redundant DNS setup with bind_dlz possible ?

Justin Foreman jforeman at dignitastech.com
Thu Apr 12 21:44:08 MDT 2012 

On 04/12/2012 09:08 PM, Amitay Isaacs wrote:
> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster<aoster at novanetwork.de>  wrote:
>>
>>
>> Am 12.04.2012 16:32, schrieb Daniele Dario:
>>
>>> Hi Andreas,
>>>
>>> On
>> Thu, 2012-04-12 at 16:25 +0200, Daniele Dario wrote:
>>>
>>>> On Thu,
>> 2012-04-12 at 15:22 +0200, Andreas Oster wrote: ...
>>>>
>>>>> Hello
>> Daniele, I have now set up a second DC and joined it to AD. I have seen
>> that replication of ForestDnsZones and DomainDnsZones in
>> private/sam.ldb.d is working, but I am missing the private/dns part.
>> samba_upgradedns gave the same error as Justin has observed. best
>> regards Andreas
>>>> Hallo Andreas, for me (I've just demoted the
>> secondary DC and than reinstalled and re-joined it to the domain) I
>> don't see DNS zones in private/sam.ldb.d. I guess that for you,
>> samba-tool drs showrepl shows also the DNS zones in the INBOUND and
>> OUTBOUND NEIGHBORS isn't it? Daniele.
>>>
>>> After trying to run
>> samba_upgradedns, even if zones were not replicated,
>>> I've seen that
>> DNS zones appeared on sam.ldb.d.
>>>
>>> Can you confirm that the DNS
>> partitions are currently replicated (drs
>>> showrepl should show them)?
>>>
>>
>>> Thanks,
>>> Daniele.
>>
>> Hello Daniele,
>>
>> yes I can confirm, that I see
>> inbound replication on second DC for ForestDnsZones and DomainDnsZones
>> coming from first DC. I do see any sign of either inbound or outbound
>> replication on the first DC though.
>>
>> best regards
>>
>> Andreas
>
> Hi Andreas/Daniele,
>
> samba_upgradedns was designed mainly to upgrade old provisions using
> BIND9 flat files to using AD based DNS. As a side effect, the script
> can be also be used to "fix" the dns provision after "samba-tool
> join". However there are few requisites for this to work. If you are
> using samba_upgradedns script to "fix" the provision on second DC,
> make sure of the following:
>
> 1. Do not run samba_upgradedns immediately after join. It won't work,
> since samba_upgradedns may create new entries and on a fresh join,
> there are no RIDs allocated to second DC, so no new entries cannot be
> created.
>
> 2. Run first and second DCs, and make sure they replicate DNS
> partitions. One trick is to restart second DC after it has done
> initial replication. On the first replication, DNS partitions are
> created and on the second replication (after restart) the DNS
> partitions should get replicated. You should be able to query DNS
> records on second DC using samba-tool dns after the replication.
>
> 3. Now run samba_upgradedns script. It will detect that the partitions
> exist and will not attempt to create them, but only create private/dns
> directory with a copy of samdb to be used with BIND.
>
> The script sometimes is failing with LDB "Operations Error". I haven't
> had a chance to look at that. If you notice it again, let me know your
> set up. I will try to re-create the set up to debug this error.
>
> Amitay.

Amitay,

I followed your guidance but am still hitting the LDB Operations Error 
on the last step. One thing of note -- on the second DC, the private/dns 
folder doesn't exist for BIND to access via DLZ, so how would the 
samba-tool dns command return anything useful, as BIND can't yet run on 
the second DC? Here's the output of my queries with samba-tool dns:

Success for a host lookup on ds1:
root at ds1:~# samba-tool dns query ds1 us.dignitastech.com ds1 A 
-UadministratorPassword for [DIGNITAS\administrator]:
   Name=, Records=1, Children=0
     A: 10.0.21.100 (flags=f0, serial=1, ttl=900)

Failure on ds2:
root at ds1:~# samba-tool dns query ds2 us.dignitastech.com ds1 A 
-Uadministrator
Password for [DIGNITAS\administrator]:
ERROR(runtime): uncaught exception - (9714, 
'WERR_DNS_ERROR_NAME_DOES_NOT_EXIST')
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 160, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 
967, in run
     None)

Here's the result of the samba_upgradedns after a few restarts of the 
samba daemon on the second DC:
root at ds2:/usr/local/samba/private# samba_upgradedns
Reading domain information
Looking up IPv4 addresses
Looking up IPv6 addresses
DNS accounts already exist
No zone file /usr/local/samba/private/dns/us.dignitastech.com.zone
DNS records will be automatically created
Creating DNS partitions
Populating DNS partitions
Traceback (most recent call last):
   File "/usr/local/samba/sbin/samba_upgradedns", line 406, in <module>
     "msDS-hasMasterNCs")
_ldb.LdbError: (1, 'Operations error')

I'm running 4.0.0alpha20-GIT-81d1749 on two 64-bit Ubuntu 12.04 servers. 
Configured with configure.developer.
gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu3)
Python 2.7.3rc2

Let me know if you require more debug info.

DNS replication is my last hurdle from being one of those "brave" sites 
to run Samba4 domain controllers in production. Looking forward to it!

-- 
Justin Foreman

More information about the samba-technical mailing list