redundant DNS setup with bind_dlz possible?

Daniele Dario d.dario76 at gmail.com
Fri Apr 13 00:58:03 MDT 2012


Hi Andreas and Amitay,

On Fri, 2012-04-13 at 08:09 +0200, Andreas Oster wrote:
> Am 13.04.2012 03:08, schrieb Amitay Isaacs:
> > On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
> >>
> >> Am 12.04.2012 16:32, schrieb Daniele Dario:
> >>
> >>> Hi Andreas,
> >>>
> >>> On Thu, 2012-04-12 at 16:25 +0200, Daniele Dario wrote:
> >>>> On Thu, 2012-04-12 at 15:22 +0200, Andreas Oster wrote:
> >>>> ...
> >>>>> Hello Daniele, I have now set up a second DC and joined it to AD. I
> >>>>> have seen that replication of ForestDnsZones and DomainDnsZones in
> >>>>> private/sam.ldb.d is working, but I am missing the private/dns part.
> >>>>> samba_upgradedns gave the same error as Justin has observed.
> >>>>> best regards
> >>>>> Andreas
> >>>> Hallo Andreas, for me (I've just demoted the secondary DC and then
> >>>> reinstalled and re-joined it to the domain) I don't see DNS zones in
> >>>> private/sam.ldb.d. I guess that for you, samba-tool drs showrepl
> >>>> shows also the DNS zones in the INBOUND and OUTBOUND NEIGHBORS, isn't
> >>>> it?
> >>>> Daniele.
> >>> After trying to run samba_upgradedns, even if zones were not
> >>> replicated, I've seen that DNS zones appeared on sam.ldb.d.
> >>> Can you confirm that the DNS partitions are currently replicated (drs
> >>> showrepl should show them)?
> >>>
> >>> Thanks,
> >>> Daniele.
> >> Hello Daniele,
> >>
> >> yes I can confirm that I see
> >> inbound replication on second DC for ForestDnsZones and DomainDnsZones
> >> coming from first DC. I do see any sign of either inbound or outbound
> >> replication on the first DC though.
> >>
> >> best regards
> >>
> >> Andreas
> > Hi Andreas/Daniele,
> >
> > samba_upgradedns was designed mainly to upgrade old provisions using
> > BIND9 flat files to using AD based DNS. As a side effect, the script
> > can also be used to "fix" the dns provision after "samba-tool
> > join". However there are a few requisites for this to work. If you are
> > using the samba_upgradedns script to "fix" the provision on the second DC,
> > make sure of the following:
> >
> > 1. Do not run samba_upgradedns immediately after join. It won't work,
> > since samba_upgradedns may create new entries and on a fresh join,
> > there are no RIDs allocated to the second DC, so no new entries can be
> > created.
> >
> > 2. Run first and second DCs, and make sure they replicate DNS
> > partitions. One trick is to restart second DC after it has done
> > initial replication. On the first replication, DNS partitions are
> > created and on the second replication (after restart) the DNS
> > partitions should get replicated. You should be able to query DNS
> > records on second DC using samba-tool dns after the replication.
> >
> > 3. Now run samba_upgradedns script. It will detect that the partitions
> > exist and will not attempt to create them, but only create private/dns
> > directory with a copy of samdb to be used with BIND.
> >
> > The script sometimes fails with LDB "Operations Error". I haven't
> > had a chance to look at that. If you notice it again, let me know your
> > set up. I will try to re-create the set up to debug this error.
> >
> > Amitay.
> 
> Hello Amitay,
> 
> thank you for this information, I will demote my second DC and start again
> from scratch with your tips.
> 
> Thank you for your kind help.
> 
> best regards
> 
> Andreas
> 

I demoted my secondary DC yesterday, before Amitay's tips, so I fired
samba_upgradedns before the second restart of the DC.

Now it seems that something happened, because samba-tool dns query on the
secondary DC works even if replication has errors on the DNS zones (the
others are OK):

[root at kdc02:~]# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:kdc02.saitelitalia.local[,seal]
Default-First-Site-Name\KDC02
DSA Options: 0x00000001
DSA object GUID: fc65c73a-90f6-450b-8dee-38eb890e6b69
DSA invocationId: 256ce256-9efb-4b10-8214-add01ed17d92

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=saitelitalia,DC=local
	Default-First-Site-Name\KDC01 via RPC
		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
		Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)
		188 consecutive failure(s).
		Last success @ NTTIME(0)

DC=DomainDnsZones,DC=saitelitalia,DC=local
	Default-First-Site-Name\KDC01 via RPC
		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
		Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)
		188 consecutive failure(s).
		Last success @ NTTIME(0)
...

If I try to demote secondary DC now I find this issue:

[root at kdc02:~]# samba-tool domain demote -U administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
ERROR: Current DC is still the owner of %d role(s), use the role command
to transfer roles to another DC

How can I transfer roles? Should I use samba-tool fsmo transfer?

[root at kdc02:~]# samba-tool fsmo show
ldb_wrap open of secrets.ldb
InfrastructureMasterRole owner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
SchemaMasterRole owner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local

so it seems that the owner is the primary DC (kdc01), isn't it?

Thanks,
Daniele.
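As an added example (not code from this thread or from Samba itself), here is a small Python parser for the two outputs quoted in the message above: it turns `samba-tool drs showrepl` into per-partition neighbour records and flags links that are failing or have never replicated (the `NTTIME(0)` last-success case), and it reads `samba-tool fsmo show` to list which roles a given DC still holds, which is exactly what `samba-tool domain demote` complains about. The sample strings are the outputs pasted in the thread, constructed here as test input, including one wrapped continuation line of the kind a mail client inserts, so the parser also shows how to rejoin it. The function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `samba-tool drs showrepl` output quoted in this
# message, trimmed to its two DNS partitions. The "(WERR_...)" line is the
# wrapped continuation a mail client produced; the parser rejoins it.
SHOWREPL_SAMPLE = """\
==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=saitelitalia,DC=local
    Default-First-Site-Name\\KDC01 via RPC
        Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
(WERR_DS_DRA_INTERNAL_ERROR)
        188 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=saitelitalia,DC=local
    Default-First-Site-Name\\KDC01 via RPC
        Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
(WERR_DS_DRA_INTERNAL_ERROR)
        188 consecutive failure(s).
        Last success @ NTTIME(0)
"""

# Constructed sample: the `samba-tool fsmo show` output quoted above, with
# each owner DN wrapped onto a second line as it appears in the mail.
FSMO_SAMPLE = """\
ldb_wrap open of secrets.ldb
InfrastructureMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
RidAllocationMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
SchemaMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
"""


@dataclass
class Neighbor:
    direction: str        # INBOUND or OUTBOUND
    partition: str        # naming context DN
    peer: str             # site\server of the replication partner
    transport: str        # RPC, SMTP, ...
    result: int = 0       # WERR code of the last attempt, 0 means success
    error: str = ""       # symbolic WERR_* name when one is printed
    failures: int = 0     # consecutive failure count
    last_success: str = ""   # "NTTIME(0)": this link has never succeeded


def parse_showrepl(text):
    """Turn showrepl output into Neighbor records, one per partition/peer."""
    neighbors, direction, partition, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"==== (INBOUND|OUTBOUND) NEIGHBORS ====$", line):
            direction, partition, cur = m.group(1), None, None
        elif direction is None or not line:
            continue                      # header noise before any section
        elif line.startswith(("DC=", "CN=")):
            partition, cur = line, None   # a new naming context
        elif (m := re.match(r"(\S+) via (\S+)$", line)) and partition:
            cur = Neighbor(direction, partition, m.group(1), m.group(2))
            neighbors.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"Last attempt @ .* failed, result (\d+)(?: \((\w+)\))?$", line):
            cur.result, cur.error = int(m.group(1)), m.group(2) or ""
        elif m := re.match(r"\((WERR_\w+)\)$", line):   # wrapped continuation
            cur.error = m.group(1)
        elif m := re.match(r"(\d+) consecutive failure", line):
            cur.failures = int(m.group(1))
        elif m := re.match(r"Last success @ (.*)$", line):
            cur.last_success = m.group(1)
    return neighbors


def failing_neighbors(neighbors):
    """Links that are currently failing or have never replicated at all."""
    return [n for n in neighbors
            if n.result or n.failures or n.last_success == "NTTIME(0)"]


def parse_fsmo(text):
    """Return {role: owning server} from `samba-tool fsmo show` output,
    rejoining owner DNs that were wrapped across lines."""
    entries = []
    for line in text.splitlines():
        if " owner: " in line:
            entries.append(line.strip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    roles = {}
    for entry in entries:
        role, _, dn = entry.partition(" owner: ")
        m = re.search(r"CN=NTDS Settings,CN=([^,]+),CN=Servers", dn)
        roles[role] = m.group(1) if m else dn
    return roles


def roles_owned_by(roles, server):
    """Roles a DC must transfer before `samba-tool domain demote` can run."""
    return sorted(r for r, s in roles.items() if s.lower() == server.lower())
```

Calling `failing_neighbors(parse_showrepl(SHOWREPL_SAMPLE))` on the sample returns both DNS partition links, each with 188 failures, result 8442 and no success ever; `roles_owned_by(parse_fsmo(FSMO_SAMPLE), "KDC02")` returns an empty list, i.e. every role is held by KDC01. Feeding the functions live output (`subprocess.run(["samba-tool", "drs", "showrepl"], ...)`) makes this a cheap replication-health and pre-demote check for a monitoring job.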
