ig,cn=dns,dc=schein,dc=ig
nSRecord: master.schein.ig.
objectClass: dNSZone
objectClass: top
objectClass: univentionObject
univentionObjectType: dns/ns_record
dNSTTL: 79200
relativeDomainName: _msdcs
zoneName: schein.ig

# search result
search: 3
result: 0 Success

If this entry does not exist, this article may not apply to your problem.

Environment

Because of a bug, the S4-Connector syncs the _msdcs NS record into the LDAP DNS zone even though it should not. With dns/backend=ldap, BIND then serves that record as a delegation of _msdcs to master.schein.ig, so names below _msdcs are no longer answered from the zone data in LDAP.

Solution:

Step 1

Prevent the S4-Connector from syncing it to LDAP again by appending _msdcs to the DNS ignore list (if the list is currently empty, set it to just _msdcs to avoid a leading comma):

ucr set connector/s4/mapping/dns/ignorelist="$(ucr get connector/s4/mapping/dns/ignorelist),_msdcs"

/etc/init.d/univention-s4-connector restart

Step 2

Delete the offending NS record from LDAP:

udm dns/ns_record delete --dn "relativeDomainName=_msdcs,zoneName=$(ucr get domainname),cn=dns,$(ucr get ldap/base)"

Step 3

Delete the corresponding entry from the Samba/AD directory:

ldbdel -H /var/lib/samba/private/sam.ldb "DC=_msdcs,DC=$(ucr get domainname),CN=MicrosoftDNS,CN=System,$(ucr get ldap/base)"

If this command reports that the entry does not exist, that is fine as well.

Step 4

Restart bind9 so it reloads the zone from LDAP:

systemctl restart bind9
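The whole procedure as one script that can be run more than once without damage, added here as an example; it is not code from the original article or from Univention. It assumes a UCS DC with ucr, udm, ldbdel, univention-ldapsearch, dig and systemctl available, that connector/s4/mapping/dns/ignorelist is a comma-separated value, and, for the final check, that the DC has registered the usual AD locator record _ldap._tcp.dc._msdcs. The helper names (append_ignore_entry, msdcs_ldap_dn, msdcs_sam_dn, stray_entry_in_ldap, apply_fix) and the MSDCS_FIX_APPLY variable are the example's own.

```shell
#!/bin/sh
# Added example for this article; not code from Univention or from the
# original page. Assumptions: run as root on the affected UCS DC; ucr, udm,
# ldbdel, univention-ldapsearch, dig and systemctl are available; the ignore
# list is a comma-separated UCR value.

# Return LIST with ENTRY appended, unless ENTRY is already present.
# An empty LIST yields just ENTRY, so no leading comma is produced.
append_ignore_entry() {
    ign_list=$1
    ign_entry=$2
    if [ -z "$ign_list" ]; then
        printf '%s\n' "$ign_entry"
        return 0
    fi
    # Surround with commas so "_msdcs" does not match "_msdcs2" or "x_msdcs".
    case ",$ign_list," in
        *",$ign_entry,"*) printf '%s\n' "$ign_list" ;;
        *)                printf '%s,%s\n' "$ign_list" "$ign_entry" ;;
    esac
}

# DN of the stray NS record in the UCS LDAP DNS zone (same layout as the
# ldapsearch output in the Investigation section).
msdcs_ldap_dn() {
    printf 'relativeDomainName=_msdcs,zoneName=%s,cn=dns,%s\n' "$1" "$2"
}

# DN of the matching object in Samba's sam.ldb.
msdcs_sam_dn() {
    printf 'DC=_msdcs,DC=%s,CN=MicrosoftDNS,CN=System,%s\n' "$1" "$2"
}

# True when the stray entry is present in LDAP (the precondition for the fix).
stray_entry_in_ldap() {
    univention-ldapsearch -LLL relativeDomainName=_msdcs dn \
        | grep -q '^dn: relativeDomainName=_msdcs,'
}

apply_fix() {
    domain=$(ucr get domainname)
    base=$(ucr get ldap/base)
    ignore=$(ucr get connector/s4/mapping/dns/ignorelist)

    if ! stray_entry_in_ldap; then
        echo "no _msdcs entry in LDAP; this fix does not apply" >&2
        return 1
    fi

    # Step 1: stop the S4-Connector from re-creating the entry.
    ucr set "connector/s4/mapping/dns/ignorelist=$(append_ignore_entry "$ignore" _msdcs)"
    /etc/init.d/univention-s4-connector restart

    # Step 2: remove the NS record from LDAP.
    udm dns/ns_record delete --dn "$(msdcs_ldap_dn "$domain" "$base")"

    # Step 3: remove the Samba side; "entry does not exist" is acceptable.
    ldbdel -H /var/lib/samba/private/sam.ldb "$(msdcs_sam_dn "$domain" "$base")" \
        || echo "ldbdel: no Samba entry to delete (ok)" >&2

    # Step 4: reload the zone.
    systemctl restart bind9

    # Verify: a standard AD locator record below _msdcs must resolve again.
    # (Assumes the DC registered _ldap._tcp.dc._msdcs, as AD DCs do.)
    dig +short SRV "_ldap._tcp.dc._msdcs.$domain" @localhost | grep -q .
}

# Only act when explicitly requested, so sourcing this file for the helper
# functions has no side effects.
if [ "${MSDCS_FIX_APPLY:-0}" = "1" ]; then
    apply_fix
fi
```

Run it as MSDCS_FIX_APPLY=1 sh fix-msdcs.sh; without the variable it only defines the functions. The append helper avoids the two pitfalls of the one-liner in Step 1: a leading comma when the ignore list is empty, and a duplicated _msdcs when the step is run a second time.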