redundant DNS setup with bind_dlz possible ?

Andrew Bartlett abartlet at samba.org
Thu Apr 12 03:11:51 MDT 2012


On Thu, 2012-04-12 at 05:07 -0400, Justin Foreman wrote:
> On 04/12/2012 04:50 AM, Andreas Oster wrote:
> > Am 12.04.2012 10:42, schrieb Andrew Bartlett:
> >> On Thu, 2012-04-12 at 07:52 +0200, Andreas Oster wrote:
> >>> Hello all,
> >>>
> >>> I currently have a samba4 setup with bind9 as DNS server
> >>> running on the same machine using the bind_dlz module provided
> >>> by samba4. I am now curious if it is possible to set up a
> >>> redundant/second samba4/bind9 DC for redundancy. I know that
> >>> the AD part is no problem but what about the DNS part ? Will
> >>> the zone infos be replicated between the two DCs ? What do I
> >>> have to configure to add the new DC/bind9 as a secondary DNS ?
> >>> How would secure DNS updates be handled ?
> >>
> >> It should be as simple as running the samba_upgradedns script on the
> >> second DC (to export the new partitions to the DLZ module on the second
> >> DC), but there have been some reported issues with that.
> >>
> >> Andrew Bartlett
> > Hello Andrew,
> >
> > thank you for your fast response.
> > I am not sure I understand what needs to be done :-)
> >
> > 1) setup a new samba4 DC and join it to AD
> > 2) run samba_upgradedns --no-migrate
> > 3) setup bind9 with DLZ module
> > 4) start bind9
> >
> > is this correct ?
> >
> > best regards
> >
> > Andreas
> >
> 
> I was wondering just the same thing. I have been running into issues 
> with DLZ and a secondary Samba4 DC. I'm wondering if it's an issue with 
> the order of operations. Should Samba be running on the second DC when 
> samba_upgradedns is run, or not? I couldn't find any documentation 
> specific to adding a second DC with BIND DLZ.
> 
> I was thinking that the following process would work:

Try this order:

> 1. Provision a first Samba4 DC.
> 2. Configure DLZ and start BIND on the first DC.
> 3. Use samba-tool domain join on a second Samba4 DC.
> 5. Start Samba4 on the second DC.

4. Run samba_upgradedns on the second DC.
> 
> 6. Configure DLZ and start BIND on the second DC.
> 
> This has not worked. I get "No RID Set DN - Remote RID Set allocation 
> needs refresh" at step 4. The /usr/local/samba/private/dns directory 
> does not get created on the second DC.

When Samba isn't running, it can't ask for a RID pool (literally, a
collection of RID values so it does not need to ask the RID manager for
them individually) to add the dns-$HOSTNAME user we use for BIND.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

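The order of operations the thread arrives at (join the second DC, start Samba, run samba_upgradedns, then bring up BIND), with a guard for the failure Justin reports, as an added example. This script is not code from the thread or from the Samba project. It assumes a source install under /usr/local/samba (the prefix in the thread's paths), a samba_upgradedns that accepts --dns-backend=BIND9_DLZ, and that named.conf is edited by hand from the fragment the script prints. DOMAIN, JOIN_USER, SAMBA_PROBE and all function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): second DC with BIND9_DLZ.
# Order per the thread: join -> start Samba -> samba_upgradedns -> BIND.
# Assumptions: source install under /usr/local/samba; current samba_upgradedns
# with --dns-backend; named.conf edited by the admin from bind_fragment's output.
set -eu

SAMBA_PREFIX="${SAMBA_PREFIX:-/usr/local/samba}"   # assumption: install prefix
PRIVATE_DIR="$SAMBA_PREFIX/private"

# Is a Samba process running? SAMBA_PROBE overrides the probe command so the
# ordering check below can be exercised on a host without Samba installed.
samba_running() {
    ${SAMBA_PROBE:-pgrep -x samba} >/dev/null 2>&1
}

# Gate samba_upgradedns on a running Samba. A DC that is not running cannot
# request a RID pool from the RID manager, so it cannot create the
# dns-$HOSTNAME account for BIND and fails with "No RID Set DN".
upgradedns_preflight() {
    if samba_running; then
        return 0
    fi
    echo "samba is not running on this DC; start it before samba_upgradedns" >&2
    return 1
}

# Post-check for what samba_upgradedns should have produced for the DLZ
# module: the private/dns directory and the DNS keytab. Takes the private dir.
dns_files_present() {
    [ -d "$1/dns" ] && [ -f "$1/dns.keytab" ]
}

# Lines the admin adds to named.conf: the include samba_upgradedns generates,
# and (inside options {}) the keytab BIND uses to verify GSS-TSIG secure
# dynamic updates from clients and other DCs.
bind_fragment() {
    printf 'options { tkey-gssapi-keytab "%s/dns.keytab"; };\n' "$PRIVATE_DIR"
    printf 'include "%s/named.conf";\n' "$PRIVATE_DIR"
}

# Step 3: join the second DC.  $1 = AD DNS domain, $2 = joining account.
join_second_dc() {
    "$SAMBA_PREFIX/bin/samba-tool" domain join "$1" DC -U "$2"
}

# Step 5 (before the DNS export): start Samba so the new DC can fetch a RID pool.
start_samba() {
    "$SAMBA_PREFIX/sbin/samba"
}

# Step 4, run only after Samba is up: export the DNS partitions for the DLZ module.
run_upgradedns() {
    upgradedns_preflight
    "$SAMBA_PREFIX/sbin/samba_upgradedns" --dns-backend=BIND9_DLZ
    dns_files_present "$PRIVATE_DIR" || {
        echo "samba_upgradedns did not create $PRIVATE_DIR/dns or dns.keytab" >&2
        return 1
    }
}

main() {
    : "${DOMAIN:?set DOMAIN to the AD DNS domain}"
    : "${JOIN_USER:?set JOIN_USER to an account allowed to join a DC}"
    join_second_dc "$DOMAIN" "$JOIN_USER"
    start_samba
    run_upgradedns
    echo "Add to named.conf, then start BIND as the user that can read dns.keytab:" >&2
    bind_fragment
}

# Only act when invoked as: DOMAIN=... JOIN_USER=... ./join-dc.sh run
case "${1:-}" in run) main ;; esac
```

The preflight is the point of the script: with Samba stopped on the new DC, samba_upgradedns cannot obtain a RID for the dns-$HOSTNAME account and the private/dns directory never appears, which is exactly the symptom in the thread. The keytab line is how secure (GSS-TSIG) updates reach BIND on the second DC; named must run as a user that can read it.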