[Samba] DNS replication and BDCs

"David González Herrera - [DGHVoIP]" info at dghvoip.com
Fri Jun 21 15:42:44 MDT 2013


Hi Marc, comments below.

On 6/20/2013 5:26 PM, Marc Muehlfeld wrote:
> Hello David,
>
> Am 20.06.2013 19:55, schrieb "David González Herrera - [DGHVoIP]":
>> I would like you to point me to or tell me how to create a fail-over or
>> high availability system so that when one of the DCs is down the other
>> takes over Auth tasks and obviously DNS.
>>
>> I've thought a solution would be to make a slave BIND DNS on another
>> server and replicate the Samba zone and add appropriate NS and A
>> records to the main zone so that clients can query another DNS for the
>> zone and not fail as I faced yesterday. This is a production environment
>> scenario and I have many servers authenticating users against the samba
>> server, so if this fails everything else does.
>
> When you join a second DC to the AD 
> (http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC), 
> then the DNS part is also automatically replicated.
Alright, I have done that on the second DC, but using the internal DNS. I get this
if I dig the zone.

root at bdc:~# dig @10.10.10.20 AXFR example.local

; <<>> DiG 9.9.2-P2 <<>> @10.10.10.20 AXFR example.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
root at bdc:~# dig @10.10.10.5 AXFR example.local

; <<>> DiG 9.9.2-P2 <<>> @10.10.10.5 AXFR example.local
; (1 server found)
;; global options: +cmd
example.local.         3600    IN      SOA     samba.example.local. hostmaster.example.local. 65 900 600 86400 0
example.local.         900     IN      NS      samba.example.local.
example.local.         900     IN      A       10.10.10.5
example.local.         900     IN      A       21x.xxx.xxx.xxx
example.local.         900     IN      A       10.10.10.20
example.local.         900     IN      A       10.10.10.15
example.local.         900     IN      A       192.168.5.5
bdc.example.local.     900     IN      A       10.10.10.20
bdc.example.local.     900     IN      A       192.168.5.5
w2k8.example.local.    1200    IN      A       10.10.10.15
samba.example.local.   900     IN      A       10.10.10.5
samba.example.local.   900     IN      A       21x.xxx.xxx.xxx
DGHPC.example.local.   1200    IN      AAAA    2002:505:5bd::505:5bd
DGHPC.example.local.   1200    IN      A       192.168.5.211
DGHPC.example.local.   1200    IN      A       5.5.5.189
_msdcs.example.local.  900     IN      NS      samba.example.local.
_gc._tcp.example.local. 900    IN      SRV     0 100 3268 samba.example.local.
_gc._tcp.example.local. 900    IN      SRV     0 100 3268 W2K8.example.local.
_gc._tcp.example.local. 900    IN      SRV     0 100 3268 bdc.example.local.
_ldap._tcp.example.local. 900  IN      SRV     0 100 389 samba.example.local.
_ldap._tcp.example.local. 900  IN      SRV     0 100 389 W2K8.example.local.
_ldap._tcp.example.local. 900  IN      SRV     0 100 389 bdc.example.local.
_kpasswd._udp.example.local. 900 IN    SRV     0 100 464 samba.example.local.
_kpasswd._udp.example.local. 900 IN    SRV     0 100 464 W2K8.example.local.
_kpasswd._udp.example.local. 900 IN    SRV     0 100 464 bdc.example.local.
_kpasswd._tcp.example.local. 900 IN    SRV     0 100 464 samba.example.local.
_kpasswd._tcp.example.local. 900 IN    SRV     0 100 464 W2K8.example.local.
_kpasswd._tcp.example.local. 900 IN    SRV     0 100 464 bdc.example.local.
_kerberos._udp.example.local. 900 IN   SRV     0 100 88 samba.example.local.
_kerberos._udp.example.local. 900 IN   SRV     0 100 88 W2K8.example.local.
_kerberos._udp.example.local. 900 IN   SRV     0 100 88 bdc.example.local.
_kerberos._tcp.example.local. 900 IN   SRV     0 100 88 samba.example.local.
_kerberos._tcp.example.local. 900 IN   SRV     0 100 88 W2K8.example.local.
_kerberos._tcp.example.local. 900 IN   SRV     0 100 88 bdc.example.local.
ForestDnsZones.example.local. 900 IN   A       10.10.10.5
DomainDnsZones.example.local. 900 IN   A       10.10.10.5
_ldap._tcp.ForestDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.DomainDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 samba.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 W2K8.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 bdc.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 W2K8.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 bdc.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 samba.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 W2K8.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 bdc.example.local.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
example.local.         3600    IN      SOA     samba.example.local. hostmaster.example.local. 65 900 600 86400 0
;; Query time: 5 msec
;; SERVER: 10.10.10.5#53(10.10.10.5)
;; WHEN: Fri Jun 21 17:31:13 2013
;; XFR size: 50 records (messages 1, bytes 1886)

The zone looks good, so I guess the key is what you say about clients, whether
they are services or real workstations. I guess that's my whole issue.

I really appreciate your help Marc, I was going crazy trying to add a
slave server, and in fact I did.

Now I'd like to remove the public IP 21x.xxx.xxx.xxx from the zone I use:

samba-tool dns delete samba.example.local example.local samba.example.local NS 21x.xxx.xxx.xxx -U Administrator
samba-tool dns delete samba.example.local example.local samba.example.local A 21x.xxx.xxx.xxx -U Administrator

They all succeed, but I keep seeing that when I dig the zone as you can 
see on the previous dig.

>
> As you already have a second DC, please check if Samba (or BIND) is 
> listening on port 53 to answer DNS queries.
>
> # netstat -taunp | grep ":53"

root at bdc:~# netstat -taunp | grep ":53"
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      12576/samba
tcp        0      0 10.10.10.20:1024        10.10.10.15:53882       ESTABLISHED 12576/samba
udp        0      0 0.0.0.0:53              0.0.0.0:*                           12576/samba

>
> Then you only have to configure your clients, to use the second 
> machine as DNS server, too.
This is what concerns me the most, as for connecting services such as 
Postfix/Dovecot, OpenVPN I was using the IP of the PDC 10.10.10.5. Can I 
use "example.local" in my LDAP/AD clients' configuration? And will it be 
like round-robin DNS: if one server doesn't respond, will the other take 
over?

What I'm looking for is redundancy.
>
> There's nothing special you have to do here.
>
> You can use BIND or the internal DNS on the other DCs. It doesn't need 
> to be the same as on your first one.
Alright, I'll try that with my services and let you know what the 
results were.

Cheers
>
>
> Regards,
> Marc


-- 
David Gonzalez
DGHVoIP
USA:
MOBILE: +1.646.559.6200
COL: +57.1.382.6718
COL: +57.4.247.0985
URL: www.dghvoip.com
Skype: davidgonzalezh

