Bug 14982 - NS record is missing in reverse zone after AD recovery or demoting original DC
Summary: NS record is missing in reverse zone after AD recovery or demoting original DC
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.15.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-17 18:30 UTC by Stefan Kania
Modified: 2022-02-17 19:58 UTC
CC: 1 user

See Also:


Description Stefan Kania 2022-02-17 18:30:49 UTC
Hi to all,

I have a problem recovering a domain with a reverse zone. I'm using the
following setup (but it's the same with older Samba versions):
- Debian 11
- 4.15.5 packages from louis
- original DC name addc-01
- new DC to recover the domain: a NEW VM named recover-dc1
the new DC is also Debian 11 and louis packages

I do the recovery with:

samba-tool domain backup restore --backup-file /root/samba-backup-2022-01-29T14-32-38.732614.tar.bz2 --targetdir=/var/lib/samba --newservername=recover-dc1

Then I did:
- cp /var/lib/samba/etc/smb.conf /etc/samba/smb.conf
- cp /var/lib/samba/private/krb5.conf /etc (set the DC name in the last line)
- samba-tool ntacl sysvolreset
- add "dns" to "server services" in smb.conf
- then a samba_upgradedns
- restart samba-ad-dc
- check name resolution and the SRV records. Everything worked fine with the internal DNS
- then samba_upgradedns --dns-backend=BIND9_DLZ
- remove "dns" from the "server services" in smb.conf
- switch to bind9 with samba_upgradedns --dns-backend=BIND9_DLZ
- restart samba-ad-dc and bind9

Then I got the messages:
 Loading 'AD DNS Zone' using driver dlopen
 samba_dlz: started for DN DC=example,DC=net
 samba_dlz: starting configure
 samba_dlz: configured writeable zone 'example.net'
 zone 56.168.192.in-addr.arpa/NONE: has no NS records
 samba_dlz: Failed to configure zone '56.168.192.in-addr.arpa'
 loading configuration: bad zone

I switched back to the internal DNS and checked the zone with "dig":
First the forward-zone:
--------------
root@recover-dc1:~# dig ns example.net

; <<>> DiG 9.16.22-Debian <<>> ns example.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5882
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.net.                   IN      NS

;; ANSWER SECTION:
example.net.            900     IN      NS      recover-dc1.example.net.

;; AUTHORITY SECTION:
example.net.            3600    IN      SOA     recover-dc1.example.net.
hostmaster.example.net. 68 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 192.168.56.103#53(192.168.56.103)
;; WHEN: Mon Feb 07 17:39:17 CET 2022
;; MSG SIZE  rcvd: 102
--------------

Then the reverse zone:
----------------------
root@recover-dc1:~# dig ns 56.168.192.in-addr.arpa

; <<>> DiG 9.16.22-Debian <<>> ns 56.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53249
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;56.168.192.in-addr.arpa.       IN      NS

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 3600   IN      SOA     recover-dc1.example.net.
hostmaster.example.net. 9 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 192.168.56.103#53(192.168.56.103)
;; WHEN: Mon Feb 07 17:39:59 CET 2022
;; MSG SIZE  rcvd: 111
----------------------

No NS record.
I added an NS record:
samba-tool dns add recover-dc1 56.168.192.in-addr.arpa @ NS recover-dc1.example.net -U administrator

switched back to bind9 and everything was working.

The problem with the missing NS record in reverse zones also exists if the first DC, where the reverse zone was created, is demoted. bind9 will not start because of the missing NS record.

For me, to solve the problem it would be good if the DC holding the FSMO roles were always added as an NS record to all reverse zones.

The problem only exists with bind9 as DNS server and only in the reverse zones.
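The check the report arrives at by hand (query each reverse zone for an apex NS record with dig, add the DC as NS if there is none) can be scripted so it runs before the switch to BIND9_DLZ, which refuses to load an NS-less zone. The script below is an added example, not code from the bug report or from Samba. It assumes `samba-tool` and `dig` are installed, that the first argument is the FQDN of the DC to query and to publish as NS, that the second argument is an account allowed to modify DNS, and that `samba-tool dns zonelist` prints zone names on `pszZoneName` lines (the form Samba's output uses); `has_apex_ns` takes the dig text as an argument so it can be tried on captured output without a DC.

```shell
#!/bin/sh
# Added example (not from the bug report or Samba): before switching the DNS
# backend to BIND9_DLZ, verify that every AD-integrated reverse zone has an
# apex NS record and add this DC as NS where it is missing.
# Assumptions: $1 is the FQDN of the DC (used as dig target and as NS target),
# $2 is an account that may modify DNS, samba-tool and dig are installed.
set -eu

# has_apex_ns DIG_OUTPUT
# Return 0 if the text contains at least one NS resource record, else 1.
# A zone with no apex NS answers only with its SOA in the AUTHORITY section,
# exactly as the reverse-zone dig in the report shows, so the record type is
# what is tested rather than whether any record came back at all.
has_apex_ns() {
    printf '%s\n' "$1" |
        awk '$3 == "IN" && $4 == "NS" { found = 1 } END { exit found ? 0 : 1 }'
}

# list_reverse_zones DC USER
# Print the names of all in-addr.arpa / ip6.arpa zones hosted on DC.
# Field name "pszZoneName" is assumed from samba-tool's zonelist output.
list_reverse_zones() {
    samba-tool dns zonelist "$1" -U "$2" |
        awk '$1 == "pszZoneName" && $NF ~ /\.arpa$/ { print $NF }'
}

# ensure_apex_ns DC USER ZONE
# Query the zone's apex NS records on DC; if none exist, add DC as apex NS
# the same way the reporter did by hand (samba-tool dns add ... @ NS ...).
ensure_apex_ns() {
    dc=$1; user=$2; zone=$3
    answer=$(dig +noall +answer @"$dc" ns "$zone")
    if has_apex_ns "$answer"; then
        echo "ok: $zone has NS record(s)"
    else
        echo "missing apex NS in $zone, adding $dc" >&2
        samba-tool dns add "$dc" "$zone" @ NS "$dc" -U "$user"
    fi
}

# Only touch a live DC when both arguments are given, e.g.:
#   sh check-reverse-ns.sh recover-dc1.example.net administrator
if [ "$#" -ge 2 ]; then
    for zone in $(list_reverse_zones "$1" "$2"); do
        ensure_apex_ns "$1" "$2" "$zone"
    done
fi
```

Run it on the recovered DC with the internal DNS still active, before `samba_upgradedns --dns-backend=BIND9_DLZ`; re-run it after demoting a DC that was named as NS in a reverse zone, since that is the second case the report describes.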