redundant DNS setup with bind_dlz possible?

Andreas Oster aoster at novanetwork.de
Fri Apr 13 00:57:16 MDT 2012


On 13.04.2012 08:09, Andreas Oster wrote:
> On 13.04.2012 03:08, Amitay Isaacs wrote:
>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
>>>
>>> On 12.04.2012 16:32, Daniele Dario wrote:
>>>
>>>> Hi Andreas,
>>>>
>>>> On Thu, 2012-04-12 at 16:25 +0200, Daniele Dario wrote:
>>>>> On Thu, 2012-04-12 at 15:22 +0200, Andreas Oster wrote: ...
>>>>>> Hello Daniele, I have now set up a second DC and joined it to AD. I have seen
>>>>>> that replication of ForestDnsZones and DomainDnsZones in
>>>>>> private/sam.ldb.d is working, but I am missing the private/dns part.
>>>>>> samba_upgradedns gave the same error as Justin has observed. best
>>>>>> regards Andreas
>>>>> Hello Andreas, for me (I've just demoted the
>>>>> secondary DC and then reinstalled and re-joined it to the domain) I
>>>>> don't see DNS zones in private/sam.ldb.d. I guess that for you,
>>>>> samba-tool drs showrepl shows also the DNS zones in the INBOUND and
>>>>> OUTBOUND NEIGHBORS, isn't it? Daniele.
>>>> After trying to run samba_upgradedns, even if zones were not replicated,
>>>> I've seen that DNS zones appeared on sam.ldb.d.
>>>> Can you confirm that the DNS partitions are currently replicated (drs
>>>> showrepl should show them)?
>>>>
>>>> Thanks,
>>>> Daniele.
>>> Hello Daniele,
>>>
>>> yes I can confirm, that I see
>>> inbound replication on second DC for ForestDnsZones and DomainDnsZones
>>> coming from first DC. I do see any sign of either inbound or outbound
>>> replication on the first DC though.
>>>
>>> best regards
>>>
>>> Andreas
>> Hi Andreas/Daniele,
>>
>> samba_upgradedns was designed mainly to upgrade old provisions using
>> BIND9 flat files to using AD based DNS. As a side effect, the script
>> can also be used to "fix" the dns provision after "samba-tool
>> join". However there are a few requisites for this to work. If you are
>> using the samba_upgradedns script to "fix" the provision on the second DC,
>> make sure of the following:
>>
>> 1. Do not run samba_upgradedns immediately after join. It won't work,
>> since samba_upgradedns may create new entries and on a fresh join,
>> there are no RIDs allocated to the second DC, so no new entries can be
>> created.
>>
>> 2. Run first and second DCs, and make sure they replicate DNS
>> partitions. One trick is to restart second DC after it has done
>> initial replication. On the first replication, DNS partitions are
>> created and on the second replication (after restart) the DNS
>> partitions should get replicated. You should be able to query DNS
>> records on second DC using samba-tool dns after the replication.
>>
>> 3. Now run samba_upgradedns script. It will detect that the partitions
>> exist and will not attempt to create them, but only create private/dns
>> directory with a copy of samdb to be used with BIND.
>>
>> The script is sometimes failing with LDB "Operations Error". I haven't
>> had a chance to look at that. If you notice it again, let me know your
>> set up. I will try to re-create the set up to debug this error.
>>
>> Amitay.
> 
> Hello Amitay,
> 
> thank you for this information, I will demote my second DC and start again
> from scratch with your tips.
> 
> Thank you for your kind help.
> 
> best regards
> 
> Andreas
> 
Hello all,

I have just tried to demote the second DC but got the following error:

INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=fe80::20c:29ff:feee:d7be%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.2.1.5 bcast=10.2.1.255 netmask=255.255.255.0
added interface eth0 ip=fe80::20c:29ff:feee:d7be%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.2.1.5 bcast=10.2.1.255 netmask=255.255.255.0
Security token SIDs (1):
  SID[  0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
  Privilege[  0]: SeMachineAccountPrivilege
  Privilege[  1]: SeTakeOwnershipPrivilege
  Privilege[  2]: SeBackupPrivilege
  Privilege[  3]: SeRestorePrivilege
  Privilege[  4]: SeRemoteShutdownPrivilege
  Privilege[  5]: SePrintOperatorPrivilege
  Privilege[  6]: SeAddUsersPrivilege
  Privilege[  7]: SeDiskOperatorPrivilege
  Privilege[  8]: SeSecurityPrivilege
  Privilege[  9]: SeSystemtimePrivilege
  Privilege[ 10]: SeShutdownPrivilege
  Privilege[ 11]: SeDebugPrivilege
  Privilege[ 12]: SeSystemEnvironmentPrivilege
  Privilege[ 13]: SeSystemProfilePrivilege
  Privilege[ 14]: SeProfileSingleProcessPrivilege
  Privilege[ 15]: SeIncreaseBasePriorityPrivilege
  Privilege[ 16]: SeLoadDriverPrivilege
  Privilege[ 17]: SeCreatePagefilePrivilege
  Privilege[ 18]: SeIncreaseQuotaPrivilege
  Privilege[ 19]: SeChangeNotifyPrivilege
  Privilege[ 20]: SeUndockPrivilege
  Privilege[ 21]: SeManageVolumePrivilege
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x               0):
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[no] updates allowed[no]
ERROR: Current DC is still the owner of %d role(s), use the role command
to transfer roles to another DC

I have checked the roles and none of them is assigned to the second DC

What could be the problem?

Thank you for the kind help

best regards

Andreas
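The two conditions this thread turns on, that both DNS partitions show up under INBOUND NEIGHBORS in `samba-tool drs showrepl` before `samba_upgradedns` is run (Amitay's step 2), and that the DC being demoted owns no FSMO role (the "still the owner of %d role(s)" refusal above, whose count is printed unformatted), can be checked from a shell before either command is attempted. The script below is an added example, not part of this thread or of Samba itself. It parses the output of the real commands `samba-tool drs showrepl` and `samba-tool fsmo show`; the sample outputs embedded in it are constructed, the exact output layout is an assumption, and the use of `hostname -s` as the DC name is also an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): pre-flight checks
# for a second DC before running "samba_upgradedns" or "samba-tool domain demote".
# Parses "samba-tool drs showrepl" and "samba-tool fsmo show". The sample
# outputs below are CONSTRUCTED; the layout is an assumption, adjust the
# patterns if your Samba version prints differently.

# Constructed sample: both DNS partitions replicate inbound from DC1, only the
# domain partition is replicated outbound so far.
SAMPLE_SHOWREPL='Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 22222222-2222-2222-2222-222222222222

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Fri Apr 13 00:00:00 2012 MDT was successful
        0 consecutive failure(s).

DC=DomainDnsZones,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Fri Apr 13 00:00:00 2012 MDT was successful
        0 consecutive failure(s).

DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Fri Apr 13 00:00:00 2012 MDT was successful
        0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Fri Apr 13 00:00:00 2012 MDT was successful
        0 consecutive failure(s).

==== KCC CONNECTION OBJECTS ====
'

# Constructed sample: all five FSMO roles are held by DC1.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'

# section_of OUTPUT INBOUND|OUTBOUND -> prints only that neighbor section
# (everything after its "====" header up to the next "====" header).
section_of() {
    printf '%s\n' "$1" | awk -v want="==== $2 NEIGHBORS ====" '
        /^==== / { inside = ($0 == want); next }
        inside { print }'
}

# dns_partitions_replicated OUTPUT INBOUND|OUTBOUND
# Exit 0 only when ForestDnsZones and DomainDnsZones both appear as
# replicated naming contexts in that section.
dns_partitions_replicated() {
    sec=$(section_of "$1" "$2")
    printf '%s\n' "$sec" | grep -q '^DC=ForestDnsZones,' || return 1
    printf '%s\n' "$sec" | grep -q '^DC=DomainDnsZones,' || return 1
    return 0
}

# roles_owned_by FSMO_OUTPUT DCNAME -> prints how many roles name that DC as owner.
roles_owned_by() {
    printf '%s\n' "$1" | grep -c "owner: .*,CN=$2,CN=Servers," || true
}

# preflight SHOWREPL_OUTPUT FSMO_OUTPUT DCNAME -> exit 0 when both checks pass.
preflight() {
    ok=0
    if dns_partitions_replicated "$1" INBOUND; then
        echo "ok: ForestDnsZones and DomainDnsZones replicate inbound"
    else
        echo "NOT READY: DNS partitions missing from inbound replication; restart the DC and re-check"
        ok=1
    fi
    n=$(roles_owned_by "$2" "$3")
    if [ "$n" -eq 0 ]; then
        echo "ok: $3 owns no FSMO roles"
    else
        echo "NOT READY: $3 still owns $n FSMO role(s); move them with 'samba-tool fsmo transfer' first"
        ok=1
    fi
    return $ok
}

if command -v samba-tool >/dev/null 2>&1; then
    # Live run on a real DC (assumption: short host name equals the DC name).
    preflight "$(samba-tool drs showrepl)" "$(samba-tool fsmo show)" "$(hostname -s)"
else
    # No Samba on this host: demonstrate on the constructed samples.
    preflight "$SAMPLE_SHOWREPL" "$SAMPLE_FSMO" DC2
fi
```

Run it on the second DC as a user that can read sam.ldb; a non-zero exit means at least one of the two preconditions from the thread is not yet met, and the message says which one.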



More information about the samba-technical mailing list