redundant DNS setup with bind_dlz possible ?

Daniele Dario d.dario76 at gmail.com
Thu Apr 12 08:25:57 MDT 2012


On Thu, 2012-04-12 at 15:22 +0200, Andreas Oster wrote:
> Am 12.04.2012 13:17, schrieb Daniele Dario:
> > Hi Andreas,
> > 
> > On Thu, 2012-04-12 at 12:25 +0200, Andreas Oster wrote:
> >> Am 12.04.2012 11:53, schrieb Daniele Dario:
> >>> Hi Justin and Andrew,
> >>>
> >>> On Thu, 2012-04-12 at 05:22 -0400, Justin Foreman wrote:
> >>>> On 04/12/2012 05:11 AM, Andrew Bartlett wrote:
> >>>>> On Thu, 2012-04-12 at 05:07 -0400, Justin Foreman wrote:
> >>>>>> On 04/12/2012 04:50 AM, Andreas Oster wrote:
> >>>>>>> Am 12.04.2012 10:42, schrieb Andrew Bartlett:
> >>>>>>>> On Thu, 2012-04-12 at 07:52 +0200, Andreas Oster wrote:
> >>>>>>>>> Hello all,
> >>>>>>>>>
> >>>>>>>>> I currently have a samba4 setup with bind9 as DNS server
> >>>>>>>>> running on the same machine using the bind_dlz module provided
> >>>>>>>>> by samba4. I am now curious if it is possible to set up a
> >>>>>>>>> redundant/second samba4/bind9 DC for redundancy. I know that
> >>>>>>>>> the AD part is no problem but what about the DNS part ? Will
> >>>>>>>>> the zone infos be replicated between the two DCs ? What do I
> >>>>>>>>> have to configure to add the new DC/bind9 as a secondary DNS ?
> >>>>>>>>> How would secure DNS updates be handled ?
> >>>>>>>>
> >>>>>>>> It should be as simple as running the samba_upgradedns script on the
> >>>>>>>> second DC (to export the new partitions to the DLZ module on the second
> >>>>>>>> DC), but there have been some reported issues with that.
> >>>>>>>>
> >>>>>>>> Andrew Bartlett
> >>>>>>> Hello Andrew,
> >>>>>>>
> >>>>>>> thank you for your fast response.
> >>>>>>> I am not sure if I do understand what needs to be done :-)
> >>>>>>>
> >>>>>>> 1) setup a new samba4 DC and join it to AD
> >>>>>>> 2) run samba_upgradedns --no-migrate
> >>>>>>> 3) setup bind9 with DLZ module
> >>>>>>> 4) start bind9
> >>>>>>>
> >>>>>>> is this correct ?
> >>>>>>>
> >>>>>>> best regards
> >>>>>>>
> >>>>>>> Andreas
> >>>>>>>
> >>>>>>
> >>>>>> I was wondering just the same thing. I have been running into issues
> >>>>>> with DLZ and a secondary Samba4 DC. I'm wondering if it's an issue with
> >>>>>> the order of operations. Should Samba be running on the second DC when
> >>>>>> samba_upgradedns is run, or not? I couldn't find any documentation
> >>>>>> specific to adding a second DC with BIND DLZ.
> >>>>>>
> >>>>>> I was thinking that the following process would work:
> >>>>>
> >>>>> Try this order:
> >>>>>
> >>>>>> 1. Provision a first Samba4 DC.
> >>>>>> 2. Configure DLZ and start BIND on the first DC.
> >>>>>> 3. Use samba-tool domain join on a second Samba4 DC.
> >>>>>> 5. Start Samba4 on the second DC.
> >>>>>
> >>>>> 4. Run samba_upgradedns on the second DC.
> >>>>>>
> >>>>>> 6. Configure DLZ and start BIND on the second DC.
> >>>>>>
> >>>>>> This has not worked. I get "No RID Set DN - Remote RID Set allocation
> >>>>>> needs refresh" at step 4. The /usr/local/samba/private/dns directory
> >>>>>> does not get created on the second DC.
> >>>>>
> >>>>> When Samba isn't running, it can't ask for a RID pool (literally, a
> >>>>> collection of RID values so it does not need to ask the RID manager for
> >>>>> them individually) to add the dns-$HOSTNAME user we use for BIND.
> >>>>>
> >>>>> Andrew Bartlett
> >>>>>
> >>>>
> >>>> Ah yes. I had tried that order as well. I just tried again and got the 
> >>>> following message (clean install):
> >>>>
> >>>> root at ds2:~# samba_upgradedns
> >>>> Reading domain information
> >>>> Looking up IPv4 addresses
> >>>> Looking up IPv6 addresses
> >>>> DNS accounts already exist
> >>>> No zone file /usr/local/samba/private/dns/us.dignitastech.com.zone
> >>>> DNS records will be automatically created
> >>>> Creating DNS partitions
> >>>> Populating DNS partitions
> >>>> Traceback (most recent call last):
> >>>>    File "/usr/local/samba/sbin/samba_upgradedns", line 406, in <module>
> >>>>      "msDS-hasMasterNCs")
> >>>> _ldb.LdbError: (1, 'Operations error')
> >>>>
> >>>> I can add more verbosity if interested.
> >>>>
> >>>> I found this earlier thread where another user appears to be having the 
> >>>> same issue.
> >>>> https://lists.samba.org/archive/samba-technical/2012-April/082591.html
> >>>>
> >>>
> >>> in the list above, I have not seen any reference to the replication
> >>> of the DNS partitions. Is it solved so it is not needed to use
> >>> samba-tool drs replicate <destinationDC> <sourceDC> <NC> to start
> >>> replication?
> >>>
> >>> If yes, to avoid wrong setups, would it be best to demote the secondary DC,
> >>> upgrade it to latest git master and re-join it to the domain?
> >>>
> >>> Thanks,
> >>> Daniele.
> >>>
> >>>
> >> Hello Daniele,
> >>
> >> does this mean DNS partition information will not be replicated
> >> automatically between samba DCs ?
> >>
> >> best regards
> >>
> >> Andreas
> >>
> > 
> > before firing samba-tool drs replicate ... if I run samba-tool drs
> > showrepl I saw only Schema, Configuration and mydomain.local as
> > replicated.
> > 
> > If I use replicate, then the DomainDnsZones and ForestDnsZones partitions
> > also appear when I run showrepl.
> > 
> > I don't know whether it means replication is running even if I don't see
> > the DNS partitions in showrepl, and whether it is then required to force
> > it using replicate, so that's why I'm asking the list.
> > 
> > I've also seen that even if I forced replication of the DNS partitions,
> > after I stopped samba on the secondary DC to upgrade to latest git
> > master and restarted it, on the primary DC the DNS partition replication
> > disappears. This suggests to me that I have something wrong.
> > 
> > The problem is that I provisioned the domain with earlier samba4 v18 or
> > latest v17 and then upgraded and I don't know if this could be the cause
> > of problems.
> > 
> > Using samba-tool dbcheck after make install I've never seen any error
> > but that's all that I've done to upgrade samba.
> > 
> > Best regards,
> > Daniele.
> > 
> > 
> > 
> Hello Daniele,
> 
> I have now set up a second DC and joined it to AD. I have seen that
> replication of ForestDnsZones and DomainDnsZones in private/sam.ldb.d is
> working, but I am missing the private/dns part. samba_upgradedns gave
> the same error as Justin has observed.
> 
> best regards
> 
> Andreas
> 

Hallo Andreas,
for me (I've just demoted the secondary DC and then reinstalled and
re-joined it to the domain) I don't see DNS zones in private/sam.ldb.d.

I guess that for you, samba-tool drs showrepl also shows the DNS zones
in the INBOUND and OUTBOUND NEIGHBORS, doesn't it?

Daniele.
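The check Daniele describes in the quoted messages above, whether `samba-tool drs showrepl` lists DomainDnsZones and ForestDnsZones under INBOUND NEIGHBORS and, if not, which `samba-tool drs replicate <destinationDC> <sourceDC> <NC>` calls would force a pull, as a small shell helper. This is an added example, not code from the thread or from the Samba project. It assumes showrepl prints each naming context as an unindented DN line below the `==== INBOUND NEIGHBORS ====` heading (the sample output it parses is constructed and only approximates the real layout), and DC1, DC2 and mydomain.local are placeholder names.

```sh
#!/bin/sh
# Added example (not from the thread or the Samba project): check whether a DC
# is pulling the DNS partitions, and print the `samba-tool drs replicate`
# commands needed for any that are missing. Assumes `samba-tool drs showrepl`
# lists each naming context as an unindented DN line below the
# "==== INBOUND NEIGHBORS ====" heading (the layout is approximated here).

# Constructed sample showrepl output for a secondary DC (DC2) that pulls
# Schema, Configuration, the domain NC and DomainDnsZones from DC1, but
# not ForestDnsZones. GUIDs and timestamps are placeholders.
SAMPLE_SHOWREPL=$(cat <<'EOF'
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 00000000-0000-0000-0000-000000000002
DSA invocationId: 00000000-0000-0000-0000-000000000002

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=mydomain,DC=local
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Thu Apr 12 08:00:00 2012 CEST was successful

CN=Schema,CN=Configuration,DC=mydomain,DC=local
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Thu Apr 12 08:00:00 2012 CEST was successful

DC=mydomain,DC=local
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Thu Apr 12 08:00:00 2012 CEST was successful

DC=DomainDnsZones,DC=mydomain,DC=local
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Thu Apr 12 08:00:00 2012 CEST was successful

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=mydomain,DC=local
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Thu Apr 12 08:00:00 2012 CEST was successful

==== KCC CONNECTION OBJECTS ====
EOF
)

# Print the naming contexts listed under INBOUND NEIGHBORS, one DN per line.
# Reads showrepl output on stdin.
inbound_ncs() {
    awk '
        /^==== INBOUND NEIGHBORS ====/ { inbound = 1; next }
        /^==== /                        { inbound = 0 }
        inbound && /^(DC|CN)=/          { print }
    '
}

# Print the DNS partitions the DC is NOT pulling (empty output = all present).
# $1 = domain DN, e.g. DC=mydomain,DC=local; showrepl output on stdin.
missing_dns_partitions() {
    domain_dn=$1
    seen=$(inbound_ncs)
    for nc in "DC=DomainDnsZones,$domain_dn" "DC=ForestDnsZones,$domain_dn"; do
        printf '%s\n' "$seen" | grep -qxF -- "$nc" || printf '%s\n' "$nc"
    done
}

# Print (do not run) the one-off replication commands that would pull each
# missing partition from $3 (source DC) onto $2 (destination DC).
replicate_commands() {
    domain_dn=$1; dest=$2; src=$3
    missing_dns_partitions "$domain_dn" | while IFS= read -r nc; do
        printf 'samba-tool drs replicate %s %s %s\n' "$dest" "$src" "$nc"
    done
}

# Offline demo on the constructed sample. On a real DC you would instead run:
#   samba-tool drs showrepl | missing_dns_partitions "DC=mydomain,DC=local"
printf '%s\n' "$SAMPLE_SHOWREPL" | replicate_commands "DC=mydomain,DC=local" DC2 DC1
```

The helper only prints the replicate commands rather than executing them, so it can be run on any DC as a read-only check; a one-off `samba-tool drs replicate` proves the partition can be pulled, but, as Daniele's observation about the partitions disappearing from showrepl after a restart suggests, it is the presence of the DNS naming contexts in showrepl after a restart, not the forced pull, that shows ongoing replication is actually configured.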


