Bug 40494 – bind9 doesn't show *._msdcs DNS records after univention-ad-takeover

Bug 40494 - bind9 doesn't show *._msdcs DNS records after univention-ad-takeover


Summary:	bind9 doesn't show *._msdcs DNS records after univention-ad-takeover

Status:	RESOLVED DUPLICATE of bug 43692

Product:	UCS
Classification:	Unclassified
Component:	AD Takeover
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	Samba maintainers
QA Contact:

URL:
Keywords:

Depends on:	34184
Blocks:
	Show dependency tree / graph

Reported:	2016-01-25 14:18 CET by Arvid Requate
Modified:	2017-04-24 17:35 CEST (History)
CC List:	7 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.069
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2016121921000285
Bug group (optional):	Troubleshooting
Max CVSS v3 score:

Attachments
move_cn_system_dns_zones.sh (731 bytes, text/x-sh) 2016-01-25 14:18 CET, Arvid Requate	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2016-01-25 14:18:18 CET

Created attachment 7429 [details]
move_cn_system_dns_zones.sh

There have been two reported cases where DNS records in the _msdcs zone were not resolvable after an AD takeover (e.g. Ticket#: 2015121721000414).

In this situation /var/log/syslog shows the following messages:
============================================================
Jan 18 20:00:48 master named[7097]: samba_dlz: trying partition 'CN=MicrosoftDNS,CN=System,DC=foo,DC=local'
Jan 18 20:00:48 master named[7097]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa'
Jan 18 20:00:48 master named[7097]: samba_dlz: pre-W2k3 zone found
============================================================

The message "pre-W2k3 zone found" shows, that the dlz_bind9 module found a DNS zone in Samba/AD below the DN 'CN=MicrosoftDNS,CN=System,DC=foo,DC=local'. In cases like these the C code ignores _msdcs zones located below other partitions, like DC=ForestDnsZones:
============================================================
Jan 18 20:00:48 master named[7097]: samba_dlz: Ignoring dnsZone _msdcs.foo.local
============================================================

As a first step the attached script may be used to fix this issue manually. It searches for '(&(objectClass=dnsZone)(!(dc=RootDNSServers)))' below CN=System.

Comment 1 Arvid Requate

2017-04-24 17:35:19 CEST

Bug #43692 contains an updated version of this script.

*** This bug has been marked as a duplicate of bug 43692 ***