redundant DNS setup with bind_dlz possible ?

Daniele Dario d.dario76 at gmail.com
Thu Apr 12 03:53:19 MDT 2012


Hi Justin and Andrew,

On Thu, 2012-04-12 at 05:22 -0400, Justin Foreman wrote:
> On 04/12/2012 05:11 AM, Andrew Bartlett wrote:
> > On Thu, 2012-04-12 at 05:07 -0400, Justin Foreman wrote:
> >> On 04/12/2012 04:50 AM, Andreas Oster wrote:
> >>> Am 12.04.2012 10:42, schrieb Andrew Bartlett:
> >>>> On Thu, 2012-04-12 at 07:52 +0200, Andreas Oster wrote:
> >>>>> Hello all,
> >>>>>
> >>>>> I currently have a samba4 setup with bind9 as DNS server
> >>>>> running on the same machine using the bind_dlz module provided
> >>>>> by samba4. I am now curious if it is possible to set up a
> >>>>> redundant/second samba4/bind9 DC for redundancy. I know that
> >>>>> the AD part is no problem but what about the DNS part ? Will
> >>>>> the zone infos be replicated between the two DCs ? What do I
> >>>>> have to configure to add the new DC/bind9 as a secondary DNS ?
> >>>>> How would secure DNS updates be handled ?
> >>>>
> >>>> It should be as simple as running the samba_upgradedns script on the
> >>>> second DC (to export the new partitions to the DLZ module on the second
> >>>> DC), but there have been some reported issues with that.
> >>>>
> >>>> Andrew Bartlett
> >>> Hello Andrew,
> >>>
> >>> thank you for your fast response.
> >>> I am not sure if I do understand what needs to be done :-)
> >>>
> >>> 1) setup a new samba4 DC and join it to AD
> >>> 2) run samba_upgradedns --no-migrate
> >>> 3) setup bind9 with DLZ module
> >>> 4) start bind9
> >>>
> >>> is this correct ?
> >>>
> >>> best regards
> >>>
> >>> Andreas
> >>>
> >>
> >> I was wondering just the same thing. I have been running into issues
> >> with DLZ and a secondary Samba4 DC. I'm wondering if it's an issue with
> >> the order of operations. Should Samba be running on the second DC when
> >> samba_upgradedns is run, or not? I couldn't find any documentation
> >> specific to adding a second DC with BIND DLZ.
> >>
> >> I was thinking that the following process would work:
> >
> > Try this order:
> >
> >> 1. Provision a first Samba4 DC.
> >> 2. Configure DLZ and start BIND on the first DC.
> >> 3. Use samba-tool domain join on a second Samba4 DC.
> >> 5. Start Samba4 on the second DC.
> >
> > 4. Run samba_upgradedns on the second DC.
> >>
> >> 6. Configure DLZ and start BIND on the second DC.
> >>
> >> This has not worked. I get "No RID Set DN - Remote RID Set allocation
> >> needs refresh" at step 4. The /usr/local/samba/private/dns directory
> >> does not get created on the second DC.
> >
> > When Samba isn't running, it can't ask for a RID pool (literally, a
> > collection of RID values so it does not need to ask the RID manager for
> > them individually) to add the dns-$HOSTNAME user we use for BIND.
> >
> > Andrew Bartlett
> >
> 
> Ah yes. I had tried that order as well. I just tried again and got the 
> following message (clean install):
> 
> root at ds2:~# samba_upgradedns
> Reading domain information
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> DNS accounts already exist
> No zone file /usr/local/samba/private/dns/us.dignitastech.com.zone
> DNS records will be automatically created
> Creating DNS partitions
> Populating DNS partitions
> Traceback (most recent call last):
>    File "/usr/local/samba/sbin/samba_upgradedns", line 406, in <module>
>      "msDS-hasMasterNCs")
> _ldb.LdbError: (1, 'Operations error')
> 
> I can add more verbosity if interested.
> 
> I found this earlier thread where another user appears to be having the 
> same issue.
> https://lists.samba.org/archive/samba-technical/2012-April/082591.html
> 

In the list above, I have not seen any reference to the replication of
the DNS partitions. Is it solved, so that it is no longer necessary to use
samba-tool drs replicate <destinationDC> <sourceDC> <NC> to start
replication?

If yes, to avoid a wrong setup, would it be best to demote the secondary
DC, upgrade it to the latest git master and re-join it to the domain?

Thanks,
Daniele.
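The order Andrew gives above, as an added example script that is not code from this thread or from the Samba project. It strings the steps together with the checks this thread's failures call for: it refuses to run samba_upgradedns unless samba is running (Andrew's RID pool explanation), it treats a missing /usr/local/samba/private/dns as failure instead of going on to configure BIND, and it kicks off replication of the two DNS partitions and shows the result. Assumptions: Samba is installed under /usr/local/samba as in the thread; DOMAIN, FIRST_DC and SECOND_DC are placeholders; samba_upgradedns is invoked bare as in the thread because its options differ between versions; whether the manual "samba-tool drs replicate" of the DNS partitions is still needed is exactly Daniele's open question, so that step is included as an assumption, not as a confirmed requirement.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Samba project:
# bring up a second Samba4 DC with BIND9 DLZ in the order Andrew suggests,
# with the checks this thread's failures call for.
# Assumptions: Samba is installed under /usr/local/samba (the prefix shown
# in the thread); DOMAIN, FIRST_DC and SECOND_DC are placeholders; the
# manual "samba-tool drs replicate" of the DNS partitions is Daniele's open
# question and is included here as an assumption, not a confirmed need.

PREFIX=${PREFIX:-/usr/local/samba}
DOMAIN=${DOMAIN:-example.com}        # placeholder: your AD DNS domain
FIRST_DC=${FIRST_DC:-dc1}            # placeholder: existing DC, replication source
SECOND_DC=${SECOND_DC:-$(uname -n)}  # this host, the DC being added

# example.com -> DC=example,DC=com (the domain's LDAP base DN)
domain_to_dn() {
    printf '%s' "$1" | awk -F. '{
        sep = ""
        for (i = 1; i <= NF; i++) { printf "%sDC=%s", sep, $i; sep = "," }
    }'
}

# The two DNS application partitions ("Creating DNS partitions" in the
# samba_upgradedns output), i.e. the NCs to hand to "samba-tool drs
# replicate". ForestDnsZones lives under the forest root DN, which equals
# the domain DN only in a single-domain forest (assumed here).
dns_partitions() {
    base=$(domain_to_dn "$1")
    printf 'DC=DomainDnsZones,%s\nDC=ForestDnsZones,%s\n' "$base" "$base"
}

# samba_upgradedns must find a running samba: without one it cannot obtain
# a RID pool to create the dns-$HOSTNAME account ("No RID Set DN" above).
samba_running() {
    pgrep -x samba >/dev/null 2>&1
}

join_second_dc() {
    samba-tool domain join "$DOMAIN" DC -U Administrator
}

start_samba() {
    "$PREFIX/sbin/samba"
}

run_upgradedns() {
    samba_running || { echo "samba is not running; start it first" >&2; return 1; }
    "$PREFIX/sbin/samba_upgradedns"
    # The failing runs in the thread never created this directory; stop here
    # rather than going on to configure BIND against a missing DLZ export.
    [ -d "$PREFIX/private/dns" ] || { echo "$PREFIX/private/dns not created" >&2; return 1; }
}

replicate_dns_partitions() {
    dns_partitions "$DOMAIN" | while read -r nc; do
        samba-tool drs replicate "$SECOND_DC" "$FIRST_DC" "$nc"
    done
    samba-tool drs showrepl   # confirm both partitions now show inbound links
}

main() {
    join_second_dc
    start_samba
    run_upgradedns
    replicate_dns_partitions
    echo "Now include $PREFIX/private/named.conf from named.conf and start bind9"
}

# Only run the procedure when asked; sourcing the file just defines helpers.
case "${1:-}" in --run) main ;; esac
```

Run it as "sh add-second-dc.sh --run" on the new DC after it has been installed but before it is joined; sourcing the file without --run only defines the helpers, so the DN and partition functions can be checked on any machine.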