redundant DNS setup with bind_dlz possible ?

Andreas Oster aoster at novanetwork.de
Thu Apr 12 04:25:17 MDT 2012


On 12.04.2012 11:53, Daniele Dario wrote:
> Hi Justin and Andrew,
> 
> On Thu, 2012-04-12 at 05:22 -0400, Justin Foreman wrote:
>> On 04/12/2012 05:11 AM, Andrew Bartlett wrote:
>>> On Thu, 2012-04-12 at 05:07 -0400, Justin Foreman wrote:
>>>> On 04/12/2012 04:50 AM, Andreas Oster wrote:
>>>>> On 12.04.2012 10:42, Andrew Bartlett wrote:
>>>>>> On Thu, 2012-04-12 at 07:52 +0200, Andreas Oster wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I am currently have a samba4 setup with bind9 as DNS server
>>>>>>> running on the same machine using the bind_dlz module provided
>>>>>>> by samba4. I am now curious if it is possible to set up a
>>>>>>> redundant/second samba4/bind9 DC for redundancy. I know that
>>>>>>> the AD part is no problem but what about the DNS part ? Will
>>>>>>> the zone infos be replicated between the two DCs ? What do I
>>>>>>> have to configure to add the new DC/bind9 as a secondary DNS ?
>>>>>>> How would secure DNS updates be handled ?
>>>>>>
>>>>>> It should be as simple as running the samba_upgradedns script on the
>>>>>> second DC (to export the new partitions to the DLZ module on the second
>>>>>> DC), but there have been some reported issues with that.
>>>>>>
>>>>>> Andrew Bartlett
>>>>> Hello Andrew,
>>>>>
>>>>> thank you for your fast response.
>>>>> I am not sure if I do understand what needs to be done :-)
>>>>>
>>>>> 1) setup a new samba4 DC and join it to AD
>>>>> 2) run samba_upgradedns --no-migrate
>>>>> 3) setup bind9 with DLZ module
>>>>> 4) start bind9
>>>>>
>>>>> is this correct ?
>>>>>
>>>>> best regards
>>>>>
>>>>> Andreas
>>>>>
>>>>
>>>> I was wondering just the same thing. I have been running into issues
>>>> with DLZ and a secondary Samba4 DC. I'm wondering if it's an issue with
>>>> the order of operations. Should Samba be running on the second DC when
>>>> samba_upgradedns is run, or not? I couldn't find any documentation
>>>> specific to adding a second DC with BIND DLZ.
>>>>
>>>> I was thinking that the following process would work:
>>>
>>> Try this order:
>>>
>>>> 1. Provision a first Samba4 DC.
>>>> 2. Configure DLZ and start BIND on the first DC.
>>>> 3. Use samba-tool domain join on a second Samba4 DC.
>>>> 5. Start Samba4 on the second DC.
>>>
>>> 4. Run samba_upgradedns on the second DC.
>>>>
>>>> 6. Configure DLZ and start BIND on the second DC.
>>>>
>>>> This has not worked. I get "No RID Set DN - Remote RID Set allocation
>>>> needs refresh" at step 4. The /usr/local/samba/private/dns directory
>>>> does not get created on the second DC.
>>>
>>> When Samba isn't running, it can't ask for a RID pool (literally, a
>>> collection of RID values so it does not need to ask the RID manager for
>>> them individually) to add the dns-$HOSTNAME user we use for BIND.
>>>
>>> Andrew Bartlett
>>>
>>
>> Ah yes. I had tried that order as well. I just tried again and got the 
>> following message (clean install):
>>
>> root at ds2:~# samba_upgradedns
>> Reading domain information
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> DNS accounts already exist
>> No zone file /usr/local/samba/private/dns/us.dignitastech.com.zone
>> DNS records will be automatically created
>> Creating DNS partitions
>> Populating DNS partitions
>> Traceback (most recent call last):
>>    File "/usr/local/samba/sbin/samba_upgradedns", line 406, in <module>
>>      "msDS-hasMasterNCs")
>> _ldb.LdbError: (1, 'Operations error')
>>
>> I can add more verbosity if interested.
>>
>> I found this earlier thread where another user appears to be having the 
>> same issue.
>> https://lists.samba.org/archive/samba-technical/2012-April/082591.html
>>
> 
> in the list above, I have not seen any reference between the replication
> of the DNS partitions. Is it solved so it is not needed to use
> samba-tool drs replicate <destinationDC> <sourceDC> <NC> to start
> replication?
> 
> If yes, to avoid wrong setups, would it be best to demote the secondary DC,
> upgrade it to latest git master and re-join it to the domain?
> 
> Thanks,
> Daniele.
> 
> 
Hello Daniele,

does this mean DNS partition information will not be replicated
automatically between samba DCs ?

best regards

Andreas
