redundant DNS setup with bind_dlz possible ?

Justin Foreman jforeman at dignitastech.com
Fri Apr 13 07:50:18 MDT 2012


On Friday, April 13, 2012, Amitay Isaacs wrote:

> On Fri, Apr 13, 2012 at 1:44 PM, Justin Foreman
> <jforeman at dignitastech.com> wrote:
> > On 04/12/2012 09:08 PM, Amitay Isaacs wrote:
> >>
> >> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de>
> >> wrote:
> >>>
> >>> On 12.04.2012 16:32, Daniele Dario wrote:
> >>>
> >>>> Hi Andreas,
> >>>>
> >>>> On Thu, 2012-04-12 at 16:25 +0200, Daniele Dario wrote:
> >>>>
> >>>>> On Thu, 2012-04-12 at 15:22 +0200, Andreas Oster wrote: ...
> >>>>>
> >>>>>> Hello Daniele, I have now set up a second DC and joined it to AD. I
> >>>>>> have seen that replication of ForestDnsZones and DomainDnsZones in
> >>>>>> private/sam.ldb.d is working, but I am missing the private/dns part.
> >>>>>> samba_upgradedns gave the same error as Justin has observed. best
> >>>>>> regards Andreas
> >>>>>
> >>>>> Hello Andreas, for me (I've just demoted the secondary DC and then
> >>>>> reinstalled and re-joined it to the domain) I don't see DNS zones in
> >>>>> private/sam.ldb.d. I guess that for you, samba-tool drs showrepl also
> >>>>> shows the DNS zones in the INBOUND and OUTBOUND NEIGHBORS, isn't it?
> >>>>> Daniele.
> >>>>
> >>>> After trying to run samba_upgradedns, even if zones were not
> >>>> replicated, I've seen that DNS zones appeared on sam.ldb.d.
> >>>>
> >>>> Can you confirm that the DNS partitions are currently replicated (drs
> >>>> showrepl should show them)?
> >>>>
> >>>> Thanks,
> >>>> Daniele.
> >>>
> >>> Hello Daniele,
> >>>
> >>> yes I can confirm, that I see inbound replication on second DC for
> >>> ForestDnsZones and DomainDnsZones coming from first DC. I do see any
> >>> sign of either inbound or outbound replication on the first DC though.
> >>>
> >>> best regards
> >>>
> >>> Andreas
> >>
> >>
> >> Hi Andreas/Daniele,
> >>
> >> samba_upgradedns was designed mainly to upgrade old provisions using
> >> BIND9 flat files to using AD based DNS. As a side effect, the script
> >> can also be used to "fix" the dns provision after "samba-tool
> >> join". However there are a few requisites for this to work. If you are
> >> using samba_upgradedns script to "fix" the provision on second DC,
> >> make sure of the following:
> >>
> >> 1. Do not run samba_upgradedns immediately after join. It won't work,
> >> since samba_upgradedns may create new entries and on a fresh join,
> >> there are no RIDs allocated to second DC, so no new entries can be
> >> created.
> >>
> >> 2. Run first and second DCs, and make sure they replicate DNS
> >> partitions. One trick is to restart second DC after it has done
> >> initial replication. On the first replication, DNS partitions are
> >> created and on the second replication (after restart) the DNS
> >> partitions should get replicated. You should be able to query DNS
> >> records on second DC using samba-tool dns after the replication.
> >>
> >> 3. Now run samba_upgradedns script. It will detect that the partitions
> >> exist and will not attempt to create them, but only create private/dns
> >> directory with a copy of samdb to be used with BIND.
> >>
> >> The script sometimes is failing with LDB "Operations Error". I haven't
> >> had a chance to look at that. If you notice it again, let me know your
> >> set up. I will try to re-create the set up to debug this error.
> >>
> >> Amitay.
> >
> >
> > Amitay,
> >
> > I followed your guidance but am still hitting the LDB Operations Error on
> > the last step. One thing of note -- on the second DC, the private
>
> samba-tool dns command uses RPC interface and does not use DNS
> protocol. So if the partitions are replicated, you should be able to
> query DNS records.
>
> >
> > Success for a host lookup on ds1:
> > root at ds1:~# samba-tool dns query ds1 us.dignitastech.com ds1 A -Uadministrator
> > Password for [DIGNITAS\administrator]:
> >  Name=, Records=1, Children=0
> >    A: 10.0.21.100 (flags=f0, serial=1, ttl=900)
> >
> > Failure on ds2:
> > root at ds1:~# samba-tool dns query ds2 us.dignitastech.com ds1 A
> > -Uadministrator
> > Password for [DIGNITAS\administrator]:
> > ERROR(runtime): uncaught exception - (9714,
> > 'WERR_DNS_ERROR_NAME_DOES_NOT_EXIST')
> >  File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 160, in _run
> >    return self.run(*args, **kwargs)
> >  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py",
> > line 967, in run
> >    None)
>
> This just means that the name you are querying does not exist, which
> is explained if the DNS partitions have not been replicated. An alternate
> way to search for dns zone records is
>
> ldbsearch -H /path/to/sam.ldb -b
> "DC=DomainDnsZones,DC=us,DC=dignitastech,DC=com"
> "(objectClass=dnsZone)"
>
> If it returns the dns zones, then the DNS information has been
> replicated from DC1. You can also use "(objectClass=dnsNode)" to
> search for actual DNS records.
>
> > Here's the result of the samba_upgradedns after a few restarts of the
> > samba daemon on the second DC:
> > root at ds2:/usr/local/samba/private# samba_upgradedns
> >
> > Reading domain information
> > Looking up IPv4 addresses
> > Looking up IPv6 addresses
> > DNS accounts already exist
> > No zone file /usr/local/samba/private/dns/us.dignitastech.com.zone
> > DNS records will be automatically created
> > Creating DNS partitions
> > Populating DNS partitions
> > Traceback (most recent call last):
> >  File "/usr/local/samba/sbin/samba_upgradedns", line 406, in <module>
> >    "msDS-hasMasterNCs")
> > _ldb.LdbError: (1, 'Operations error')
> >
> > I'm running 4.0.0alpha20-GIT-81d1749 on two 64-bit Ubuntu 12.04 servers.
> > Configured with configure.developer.
> > gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu3)
> > Python 2.7.3rc2
> >
> > Let me know if you require more debug info.
>
> I would not run samba_upgradedns, till I know that DNS partitions have
> replicated. As you can see from the output of samba_upgradedns, it is
> creating and populating DNS partitions which is clearly wrong. This
> might put the sam database in a "bad" state, from which it might not
> recover.
>
> > DNS replication is my last hurdle from being one of those "brave" sites
> > to run Samba4 domain controllers in production. Looking forward to it!
>
> Before running BIND on the second DC (dc2), try enabling internal DNS
> server (services = +dns). This requires the least amount of set up. As
> soon as your DNS partitions get replicated, this should start working.
> Once you confirm that this is working, then you can run
> samba_upgradedns to create private/dns directory for BIND use. Please
> make sure that you are using only one DNS server on dc2, i.e. either
> enable Samba's internal dns server or use BIND. Do not try to start
> both of them at the same time, that will not work.
>
> Amitay.
>

Great, this is some very valuable information. I had read that long-term,
using the internal DNS server would be the preferred method. Is it ready
for prime time?

--
Justin Foreman

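A pre-flight guard that wraps Amitay's three-step advice and his ldbsearch check, added here as an example and not code from the thread or from Samba: it counts dnsZone objects in both DNS application partitions and runs samba_upgradedns only when both have replicated, because the traceback above shows what happens when the script is run earlier and starts creating partitions itself. The sam.ldb path, the DC=us,DC=dignitastech,DC=com base DN and the embedded ldbsearch output are assumptions or constructed samples based on this thread.

```shell
#!/bin/sh
# Pre-flight guard for the procedure above (added example, not from the thread).
# SAMDB and DOMAIN_DN are assumed defaults and can be overridden by environment.
SAMDB="${SAMDB:-/usr/local/samba/private/sam.ldb}"
DOMAIN_DN="${DOMAIN_DN:-DC=us,DC=dignitastech,DC=com}"
# zone_count: count dnsZone objects in ldbsearch LDIF read from stdin. Each
# object starts with a "dn:" line; the "# returned N records" trailer is a comment.
zone_count() {
    grep -c '^dn: ' || true
}

# partition_zones PART: Amitay's ldbsearch against one application partition
# (DomainDnsZones or ForestDnsZones), reduced to a zone count.
partition_zones() {
    ldbsearch -H "$SAMDB" -b "DC=$1,$DOMAIN_DN" "(objectClass=dnsZone)" | zone_count
}

# replication_ready DOMAIN_COUNT FOREST_COUNT: succeeds only when both
# partitions already hold zones, i.e. DRS has replicated DNS data from DC1.
replication_ready() {
    [ "$1" -ge 1 ] && [ "$2" -ge 1 ]
}

# Constructed samples of ldbsearch output: a replicated DomainDnsZones
# partition (two zones) and a partition that has not replicated yet.
REPLICATED_LDIF='# record 1
dn: DC=us.dignitastech.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=us,DC=dignitastech,DC=com
objectClass: dnsZone

# record 2
dn: DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=us,DC=dignitastech,DC=com
objectClass: dnsZone

# returned 2 records'
EMPTY_LDIF='# returned 0 records'
# main: run samba_upgradedns only after both partitions have replicated; run
# earlier it creates the partitions itself and can leave sam.ldb unrecoverable.
main() {
    d=$(partition_zones DomainDnsZones)
    f=$(partition_zones ForestDnsZones)
    if replication_ready "$d" "$f"; then
        echo "DomainDnsZones=$d ForestDnsZones=$f: safe, running samba_upgradedns"
        samba_upgradedns
    else
        echo "DNS partitions not replicated yet (Domain=$d Forest=$f); restart samba and retry" >&2
        return 1
    fi
}
if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it as `sh guard.sh run` on the second DC; with no argument the functions are only defined so they can be sourced and exercised against captured ldbsearch output.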