[Samba] ERROR_DNS_UPDATE_FAILED and NT_STATUS_UNSUCCESSFUL

[Bob of Donelson Trophy]

I have been struggling with getting a member server to join my domain.
Thanks to testing and using a VM, I can get the test member server to
join my domain. The member server on "real hardware" cannot join, well
sort of.

When I "join", I get:

net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DTS***M
Joined 'DTMBR01' to dns domain 'dts***m.lan'
DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

And when I "leave", I get:

net ads leave -U Administrator
Enter Administrator's password:
Deleted account for 'DTMBR01' in realm 'DTS***M.LAN'

So, I look for what where?
--

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"


Links:
------
[1] http://www.donelsontrophy.com
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

[Rowland Penny]

On 06/02/15 18:45, Bob of Donelson Trophy wrote:
>
>
> I have been struggling with getting a member server to join my domain.
> Thanks to testing and using a VM, I can get the test member server to
> join my domain. The member server on "real hardware" cannot join, well
> sort of.
>
> When I "join", I get:
>
> net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- DTS***M
> Joined 'DTMBR01' to dns domain 'dts***m.lan'
> DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> And when I "leave", I get:
>
> net ads leave -U Administrator
> Enter Administrator's password:
> Deleted account for 'DTMBR01' in realm 'DTS***M.LAN'
>
> So, I look for what where?

Hi Bob, your machine is actually joining the domain, it is the dns
adding bit that is failing, try joining again and see if you can connect
from another client, if it doesn't, run 'samba-tool dns add --help' and
from this work out how to add the computers dns records.

Rowland

[buhorojo]

On 06/02/15 19:45, Bob of Donelson Trophy wrote:
>
>
> I have been struggling with getting a member server to join my domain.
> Thanks to testing and using a VM, I can get the test member server to
> join my domain. The member server on "real hardware" cannot join, well
> sort of.
>
> When I "join", I get:
>
> net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- DTS***M
> Joined 'DTMBR01' to dns domain 'dts***m.lan'
> DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> And when I "leave", I get:
>
> net ads leave -U Administrator
> Enter Administrator's password:
> Deleted account for 'DTMBR01' in realm 'DTS***M.LAN'
>
> So, I look for what where?

The DC handling the join does not know the fqdn of the member server. Add:
127.0.0.1 dtmember01.dts***m.lan dtmember01 localhost
to /etc/hosts
then rejoin

[Rowland Penny]

On 08/02/15 09:21, buhorojo wrote:
> On 06/02/15 19:45, Bob of Donelson Trophy wrote:
>>
>> I have been struggling with getting a member server to join my domain.
>> Thanks to testing and using a VM, I can get the test member server to
>> join my domain. The member server on "real hardware" cannot join, well
>> sort of.
>>
>> When I "join", I get:
>>
>> net ads join -U Administrator
>> Enter Administrator's password:
>> Using short domain name -- DTS***M
>> Joined 'DTMBR01' to dns domain 'dts***m.lan'
>> DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> And when I "leave", I get:
>>
>> net ads leave -U Administrator
>> Enter Administrator's password:
>> Deleted account for 'DTMBR01' in realm 'DTS***M.LAN'
>>
>> So, I look for what where?
> The DC handling the join does not know the fqdn of the member server.
> Add:
> 127.0.0.1 dtmember01.dts***m.lan dtmember01 localhost
> to /etc/hosts
> then rejoin

DON'T do this, You can check that /etc/hosts has this:

127.0.0.1 localhost
<computer ip> dtmember01.dts***m.lan dtmember01

If you do it the way advised, your computer *will* only reply to '127.0.0.1'

Rowland

[Bob of Donelson Trophy]

Never seen this mentioned before and it did not work. Sorry.

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-02-08 03:21, buhorojo wrote:

> On 06/02/15 19:45, Bob of Donelson Trophy wrote:
>
>> I have been struggling with getting a member server to join my domain. Thanks to testing and using a VM, I can get the test member server to join my domain. The member server on "real hardware" cannot join, well sort of. When I "join", I get: net ads join -U Administrator Enter Administrator's password: Using short domain name -- DTS***M Joined 'DTMBR01' to dns domain 'dts***m.lan' DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL And when I "leave", I get: net ads leave -U Administrator Enter Administrator's password: Deleted account for 'DTMBR01' in realm 'DTS***M.LAN' So, I look for what where?
>
> The DC handling the join does not know the fqdn of the member server. Add:
> 127.0.0.1 dtmember01.dts***m.lan dtmember01 localhost
> to /etc/hosts
> then rejoin

Links:
------
[1] http://www.donelsontrophy.com

[Bob of Donelson Trophy]

Once again, Bob is in 'the land of unknown bind knowledge.'

What type of data am I adding?

Shouldn't dns_update be run when adding the member server?

Is this a "simple-bind-dn"?

hum-m-m-m!

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-02-08 02:56, Rowland Penny wrote:

> On 06/02/15 18:45, Bob of Donelson Trophy wrote:
>
>> I have been struggling with getting a member server to join my domain. Thanks to testing and using a VM, I can get the test member server to join my domain. The member server on "real hardware" cannot join, well sort of. When I "join", I get: net ads join -U Administrator Enter Administrator's password: Using short domain name -- DTS***M Joined 'DTMBR01' to dns domain 'dts***m.lan' DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL And when I "leave", I get: net ads leave -U Administrator Enter Administrator's password: Deleted account for 'DTMBR01' in realm 'DTS***M.LAN' So, I look for what where?
>
> Hi Bob, your machine is actually joining the domain, it is the dns adding bit that is failing, try joining again and see if you can connect from another client, if it doesn't, run 'samba-tool dns add --help' and from this work out how to add the computers dns records.
>
> Rowland

Links:
------
[1] http://www.donelsontrophy.com

[Rowland Penny]

OK, test your member server DNS record in AD:

Run this on the server:

samba-tool dns query <DC FQDN> <DNS Domain> <Member Server FQDN> A

Where:

<DC FQDN> is the fully qualified domain name of the DC i.e. DC.example.com
<DNS Domain> is the domain name you are using i.e. example.com
<Member Server FQDN> is the fully qualified domain name of the Member
Server i.e. memberserver.example.com

If it isn't there, then add it:

samba-tool dns add <DC FQDN> <DNS Domain> <Member Server FQDN> A
<IPaddress>

<IPaddress> is the member server ipaddress i.e. 192.168.0.247

Rowland

[Bob of Donelson Trophy]

Okay!!! My member server ip address is 192.168.**.56 (static).

When I run your command it is reporting the ip address of 192.168.**.55
(which is my DC02 address.)

So, I need to correct this. How do I remove the 'old member server' ip
address 192.168.**.55 reference and correct to 192.168.**.56?

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-02-08 12:50, Rowland Penny wrote:

> On 08/02/15 18:37, Bob of Donelson Trophy wrote:
>
> On DC01. Same result, have to enter password twice . . . twice?
>
> Same output complaints . . . line for line.
>
> Hum-m-m!

> ---
>
> -------------------------
>
> Bob Wooden of Donelson Trophy
>
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
>
> "Everyone deserves an award!!"
>

> On 2015-02-08 12:25, Rowland Penny wrote:
> On 08/02/15 18:20, Bob of Donelson Trophy wrote:
>
> Seems very strange (to me) that I need to enter the "Password for [DTS***Mroot]:" twice?
>
> And then the second question, what is the [DTS***Mroot] password, my "root" password for the DC01 or my "domainAdministrator" password? (Tried both.)
>
> And then I get:
>
> Failed to bind to uuid 50abc2a4-5**d-40b3-9**6-ee4fd5fba076 for 50abc2a4-5**d-40b3-9**6-ee4fd5fba076@ncacn_ip_tcp:dtdc01[1024,sign] NT_STATUS_LOGON_FAILURE
> ERROR(runtime): uncaught exception - (-1073741715, 'Logon failure')
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 1056, in run
> dns_conn = dns_connect(server, self.lp, self.creds)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 37, in dns_connect
> dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>
> Hum-m-m-m?

> ---
>
> -------------------------
>
> Bob Wooden of Donelson Trophy
>
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
>
> "Everyone deserves an award!!"
>

> On 2015-02-08 08:37, Rowland Penny wrote:
>
> On 08/02/15 14:20, Bob of Donelson Trophy wrote:

> Once again, Bob is in 'the land of unknown bind knowledge.' What type of data am I adding? Shouldn't dns_update be run when adding the member server? Is this a "simple-bind-dn"? hum-m-m-m! --- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] [1 [1]] "Everyone deserves an award!!" On 2015-02-08 02:56, Rowland Penny wrote: On 06/02/15 18:45, Bob of Donelson Trophy wrote: I have been struggling with getting a member server to join my domain. Thanks to testing and using a VM, I can get the test member server to join my domain. The member server on "real hardware" cannot join, well sort of. When I "join", I get: net ads join -U Administrator Enter Administrator's password: Using short domain name -- DTS***M Joined 'DTMBR01' to dns domain 'dts***m.lan' DNS Update for dtmember01.dts***m.lan failed: ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL And when I "leave", I get: net ads leave -U Administrator Enter

Administrator's password: Deleted account for 'DTMBR01' in realm 'DTS***M.LAN' So, I look for what where? Hi Bob, your machine is actually joining the domain, it is the dns adding bit that is failing, try joining again and see if you can connect from another client, if it doesn't, run 'samba-tool dns add --help' and from this work out how to add the computers dns records. Rowland

Links: ------ [1] http://www.donelsontrophy.com [1]

OK, test your member server DNS record in AD:

Run this on the server:

samba-tool dns query <DC FQDN> <DNS Domain> <Member Server FQDN> A

Where:

<DC FQDN> is the fully qualified domain name of the DC i.e.
DC.example.com
<DNS Domain> is the domain name you are using i.e. example.com
<Member Server FQDN> is the fully qualified domain name of the Member
Server i.e. memberserver.example.com

If it isn't there, then add it:

samba-tool dns add <DC FQDN> <DNS Domain> <Member Server FQDN> A
<IPaddress>

<IPaddress> is the member server ipaddress i.e. 192.168.0.247

Rowland

Rats, Add '-U Administrator --password=<your AD Administrator
password>' to the commands, it should work then, or try running the
commands on the DC, they should work there without the password.

Rowland OK, you have to use the Administrator password, even on the DC,
this is the command & output when run on a DC:

root@dc01:~# samba-tool dns query dc01.home.lan home.lan
memtest2.home.lan A -U Administrator --password=**********
Name=, Records=1, Children=0
A: 192.168.0.247 (flags=f0, serial=65, ttl=3600)

and again, but on a member server:

root@memtest2:~# samba-tool dns query dc01.home.lan home.lan
memtest2.home.lan A -U Administrator --password=**********
Name=, Records=1, Children=0
A: 192.168.0.247 (flags=f0, serial=65, ttl=3600)

Rowland



Links:
------
[1] http://www.donelsontrophy.com

[Rowland Penny]

On 08/02/15 19:03, Bob of Donelson Trophy wrote:
>
>
> Okay!!! My member server ip address is 192.168.**.56 (static).
>
> When I run your command it is reporting the ip address of 192.168.**.55
> (which is my DC02 address.)
>
> So, I need to correct this. How do I remove the 'old member server' ip
> address 192.168.**.55 reference and correct to 192.168.**.56?
>

OK, how did that happen ??? (don't bother answering, that was a
rhetorical question)

To delete the record:

samba-tool dns delete <server> <zone> <name> A <data> -U Administrator
--password=<Domain Administrator password>

Where:

<server> = your DC's fully qualified hostname
<zone> = Your DNS domain name
<name> = your member servers hostname
<data> = your member servers ipaddress

Rowland

[Bob of Donelson Trophy]

Once again, the evolution of my system (DC01, DC02 & member server)
creates a problem. (Somewhere in the past my member server had an ip
address 192.168.**.55 and that was in the dns.)

Now, the world is proper and my member server on properly joins my
domain.

Thank you, Rowland.

Now, as my DC02 ip address is 192.168.**.55, by deleting the member
server reference to the 192.168.**.55 did that mess up my DC02 dns
connection to DC01? (Don't answer that . . . give a man a fish and he
will eat once. Teach a man to fish and . . . .)

Reading the samba-tool man page and --help.

Thanks!!

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-02-08 13:18, Rowland Penny wrote:

> On 08/02/15 19:03, Bob of Donelson Trophy wrote:
>
>> Okay!!! My member server ip address is 192.168.**.56 (static). When I run your command it is reporting the ip address of 192.168.**.55 (which is my DC02 address.) So, I need to correct this. How do I remove the 'old member server' ip address 192.168.**.55 reference and correct to 192.168.**.56?
>
> OK, how did that happen ??? (don't bother answering, that was a rhetorical question)
>
> To delete the record:
>
> samba-tool dns delete <server> <zone> <name> A <data> -U Administrator --password=<Domain Administrator password>
>
> Where:
>
> <server> = your DC's fully qualified hostname
> <zone> = Your DNS domain name
> <name> = your member servers hostname
> <data> = your member servers ipaddress
>
> Rowland

Links:
------
[1] http://www.donelsontrophy.com

[buhorojo]

On 08/02/15 15:15, Bob of Donelson Trophy wrote:
>
>
> it did not work.
What command did you use and was the error?

[Bob of Donelson Trophy]

Check the thread. All is good!

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-02-08 13:40, buhorojo wrote:

> On 08/02/15 15:15, Bob of Donelson Trophy wrote:
>
>> it did not work.
>
> What command did you use and was the error?

Links:
------
[1] http://www.donelsontrophy.com