redundant DNS setup with bind_dlz possible ?

Thu Apr 12 07:22:05 MDT 2012

Am 12.04.2012 13:17, schrieb Daniele Dario:
> Hi Andreas,
> 
> On Thu, 2012-04-12 at 12:25 +0200, Andreas Oster wrote:
>> Am 12.04.2012 11:53, schrieb Daniele Dario:
>>> Hi Justin and Andrew,
>>>
>>> On Thu, 2012-04-12 at 05:22 -0400, Justin Foreman wrote:
>>>> On 04/12/2012 05:11 AM, Andrew Bartlett wrote:
>>>>> On Thu, 2012-04-12 at 05:07 -0400, Justin Foreman wrote:
>>>>>> On 04/12/2012 04:50 AM, Andreas Oster wrote:
>>>>>>> Am 12.04.2012 10:42, schrieb Andrew Bartlett:
>>>>>>>> On Thu, 2012-04-12 at 07:52 +0200, Andreas Oster wrote:
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> I am currently have a samba4 setup with bind9 as DNS server
>>>>>>>>> running on the same machine using the bind_dlz module provided
>>>>>>>>> by samba4. I am now curious if it is possible to set up a
>>>>>>>>> redundant/second samba4/bind9 DC for redundancy. I know that
>>>>>>>>> the AD part is no problem but what about the DNS part ? Will
>>>>>>>>> the zone infos be replicated between the two DCs ? What do I
>>>>>>>>> have to configure to add the new DC/bind9 as a secondary DNS ?
>>>>>>>>> How would secure DNS updates be handled ?
>>>>>>>>
>>>>>>>> It should be as simple as running the samba_upgradedns script on the
>>>>>>>> second DC (to export the new partitions to the DLZ module on the second
>>>>>>>> DC), but there have been some reported issues with that.
>>>>>>>>
>>>>>>>> Andrew Bartlett
>>>>>>> Hello Andrew,
>>>>>>>
>>>>>>> thank you for your fast response.
>>>>>>> I am not sure if I do understand what needs to be done :-)
>>>>>>>
>>>>>>> 1) setup a new samba4 DC and join it to AD
>>>>>>> 2) run samba_upgradedns --no-migrate
>>>>>>> 3) setup bind9 with DLZ module
>>>>>>> 4) start bind9
>>>>>>>
>>>>>>> is this correct ?
>>>>>>>
>>>>>>> best regards
>>>>>>>
>>>>>>> Andreas
>>>>>>>
>>>>>>
>>>>>> I was wondering just the same thing. I have been running into issues
>>>>>> with DLZ and a secondary Samba4 DC. I'm wondering if it's an issue with
>>>>>> the order of operations. Should Samba be running on the second DC when
>>>>>> samba_upgradedns is run, or not? I couldn't find any documentation
>>>>>> specific to adding a second DC with BIND DLZ.
>>>>>>
>>>>>> I was thinking that the following process would work:
>>>>>
>>>>> Try this order:
>>>>>
>>>>>> 1. Provision a first Samba4 DC.
>>>>>> 2. Configure DLZ and start BIND on the first DC.
>>>>>> 3. Use samba-tool domain join on a second Samba4 DC.
>>>>>> 5. Start Samba4 on the second DC.
>>>>>
>>>>> 4. Run samba_upgradedns on the second DC.
>>>>>>
>>>>>> 6. Configure DLZ and start BIND on the second DC.
>>>>>>
>>>>>> This has not worked. I get "No RID Set DN - Remote RID Set allocation
>>>>>> needs refresh" at step 4. The /usr/local/samba/private/dns directory
>>>>>> does not get created on the second DC.
>>>>>
>>>>> When Samba isn't running, it can't ask for a RID pool (literally, a
>>>>> collection of RID values so it does not need to ask the RID manager for
>>>>> them individually) to add the dns-$HOSTNAME user we use for BIND.
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>>
>>>> Ah yes. I had tried that order as well. I just tried again and got the 
>>>> following message (clean install):
>>>>
>>>> root at ds2:~# samba_upgradedns
>>>> Reading domain information
>>>> Looking up IPv4 addresses
>>>> Looking up IPv6 addresses
>>>> DNS accounts already exist
>>>> No zone file /usr/local/samba/private/dns/us.dignitastech.com.zone
>>>> DNS records will be automatically created
>>>> Creating DNS partitions
>>>> Populating DNS partitions
>>>> Traceback (most recent call last):
>>>>    File "/usr/local/samba/sbin/samba_upgradedns", line 406, in <module>
>>>>      "msDS-hasMasterNCs")
>>>> _ldb.LdbError: (1, 'Operations error')
>>>>
>>>> I can add more verbosity if interested.
>>>>
>>>> I found this earlier thread where another user appears to be having the 
>>>> same issue.
>>>> https://lists.samba.org/archive/samba-technical/2012-April/082591.html
>>>>
>>>
>>> in the list above, I have not seen any reference between the replication
>>> of the DNS partitions. Is it solved so it is not needed to use
>>> samba-tool drs replicate <destinationDC> <sourceDC> <NC> to start
>>> replication?
>>>
>>> If yes, to avoid wrong setups, would be best to demote the secondary DC,
>>> upgrade it to latest git master and re-join it to the domain?
>>>
>>> Thanks,
>>> Daniele.
>>>
>>>
>> Hello Daniele,
>>
>> does this mean DNS partition information will not been replicated
>> automatically between samba DCs ?
>>
>> best regards
>>
>> Andreas
>>
> 
> before to fire samba-tool drs replicate ... if I run samba-tool drs
> showrepl I saw only Schema, Configuration and mydomain.local as
> replicated.
> 
> If I use replicate than also DomainDnsZones and ForestDnsZones partition
> appear when I run showrepl.
> 
> I don't know if it means replication is running even if in showrepl I
> don't see the DNS partitions and then if it is required to force it
> using replicate so that's because I'm asking this to the list.
> 
> I've also seen that even if I forced replication of the DNS partitions,
> after I stopped samba on the secondary DC to upgrate do latest git
> master and restarted it, on primary DC DNS partition replication
> desappears. This seems to me that I have something wrong.
> 
> The problem is that I provisioned the domain with earlier samba4 v18 or
> latest v17 and than upgraded and I don't know if this could be the cause
> of problems.
> 
> Using samba-tool dbcheck after make install I've never seen any error
> but that's all that I've done to upgrade samba.
> 
> Best regards,
> Daniele.
> 
> 
> 
Hello Daniele,

I have now set up a second DC and joined it to AD. I have seen that
replication of ForestDnsZones and DomainDnsZones in private/sam.ldb.d is
working, but I am missing the private/dns part. samba_upgradedns gave
the same error as Justin has observed.

best regards

Andreas