[Samba] DNS replication and BDCs
"David González Herrera - [DGHVoIP]"
info at dghvoip.com
Fri Jun 21 15:42:44 MDT 2013
Hi Marc, comments below.
On 6/20/2013 5:26 PM, Marc Muehlfeld wrote:
> Hello David,
>
> Am 20.06.2013 19:55, schrieb "David González Herrera - [DGHVoIP]":
>> I would like you to point me or tell me how do I create a fail-over or
>> high availability system so that when one of the DCs is down the other
>> takes over Auth tasks and obviously DNS.
>>
>> I've thought a solution would be to make a slave BIND DNS on another
>> server and replicate the Samba Zone and add appropriate NS and A
>> records to the main zone so that clients can query another DNS for the
>> zone and not fail as I faced yesterday. This is a production environment
>> scenario and I have many servers authenticating users against the samba
>> server so if this fails everything else does.
>
> When you join a second DC to the AD
> (http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC),
> then the DNS part is also automatically replicated.
Alright, I have done that on the second DC, but using internal, I get this
if I dig the zone.
root at bdc:~# dig @10.10.10.20 AXFR example.local
; <<>> DiG 9.9.2-P2 <<>> @10.10.10.20 AXFR example.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
root at bdc:~# dig @10.10.10.5 AXFR example.local
; <<>> DiG 9.9.2-P2 <<>> @10.10.10.5 AXFR example.local
; (1 server found)
;; global options: +cmd
example.local. 3600 IN SOA samba.example.local. hostmaster.example.local. 65 900 600 86400 0
example.local. 900 IN NS samba.example.local.
example.local. 900 IN A 10.10.10.5
example.local. 900 IN A 21x.xxx.xxx.xxx
example.local. 900 IN A 10.10.10.20
example.local. 900 IN A 10.10.10.15
example.local. 900 IN A 192.168.5.5
bdc.example.local. 900 IN A 10.10.10.20
bdc.example.local. 900 IN A 192.168.5.5
w2k8.example.local. 1200 IN A 10.10.10.15
samba.example.local. 900 IN A 10.10.10.5
samba.example.local. 900 IN A 21x.xxx.xxx.xxx
DGHPC.example.local. 1200 IN AAAA 2002:505:5bd::505:5bd
DGHPC.example.local. 1200 IN A 192.168.5.211
DGHPC.example.local. 1200 IN A 5.5.5.189
_msdcs.example.local. 900 IN NS samba.example.local.
_gc._tcp.example.local. 900 IN SRV 0 100 3268 samba.example.local.
_gc._tcp.example.local. 900 IN SRV 0 100 3268 W2K8.example.local.
_gc._tcp.example.local. 900 IN SRV 0 100 3268 bdc.example.local.
_ldap._tcp.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.example.local. 900 IN SRV 0 100 389 W2K8.example.local.
_ldap._tcp.example.local. 900 IN SRV 0 100 389 bdc.example.local.
_kpasswd._udp.example.local. 900 IN SRV 0 100 464 samba.example.local.
_kpasswd._udp.example.local. 900 IN SRV 0 100 464 W2K8.example.local.
_kpasswd._udp.example.local. 900 IN SRV 0 100 464 bdc.example.local.
_kpasswd._tcp.example.local. 900 IN SRV 0 100 464 samba.example.local.
_kpasswd._tcp.example.local. 900 IN SRV 0 100 464 W2K8.example.local.
_kpasswd._tcp.example.local. 900 IN SRV 0 100 464 bdc.example.local.
_kerberos._udp.example.local. 900 IN SRV 0 100 88 samba.example.local.
_kerberos._udp.example.local. 900 IN SRV 0 100 88 W2K8.example.local.
_kerberos._udp.example.local. 900 IN SRV 0 100 88 bdc.example.local.
_kerberos._tcp.example.local. 900 IN SRV 0 100 88 samba.example.local.
_kerberos._tcp.example.local. 900 IN SRV 0 100 88 W2K8.example.local.
_kerberos._tcp.example.local. 900 IN SRV 0 100 88 bdc.example.local.
ForestDnsZones.example.local. 900 IN A 10.10.10.5
DomainDnsZones.example.local. 900 IN A 10.10.10.5
_ldap._tcp.ForestDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.DomainDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 samba.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 W2K8.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 bdc.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 W2K8.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 bdc.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 samba.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 W2K8.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 bdc.example.local.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
example.local. 3600 IN SOA samba.example.local. hostmaster.example.local. 65 900 600 86400 0
;; Query time: 5 msec
;; SERVER: 10.10.10.5#53(10.10.10.5)
;; WHEN: Fri Jun 21 17:31:13 2013
;; XFR size: 50 records (messages 1, bytes 1886)
The zone looks good so I guess the key is what you say on clients being
them services or real workstations. I guess that's my whole issue.
I really appreciate your help Marc, I was like crazy trying to add a
slave server and did in fact.
Now I'd like to remove the public IP 21x.xxx.xxx.xxx from the zone I use:
samba-tool dns delete samba.example.local example.local samba.example.local NS 21x.xxx.xxx.xxx -U Administrator
samba-tool dns delete samba.example.local example.local samba.example.local A 21x.xxx.xxx.xxx -U Administrator
They all succeed, but I keep seeing that when I dig the zone as you can
see on the previous dig.
>
> As you already have a second DC, please check, if Samba (or BIND) is
> listening on port 53 to answer DNS queries.
>
> # netstat -taunp | grep ":53"
root at bdc:~# netstat -taunp | grep ":53"
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 12576/samba
tcp 0 0 10.10.10.20:1024 10.10.10.15:53882 ESTABLISHED 12576/samba
udp 0 0 0.0.0.0:53 0.0.0.0:* 12576/samba
>
> Then you only have to configure your clients, to use the second
> machine as DNS server, too.
This is what concerns me the most, as I'm connecting services such as
Postfix/Dovecot, OpenVPN I was using the IP of the PDC 10.10.10.5. Can I
use "example.local" on my LDAP/AD clients configuration? And will it be
like round-robin DNS, if one server doesn't respond will the other take
over?
What I'm looking for is redundancy.
>
> There's nothing special you have to do here.
>
> You can use BIND or the internal DNS on the other DCs. It doesn't need
> to be the same as on your first one.
Alright, I'll try that with my services and let you know what the
results were.
Cheers
>
>
> Regards,
> Marc
--
David Gonzalez
DGHVoIP
USA:
MOBILE: +1.646.559.6200
COL: +57.1.382.6718
COL: +57.4.247.0985
URL: www.dghvoip.com
Skype: davidgonzalezh
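An added example, not from this thread or from Samba, that checks an AXFR dump like the one pasted above for the two things discussed here: whether every DC is advertised in the apex LDAP/Kerberos/GC SRV records clients fail over on, and whether any A record still points outside the site's LAN ranges (the public IP the delete did not remove). The sample zone is constructed and trimmed from the dump, with 203.0.113.9 standing in for the masked public address; the LAN ranges 10/8 and 192.168/16 are assumed from the addresses in the dump.

```python
import ipaddress
import re
# Constructed sample cut down from the AXFR pasted above (203.0.113.9 stands in
# for the masked public IP); two records are wrapped the way the mail client did.
SAMPLE = """\
example.local. 900 IN NS samba.example.local.
example.local. 900 IN A 203.0.113.9
samba.example.local. 900 IN A 10.10.10.5
samba.example.local. 900 IN A 203.0.113.9
bdc.example.local. 900 IN A 10.10.10.20
_ldap._tcp.example.local. 900 IN SRV 0 100 389
samba.example.local.
_ldap._tcp.example.local. 900 IN SRV 0 100 389 bdc.example.local.
_kerberos._tcp.example.local. 900 IN SRV 0 100 88 samba.example.local.
_ldap._tcp.DomainDnsZones.example.local.
900 INSRV 0 100 389 samba.example.local.
"""
RDATA_FIELDS = {"A": 1, "AAAA": 1, "NS": 1, "SRV": 4, "SOA": 7}  # rdata fields per type
REC = re.compile(r"^(\S+)\s+(\d+)\s+IN\s*([A-Z]+)\s*(.*)$")       # IN\s* tolerates "INSRV"
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumed
SERVICES = ("_ldap._tcp", "_kerberos._tcp", "_gc._tcp")  # apex SRV names clients look up

def parse_axfr(text):
    """Return (name, type, rdata fields) per record, re-joining wrapped lines."""
    records, buf = [], ""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(";"):      # blank line or dig comment
            continue
        buf = (buf + " " + s).strip()       # keep gluing until the record is whole
        m = REC.match(buf)
        if m and len(m.group(4).split()) >= RDATA_FIELDS.get(m.group(3), 1):
            records.append((m.group(1).lower(), m.group(3), m.group(4).split()))
            buf = ""
    return records

def dc_srv_coverage(records, zone):
    """Map each DC host to the apex services it is advertised for."""
    cov = {}
    for name, rtype, fields in records:
        svc = name[: -(len(zone) + 2)]       # drop the trailing ".<zone>."
        if rtype == "SRV" and svc in SERVICES:
            cov.setdefault(fields[3].rstrip("."), set()).add(svc)
    return cov

def stray_a_records(records):
    """A records outside the LAN ranges, e.g. a public IP a delete left behind."""
    return [(n, f[0]) for n, t, f in records if t == "A"
            and not any(ipaddress.ip_address(f[0]) in net for net in LAN_NETS)]
```

A DC missing from one of the service sets, or any entry in the stray list, is what clients would trip over once the first DC is down.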