redundant DNS setup with bind_dlz possible ?

Andreas Oster aoster at novanetwork.de
Sun Apr 15 23:24:14 MDT 2012


Am 13.04.2012 08:58, schrieb Daniele Dario:
> Hi Andreas and Amitay,
> 
> On Fri, 2012-04-13 at 08:09 +0200, Andreas Oster wrote:
>> Am 13.04.2012 03:08, schrieb Amitay Isaacs:
>>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
>>>>
>>>> Am 12.04.2012 16:32, schrieb Daniele Dario:
>>>>
>>>>> Hi Andreas,
>>>>>
>>>>> On Thu, 2012-04-12 at 16:25 +0200, Daniele Dario wrote:
>>>>>> On Thu, 2012-04-12 at 15:22 +0200, Andreas Oster wrote: ...
>>>>>>> Hello Daniele, I have now set up a second DC and joined it to AD. I have seen
>>>>>>> that replication of ForestDnsZones and DomainDnsZones in
>>>>>>> private/sam.ldb.d is working, but I am missing the private/dns part.
>>>>>>> samba_upgradedns gave the same error as Justin has observed. best
>>>>>>> regards Andreas
>>>>>> Hallo Andreas, for me (I've just demoted the
>>>>>> secondary DC and then reinstalled and re-joined it to the domain) I
>>>>>> don't see DNS zones in private/sam.ldb.d. I guess that for you,
>>>>>> samba-tool drs showrepl shows also the DNS zones in the INBOUND and
>>>>>> OUTBOUND NEIGHBORS isn't it? Daniele.
>>>>> After trying to run samba_upgradedns, even if zones were not replicated,
>>>>> I've seen that DNS zones appeared on sam.ldb.d.
>>>>> Can you confirm that the DNS partitions are currently replicated (drs
>>>>> showrepl should show them)?
>>>>>
>>>>> Thanks,
>>>>> Daniele.
>>>> Hello Daniele,
>>>>
>>>> yes, I can confirm that I see
>>>> inbound replication on second DC for ForestDnsZones and DomainDnsZones
>>>> coming from first DC. I do see any sign of either inbound or outbound
>>>> replication on the first DC though.
>>>>
>>>> best regards
>>>>
>>>> Andreas
>>> Hi Andreas/Daniele,
>>>
>>> samba_upgradedns was designed mainly to upgrade old provisions using
>>> BIND9 flat files to using AD based DNS. As a side effect, the script
>>> can also be used to "fix" the dns provision after "samba-tool
>>> join". However, there are a few prerequisites for this to work. If you are
>>> using the samba_upgradedns script to "fix" the provision on the second DC,
>>> make sure of the following:
>>>
>>> 1. Do not run samba_upgradedns immediately after join. It won't work,
>>> since samba_upgradedns may create new entries and on a fresh join,
>>> there are no RIDs allocated to the second DC, so no new entries can be
>>> created.
>>>
>>> 2. Run first and second DCs, and make sure they replicate DNS
>>> partitions. One trick is to restart second DC after it has done
>>> initial replication. On the first replication, DNS partitions are
>>> created and on the second replication (after restart) the DNS
>>> partitions should get replicated. You should be able to query DNS
>>> records on second DC using samba-tool dns after the replication.
>>>
>>> 3. Now run samba_upgradedns script. It will detect that the partitions
>>> exist and will not attempt to create them, but only create private/dns
>>> directory with a copy of samdb to be used with BIND.
>>>
>>> The script sometimes fails with LDB "Operations Error". I haven't
>>> had a chance to look at that. If you notice it again, let me know your
>>> set up. I will try to re-create the set up to debug this error.
>>>
>>> Amitay.
>>
>> Hello Amitay,
>>
>> thank you for this information, I will demote my second DC and start again
>> from scratch with your tips.
>>
>> Thank you for your kind help.
>>
>> best regards
>>
>> Andreas
>>
> 
> I demoted my secondary DC yesterday before Amitay's tips so I fired
> samba_upgradedns before the second restart of the DC.
> 
> Now it seems that something happened 'cause samba-tool dns query on the
> secondary DC works even if replication has errors on the DNS zones (the others
> are OK):
> 
> [root at kdc02:~]# samba-tool drs showrepl
> ldb_wrap open of secrets.ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:kdc02.saitelitalia.local[,seal]
> Default-First-Site-Name\KDC02
> DSA Options: 0x00000001
> DSA object GUID: fc65c73a-90f6-450b-8dee-38eb890e6b69
> DSA invocationId: 256ce256-9efb-4b10-8214-add01ed17d92
> 
> ==== INBOUND NEIGHBORS ====
> 
> DC=ForestDnsZones,DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
> (WERR_DS_DRA_INTERNAL_ERROR)
> 		188 consecutive failure(s).
> 		Last success @ NTTIME(0)
> 
> DC=DomainDnsZones,DC=saitelitalia,DC=local
> 	Default-First-Site-Name\KDC01 via RPC
> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> 		Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
> (WERR_DS_DRA_INTERNAL_ERROR)
> 		188 consecutive failure(s).
> 		Last success @ NTTIME(0)
> ...
> 
> If I try to demote secondary DC now I find this issue:
> 
> [root at kdc02:~]# samba-tool domain demote -U administrator
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> ERROR: Current DC is still the owner of %d role(s), use the role command
> to transfer roles to another DC
> 
> How can I transfer roles? Should I use samba-tool fsmo transfer?
> 
> [root at kdc02:~]# samba-tool fsmo show
> ldb_wrap open of secrets.ldb
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> 
> so it seems that owner is primary DC (kdc01) isn't it?
> 
> Thanks,
> Daniele.
> 
> 
Hello Daniele,

did you make any progress with the DNS replication setup?
Have you been able to fix the demote issue in your configuration?

best regards

Andreas



More information about the samba-technical mailing list