redundant DNS setup with bind_dlz possible ?

Daniele Dario d.dario76 at gmail.com
Fri Apr 13 09:50:37 MDT 2012


On Fri, 2012-04-13 at 17:33 +0200, Andreas Oster wrote:
> Am 13.04.2012 14:22, schrieb Daniele Dario:
> > Hi Andreas,
> >
> > On Fri, 2012-04-13 at 14:07 +0200, Daniele Dario wrote:
> >> Hi Andreas,
> >>
> >> On Fri, 2012-04-13 at 12:34 +0200, Andreas Oster wrote:
> >>> Am 13.04.2012 08:58, schrieb Daniele Dario:
> >>>> Hi Andreas and Amitay,
> >>>>
> >>>> On Fri, 2012-04-13 at 08:09 +0200, Andreas Oster wrote:
> >>>>> Am 13.04.2012 03:08, schrieb Amitay Isaacs:
> >>>>>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
> >> ...
> >>> Hello Daniele,
> >>>
> >>> as you might have seen in my last post I have run into the same demoting
> >>> issue. Did you manage to demote your server in the meanwhile?
> >>>
> >>> best regards
> >>>
> >>> Andreas
> >>>
> >> I made a little change in
> >> samba/lib//python2.7/site-packages/samba/netcmd/domain.py to show how
> >> many roles are locking the demote operation (and which ones). My python
> >> knowledge is not so deep but the changes are on line 250 like:
> >>         if len(res) != 0:
> >> -            raise CommandError("Current DC is still the owner of %d
> >> role(s), use the role command to transfer roles to another DC"
> >> +           for foundRole in res:
> >>                 print foundRole.dn
> >>             raise CommandError("Current DC is still the owner of %d
> >> role(s), use the role command to transfer roles to another DC" %
> >> len(res))
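Review bot: the `-` line removes only the first line of the wrapped `raise CommandError(...)` statement and leaves its continuation `role(s), use the role command ...` as context, so the hunk as quoted would not apply; the same statement is then re-added unchanged three lines later, so the whole change reduces to inserting the `for` loop before the `raise`. On that loop, check the indentation: the `+` line sits one column shallower than the `raise` below it, and it has to be at the same depth as the `raise` with `print foundRole.dn` one level deeper, otherwise the `raise` lands inside the loop and only the first DN is ever reported. Consider putting the DNs into the error text rather than printing them first, e.g. `raise CommandError("Current DC is still the owner of %d role(s): %s" % (len(res), ", ".join(str(r.dn) for r in res)))`, so the diagnostic reaches anyone who catches CommandError and not only the terminal.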
> >>
> >> And it seems that the secondary DC is the owner of the DNS zones replication
> >>
> >> [root at kdc02:~/samba4/samba-master]# samba-tool domain demote -U
> >> administrator
> >> GENSEC backend 'gssapi_spnego' registered
> >> GENSEC backend 'gssapi_krb5' registered
> >> GENSEC backend 'gssapi_krb5_sasl' registered
> >> GENSEC backend 'schannel' registered
> >> GENSEC backend 'spnego' registered
> >> GENSEC backend 'ntlmssp' registered
> >> GENSEC backend 'krb5' registered
> >> GENSEC backend 'fake_gssapi_krb5' registered
> >> CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
> >> CN=Infrastructure,DC=ForestDnsZones,DC=saitelitalia,DC=local
> >> ERROR: Current DC is still the owner of 2 role(s), use the role command
> >> to transfer roles to another DC
> >>
> >> If instead of print foundRole.dn you use just foundRole it shows a very
> >> long message where you can find more things like
> >>
> >> 'fSMORoleOwner': MessageElement(['CN=NTDS
> >> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local'])
> >>
> >> At this point I think there is something wrong because samba-tool fsmo
> >> show doesn't show at all these two roles.
> >>
> >> Maybe we can just try to delete them using ldbdel ...?
> >>
> >> Daniele.
> >>
> > just a step forward:
> > in my case, ldbsearch tells me something strange.
> >
> > [root at kdc01:~]# ldbsearch -H /usr/local/samba/private/sam.ldb -b
> > "DC=DomainDnsZones,DC=saitelitalia,DC=local" "(name=Infrastructure)"
> > ...
> > # record 1
> > dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
> > objectClass: top
> > objectClass: infrastructureUpdate
> > cn: Infrastructure
> > instanceType: 4
> > whenCreated: 20111222201013.0Z
> > uSNCreated: 3624
> > showInAdvancedViewOnly: TRUE
> > name: Infrastructure
> > objectGUID: a81bd71a-fa5e-4eec-87a5-c05bba4e332f
> > systemFlags: -1946157056
> > objectCategory:
> > CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saiteli
> >  talia,DC=local
> > isCriticalSystemObject: TRUE
> > fSMORoleOwner: CN=NTDS
> > Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name
> >  ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > whenChanged: 20111222201017.0Z
> > uSNChanged: 3633
> > distinguishedName:
> > CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=loca
> >  l
> >
> > # returned 1 records
> > # 1 entries
> > # 0 referrals
> >
> > [root at kdc02:~/samba4/samba-master]# ldbsearch
> > -H /usr/local/samba/private/sam.ldb -b
> > "DC=DomainDnsZones,DC=saitelitalia,DC=local" "(name=Infrastructure)"
> > ...
> > # record 1
> > dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
> > objectClass: top
> > objectClass: infrastructureUpdate
> > cn: Infrastructure
> > instanceType: 4
> > whenCreated: 20120412142746.0Z
> > uSNCreated: 3700
> > showInAdvancedViewOnly: TRUE
> > name: Infrastructure
> > objectGUID: ee2a9817-32b3-410c-ac27-f97e71274a85
> > systemFlags: -1946157056
> > objectCategory:
> > CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saiteli
> >  talia,DC=local
> > isCriticalSystemObject: TRUE
> > fSMORoleOwner: CN=NTDS
> > Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name
> >  ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > whenChanged: 20120412142749.0Z
> > uSNChanged: 3709
> > distinguishedName:
> > CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=loca
> >  l
> >
> > # returned 1 records
> > # 1 entries
> > # 0 referrals
> >
> > As you can see both the DCs are saying that they are owners of the role.
> >
> > I'll try to delete entries and see what happens :-P
> >
> > Daniele
> >
> Hello Daniele,
> 
> do you have an idea what might have caused this? Can this have been
> caused by
> the failed samba_upgradedns run?
> 
> I hope you are successful with deleting the role.
> 
> best regards
> 
> Andreas
> 

Hello Andreas,
I had some trouble deleting the role (I guess because I don't know very
well how ldbdel works), so I tried ldbedit and changed the owner by
hand (I know it is the WRONG way to work).
After that I've been able to successfully demote the server.

Then I cleaned samba/* and ran make install again.
The join of the secondary DC has been successful, but I've found other
issues related to kcc_topology, and looking with ldbedit I've found that
there were many instances of DomainDnsZones and ForestDnsZones records,
maybe due to something which has not been deleted after the DC demote.
I think that the best way to proceed would be to provision the PDC from
scratch and then join the BDC.

Anyway, I tried to remove the duplicate records and went on, but even after two
samba4 restarts on the secondary DC, DNS partition replication won't start, so
I'm stuck again.

Let me know if you have more luck,
Daniele.
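A diagnostic check for the split-ownership situation the two ldbsearch runs in this thread show, added here as an example (it is not code from the thread or from Samba): it parses saved ldbsearch output, unfolding LDIF continuation lines, and reports whether the DCs hold the same object (same objectGUID) at the Infrastructure DN and agree on its fSMORoleOwner. The DC names, the abridged sample records and all function names are constructed for this example.

```python
# Constructed samples modelled on the two ldbsearch runs quoted in the thread (abridged).
KDC01_OUT = """# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
objectGUID: a81bd71a-fa5e-4eec-87a5-c05bba4e332f
fSMORoleOwner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name
 ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
"""
KDC02_OUT = """# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
objectGUID: ee2a9817-32b3-410c-ac27-f97e71274a85
fSMORoleOwner: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name
 ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
"""
INFRA_DN = "CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local"

def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}. A line starting with one space
    continues the previous line (why long DNs look split in the thread)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # join folded continuation line
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded + [""]:  # sentinel flushes the last record
        if line.startswith("#"):  # ldbsearch comments sit between records
            continue
        if not line:  # blank line ends a record
            if current:
                records.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return records

def role_view(text, dn):
    """(objectGUID, fSMORoleOwner) of the record at dn, or None if absent."""
    for rec in parse_ldif(text):
        if rec.get("dn", [""])[0].lower() == dn.lower():
            return rec.get("objectGUID", [None])[0], rec.get("fSMORoleOwner", [None])[0]
    return None

def compare_dcs(outputs, dn):
    """outputs: DC name -> ldbsearch text. Healthy replication shows one GUID and one owner."""
    views = {dc: role_view(text, dn) for dc, text in outputs.items()}
    found = [v for v in views.values() if v]
    return {"views": views, "same_object": len({v[0] for v in found}) == 1,
            "owner_agrees": len({v[1] for v in found}) == 1}
```

Run `compare_dcs({"kdc01": KDC01_OUT, "kdc02": KDC02_OUT}, INFRA_DN)` on the thread's two outputs and both flags come back False: the DCs disagree on the owner and, because the objectGUIDs differ, they are not even looking at the same replicated object.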


