[Samba] ERROR_DNS_UPDATE_FAILED and NT_STATUS_UNSUCCESSFUL


Bob of Donelson Trophy

Feb 7, 2015, 8:30:02 PM


I have been struggling with getting a member server to join my domain.
Thanks to testing and using a VM, I can get the test member server to
join my domain. The member server on "real hardware" cannot join, well
sort of.

When I "join", I get:

net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DTS***M
Joined 'DTMBR01' to dns domain 'dts***m.lan'
DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

And when I "leave", I get:

net ads leave -U Administrator
Enter Administrator's password:
Deleted account for 'DTMBR01' in realm 'DTS***M.LAN'

So, I look for what where?
--

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"


Links:
------
[1] http://www.donelsontrophy.com
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny

Feb 8, 2015, 4:00:04 AM
On 06/02/15 18:45, Bob of Donelson Trophy wrote:
>
>
> I have been struggling with getting a member server to join my domain.
> Thanks to testing and using a VM, I can get the test member server to
> join my domain. The member server on "real hardware" cannot join, well
> sort of.
>
> When I "join", I get:
>
> net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- DTS***M
> Joined 'DTMBR01' to dns domain 'dts***m.lan'
> DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> And when I "leave", I get:
>
> net ads leave -U Administrator
> Enter Administrator's password:
> Deleted account for 'DTMBR01' in realm 'DTS***M.LAN'
>
> So, I look for what where?

Hi Bob, your machine is actually joining the domain; it is the DNS
adding bit that is failing. Try joining again and see if you can connect
from another client. If it doesn't, run 'samba-tool dns add --help' and
from this work out how to add the computer's DNS records.

Rowland

buhorojo

Feb 8, 2015, 4:30:03 AM
On 06/02/15 19:45, Bob of Donelson Trophy wrote:
>
>
> I have been struggling with getting a member server to join my domain.
> Thanks to testing and using a VM, I can get the test member server to
> join my domain. The member server on "real hardware" cannot join, well
> sort of.
>
> When I "join", I get:
>
> net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- DTS***M
> Joined 'DTMBR01' to dns domain 'dts***m.lan'
> DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> And when I "leave", I get:
>
> net ads leave -U Administrator
> Enter Administrator's password:
> Deleted account for 'DTMBR01' in realm 'DTS***M.LAN'
>
> So, I look for what where?
The DC handling the join does not know the fqdn of the member server. Add:
127.0.0.1 dtmember01.dts***m.lan dtmember01 localhost
to /etc/hosts
then rejoin

Rowland Penny

Feb 8, 2015, 4:40:04 AM
On 08/02/15 09:21, buhorojo wrote:
> On 06/02/15 19:45, Bob of Donelson Trophy wrote:
>>
>> I have been struggling with getting a member server to join my domain.
>> Thanks to testing and using a VM, I can get the test member server to
>> join my domain. The member server on "real hardware" cannot join, well
>> sort of.
>>
>> When I "join", I get:
>>
>> net ads join -U Administrator
>> Enter Administrator's password:
>> Using short domain name -- DTS***M
>> Joined 'DTMBR01' to dns domain 'dts***m.lan'
>> DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> And when I "leave", I get:
>>
>> net ads leave -U Administrator
>> Enter Administrator's password:
>> Deleted account for 'DTMBR01' in realm 'DTS***M.LAN'
>>
>> So, I look for what where?
> The DC handling the join does not know the fqdn of the member server.
> Add:
> 127.0.0.1 dtmember01.dts***m.lan dtmember01 localhost
> to /etc/hosts
> then rejoin

DON'T do this. You can check that /etc/hosts has this:

127.0.0.1 localhost
<computer ip> dtmember01.dts***m.lan dtmember01

If you do it the way advised, your computer *will* only reply to '127.0.0.1'

Rowland

Bob of Donelson Trophy

Feb 8, 2015, 9:20:03 AM


Never seen this mentioned before and it did not work. Sorry.


On 2015-02-08 03:21, buhorojo wrote:

> On 06/02/15 19:45, Bob of Donelson Trophy wrote:
>
>> I have been struggling with getting a member server to join my domain.
>> Thanks to testing and using a VM, I can get the test member server to
>> join my domain. The member server on "real hardware" cannot join, well
>> sort of.
>>
>> When I "join", I get:
>>
>> net ads join -U Administrator
>> Enter Administrator's password:
>> Using short domain name -- DTS***M
>> Joined 'DTMBR01' to dns domain 'dts***m.lan'
>> DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> And when I "leave", I get:
>>
>> net ads leave -U Administrator
>> Enter Administrator's password:
>> Deleted account for 'DTMBR01' in realm 'DTS***M.LAN'
>>
>> So, I look for what where?
>
> The DC handling the join does not know the fqdn of the member server. Add:
> 127.0.0.1 dtmember01.dts***m.lan dtmember01 localhost
> to /etc/hosts
> then rejoin


Bob of Donelson Trophy

Feb 8, 2015, 9:30:02 AM


Once again, Bob is in 'the land of unknown bind knowledge.'

What type of data am I adding?

Shouldn't dns_update be run when adding the member server?

Is this a "simple-bind-dn"?

hum-m-m-m!


On 2015-02-08 02:56, Rowland Penny wrote:

> On 06/02/15 18:45, Bob of Donelson Trophy wrote:
>
>> I have been struggling with getting a member server to join my domain.
>> Thanks to testing and using a VM, I can get the test member server to
>> join my domain. The member server on "real hardware" cannot join, well
>> sort of.
>>
>> When I "join", I get:
>>
>> net ads join -U Administrator
>> Enter Administrator's password:
>> Using short domain name -- DTS***M
>> Joined 'DTMBR01' to dns domain 'dts***m.lan'
>> DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> And when I "leave", I get:
>>
>> net ads leave -U Administrator
>> Enter Administrator's password:
>> Deleted account for 'DTMBR01' in realm 'DTS***M.LAN'
>>
>> So, I look for what where?
>
> Hi Bob, your machine is actually joining the domain, it is the dns adding bit that is failing, try joining again and see if you can connect from another client, if it doesn't, run 'samba-tool dns add --help' and from this work out how to add the computers dns records.
>
> Rowland


Rowland Penny

Feb 8, 2015, 9:40:02 AM
OK, test your member server DNS record in AD:

Run this on the server:

samba-tool dns query <DC FQDN> <DNS Domain> <Member Server FQDN> A

Where:

<DC FQDN> is the fully qualified domain name of the DC i.e. DC.example.com
<DNS Domain> is the domain name you are using i.e. example.com
<Member Server FQDN> is the fully qualified domain name of the Member
Server i.e. memberserver.example.com

If it isn't there, then add it:

samba-tool dns add <DC FQDN> <DNS Domain> <Member Server FQDN> A <IPaddress>

<IPaddress> is the member server ipaddress i.e. 192.168.0.247

Rowland

Bob of Donelson Trophy

Feb 8, 2015, 2:10:03 PM


Okay!!! My member server ip address is 192.168.**.56 (static).

When I run your command it is reporting the ip address of 192.168.**.55
(which is my DC02 address.)

So, I need to correct this. How do I remove the 'old member server' ip
address 192.168.**.55 reference and correct to 192.168.**.56?


On 2015-02-08 12:50, Rowland Penny wrote:

> On 08/02/15 18:37, Bob of Donelson Trophy wrote:
>
> On DC01. Same result, have to enter password twice . . . twice?
>
> Same output complaints . . . line for line.
>
> Hum-m-m!
>
> On 2015-02-08 12:25, Rowland Penny wrote:
> On 08/02/15 18:20, Bob of Donelson Trophy wrote:
>
> Seems very strange (to me) that I need to enter the "Password for [DTS***Mroot]:" twice?
>
> And then the second question, what is the [DTS***Mroot] password, my "root" password for the DC01 or my "domainAdministrator" password? (Tried both.)
>
> And then I get:
>
> Failed to bind to uuid 50abc2a4-5**d-40b3-9**6-ee4fd5fba076 for 50abc2a4-5**d-40b3-9**6-ee4fd5fba076@ncacn_ip_tcp:dtdc01[1024,sign] NT_STATUS_LOGON_FAILURE
> ERROR(runtime): uncaught exception - (-1073741715, 'Logon failure')
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 1056, in run
> dns_conn = dns_connect(server, self.lp, self.creds)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 37, in dns_connect
> dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>
> Hum-m-m-m?
>
> On 2015-02-08 08:37, Rowland Penny wrote:
>

OK, test your member server DNS record in AD:

Run this on the server:

samba-tool dns query <DC FQDN> <DNS Domain> <Member Server FQDN> A

Where:

<DC FQDN> is the fully qualified domain name of the DC i.e.
DC.example.com
<DNS Domain> is the domain name you are using i.e. example.com
<Member Server FQDN> is the fully qualified domain name of the Member
Server i.e. memberserver.example.com

If it isn't there, then add it:

samba-tool dns add <DC FQDN> <DNS Domain> <Member Server FQDN> A <IPaddress>

<IPaddress> is the member server ipaddress i.e. 192.168.0.247

Rowland

Rats, Add '-U Administrator --password=<your AD Administrator
password>' to the commands, it should work then, or try running the
commands on the DC, they should work there without the password.

Rowland

OK, you have to use the Administrator password, even on the DC,
this is the command & output when run on a DC:

root@dc01:~# samba-tool dns query dc01.home.lan home.lan memtest2.home.lan A -U Administrator --password=**********
Name=, Records=1, Children=0
A: 192.168.0.247 (flags=f0, serial=65, ttl=3600)

and again, but on a member server:

root@memtest2:~# samba-tool dns query dc01.home.lan home.lan memtest2.home.lan A -U Administrator --password=**********
Name=, Records=1, Children=0
A: 192.168.0.247 (flags=f0, serial=65, ttl=3600)

Rowland




Rowland Penny

Feb 8, 2015, 2:20:03 PM
On 08/02/15 19:03, Bob of Donelson Trophy wrote:
>
>
> Okay!!! My member server ip address is 192.168.**.56 (static).
>
> When I run your command it is reporting the ip address of 192.168.**.55
> (which is my DC02 address.)
>
> So, I need to correct this. How do I remove the 'old member server' ip
> address 192.168.**.55 reference and correct to 192.168.**.56?
>

OK, how did that happen ??? (don't bother answering, that was a
rhetorical question)

To delete the record:

samba-tool dns delete <server> <zone> <name> A <data> -U Administrator --password=<Domain Administrator password>

Where:

<server> = your DC's fully qualified hostname
<zone> = Your DNS domain name
<name> = your member servers hostname
<data> = your member servers ipaddress

Rowland
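
The query, delete and add steps from the messages above, as an added example that is not part of the original thread: it reads `samba-tool dns query ... A` output in the format quoted earlier and prints the commands needed to replace a stale A record. Host names, addresses and the function names `a_records` and `plan_fix` are constructed for illustration; the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread. All names and addresses are constructed.

# Constructed sample in the output format quoted in the thread.
SAMPLE_OUTPUT='  Name=, Records=1, Children=0
    A: 192.168.10.55 (flags=f0, serial=65, ttl=3600)'

# Print each IPv4 address found on an "A: <ip> (...)" line of query output.
a_records() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*A:[[:space:]]*\([0-9.][0-9.]*\).*/\1/p'
}

# plan_fix <dc_fqdn> <zone> <name> <expected_ip> <query_output>
# Prints the commands that leave <name> with only <expected_ip>;
# prints nothing when the record is already correct.
plan_fix() {
    dc=$1 zone=$2 name=$3 want=$4 have_want=no
    for ip in $(a_records "$5"); do
        if [ "$ip" = "$want" ]; then
            have_want=yes
        else
            # Stale record: delete takes the exact old address as <data>.
            echo "samba-tool dns delete $dc $zone $name A $ip -U Administrator"
        fi
    done
    # No --password on the command line: samba-tool prompts instead, which
    # keeps the secret out of shell history and the process list.
    if [ "$have_want" = no ]; then
        echo "samba-tool dns add $dc $zone $name A $want -U Administrator"
    fi
}

# Member server should be .56 but the zone still holds .55.
plan_fix dc01.example.lan example.lan member01 192.168.10.56 "$SAMPLE_OUTPUT"
```
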

Bob of Donelson Trophy

Feb 8, 2015, 2:40:03 PM


Once again, the evolution of my system (DC01, DC02 & member server)
creates a problem. (Somewhere in the past my member server had an ip
address 192.168.**.55 and that was in the dns.)

Now, the world is proper and my member server properly joins my
domain.

Thank you, Rowland.

Now, as my DC02 ip address is 192.168.**.55, by deleting the member
server reference to the 192.168.**.55 did that mess up my DC02 dns
connection to DC01? (Don't answer that . . . give a man a fish and he
will eat once. Teach a man to fish and . . . .)

Reading the samba-tool man page and --help.

Thanks!!


On 2015-02-08 13:18, Rowland Penny wrote:

> On 08/02/15 19:03, Bob of Donelson Trophy wrote:
>
>> Okay!!! My member server ip address is 192.168.**.56 (static). When I run your command it is reporting the ip address of 192.168.**.55 (which is my DC02 address.) So, I need to correct this. How do I remove the 'old member server' ip address 192.168.**.55 reference and correct to 192.168.**.56?
>
> OK, how did that happen ??? (don't bother answering, that was a rhetorical question)
>
> To delete the record:
>
> samba-tool dns delete <server> <zone> <name> A <data> -U Administrator --password=<Domain Administrator password>
>
> Where:
>
> <server> = your DC's fully qualified hostname
> <zone> = Your DNS domain name
> <name> = your member servers hostname
> <data> = your member servers ipaddress
>
> Rowland


buhorojo

Feb 8, 2015, 2:50:03 PM
On 08/02/15 15:15, Bob of Donelson Trophy wrote:
>
>
> it did not work.
What command did you use and what was the error?

Bob of Donelson Trophy

Feb 8, 2015, 3:00:03 PM


Check the thread. All is good!


On 2015-02-08 13:40, buhorojo wrote:

> On 08/02/15 15:15, Bob of Donelson Trophy wrote:
>
>> it did not work.
>
> What command did you use and was the error?

