redundant DNS setup with bind_dlz possible ?

Daniele Dario d.dario76 at gmail.com
Thu Apr 12 05:17:20 MDT 2012


Hi Andreas,

On Thu, 2012-04-12 at 12:25 +0200, Andreas Oster wrote:
> Am 12.04.2012 11:53, schrieb Daniele Dario:
> > Hi Justin and Andrew,
> > 
> > On Thu, 2012-04-12 at 05:22 -0400, Justin Foreman wrote:
> >> On 04/12/2012 05:11 AM, Andrew Bartlett wrote:
> >>> On Thu, 2012-04-12 at 05:07 -0400, Justin Foreman wrote:
> >>>> On 04/12/2012 04:50 AM, Andreas Oster wrote:
> >>>>> Am 12.04.2012 10:42, schrieb Andrew Bartlett:
> >>>>>> On Thu, 2012-04-12 at 07:52 +0200, Andreas Oster wrote:
> >>>>>>> Hello all,
> >>>>>>>
> >>>>>>> I currently have a samba4 setup with bind9 as DNS server
> >>>>>>> running on the same machine using the bind_dlz module provided
> >>>>>>> by samba4. I am now curious if it is possible to set up a
> >>>>>>> redundant/second samba4/bind9 DC for redundancy. I know that
> >>>>>>> the AD part is no problem but what about the DNS part ? Will
> >>>>>>> the zone infos be replicated between the two DCs ? What do I
> >>>>>>> have to configure to add the new DC/bind9 as a secondary DNS ?
> >>>>>>> How would secure DNS updates be handled ?
> >>>>>>
> >>>>>> It should be as simple as running the samba_upgradedns script on the
> >>>>>> second DC (to export the new partitions to the DLZ module on the second
> >>>>>> DC), but there have been some reported issues with that.
> >>>>>>
> >>>>>> Andrew Bartlett
> >>>>> Hello Andrew,
> >>>>>
> >>>>> thank you for your fast response.
> >>>>> I am not sure if I do understand what needs to be done :-)
> >>>>>
> >>>>> 1) setup a new samba4 DC and join it to AD
> >>>>> 2) run samba_upgradedns --no-migrate
> >>>>> 3) setup bind9 with DLZ module
> >>>>> 4) start bind9
> >>>>>
> >>>>> is this correct ?
> >>>>>
> >>>>> best regards
> >>>>>
> >>>>> Andreas
> >>>>>
> >>>>
> >>>> I was wondering just the same thing. I have been running into issues
> >>>> with DLZ and a secondary Samba4 DC. I'm wondering if it's an issue with
> >>>> the order of operations. Should Samba be running on the second DC when
> >>>> samba_upgradedns is run, or not? I couldn't find any documentation
> >>>> specific to adding a second DC with BIND DLZ.
> >>>>
> >>>> I was thinking that the following process would work:
> >>>
> >>> Try this order:
> >>>
> >>>> 1. Provision a first Samba4 DC.
> >>>> 2. Configure DLZ and start BIND on the first DC.
> >>>> 3. Use samba-tool domain join on a second Samba4 DC.
> >>>> 5. Start Samba4 on the second DC.
> >>>
> >>> 4. Run samba_upgradedns on the second DC.
> >>>>
> >>>> 6. Configure DLZ and start BIND on the second DC.
> >>>>
> >>>> This has not worked. I get "No RID Set DN - Remote RID Set allocation
> >>>> needs refresh" at step 4. The /usr/local/samba/private/dns directory
> >>>> does not get created on the second DC.
> >>>
> >>> When Samba isn't running, it can't ask for a RID pool (literally, a
> >>> collection of RID values so it does not need to ask the RID manager for
> >>> them individually) to add the dns-$HOSTNAME user we use for BIND.
> >>>
> >>> Andrew Bartlett
> >>>
> >>
> >> Ah yes. I had tried that order as well. I just tried again and got the 
> >> following message (clean install):
> >>
> >> root at ds2:~# samba_upgradedns
> >> Reading domain information
> >> Looking up IPv4 addresses
> >> Looking up IPv6 addresses
> >> DNS accounts already exist
> >> No zone file /usr/local/samba/private/dns/us.dignitastech.com.zone
> >> DNS records will be automatically created
> >> Creating DNS partitions
> >> Populating DNS partitions
> >> Traceback (most recent call last):
> >>    File "/usr/local/samba/sbin/samba_upgradedns", line 406, in <module>
> >>      "msDS-hasMasterNCs")
> >> _ldb.LdbError: (1, 'Operations error')
> >>
> >> I can add more verbosity if interested.
> >>
> >> I found this earlier thread where another user appears to be having the 
> >> same issue.
> >> https://lists.samba.org/archive/samba-technical/2012-April/082591.html
> >>
> > 
> > in the list above, I have not seen any reference between the replication
> > of the DNS partitions. Is it solved so it is not needed to use
> > samba-tool drs replicate <destinationDC> <sourceDC> <NC> to start
> > replication?
> > 
> > If yes, to avoid wrong setups, would be best to demote the secondary DC,
> > upgrade it to latest git master and re-join it to the domain?
> > 
> > Thanks,
> > Daniele.
> > 
> > 
> Hello Daniele,
> 
> does this mean DNS partition information will not be replicated
> automatically between samba DCs ?
> 
> best regards
> 
> Andreas
> 

Before firing samba-tool drs replicate ..., when I ran samba-tool drs
showrepl I saw only Schema, Configuration and mydomain.local as
replicated.

If I use replicate, then the DomainDnsZones and ForestDnsZones partitions
also appear when I run showrepl.

I don't know whether replication is running even if I don't see the DNS
partitions in showrepl, or whether it is required to force it using
replicate, which is why I'm asking the list.

I've also seen that even if I forced replication of the DNS partitions,
after I stopped samba on the secondary DC to upgrade to latest git
master and restarted it, on the primary DC the DNS partition replication
disappears. This makes me think I have something wrong.

The problem is that I provisioned the domain with earlier samba4 v18 or
latest v17 and then upgraded, and I don't know if this could be the cause
of the problems.

Using samba-tool dbcheck after make install I've never seen any error
but that's all that I've done to upgrade samba.

Best regards,
Daniele.
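As an added check for the situation described in this mail (this is example code, not from the thread or from the Samba project): a small Python script that parses `samba-tool drs showrepl` output and reports which naming contexts, including DomainDnsZones and ForestDnsZones, have no inbound replication partner, and which partners report consecutive failures. The embedded sample output is constructed; the site and DC names, GUIDs, timestamps and the domain DN are placeholders, and the parser assumes the usual `==== INBOUND NEIGHBORS ====` / `==== OUTBOUND NEIGHBORS ====` layout of showrepl.

```python
"""Check `samba-tool drs showrepl` output for the naming contexts a DC
should be pulling, including the DNS application partitions.

Added example, not code from this thread or from the Samba project.
The sample text below is constructed to follow the layout of
`samba-tool drs showrepl`; the site, DC names, GUIDs, timestamps and
the domain DN are made-up placeholders."""
import re
import sys

# Constructed sample: only the domain, Configuration and Schema NCs have an
# inbound partner; DomainDnsZones and ForestDnsZones are absent, and the
# Schema partner shows consecutive failures.
SHOWREPL_SAMPLE = """\
Default-First-Site-Name\\DC2
DSA Options: 0x00000001
DSA object GUID: 00000000-0000-0000-0000-000000000002
DSA invocationId: 00000000-0000-0000-0000-000000000022

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=local
\tDefault-First-Site-Name\\DC1 via RPC
\t\tDSA object GUID: 00000000-0000-0000-0000-000000000001
\t\tLast attempt @ Thu Apr 12 12:00:00 2012 CEST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Thu Apr 12 12:00:00 2012 CEST

CN=Configuration,DC=mydomain,DC=local
\tDefault-First-Site-Name\\DC1 via RPC
\t\tDSA object GUID: 00000000-0000-0000-0000-000000000001
\t\tLast attempt @ Thu Apr 12 12:00:00 2012 CEST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Thu Apr 12 12:00:00 2012 CEST

CN=Schema,CN=Configuration,DC=mydomain,DC=local
\tDefault-First-Site-Name\\DC1 via RPC
\t\tDSA object GUID: 00000000-0000-0000-0000-000000000001
\t\tLast attempt @ Thu Apr 12 12:05:00 2012 CEST failed
\t\t2 consecutive failure(s).
\t\tLast success @ Thu Apr 12 11:00:00 2012 CEST

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
"""

FAILURE_RE = re.compile(r"(\d+) consecutive failure")


def expected_partitions(domain_dn):
    """The five NCs a DC hosting DNS in AD should replicate (DN per name)."""
    return {
        "domain": domain_dn,
        "Configuration": "CN=Configuration," + domain_dn,
        "Schema": "CN=Schema,CN=Configuration," + domain_dn,
        "DomainDnsZones": "DC=DomainDnsZones," + domain_dn,
        "ForestDnsZones": "DC=ForestDnsZones," + domain_dn,
    }


def parse_inbound(showrepl_text):
    """Map each inbound NC DN to a list of (partner, consecutive_failures)."""
    parts = showrepl_text.split("==== INBOUND NEIGHBORS ====", 1)
    if len(parts) != 2:
        raise ValueError("no INBOUND NEIGHBORS section found")
    section = parts[1].split("==== OUTBOUND NEIGHBORS ====", 1)[0]
    result, nc = {}, None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():            # NC header sits at column 0
            nc = line
            result.setdefault(nc, [])
        elif " via " in line and nc is not None:   # partner line, indented
            result[nc].append([line.split(" via ")[0], 0])
        else:                                       # detail line of a partner
            m = FAILURE_RE.search(line)
            if m and nc is not None and result[nc]:
                result[nc][-1][1] = int(m.group(1))
    return {k: [tuple(p) for p in v] for k, v in result.items()}


def missing_partitions(showrepl_text, domain_dn):
    """Names of expected NCs that have no inbound partner at all."""
    present = {nc for nc, partners in parse_inbound(showrepl_text).items() if partners}
    return sorted(n for n, dn in expected_partitions(domain_dn).items() if dn not in present)


def stuck_partners(showrepl_text):
    """(NC, partner, failures) for partners reporting consecutive failures."""
    return [(nc, partner, fails)
            for nc, partners in parse_inbound(showrepl_text).items()
            for partner, fails in partners if fails > 0]


if __name__ == "__main__":
    # Usage: samba-tool drs showrepl | python3 check_showrepl.py DC=mydomain,DC=local
    domain_dn = sys.argv[1] if len(sys.argv) > 1 else "DC=mydomain,DC=local"
    text = sys.stdin.read() if not sys.stdin.isatty() else SHOWREPL_SAMPLE
    print("missing inbound NCs:", missing_partitions(text, domain_dn) or "none")
    for nc, partner, fails in stuck_partners(text):
        print("%s: partner %s has %d consecutive failure(s)" % (nc, partner, fails))
```

Run with no stdin to see the constructed sample evaluated; with `samba-tool drs showrepl` piped in and the real domain DN as the argument, an empty "missing" list means both DNS application partitions have an inbound partner, which is the state the mail says only appeared after a manual `samba-tool drs replicate`.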




More information about the samba-technical mailing list