redundant DNS setup with bind_dlz possible ?

Andreas Oster aoster at novanetwork.de
Fri Apr 13 10:07:45 MDT 2012


On 13.04.2012 17:50, Daniele Dario wrote:
> On Fri, 2012-04-13 at 17:33 +0200, Andreas Oster wrote:
>> On 13.04.2012 14:22, Daniele Dario wrote:
>>> Hi Andreas,
>>>
>>> On Fri, 2012-04-13 at 14:07 +0200, Daniele Dario wrote:
>>>> Hi Andreas,
>>>>
>>>> On Fri, 2012-04-13 at 12:34 +0200, Andreas Oster wrote:
>>>>> On 13.04.2012 08:58, Daniele Dario wrote:
>>>>>> Hi Andreas and Amitay,
>>>>>>
>>>>>> On Fri, 2012-04-13 at 08:09 +0200, Andreas Oster wrote:
>>>>>>> On 13.04.2012 03:08, Amitay Isaacs wrote:
>>>>>>>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
>>>> ...
>>>>> Hello Daniele,
>>>>>
>>>>> as you might have seen in my last post I have run into the same demoting
>>>>> issue. Did you manage to demote your server in the meanwhile ?
>>>>>
>>>>> best regards
>>>>>
>>>>> Andreas
>>>>>
>>>> I made a little change in
>>>> samba/lib//python2.7/site-packages/samba/netcmd/domain.py to show how
>>>> many rules are locking the demote operation (and which ones). My python
>>>> knowledge is not so deep but changes are on line 250 like:
>>>>         if len(res) != 0:
>>>> -            raise CommandError("Current DC is still the owner of %d
>>>> role(s), use the role command to transfer roles to another DC"
>>>> +           for foundRole in res:
>>>>                 print foundRole.dn
>>>>             raise CommandError("Current DC is still the owner of %d
>>>> role(s), use the role command to transfer roles to another DC" %
>>>> len(res))
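Review bot: the `print foundRole.dn` line is new but carries no `+` marker, so the patch as pasted does not apply cleanly, and the role DNs go to stdout while the `CommandError` still only carries the count; anyone reading just the error (or a log that captures only stderr) loses the DNs. Suggest folding them into the message instead of printing, e.g. `raise CommandError("Current DC is still the owner of %d role(s) (%s), use the role command to transfer roles to another DC" % (len(res), ", ".join(str(r.dn) for r in res)))`, which also keeps the original single-raise structure.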
>>>>
>>>> And it seems that secondary DC is owner of the DNS zones replication
>>>>
>>>> [root at kdc02:~/samba4/samba-master]# samba-tool domain demote -U administrator
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> GENSEC backend 'krb5' registered
>>>> GENSEC backend 'fake_gssapi_krb5' registered
>>>> CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
>>>> CN=Infrastructure,DC=ForestDnsZones,DC=saitelitalia,DC=local
>>>> ERROR: Current DC is still the owner of 2 role(s), use the role command
>>>> to transfer roles to another DC
>>>>
>>>> If instead of print foundRole.dn you use just foundRole it shows a very
>>>> long message where you can find more things like
>>>>
>>>> 'fSMORoleOwner': MessageElement(['CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local'])
>>>>
>>>> At this point I think there is something wrong because samba-tool fsmo
>>>> show doesn't show at all these two roles.
>>>>
>>>> Maybe we can just try to delete them using ldbdel ...?
>>>>
>>>> Daniele.
>>>>
>>> just a step forward:
>>> in my case, ldbsearch tells me something strange.
>>>
>>> [root at kdc01:~]# ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=saitelitalia,DC=local" "(name=Infrastructure)"
>>> ...
>>> # record 1
>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
>>> objectClass: top
>>> objectClass: infrastructureUpdate
>>> cn: Infrastructure
>>> instanceType: 4
>>> whenCreated: 20111222201013.0Z
>>> uSNCreated: 3624
>>> showInAdvancedViewOnly: TRUE
>>> name: Infrastructure
>>> objectGUID: a81bd71a-fa5e-4eec-87a5-c05bba4e332f
>>> systemFlags: -1946157056
>>> objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
>>> isCriticalSystemObject: TRUE
>>> fSMORoleOwner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>> whenChanged: 20111222201017.0Z
>>> uSNChanged: 3633
>>> distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
>>>
>>> # returned 1 records
>>> # 1 entries
>>> # 0 referrals
>>>
>>> [root at kdc02:~/samba4/samba-master]# ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=saitelitalia,DC=local" "(name=Infrastructure)"
>>> ...
>>> # record 1
>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
>>> objectClass: top
>>> objectClass: infrastructureUpdate
>>> cn: Infrastructure
>>> instanceType: 4
>>> whenCreated: 20120412142746.0Z
>>> uSNCreated: 3700
>>> showInAdvancedViewOnly: TRUE
>>> name: Infrastructure
>>> objectGUID: ee2a9817-32b3-410c-ac27-f97e71274a85
>>> systemFlags: -1946157056
>>> objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
>>> isCriticalSystemObject: TRUE
>>> fSMORoleOwner: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>> whenChanged: 20120412142749.0Z
>>> uSNChanged: 3709
>>> distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
>>>
>>> # returned 1 records
>>> # 1 entries
>>> # 0 referrals
>>>
>>> As you can see both the DCs are saying that they are owners of the role.
>>>
>>> I'll try to delete entries and see what happens :-P
>>>
>>> Daniele
>>>
>> Hello Daniele,
>>
>> do you have an idea what might have caused this ? Can this have been
>> caused by
>> the failed samba_upgradedns run ?
>>
>> I hope you are successful with deleting the role .
>>
>> best regards
>>
>> Andreas
>>
> Hello Andreas,
> I had some troubles deleting the role (guess because don't know very
> well how ldbdel works) so tried with ldbedit and changed the owner by
> hand (I know it is the WRONG way to work).
> After that I've been able to successfully demote the server.
>
> Then I cleaned samba/* and made make install again.
> The join of the secondary DC has been successful but I've found other
> issues related to kcc_topology and looking with ldbedit I've found that
> there were many instances of DomainDnsZones and ForestDnsZones records,
> maybe due to something which has not been deleted after the DC demote.
> I think that the best way to proceed would be to provision from scratch
> the PDC and then join BDC.
>
> Anyway I tried to remove the dup records and went on but even after two
> samba4 restarts on secondary DC DNS partition replication won't start so
> I'm stuck again.
>
> Let me know if you have more luck,
> Daniele.
>
Hello Daniele,

personally I would prefer to be able to use the samba-tool demote function. I am not happy with messing around with the ldbedit tool as I do not have the experience to do that properly. I hope one of the developers can give us some help with that. To have to start all over again would be a pain.

best regards

Andreas
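An added check, written for this thread and not code from the thread or from Samba: it parses the ldbsearch output from each DC and classifies the disagreement over the DNS-partition Infrastructure object. The point a practitioner would want settled before touching anything with ldbedit is whether the two DCs hold one object whose fSMORoleOwner has diverged between replicas, or two different objects under the same DN. The two LDIF inputs below are constructed from the kdc01 and kdc02 records quoted above, trimmed to the attributes that matter; in those records the objectGUIDs differ (a81bd71a-... on kdc01, ee2a9817-... on kdc02), which this script reports as duplicate objects. The DC labels, the verdict names and the helper functions are this example's own.

```python
"""Added example: compare the fSMORoleOwner of a partition's Infrastructure
object as seen by two DCs, from the LDIF that ldbsearch prints (stdout of
'ldbsearch -H sam.ldb -b <partition> "(name=Infrastructure)"' on each DC)."""
import base64
import re

# Constructed sample input (not the thread's verbatim output): the kdc01 and
# kdc02 records quoted in the thread, trimmed, with the long DN folded onto
# an LDIF continuation line (leading space) the way ldbsearch prints it.
LDIF_KDC01 = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
objectClass: top
objectClass: infrastructureUpdate
cn: Infrastructure
objectGUID: a81bd71a-fa5e-4eec-87a5-c05bba4e332f
fSMORoleOwner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name
 ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
whenChanged: 20111222201017.0Z

# returned 1 records
"""

LDIF_KDC02 = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
objectClass: top
objectClass: infrastructureUpdate
cn: Infrastructure
objectGUID: ee2a9817-32b3-410c-ac27-f97e71274a85
fSMORoleOwner: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name
 ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
whenChanged: 20120412142749.0Z

# returned 1 records
"""

# Split a DN on commas that are not backslash-escaped.
_DN_SPLIT = re.compile(r"(?<!\\),")


def _fold(lines):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Parse ldbsearch LDIF into a list of {attribute: [values]} records.
    '#' lines are comments, a blank line ends a record, and 'attr:: x'
    carries a base64-encoded value (decoded after folding)."""
    records, current = [], {}
    for line in _fold(text.splitlines()):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def owner_server(ntds_dn):
    """'CN=NTDS Settings,CN=KDC01,CN=Servers,...' -> 'KDC01'."""
    rdns = _DN_SPLIT.split(ntds_dn)
    if len(rdns) < 2 or rdns[0].strip().lower() != "cn=ntds settings":
        raise ValueError("not an NTDS Settings DN: %r" % ntds_dn)
    return rdns[1].split("=", 1)[1].strip()


def diagnose(outputs, rdn="CN=Infrastructure"):
    """outputs: {dc_label: ldif_text}. Verdicts (names are this example's own):
      consistent        every DC names the same fSMORoleOwner
      diverged          same objectGUID, different owners (one object whose
                        attribute differs between replicas)
      duplicate-objects different objectGUIDs under the same DN (each DC holds
                        its own object; replication cannot reconcile them)"""
    owners, guids = {}, {}
    for dc, text in outputs.items():
        infra = [r for r in parse_ldif(text)
                 if r.get("dn", [""])[0].startswith(rdn + ",")]
        if len(infra) != 1:
            raise ValueError("%s: expected one %s record, got %d" % (dc, rdn, len(infra)))
        owners[dc] = owner_server(infra[0]["fSMORoleOwner"][0])
        guids[dc] = infra[0]["objectGUID"][0].lower()
    if len(set(owners.values())) == 1:
        verdict = "consistent"
    elif len(set(guids.values())) == 1:
        verdict = "diverged"
    else:
        verdict = "duplicate-objects"
    return {"owners": owners, "guids": guids, "verdict": verdict}


if __name__ == "__main__":
    result = diagnose({"kdc01": LDIF_KDC01, "kdc02": LDIF_KDC02})
    for dc in sorted(result["owners"]):
        print("%s: owner %s, objectGUID %s" % (dc, result["owners"][dc], result["guids"][dc]))
    print("verdict: " + result["verdict"])
```

Run the same ldbsearch against the ForestDnsZones partition and feed those outputs in as well; a "diverged" verdict is a replication conflict on one object, while "duplicate-objects" means each DC created its own Infrastructure object, which is the case the quoted records show and the one where fixing the attribute by hand on one side does not make the other side's object go away.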
