UCS 4.1.4: DNS system does not update the client's IP address and PTR record

You are right, Moritz
Below are some lines of the syslog data related to the “named” service, as you requested:

Jul 27 06:47:40 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 06:47:40 dc-1 named[3510]: client 10.20.1.172#54101: update 'mydomain.xxx/IN' denied
Jul 27 06:47:40 dc-1 named[3510]: samba_dlz: cancelling transaction on zone mydomain.xxx
Jul 27 06:47:40 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 06:47:40 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=AAAA key=1216-ms-7.50-22426eb6.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 06:47:40 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=A key=1216-ms-7.50-22426eb6.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 06:47:40 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=A key=1216-ms-7.50-22426eb6.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 06:47:40 dc-1 named[3510]: client 10.20.1.172#55210: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HDQ-TTBSP03L.mydomain.xxx' AAAA
Jul 27 06:47:40 dc-1 named[3510]: client 10.20.1.172#55210: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HDQ-TTBSP03L.mydomain.xxx' A
Jul 27 06:47:40 dc-1 named[3510]: samba_dlz: subtracted rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011A#01110.20.1.172'
Jul 27 06:47:40 dc-1 named[3510]: client 10.20.1.172#55210: updating zone 'mydomain.xxx/NONE': adding an RR at 'HDQ-TTBSP03L.mydomain.xxx' A
Jul 27 06:47:40 dc-1 named[3510]: samba_dlz: added rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011A#01110.20.1.172'
Jul 27 06:47:40 dc-1 named[3510]: samba_dlz: committed transaction on zone mydomain.xxx
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 06:49:48 dc-1 named[3510]: client 10.20.1.172#54258: update 'mydomain.xxx/IN' denied
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: cancelling transaction on zone mydomain.xxx
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=AAAA key=1216-ms-7.50-22426eb6.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=A key=1216-ms-7.50-22426eb6.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=A key=1216-ms-7.50-22426eb6.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 06:49:48 dc-1 named[3510]: client 10.20.1.172#52240: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HDQ-TTBSP03L.mydomain.xxx' AAAA
Jul 27 06:49:48 dc-1 named[3510]: client 10.20.1.172#52240: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HDQ-TTBSP03L.mydomain.xxx' A
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: subtracted rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011A#01110.20.1.172'
Jul 27 06:49:48 dc-1 named[3510]: client 10.20.1.172#52240: updating zone 'mydomain.xxx/NONE': adding an RR at 'HDQ-TTBSP03L.mydomain.xxx' A
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: added rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011A#01110.20.1.172'
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: committed transaction on zone mydomain.xxx
Jul 27 06:50:02 dc-1 /USR/SBIN/CRON[10081]: (root) CMD (/usr/sbin/jitter 60 /usr/share/univention-samba4/scripts/sysvol-sync.sh >>/var/log/univention/sysvol-sync.log 2>&1)
Jul 27 06:50:02 dc-1 /USR/SBIN/CRON[10082]: (root) CMD (if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ] && [ -d "$(grep '^[[:space:]]*[^#]*[[:space:]]*WorkDir' /etc/mrtg.cfg | awk '{ print $NF }')" ]; then mkdir -p /var/log/mrtg ; env LANG=C /usr/bin/mrtg /etc/mrtg.cfg 2>&1 | tee -a /var/log/mrtg/mrtg.log ; fi)
Jul 27 06:50:02 dc-1 /USR/SBIN/CRON[10092]: (root) CMD (  if [ -x /usr/sbin/univention-umount-homedirs ]; then /usr/sbin/univention-umount-homedirs; fi)
Jul 27 07:47:38 dc-1 dhcpd: Not configured to listen on any interfaces!
Jul 27 07:47:42 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 07:47:42 dc-1 named[3510]: client 10.20.1.172#56625: update 'mydomain.xxx/IN' denied
Jul 27 07:47:42 dc-1 named[3510]: samba_dlz: cancelling transaction on zone mydomain.xxx
Jul 27 07:47:42 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 07:47:42 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=AAAA key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:42 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=A key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:42 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=A key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:42 dc-1 named[3510]: client 10.20.1.172#60445: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HDQ-TTBSP03L.mydomain.xxx' AAAA
Jul 27 07:47:42 dc-1 named[3510]: client 10.20.1.172#60445: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HDQ-TTBSP03L.mydomain.xxx' A
Jul 27 07:47:42 dc-1 named[3510]: samba_dlz: subtracted rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011A#01110.20.1.172'
Jul 27 07:47:42 dc-1 named[3510]: client 10.20.1.172#60445: updating zone 'mydomain.xxx/NONE': adding an RR at 'HDQ-TTBSP03L.mydomain.xxx' A
Jul 27 07:47:42 dc-1 named[3510]: samba_dlz: added rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011A#01110.20.1.172'
Jul 27 07:47:42 dc-1 named[3510]: samba_dlz: committed transaction on zone mydomain.xxx
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 07:47:46 dc-1 named[3510]: client 10.20.1.172#49630: update 'mydomain.xxx/IN' denied
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: cancelling transaction on zone mydomain.xxx
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=AAAA key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=A key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=AAAA key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=A key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:46 dc-1 named[3510]: client 10.20.1.172#60918: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HDQ-TTBSP03L.mydomain.xxx' AAAA
Jul 27 07:47:46 dc-1 named[3510]: client 10.20.1.172#60918: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HDQ-TTBSP03L.mydomain.xxx' A
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: subtracted rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011A#01110.20.1.172'
Jul 27 07:47:46 dc-1 named[3510]: client 10.20.1.172#60918: updating zone 'mydomain.xxx/NONE': adding an RR at 'HDQ-TTBSP03L.mydomain.xxx' AAAA
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: added rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011AAAA#011fec0::8d2c:3b33:7b42:bd56'
Jul 27 07:47:46 dc-1 named[3510]: client 10.20.1.172#60918: updating zone 'mydomain.xxx/NONE': adding an RR at 'HDQ-TTBSP03L.mydomain.xxx' A
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: added rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011A#01110.20.1.172'
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: subtracted rdataset mydomain.xxx 'mydomain.xxx.#01110800#011IN#011SOA#011dc-1.mydomain.xxx. root.mydomain.xxx. 2507 28800 7200 604800 3600'
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: added rdataset mydomain.xxx 'mydomain.xxx.#01110800#011IN#011SOA#011dc-1.mydomain.xxx. root.mydomain.xxx. 2508 28800 7200 604800 3600'
Jul 27 07:47:46 dc-1 named[3510]: samba_dlz: committed transaction on zone mydomain.xxx
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 07:47:49 dc-1 named[3510]: client 10.20.1.172#63515: update 'mydomain.xxx/IN' denied
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: cancelling transaction on zone mydomain.xxx
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=AAAA key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=A key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=AAAA key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: allowing update of signer=HDQ-TTBSP03L\$\@mydomain.xxx name=HDQ-TTBSP03L.mydomain.xxx tcpaddr= type=A key=1216-ms-7.51-22796573.9ea7728d-6d22-11e7-1fa9-5800e30b6b8b/160/0
Jul 27 07:47:49 dc-1 named[3510]: client 10.20.1.172#54464: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HDQ-TTBSP03L.mydomain.xxx' AAAA
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: subtracted rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011AAAA#011fec0::8d2c:3b33:7b42:bd56'
Jul 27 07:47:49 dc-1 named[3510]: client 10.20.1.172#54464: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HDQ-TTBSP03L.mydomain.xxx' A
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: subtracted rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011A#01110.20.1.172'
Jul 27 07:47:49 dc-1 named[3510]: client 10.20.1.172#54464: updating zone 'mydomain.xxx/NONE': adding an RR at 'HDQ-TTBSP03L.mydomain.xxx' AAAA
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: added rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011AAAA#011fec0::8d2c:3b33:7b42:bd56'
Jul 27 07:47:49 dc-1 named[3510]: client 10.20.1.172#54464: updating zone 'mydomain.xxx/NONE': adding an RR at 'HDQ-TTBSP03L.mydomain.xxx' A
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: added rdataset HDQ-TTBSP03L.mydomain.xxx 'HDQ-TTBSP03L.mydomain.xxx.#0111200#011IN#011A#01110.20.1.172'
Jul 27 07:47:49 dc-1 named[3510]: samba_dlz: committed transaction on zone mydomain.xxx

There is something wrong with the system, which denies the update to the DNS database.

No, those messages look OK to me, even though there are messages of denied updates. However, the important thing is that the signed updates work (e.g. starting at 06:49:48 with samba_dlz: starting transaction on zone mydomain.xxx and samba_dlz: allowing update of signer=… up to the following samba_dlz: committed transaction on zone mydomain.xxx).

What I don’t see are any messages about PTR records.

Can you please do the following:

  1. Visit the Univention Directory Management console,
  2. Navigate to the machine account of one of your currently running Windows clients and edit that entry,
  3. In the section “DNS Forward and Reverse Lookup Zone” add an entry for “DNS reverse zone” (I’m betting there are currently no entries) and save the entry,
  4. Wait and watch the syslog until the client updates its records again and see if it tries to update the PTR that time.
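The reading of the log described in the post above (a denied update that is cancelled, then a signed update that is committed, and no PTR activity) can be automated. The following is an added example, not part of the original thread: it groups `named` lines into `samba_dlz` transactions and reports which record types were actually added. The host name `HOST01`, the key id and the sample lines are constructed, and it assumes a PTR update would be logged in the same `adding an RR at '…' PTR` form as the A and AAAA lines.

```python
import re
from collections import Counter

# Constructed sample modelled on the named/samba_dlz lines in this thread
# (host name, key id and client ports are made up).
SAMPLE_LOG = r"""
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 06:49:48 dc-1 named[3510]: client 10.20.1.172#54258: update 'mydomain.xxx/IN' denied
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: cancelling transaction on zone mydomain.xxx
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: starting transaction on zone mydomain.xxx
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: allowing update of signer=HOST01\$\@mydomain.xxx name=HOST01.mydomain.xxx tcpaddr= type=A key=constructed-key/160/0
Jul 27 06:49:48 dc-1 named[3510]: client 10.20.1.172#52240: updating zone 'mydomain.xxx/NONE': deleting rrset at 'HOST01.mydomain.xxx' A
Jul 27 06:49:48 dc-1 named[3510]: client 10.20.1.172#52240: updating zone 'mydomain.xxx/NONE': adding an RR at 'HOST01.mydomain.xxx' A
Jul 27 06:49:48 dc-1 named[3510]: samba_dlz: committed transaction on zone mydomain.xxx
Jul 27 06:50:02 dc-1 /USR/SBIN/CRON[10081]: (root) CMD (true)
"""

NAMED = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\snamed\[\d+\]:\s(?P<msg>.*)$")
START = re.compile(r"samba_dlz: starting transaction on zone (\S+)")
END = re.compile(r"samba_dlz: (committed|cancelling) transaction on zone \S+")
DENIED = re.compile(r"client \S+#\d+: update '[^']+' denied")
SIGNER = re.compile(r"samba_dlz: allowing update of signer=(\S+) name=(\S+)")
CHANGE = re.compile(r"client \S+#\d+: updating zone '[^']+': "
                    r"(deleting rrset at|adding an RR at) '([^']+)' (\S+)")


def parse_transactions(text):
    """Group named lines into samba_dlz transactions (start .. commit/cancel)."""
    txns, cur = [], None
    for line in text.splitlines():
        m = NAMED.match(line)
        if not m:
            continue  # cron, dhcpd and blank lines are not named output
        msg = m.group("msg")
        s = START.search(msg)
        if s:
            cur = {"start": m.group("ts"), "zone": s.group(1), "outcome": "open",
                   "denied": False, "signers": set(), "changes": []}
            txns.append(cur)
            continue
        if cur is None:
            continue  # excerpt began in the middle of a transaction
        if DENIED.search(msg):
            cur["denied"] = True
        elif (g := SIGNER.search(msg)):
            # syslog shows the principal with escaped "$" and "@"
            cur["signers"].add(g.group(1).replace("\\", ""))
        elif (c := CHANGE.search(msg)):
            action = "add" if c.group(1).startswith("adding") else "delete"
            cur["changes"].append((action, c.group(2), c.group(3)))
        elif (e := END.search(msg)):
            cur["outcome"] = "committed" if e.group(1) == "committed" else "cancelled"
            cur = None
    return txns


def summarize(txns):
    """Report what was committed and whether any reverse (PTR) update appeared."""
    committed = [t for t in txns if t["outcome"] == "committed"]
    added = Counter(rrtype for t in committed
                    for action, _, rrtype in t["changes"] if action == "add")
    return {
        "denied_and_cancelled": sum(1 for t in txns
                                    if t["denied"] and t["outcome"] == "cancelled"),
        "committed": len(committed),
        "signers": sorted({s for t in committed for s in t["signers"]}),
        "zones": sorted({t["zone"] for t in committed}),
        "added_by_type": dict(added),
        "ptr_seen": added.get("PTR", 0) > 0
                    or any(t["zone"].endswith(".arpa") for t in committed),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_transactions(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against the real syslog by passing the file contents to `parse_transactions()`; `ptr_seen` staying false while `committed` grows is the pattern discussed in this thread.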

Hi Moritz,
Sorry for my late response. I did exactly as you told me, but the log is the same as above. It has been over 20 minutes and there is nothing related to updating the PTR. I’ve also checked the settings of a computer which has a PTR record. It has the value in “DNS reverse zone”, as you guessed. Maybe this issue relates to turning the DHCP service on/off (I used UCS as the DHCP server before). I will try to make UCS the DHCP server (again) for the local network to check whether there are any changes and let you know later. I appreciate your help.

Just a thought. Can you please execute the following command on your UCS DC Master and verify that it doesn’t output anything?

find /var/lib/univention-connector -type f -size 0

Yes, there’s no output.

OK, that was just to make sure that you’re not hitting a certain bug in the Samba connector. No output is good output :smile:

I don’t know exactly how Windows decides which server to contact for the updates. In our domain the DHCP server is just a UCS member server, not the DC master, but the PTR our Windows clients send are handled by the DC master (which is our sole Active Directory domain controller). Therefore I doubt changing the DHCP server will achieve much — but you can give it a try, of course.

Hi @Moritz_Bunkus
UCS is DHCP server but this issue has not been solved, pls help me solve this. Tks

Below is the current value of a computer:
ucs-computer-PTR-error

Hey,

does the machine you’re showing the screenshot of have an A or AAAA record in DNS?

What’s the output of univention-ldapsearch '(&(objectClass=univentionWindows)(cn=NameOfTheComputer))' (replace NameOfTheComputer with the machine’s name, obviously)?

What’s the output of univention-s4search -b CN=MicrosoftDNS,CN=System,$(ucr get samba4/ldap/base) -s one dn?

mosu

Hi @Moritz_Bunkus

  1. Q: does the machine you’re showing the screenshot of have an A or AAAA record in DNS? A: Yes, almost all members have a Host Record in DNS; not all, but almost.
  2. Q: What’s the output of univention-ldapsearch '(&(objectClass=univentionWindows)(cn=NameOfTheComputer))' (replace NameOfTheComputer with the machine’s name, obviously)?
    A: below is the output
root@ucs-1:~# univention-ldapsearch '(&(objectClass=univentionWindows)(cn=YYY-HANGDI01))'
# extended LDIF
#
# LDAPv3
# base <dc=mycompany,dc=xxx> (default) with scope subtree
# filter: (&(objectClass=univentionWindows)(cn=YYY-HANGDI01))
# requesting: ALL
#

# YYY-HANGDI01, STAFF, MAYTINH, MYCOMPANY, mycompany.xxx
dn: cn=YYY-HANGDI01,ou=STAFF,ou=MAYTINH,ou=MYCOMPANY,dc=mycompany,dc=xxx
univentionServerRole: windows_client
displayName: YYY-HANGDI01
krb5PrincipalName: host/YYY-HANGDI01.mycompany.xxx@mycompany.xxx
objectClass: krb5KDCEntry
objectClass: top
objectClass: univentionHost
objectClass: univentionObject
objectClass: sambaSamAccount
objectClass: person
objectClass: shadowAccount
objectClass: univentionWindows
objectClass: krb5Principal
objectClass: posixAccount
loginShell: /bin/false
univentionObjectType: computers/windows
uidNumber: 2302
krb5KDCFlags: 126
sambaAcctFlags: [W          ]
krb5MaxRenew: 604800
sn: YYY-HANGDI01
homeDirectory: /dev/null
sambaSID: S-1-5-21-4207580657-3862206303-1239993745-2139
krb5MaxLife: 86400
uid: YYY-HANGDI01$
gidNumber: 1005
sambaPrimaryGroupSID: S-1-5-21-4207580657-3862206303-1239993745-11011
univentionOperatingSystem: Windows 10 Pro
cn: YYY-HANGDI01
univentionOperatingSystemVersion: 10.0 (16299)
sambaNTPassword: C1B06C03F621DF2D485756EDB887F9D8
krb5Key:: MB2hGzAZoAMCARehEgQQwbBsA/Yh3y1IV1btuIf52A==
krb5Key:: MF2hKzApoAMCARKhIgQgGp4U2m1XicWIVfDOwNHeVB5+S90Gk/eVBekJvZZaH9eiLjAs
 oAMCAQOhJQQjTkFTQ08uTE9HaG9zdGhhbi1oYW5nZGkwMS5uYXNjby5sb2c=
krb5Key:: ME2hGzAZoAMCARGhEgQQF2HM1eE9rLUgAGzJYRvPUaIuMCygAwIBA6ElBCNOQVNDTy5M
 T0dob3N0aGFuLWhhbmdkaTAxLm5hc2NvLmxvZw==
krb5Key:: MEWhEzARoAMCAQOhCgQIZAie2ozNUVuiLjAsoAMCAQOhJQQjTkFTQ08uTE9HaG9zdGhh
 bi1oYW5nZGkwMS5uYXNjby5sb2c=
krb5Key:: MEWhEzARoAMCAQGhCgQIZAie2ozNUVuiLjAsoAMCAQOhJQQjTkFTQ08uTE9HaG9zdGhh
 bi1oYW5nZGkwMS5uYXNjby5sb2c=
krb5KeyVersionNumber: 4
shadowLastChange: 17549
sambaPwdLastSet: 1516252642

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
root@ucs-1:~#

  3. Q: What’s the output of univention-s4search -b CN=MicrosoftDNS,CN=System,$(ucr get samba4/ldap/base) -s one dn?
    A: below is the output
root@ucs-1:~# univention-s4search -b CN=MicrosoftDNS,CN=System,$(ucr get samba4/ldap/base) -s one dn
# record 1
dn: DC=ucs-1DNSServers,CN=MicrosoftDNS,CN=System,DC=mycompany,DC=xxx

# returned 1 records
# 1 entries
# 0 referrals
root@ucs-1:~#

Thanks for the information. Unfortunately the commands I pasted weren’t exactly what I actually wanted. Here are some more questions & commands:

  1. Output of: univention-s4search --cross-ncs -b CN=MicrosoftDNS,DC=DomainDnsZones,$(ucr get samba4/ldap/base) -s one dn
  2. Output of: univention-s4search --cross-ncs -b CN=MicrosoftDNS,DC=DomainDnsZones,$(ucr get samba4/ldap/base) -s one dn
  3. How was the UCS system first implemented? As a new UCS domain, or maybe as a takeover of a former Windows-
    or Samba-based ActiveDirectory domain?

Thanks.

mosu

Hi @Moritz_Bunkus
Below is my answer:

  1. Questions 1 and 2 are the same command
  2. Output of: univention-s4search --cross-ncs -b CN=MicrosoftDNS,DC=DomainDnsZones,$(ucr get samba4/ldap/base) -s one dn
root@ucs-1:~# univention-s4search --cross-ncs -b CN=MicrosoftDNS,DC=DomainDnsZones,$(ucr get samba4/ldap/base) -s one dn
# record 1
dn: DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mycompany,DC=xxx

# record 2
dn: DC=mycompany.xxx,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mycompany,DC=xxx

# record 3
dn: DC=1.20.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mycompany,DC=xxx

# record 4
dn: DC=3.20.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mycompany,DC=xxx

# record 5
dn: DC=1.30.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mycompany,DC=xxx

# record 6
dn: DC=1.40.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mycompany,DC=xxx

# returned 6 records
# 6 entries
# 0 referrals
root@ucs-1:~#

  3. How was the UCS system first implemented?
    A: This current UCS system is a new deployment from the beginning, not an AD Takeover.

Hey,

oh duh, I actually wanted to paste different search queries. But never mind.

The output looks sane so far.

I’m somewhat at a loss at the moment, but let’s try to dig deeper. Please have a look at the file /etc/univention/connector/s4/mapping.py on your DC Master. It should contain a section about synchronizing DNS entries that starts like this:

        'dns': univention.s4connector.property (

Please paste that whole section (the next one is the one with msGPO). Thanks.

Kind regards,
mosu

Additionally: please have a look at the log file /var/log/univention/connector-s4.log. Whenever a Windows computer updates its IP address (via the aforementioned samba_dlz module), lines similar to this should occur:

31.01.2018 08:23:22,114 LDAP        (PROCESS): sync to ucs:   [windowscomputer] [    modify] cn=kheldar,cn=computers,dc=int,dc=mbu-test,dc=intranet
31.01.2018 08:23:22,163 LDAP        (PROCESS): sync to ucs:   [           dns] [    modify] relativedomainname=kheldar,zonename=mbu-test.intranet,cn=dns,dc=int,dc=mbu-test,dc=intranet
31.01.2018 08:23:22,168 LDAP        (PROCESS): sync to ucs:   [           dns] [    modify] zonename=mbu-test.intranet,cn=dns,dc=int,dc=mbu-test,dc=intranet
31.01.2018 08:23:28,222 LDAP        (PROCESS): sync from ucs: [           dns] [    modify] dc=@,dc=mbu-test.intranet,cn=microsoftdns,dc=domaindnszones,DC=int,dc=mbu-test,dc=intranet
31.01.2018 08:23:29,327 LDAP        (PROCESS): sync to ucs:   [           dns] [    modify] zonename=mbu-test.intranet,cn=dns,dc=int,dc=mbu-test,dc=intranet
31.01.2018 08:23:29,333 LDAP        (PROCESS): sync to ucs:   [           dns] [       add] relativeDomainName=@._msdcs,zoneName=mbu-test.intranet,cn=dns,dc=int,dc=mbu-test,dc=intranet

Can you please look for similar entries and paste them here? Maybe there is some kind of error message.

Last but not least: does the command univention-s4connector-list-rejected list any rejects?

Kind regards,
mosu

Hi @Moritz_Bunkus
Below is the content of the dns section, as you requested:

        'dns': univention.s4connector.property (
                        ucs_default_dn='cn=dns,dc=mycompany,dc=xxx',
                        con_default_dn='CN=MicrosoftDNS,DC=DomainDnsZones,DC=MYCOMPANY,DC=XXX',
                        ucs_module='dns/dns',

                        identify=univention.s4connector.s4.dns.identify,
                        sync_mode='sync',

                        scope='sub',

                        con_search_filter='(|(objectClass=dnsNode)(objectClass=dnsZone))',

                        dn_mapping_function=[ univention.s4connector.s4.dns.dns_dn_mapping ],

                        ignore_filter='(|(DC=_ldap._tcp.Default-First-Site-Name._site))',
                        ignore_subtree = global_ignore_subtree,

                        con_sync_function = univention.s4connector.s4.dns.ucs2con,
                        ucs_sync_function = univention.s4connector.s4.dns.con2ucs,

                ),

        'msGPO': univention.s4connector.property (
                        ucs_module='container/msgpo',

One more thing: I’ve changed the Default First Site name when configuring via RSAT on a Windows computer. Below is the result of the check dns record command:

root@hq-dc1:~# samba-tool drs showrepl | more
HeadOffice\HQ-DC1
DSA Options: 0x00000001
DSA object GUID: 4d041a2c-6e12-43ba-a29b-bfddc18a4d9d
DSA invocationId: ac32b280-d8a3-48ff-975d-9964e018a352

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=mycompany,DC=xxx
        HeadOffice\HQ-DC2 via RPC
                DSA object GUID: a9187536-0d63-465b-9866-54a37bfbc494
                Last attempt @ Fri Feb  2 15:31:07 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:07 2018 ICT

DC=ForestDnsZones,DC=mycompany,DC=xxx
        CNMB\CNMB-DC1 via RPC
                DSA object GUID: 7d886dc9-7df1-44a1-886a-3967de5867f0
                Last attempt @ Fri Feb  2 15:31:07 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:07 2018 ICT

DC=ForestDnsZones,DC=mycompany,DC=xxx
        CNMN\CNMN-DC02 via RPC
                DSA object GUID: 9cf7cf92-83ad-431e-8177-41d7f88e409d
                Last attempt @ Fri Feb  2 15:31:07 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:07 2018 ICT

DC=ForestDnsZones,DC=mycompany,DC=xxx
        CNMT\CNMT-DC02 via RPC
                DSA object GUID: 8e7f7bc5-8c7f-460b-a1b9-3075c9dd3e12
                Last attempt @ Fri Feb  2 15:31:07 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:07 2018 ICT

DC=DomainDnsZones,DC=mycompany,DC=xxx
        HeadOffice\HQ-DC2 via RPC
                DSA object GUID: a9187536-0d63-465b-9866-54a37bfbc494
                Last attempt @ Fri Feb  2 15:35:21 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:35:21 2018 ICT

DC=DomainDnsZones,DC=mycompany,DC=xxx
        CNMB\CNMB-DC1 via RPC
                DSA object GUID: 7d886dc9-7df1-44a1-886a-3967de5867f0
                Last attempt @ Fri Feb  2 15:35:11 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:35:11 2018 ICT

DC=DomainDnsZones,DC=mycompany,DC=xxx
        CNMN\CNMN-DC02 via RPC
                DSA object GUID: 9cf7cf92-83ad-431e-8177-41d7f88e409d
                Last attempt @ Fri Feb  2 15:35:12 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:35:12 2018 ICT

DC=DomainDnsZones,DC=mycompany,DC=xxx
        CNMT\CNMT-DC02 via RPC
                DSA object GUID: 8e7f7bc5-8c7f-460b-a1b9-3075c9dd3e12
                Last attempt @ Fri Feb  2 15:35:12 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:35:12 2018 ICT

DC=mycompany,DC=xxx
        HeadOffice\HQ-DC2 via RPC
                DSA object GUID: a9187536-0d63-465b-9866-54a37bfbc494
                Last attempt @ Fri Feb  2 15:31:08 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:08 2018 ICT

DC=mycompany,DC=xxx
        CNMB\CNMB-DC1 via RPC
                DSA object GUID: 7d886dc9-7df1-44a1-886a-3967de5867f0
                Last attempt @ Fri Feb  2 15:31:08 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:08 2018 ICT

DC=mycompany,DC=xxx
        CNMN\CNMN-DC02 via RPC
                DSA object GUID: 9cf7cf92-83ad-431e-8177-41d7f88e409d
                Last attempt @ Fri Feb  2 15:31:08 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:08 2018 ICT

DC=mycompany,DC=xxx
        CNMT\CNMT-DC02 via RPC
                DSA object GUID: 8e7f7bc5-8c7f-460b-a1b9-3075c9dd3e12
                Last attempt @ Fri Feb  2 15:31:08 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:08 2018 ICT

CN=Schema,CN=Configuration,DC=mycompany,DC=xxx
        HeadOffice\HQ-DC2 via RPC
                DSA object GUID: a9187536-0d63-465b-9866-54a37bfbc494
                Last attempt @ Fri Feb  2 15:31:08 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:08 2018 ICT

CN=Schema,CN=Configuration,DC=mycompany,DC=xxx
        CNMB\CNMB-DC1 via RPC
                DSA object GUID: 7d886dc9-7df1-44a1-886a-3967de5867f0
                Last attempt @ Fri Feb  2 15:31:08 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:08 2018 ICT

CN=Schema,CN=Configuration,DC=mycompany,DC=xxx
        CNMN\CNMN-DC02 via RPC
                DSA object GUID: 9cf7cf92-83ad-431e-8177-41d7f88e409d
                Last attempt @ Fri Feb  2 15:31:09 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:09 2018 ICT

CN=Schema,CN=Configuration,DC=mycompany,DC=xxx
        CNMT\CNMT-DC02 via RPC
                DSA object GUID: 8e7f7bc5-8c7f-460b-a1b9-3075c9dd3e12
                Last attempt @ Fri Feb  2 15:31:09 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:09 2018 ICT

CN=Configuration,DC=mycompany,DC=xxx
        HeadOffice\HQ-DC2 via RPC
                DSA object GUID: a9187536-0d63-465b-9866-54a37bfbc494
                Last attempt @ Fri Feb  2 15:31:09 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:09 2018 ICT

CN=Configuration,DC=mycompany,DC=xxx
        CNMB\CNMB-DC1 via RPC
                DSA object GUID: 7d886dc9-7df1-44a1-886a-3967de5867f0
                Last attempt @ Fri Feb  2 15:31:09 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:09 2018 ICT

CN=Configuration,DC=mycompany,DC=xxx
        CNMN\CNMN-DC02 via RPC
                DSA object GUID: 9cf7cf92-83ad-431e-8177-41d7f88e409d
                Last attempt @ Fri Feb  2 15:31:09 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:09 2018 ICT

CN=Configuration,DC=mycompany,DC=xxx
        CNMT\CNMT-DC02 via RPC
                DSA object GUID: 8e7f7bc5-8c7f-460b-a1b9-3075c9dd3e12
                Last attempt @ Fri Feb  2 15:31:09 2018 ICT was successful
                0 consecutive failure(s).
                Last success @ Fri Feb  2 15:31:09 2018 ICT

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=mycompany,DC=xxx
        CNMB\CNMB-DC1 via RPC
                DSA object GUID: 7d886dc9-7df1-44a1-886a-3967de5867f0
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=mycompany,DC=xxx
        CNMN\CNMN-DC02 via RPC
                DSA object GUID: 9cf7cf92-83ad-431e-8177-41d7f88e409d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=mycompany,DC=xxx
        HeadOffice\HQ-DC2 via RPC
                DSA object GUID: a9187536-0d63-465b-9866-54a37bfbc494
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=mycompany,DC=xxx
        CNMT\CNMT-DC02 via RPC
                DSA object GUID: 8e7f7bc5-8c7f-460b-a1b9-3075c9dd3e12
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=mycompany,DC=xxx
        HeadOffice\HQ-DC2 via RPC
                DSA object GUID: a9187536-0d63-465b-9866-54a37bfbc494
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=mycompany,DC=xxx
        CNMB\CNMB-DC1 via RPC
                DSA object GUID: 7d886dc9-7df1-44a1-886a-3967de5867f0
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=mycompany,DC=xxx
        CNMT\CNMT-DC02 via RPC
                DSA object GUID: 8e7f7bc5-8c7f-460b-a1b9-3075c9dd3e12
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=mycompany,DC=xxx
        CNMN\CNMN-DC02 via RPC
                DSA object GUID: 9cf7cf92-83ad-431e-8177-41d7f88e409d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=mycompany,DC=xxx
        CNMB\CNMB-DC1 via RPC
                DSA object GUID: 7d886dc9-7df1-44a1-886a-3967de5867f0
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=mycompany,DC=xxx
        CNMN\CNMN-DC02 via RPC
                DSA object GUID: 9cf7cf92-83ad-431e-8177-41d7f88e409d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=mycompany,DC=xxx
        HeadOffice\HQ-DC2 via RPC
                DSA object GUID: a9187536-0d63-465b-9866-54a37bfbc494
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=mycompany,DC=xxx
        CNMT\CNMT-DC02 via RPC
                DSA object GUID: 8e7f7bc5-8c7f-460b-a1b9-3075c9dd3e12
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mycompany,DC=xxx
        CNMB\CNMB-DC1 via RPC
                DSA object GUID: 7d886dc9-7df1-44a1-886a-3967de5867f0
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mycompany,DC=xxx
        CNMN\CNMN-DC02 via RPC
                DSA object GUID: 9cf7cf92-83ad-431e-8177-41d7f88e409d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mycompany,DC=xxx
        HeadOffice\HQ-DC2 via RPC
                DSA object GUID: a9187536-0d63-465b-9866-54a37bfbc494
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=mycompany,DC=xxx
        CNMT\CNMT-DC02 via RPC
                DSA object GUID: 8e7f7bc5-8c7f-460b-a1b9-3075c9dd3e12
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=mycompany,DC=xxx
        CNMB\CNMB-DC1 via RPC
                DSA object GUID: 7d886dc9-7df1-44a1-886a-3967de5867f0
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=mycompany,DC=xxx
        CNMN\CNMN-DC02 via RPC
                DSA object GUID: 9cf7cf92-83ad-431e-8177-41d7f88e409d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=mycompany,DC=xxx
        HeadOffice\HQ-DC2 via RPC
                DSA object GUID: a9187536-0d63-465b-9866-54a37bfbc494
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=mycompany,DC=xxx
        CNMT\CNMT-DC02 via RPC
                DSA object GUID: 8e7f7bc5-8c7f-460b-a1b9-3075c9dd3e12
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 02e5eb0e-9601-4fd9-a55c-b7c9aaadd5b7
        Enabled        : TRUE
        Server DNS name : cnmb-dc1.mycompany.xxx
        Server DN name  : CN=NTDS Settings,CN=CNMB-DC1,CN=Servers,CN=CNMB,CN=Sites,CN=Configuration,DC=mycompany,DC=xxx
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: 6f6927bc-5887-450f-96ef-fa6274a9784e
        Enabled        : TRUE
        Server DNS name : cnmt-dc02.mycompany.xxx
        Server DN name  : CN=NTDS Settings,CN=CNMT-DC02,CN=Servers,CN=CNMT,CN=Sites,CN=Configuration,DC=mycompany,DC=xxx
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: a999e0cf-5e24-4c3a-ac25-dda773c85a8e
        Enabled        : TRUE
        Server DNS name : cnmn-dc02.mycompany.xxx
        Server DN name  : CN=NTDS Settings,CN=CNMN-DC02,CN=Servers,CN=CNMN,CN=Sites,CN=Configuration,DC=mycompany,DC=xxx
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: ec882737-8ecd-4192-928a-17286234c298
        Enabled        : TRUE
        Server DNS name : hq-dc2.mycompany.xxx
        Server DN name  : CN=NTDS Settings,CN=HQ-DC2,CN=Servers,CN=HeadOffice,CN=Sites,CN=Configuration,DC=mycompany,DC=xxx
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

I have the same problem:

root@ucs:/var/cache/bind# univention-s4connector-list-rejected

UCS rejected


S4 rejected

    1:    S4 DN: DC=@,DC=gr.gc,CN=MicrosoftDNS,DC=DomainDnsZones,DC=gr,DC=gc
         UCS DN: zonename=gr.gc,cn=dns,dc=gr,dc=gc

        last synced USN: 402017

Does this article help? Windows 7 reverse lookup dns registration


OMG it did the trick
Thank you so much @Moritz_Bunkus
:heart_eyes:

Great!

I don’t deserve the praise in this case, though; I would never have thought of that myself if Stefan Gohmann hadn’t posted that link in a related topic a couple of days ago.
