redundant DNS setup with bind_dlz possible ?

Amitay Isaacs amitay at gmail.com
Thu Apr 12 22:29:38 MDT 2012


On Fri, Apr 13, 2012 at 1:44 PM, Justin Foreman
<jforeman at dignitastech.com> wrote:
> On 04/12/2012 09:08 PM, Amitay Isaacs wrote:
>>
>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster<aoster at novanetwork.de>
>>  wrote:
>>>
>>>
>>>
>>> On 12.04.2012 16:32, Daniele Dario wrote:
>>>> Hi Andreas,
>>>>
>>>> On Thu, 2012-04-12 at 16:25 +0200, Daniele Dario wrote:
>>>>> On Thu, 2012-04-12 at 15:22 +0200, Andreas Oster wrote: ...
>>>>>> Hello Daniele, I have now set up a second DC and joined it to AD. I have
>>>>>> seen that replication of ForestDnsZones and DomainDnsZones in
>>>>>> private/sam.ldb.d is working, but I am missing the private/dns part.
>>>>>> samba_upgradedns gave the same error as Justin has observed.
>>>>>> best regards
>>>>>> Andreas
>>>>>
>>>>> Hello Andreas, for me (I've just demoted the secondary DC and then
>>>>> reinstalled and re-joined it to the domain) I don't see DNS zones in
>>>>> private/sam.ldb.d. I guess that for you, samba-tool drs showrepl shows
>>>>> also the DNS zones in the INBOUND and OUTBOUND NEIGHBORS, isn't it?
>>>>> Daniele.
>>>>
>>>> After trying to run samba_upgradedns, even if zones were not replicated,
>>>> I've seen that DNS zones appeared on sam.ldb.d.
>>>>
>>>> Can you confirm that the DNS partitions are currently replicated (drs
>>>> showrepl should show them)?
>>>>
>>>> Thanks,
>>>> Daniele.
>>>
>>>
>>> Hello Daniele,
>>>
>>> yes I can confirm, that I see
>>> inbound replication on second DC for ForestDnsZones and DomainDnsZones
>>> coming from first DC. I do see any sign of either inbound or outbound
>>> replication on the first DC though.
>>>
>>> best regards
>>>
>>> Andreas
>>
>>
>> Hi Andreas/Daniele,
>>
>> samba_upgradedns was designed mainly to upgrade old provisions using
>> BIND9 flat files to using AD based DNS. As a side effect, the script
>> can also be used to "fix" the dns provision after "samba-tool
>> join". However, there are a few prerequisites for this to work. If you are
>> using the samba_upgradedns script to "fix" the provision on the second DC,
>> make sure of the following:
>>
>> 1. Do not run samba_upgradedns immediately after join. It won't work,
>> since samba_upgradedns may create new entries and on a fresh join,
>> there are no RIDs allocated to the second DC, so no new entries can be
>> created.
>>
>> 2. Run first and second DCs, and make sure they replicate DNS
>> partitions. One trick is to restart second DC after it has done
>> initial replication. On the first replication, DNS partitions are
>> created and on the second replication (after restart) the DNS
>> partitions should get replicated. You should be able to query DNS
>> records on second DC using samba-tool dns after the replication.
>>
>> 3. Now run samba_upgradedns script. It will detect that the partitions
>> exist and will not attempt to create them, but only create private/dns
>> directory with a copy of samdb to be used with BIND.
>>
>> The script sometimes fails with LDB "Operations Error". I haven't
>> had a chance to look at that. If you notice it again, let me know your
>> set up. I will try to re-create the set up to debug this error.
>>
>> Amitay.
>
>
> Amitay,
>
> I followed your guidance but am still hitting the LDB Operations Error on
> the last step. One thing of note -- on the second DC, the private/dns folder
> doesn't exist for BIND to access via DLZ, so how would the samba-tool dns
> command return anything useful, as BIND can't yet run on the second DC?
> Here's the output of my queries with samba-tool dns:

The samba-tool dns command uses the RPC interface and does not use the DNS
protocol. So if the partitions are replicated, you should be able to
query DNS records.

>
> Success for a host lookup on ds1:
> root at ds1:~# samba-tool dns query ds1 us.dignitastech.com ds1 A
> -Uadministrator
> Password for [DIGNITAS\administrator]:
>  Name=, Records=1, Children=0
>    A: 10.0.21.100 (flags=f0, serial=1, ttl=900)
>
> Failure on ds2:
> root at ds1:~# samba-tool dns query ds2 us.dignitastech.com ds1 A
> -Uadministrator
> Password for [DIGNITAS\administrator]:
> ERROR(runtime): uncaught exception - (9714,
> 'WERR_DNS_ERROR_NAME_DOES_NOT_EXIST')
>  File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 160, in _run
>    return self.run(*args, **kwargs)
>  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py",
> line 967, in run
>    None)

This just means that the name you are querying does not exist, which
is explained if the DNS partitions have not been replicated. An alternate
way to search for DNS zone records is

ldbsearch -H /path/to/sam.ldb -b
"DC=DomainDnsZones,DC=us,DC=dignitastech,DC=com"
"(objectClass=dnsZone)"

If it returns the dns zones, then the DNS information has been
replicated from DC1. You can also use "(objectClass=dnsNode)" to
search for actual DNS records.

> Here's the result of the samba_upgradedns after a few restarts of the samba
> daemon on the second DC:
> root at ds2:/usr/local/samba/private# samba_upgradedns
>
> Reading domain information
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> DNS accounts already exist
> No zone file /usr/local/samba/private/dns/us.dignitastech.com.zone
> DNS records will be automatically created
> Creating DNS partitions
> Populating DNS partitions
> Traceback (most recent call last):
>  File "/usr/local/samba/sbin/samba_upgradedns", line 406, in <module>
>    "msDS-hasMasterNCs")
> _ldb.LdbError: (1, 'Operations error')
>
> I'm running 4.0.0alpha20-GIT-81d1749 on two 64-bit Ubuntu 12.04 servers.
> Configured with configure.developer.
> gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu3)
> Python 2.7.3rc2
>
> Let me know if you require more debug info.

I would not run samba_upgradedns until I know that the DNS partitions have
replicated. As you can see from the output of samba_upgradedns, it is
creating and populating DNS partitions, which is clearly wrong. This
might put the sam database in a "bad" state from which it might not
recover.

> DNS replication is my last hurdle from being one of those "brave" sites to
> run Samba4 domain controllers in production. Looking forward to it!

Before running BIND on the second DC (dc2), try enabling the internal DNS
server (services = +dns). This requires the least amount of setup. As
soon as your DNS partitions get replicated, this should start working.
Once you confirm that this is working, then you can run
samba_upgradedns to create the private/dns directory for BIND use. Please
make sure that you are using only one DNS server on dc2, i.e. either
enable Samba's internal DNS server or use BIND. Do not try to start
both of them at the same time; that will not work.

Amitay.
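The advice in this thread boils down to one rule: do not let samba_upgradedns "create and populate" DNS partitions on a joined DC; first prove, with ldbsearch against the local sam.ldb, that DomainDnsZones and ForestDnsZones already hold dnsZone and dnsNode objects replicated from the first DC. The pre-flight script below is an added example, not code from the Samba project or from anyone in this thread. It wraps the ldbsearch form Amitay gives, checks both application partitions, and refuses to give the go-ahead when either is still empty. The Samba prefix (/usr/local/samba), the domain name us.dignitastech.com and the sample LDIF are assumptions or constructed data, not output captured from the posters' machines.

```shell
#!/bin/sh
# Pre-flight check to run on the second DC before samba_upgradedns.
# Added example; not part of the samba project. Paths and domain are assumptions.
set -u

PRIVATE_DIR="${PRIVATE_DIR:-/usr/local/samba/private}"   # assumption: default prefix
SAM_LDB="$PRIVATE_DIR/sam.ldb"

# us.dignitastech.com -> DC=us,DC=dignitastech,DC=com
domain_to_dn() {
    printf 'DC=%s\n' "$1" | sed 's/\./,DC=/g'
}

# Read LDIF (ldbsearch output) on stdin; print how many objects carry
# objectClass $1. grep -c prints 0 but exits 1 on no match, hence "|| true".
count_objects() {
    grep -c "^objectClass: $1" || true
}

# Read LDIF on stdin; print the zone name held in each dnsZone dn
# (DC=<zone>,CN=MicrosoftDNS,...). Record dns (DC=<name>,DC=<zone>,...) do not match.
zone_names() {
    sed -n 's/^dn: DC=\([^,]*\),CN=MicrosoftDNS,.*/\1/p'
}

# A partition counts as replicated only if it holds a zone AND at least one record:
# a zone object with no dnsNode children is what a half-finished join looks like.
partition_ok() {
    [ "$1" -gt 0 ] && [ "$2" -gt 0 ]
}

# Query one DNS application partition in the local sam.ldb (the ldbsearch form
# from the thread) and print "<zones> <nodes>".
query_partition() {
    base="DC=$1,$(domain_to_dn "$2")"
    ldif=$(ldbsearch -H "$SAM_LDB" -b "$base" \
        '(|(objectClass=dnsZone)(objectClass=dnsNode))' objectClass 2>/dev/null || true)
    zones=$(printf '%s\n' "$ldif" | count_objects dnsZone)
    nodes=$(printf '%s\n' "$ldif" | count_objects dnsNode)
    printf '%s %s\n' "$zones" "$nodes"
}

# Constructed sample of what ldbsearch prints for a replicated DomainDnsZones
# partition (one zone, two records); used to exercise the parsing helpers offline.
SAMPLE_LDIF='dn: DC=us.dignitastech.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=us,DC=dignitastech,DC=com
objectClass: top
objectClass: dnsZone

dn: DC=ds1,DC=us.dignitastech.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=us,DC=dignitastech,DC=com
objectClass: top
objectClass: dnsNode

dn: DC=@,DC=us.dignitastech.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=us,DC=dignitastech,DC=com
objectClass: top
objectClass: dnsNode
'

# Usage on the second DC:  sh preflight.sh us.dignitastech.com
# Exits 0 only when both partitions look replicated.
if [ $# -eq 1 ] && command -v ldbsearch >/dev/null 2>&1; then
    domain=$1
    if [ -e "$PRIVATE_DIR/dns" ]; then
        echo "note: $PRIVATE_DIR/dns already exists; samba_upgradedns has run here before" >&2
    fi
    rc=0
    for part in DomainDnsZones ForestDnsZones; do
        set -- $(query_partition "$part" "$domain")
        if partition_ok "$1" "$2"; then
            echo "$part: $1 zone(s), $2 record(s): replicated"
        else
            echo "$part: $1 zone(s), $2 record(s): NOT replicated, do not run samba_upgradedns yet" >&2
            rc=1
        fi
    done
    exit $rc
fi
```

Run it as root on dc2 after the restart-and-wait step; only when both partitions report "replicated" (and samba-tool dns query against dc2 returns the records) is it safe to run samba_upgradedns, which should then print only the private/dns creation and not "Creating DNS partitions".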

