redundant DNS setup with bind_dlz possible ?

Daniele Dario d.dario76 at gmail.com
Mon Apr 16 02:13:35 MDT 2012


On Mon, 2012-04-16 at 07:24 +0200, Andreas Oster wrote:
> Am 13.04.2012 08:58, schrieb Daniele Dario:
> > Hi Andreas and Amitay,
> > 
> > On Fri, 2012-04-13 at 08:09 +0200, Andreas Oster wrote:
> >> Am 13.04.2012 03:08, schrieb Amitay Isaacs:
> >>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
> >>>>
> >>>> Am 12.04.2012 16:32, schrieb Daniele Dario:
> >>>>
> >>>>> Hi Andreas,
> >>>>>
> >>>>> On
> >>>> Thu, 2012-04-12 at 16:25 +0200, Daniele Dario wrote:
> >>>>>> On Thu,
> >>>> 2012-04-12 at 15:22 +0200, Andreas Oster wrote: ...
> >>>>>>> Hello
> >>>> Daniele, I have now set up a second DC and joined it to AD. I have seen
> >>>> that replication of ForestDnsZones and DomainDnsZones in
> >>>> private/sam.ldb.d is working, but I am missing the private/dns part.
> >>>> samba_upgradedns gave the same error as Justin has observed. best
> >>>> regards Andreas
> >>>>>> Hallo Andreas, for me (I've just demoted the
> >>>> secondary DC and than reinstalled and re-joined it to the domain) I
> >>>> don't see DNS zones in private/sam.ldb.d. I guess that for you,
> >>>> samba-tool drs showrepl shows also the DNS zones in the INBOUND and
> >>>> OUTBOUND NEIGHBORS isn't it? Daniele.
> >>>>> After trying to run
> >>>> samba_upgradedns, even if zones were not replicated,
> >>>>> I've seen that
> >>>> DNS zones appeared on sam.ldb.d.
> >>>>> Can you confirm that the DNS
> >>>> partitions are currently replicated (drs
> >>>>> showrepl should show them)?
> >>>>>
> >>>>> Thanks,
> >>>>> Daniele.
> >>>> Hello Daniele,
> >>>>
> >>>> yes I can confirm, that I see
> >>>> inbound replication on second DC for ForestDnsZones and DomainDnsZones
> >>>> coming from first DC. I do see any sign of either inbound or outbound
> >>>> replication on the first DC though.
> >>>>
> >>>> best regards
> >>>>
> >>>> Andreas
> >>> Hi Andreas/Daniele,
> >>>
> >>> samba_upgradedns was designed mainly to upgrade old provisions using
> >>> BIND9 flat files to using AD based DNS. As a side effect, the script
> >>> can also be used to "fix" the dns provision after "samba-tool
> >>> join". However, there are a few prerequisites for this to work. If you are
> >>> using samba_upgradedns script to "fix" the provision on second DC,
> >>> make sure of the following:
> >>>
> >>> 1. Do not run samba_upgradedns immediately after join. It won't work,
> >>> since samba_upgradedns may create new entries and on a fresh join,
> >>> there are no RIDs allocated to the second DC, so no new entries can be
> >>> created.
> >>>
> >>> 2. Run first and second DCs, and make sure they replicate DNS
> >>> partitions. One trick is to restart second DC after it has done
> >>> initial replication. On the first replication, DNS partitions are
> >>> created and on the second replication (after restart) the DNS
> >>> partitions should get replicated. You should be able to query DNS
> >>> records on second DC using samba-tool dns after the replication.
> >>>
> >>> 3. Now run samba_upgradedns script. It will detect that the partitions
> >>> exist and will not attempt to create them, but only create private/dns
> >>> directory with a copy of samdb to be used with BIND.
> >>>
> >>> The script sometimes fails with an LDB "Operations Error". I haven't
> >>> had a chance to look at that. If you notice it again, let me know your
> >>> set up. I will try to re-create the set up to debug this error.
> >>>
> >>> Amitay.
> >>
> >> Hello Amitay,
> >>
> >> thank you for this information, I will demote my second DC and start again
> >> from scratch with your tips.
> >>
> >> Thank you for your kind help.
> >>
> >> best regards
> >>
> >> Andreas
> >>
> > 
> > I demoted my secondary DC yesterday before Amitay's tips so I fired
> > samba_upgradedns before the second restart of the DC.
> > 
> > Now it seems that something happened, because samba-tool dns query on the
> > secondary DC works even if replication has errors on the DNS zones (the others
> > are OK):
> > 
> > [root at kdc02:~]# samba-tool drs showrepl
> > ldb_wrap open of secrets.ldb
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Using binding ncacn_ip_tcp:kdc02.saitelitalia.local[,seal]
> > Default-First-Site-Name\KDC02
> > DSA Options: 0x00000001
> > DSA object GUID: fc65c73a-90f6-450b-8dee-38eb890e6b69
> > DSA invocationId: 256ce256-9efb-4b10-8214-add01ed17d92
> > 
> > ==== INBOUND NEIGHBORS ====
> > 
> > DC=ForestDnsZones,DC=saitelitalia,DC=local
> > 	Default-First-Site-Name\KDC01 via RPC
> > 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> > 		Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
> > (WERR_DS_DRA_INTERNAL_ERROR)
> > 		188 consecutive failure(s).
> > 		Last success @ NTTIME(0)
> > 
> > DC=DomainDnsZones,DC=saitelitalia,DC=local
> > 	Default-First-Site-Name\KDC01 via RPC
> > 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
> > 		Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
> > (WERR_DS_DRA_INTERNAL_ERROR)
> > 		188 consecutive failure(s).
> > 		Last success @ NTTIME(0)
> > ...
> > 
> > If I try to demote secondary DC now I find this issue:
> > 
> > [root at kdc02:~]# samba-tool domain demote -U administrator
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > ERROR: Current DC is still the owner of %d role(s), use the role command
> > to transfer roles to another DC
> > 
> > How can I transfer roles? Should I use samba-tool fsmo transfer?
> > 
> > [root at kdc02:~]# samba-tool fsmo show
> > ldb_wrap open of secrets.ldb
> > InfrastructureMasterRole owner: CN=NTDS
> > Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > RidAllocationMasterRole owner: CN=NTDS
> > Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > PdcEmulationMasterRole owner: CN=NTDS
> > Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > DomainNamingMasterRole owner: CN=NTDS
> > Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > SchemaMasterRole owner: CN=NTDS
> > Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> > 
> > so it seems that the owner is the primary DC (kdc01), isn't it?
> > 
> > Thanks,
> > Daniele.
> > 
> > 
> Hello Daniele,
> 
> did you make any progress with the DNS replication setup ?
> Have you been able to fix the demote issue in your configuration ?
> 
> best regards
> 
> Andreas
> 
Hi Andreas,
I've just posted a patch to the list to show the FSMO roles owned by the
DC to demote and I'm waiting for responses.

Anyway, I've been able to demote the secondary DC, but even after
re-joining it and two samba restarts I'm not able to see the DNS partitions in
private/sam.ldb.d/, so I guess I have something wrong or something which
is not removed during the demote operation.

After last join, I've seen these errors on PDC:

[2012/04/16 09:42:10,
3] ../source4/dsdb/repl/drepl_service.c:202(_drepl_schedule_replication)
  _drepl_schedule_replication: forcing sync of partition
(5702affc-5157-438e-8714-c8f71fb06e61,
CN=Schema,CN=Configuration,DC=saitelitalia,DC=local,
5da8f529-8af5-40ea-9d1e-dec40ba0713d._msdcs.saitelitalia.local)
[2012/04/16 09:42:11,
3] ../source4/libcli/resolve/dns_ex.c:534(pipe_handler)
  dns child failed to find name
'6624e817-74ce-42fa-992c-1a9c51c4877b._msdcs.saitelitalia.local' of type
A
[2012/04/16 09:42:15,
3] ../source4/dsdb/repl/drepl_service.c:202(_drepl_schedule_replication)
  _drepl_schedule_replication: forcing sync of partition
(14082c1d-4205-47e0-8c52-ff8764322c1c,
CN=Configuration,DC=saitelitalia,DC=local,
5da8f529-8af5-40ea-9d1e-dec40ba0713d._msdcs.saitelitalia.local)
[2012/04/16 09:42:15,
3] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4709(replmd_process_linked_attribute)
  Discarding older DRS linked attribute update to siteList on
CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local from
788bb21f-edc8-467d-89cf-f66b67840ce1
...

Now, 5702affc-5157-438e-8714-c8f71fb06e61 should be kdc02, while
6624e817-74ce-42fa-992c-1a9c51c4877b was the old kdc02, which should have
been deleted by the demote???

Maybe this is a problem which does not allow to start replication of DNS
partitions?

Daniele.
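The two checks this thread keeps circling back to (is replication of the DNS partitions actually succeeding, and does the DC I am about to demote still own any FSMO role) can be scripted against the output of `samba-tool drs showrepl` and `samba-tool fsmo show`. The script below is an added example; it is not code from the thread or from Samba. The two sample outputs are constructed to mirror what is quoted above (KDC02's showrepl with both DNS partitions failing, and all five roles on KDC01), and the function names, the `demote_preflight` helper and the "safe to demote" rule are my own; on a real DC you would pipe the live commands in instead of the samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: parse the output of
# `samba-tool drs showrepl` and `samba-tool fsmo show` to decide whether a DC
# is safe to demote (no partition stuck in replication failure, no FSMO role
# still owned by it). On a live DC pipe the real commands in, e.g.
#   samba-tool drs showrepl | failing_partitions
#   samba-tool fsmo show    | roles_owned_by KDC02
# The samples below are constructed to mirror the output quoted in the thread.

# Constructed showrepl output: both DNS partitions failing, domain partition OK.
SHOWREPL_SAMPLE='Default-First-Site-Name\KDC02
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=saitelitalia,DC=local
    Default-First-Site-Name\KDC01 via RPC
        Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)
        188 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=saitelitalia,DC=local
    Default-First-Site-Name\KDC01 via RPC
        Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)
        188 consecutive failure(s).
        Last success @ NTTIME(0)

DC=saitelitalia,DC=local
    Default-First-Site-Name\KDC01 via RPC
        Last attempt @ Fri Apr 13 08:31:16 2012 CEST was successful
        0 consecutive failure(s).
        Last success @ Fri Apr 13 08:31:16 2012 CEST
'

# Constructed showrepl output with every partition healthy (the desired state).
SHOWREPL_CLEAN='==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=saitelitalia,DC=local
    Default-First-Site-Name\KDC01 via RPC
        Last attempt @ Fri Apr 13 09:00:00 2012 CEST was successful
        0 consecutive failure(s).
        Last success @ Fri Apr 13 09:00:00 2012 CEST
'

# Constructed fsmo show output: all five roles on KDC01, none on KDC02.
FSMO_SAMPLE='InfrastructureMasterRole owner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
SchemaMasterRole owner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local'

# Print "<direction> <partition DN> <failures>" for every neighbour whose
# consecutive-failure counter is non-zero. Reads showrepl text on stdin.
failing_partitions() {
    awk '
        /^==== .* NEIGHBORS ====/    { direction = tolower($2); next }
        /^(DC|CN)=/                  { nc = $0; next }
        /consecutive failure\(s\)\./ {
            sub(/^[ \t]+/, "")
            if ($1 + 0 > 0) printf "%s %s %s\n", direction, nc, $1
        }'
}

# Print the FSMO role names whose owner DN contains ",CN=<dc>,". Reads fsmo show
# text on stdin; $1 is the DC's short name (matched case-insensitively).
roles_owned_by() {
    awk -v dc="$1" '
        / owner: / {
            owner = substr($0, index($0, " owner: ") + 8)
            if (index(toupper(owner), ",CN=" toupper(dc) ",") > 0) print $1
        }'
}

# Return 0 only when $1 (DC name) has no failing partitions in $2 (showrepl
# text) and owns no role listed in $3 (fsmo show text); otherwise report why.
demote_preflight() {
    problems=0
    failing=$(printf '%s\n' "$2" | failing_partitions)
    if [ -n "$failing" ]; then
        echo "replication still failing on $1:"
        printf '%s\n' "$failing" | sed 's/^/  /'
        problems=$((problems + 1))
    fi
    owned=$(printf '%s\n' "$3" | roles_owned_by "$1")
    if [ -n "$owned" ]; then
        echo "$1 still owns FSMO role(s), transfer them first (samba-tool fsmo transfer --role=...):"
        printf '%s\n' "$owned" | sed 's/^/  /'
        problems=$((problems + 1))
    fi
    return $problems
}

demote_preflight KDC02 "$SHOWREPL_SAMPLE" "$FSMO_SAMPLE" || echo "KDC02: not safe to demote yet"
```

Run against the constructed samples, the preflight reports the two DNS partitions with 188 consecutive failures and refuses; against the clean sample it passes for KDC02 but still refuses for KDC01, which owns all five roles. The failure counter is a better signal than `Last success` alone, since `NTTIME(0)` only tells you replication has never succeeded, not that it is still broken now.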


