redundant DNS setup with bind_dlz possible ?

Andreas Oster aoster at novanetwork.de
Mon Jun 4 00:58:29 MDT 2012


Am 16.04.2012 10:13, schrieb Daniele Dario:
> On Mon, 2012-04-16 at 07:24 +0200, Andreas Oster wrote:
>> Am 13.04.2012 08:58, schrieb Daniele Dario:
>>> Hi Andreas and Amitay,
>>>
>>> On Fri, 2012-04-13 at 08:09 +0200, Andreas Oster wrote:
>>>> Am 13.04.2012 03:08, schrieb Amitay Isaacs:
>>>>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
>>>>>>
>>>>>> Am 12.04.2012 16:32, schrieb Daniele Dario:
>>>>>>
>>>>>>> Hi Andreas,
>>>>>>>
>>>>>>> On Thu, 2012-04-12 at 16:25 +0200, Daniele Dario wrote:
>>>>>>>> On Thu, 2012-04-12 at 15:22 +0200, Andreas Oster wrote: ...
>>>>>>>>> Hello Daniele, I have now set up a second DC and joined it to AD. I have seen
>>>>>>>>> that replication of ForestDnsZones and DomainDnsZones in
>>>>>>>>> private/sam.ldb.d is working, but I am missing the private/dns part.
>>>>>>>>> samba_upgradedns gave the same error as Justin has observed. best
>>>>>>>>> regards Andreas
>>>>>>>> Hallo Andreas, for me (I've just demoted the
>>>>>>>> secondary DC and then reinstalled and re-joined it to the domain) I
>>>>>>>> don't see DNS zones in private/sam.ldb.d. I guess that for you,
>>>>>>>> samba-tool drs showrepl shows also the DNS zones in the INBOUND and
>>>>>>>> OUTBOUND NEIGHBORS isn't it? Daniele.
>>>>>>> After trying to run samba_upgradedns, even if zones were not replicated,
>>>>>>> I've seen that DNS zones appeared on sam.ldb.d.
>>>>>>> Can you confirm that the DNS partitions are currently replicated (drs
>>>>>>> showrepl should show them)?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Daniele.
>>>>>> Hello Daniele,
>>>>>>
>>>>>> yes I can confirm, that I see
>>>>>> inbound replication on second DC for ForestDnsZones and DomainDnsZones
>>>>>> coming from first DC. I do see any sign of either inbound or outbound
>>>>>> replication on the first DC though.
>>>>>>
>>>>>> best regards
>>>>>>
>>>>>> Andreas
>>>>> Hi Andreas/Daniele,
>>>>>
>>>>> samba_upgradedns was designed mainly to upgrade old provisions using
>>>>> BIND9 flat files to using AD based DNS. As a side effect, the script
>>>>> can also be used to "fix" the dns provision after "samba-tool
>>>>> join". However, there are a few requisites for this to work. If you are
>>>>> using samba_upgradedns script to "fix" the provision on second DC,
>>>>> make sure of the following:
>>>>>
>>>>> 1. Do not run samba_upgradedns immediately after join. It won't work,
>>>>> since samba_upgradedns may create new entries and on a fresh join,
>>>>> there are no RIDs allocated to the second DC, so no new entries can be
>>>>> created.
>>>>>
>>>>> 2. Run first and second DCs, and make sure they replicate DNS
>>>>> partitions. One trick is to restart second DC after it has done
>>>>> initial replication. On the first replication, DNS partitions are
>>>>> created and on the second replication (after restart) the DNS
>>>>> partitions should get replicated. You should be able to query DNS
>>>>> records on second DC using samba-tool dns after the replication.
>>>>>
>>>>> 3. Now run samba_upgradedns script. It will detect that the partitions
>>>>> exist and will not attempt to create them, but only create private/dns
>>>>> directory with a copy of samdb to be used with BIND.
>>>>>
>>>>> The script sometimes fails with LDB "Operations Error". I haven't
>>>>> had a chance to look at that. If you notice it again, let me know your
>>>>> set up. I will try to re-create the set up to debug this error.
>>>>>
>>>>> Amitay.
>>>>
>>>> Hello Amitay,
>>>>
>>>> thank you for this information, I will demote my second DC and start again
>>>> from scratch with your tips.
>>>>
>>>> Thank you for your kind help.
>>>>
>>>> best regards
>>>>
>>>> Andreas
>>>>
>>>
>>> I demoted my secondary DC yesterday before Amitay's tips so I fired
>>> samba_upgradedns before the second restart of the DC.
>>>
>>> Now it seems that something happened, because samba-tool dns query on the
>>> secondary DC works even if replication has errors on the DNS zones (others
>>> are OK):
>>>
>>> [root at kdc02:~]# samba-tool drs showrepl
>>> ldb_wrap open of secrets.ldb
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'ntlmssp' registered
>>> GENSEC backend 'krb5' registered
>>> GENSEC backend 'fake_gssapi_krb5' registered
>>> Using binding ncacn_ip_tcp:kdc02.saitelitalia.local[,seal]
>>> Default-First-Site-Name\KDC02
>>> DSA Options: 0x00000001
>>> DSA object GUID: fc65c73a-90f6-450b-8dee-38eb890e6b69
>>> DSA invocationId: 256ce256-9efb-4b10-8214-add01ed17d92
>>>
>>> ==== INBOUND NEIGHBORS ====
>>>
>>> DC=ForestDnsZones,DC=saitelitalia,DC=local
>>> 	Default-First-Site-Name\KDC01 via RPC
>>> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
>>> 		Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
>>> (WERR_DS_DRA_INTERNAL_ERROR)
>>> 		188 consecutive failure(s).
>>> 		Last success @ NTTIME(0)
>>>
>>> DC=DomainDnsZones,DC=saitelitalia,DC=local
>>> 	Default-First-Site-Name\KDC01 via RPC
>>> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
>>> 		Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
>>> (WERR_DS_DRA_INTERNAL_ERROR)
>>> 		188 consecutive failure(s).
>>> 		Last success @ NTTIME(0)
>>> ...
>>>
>>> If I try to demote secondary DC now I find this issue:
>>>
>>> [root at kdc02:~]# samba-tool domain demote -U administrator
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'ntlmssp' registered
>>> GENSEC backend 'krb5' registered
>>> GENSEC backend 'fake_gssapi_krb5' registered
>>> ERROR: Current DC is still the owner of %d role(s), use the role command
>>> to transfer roles to another DC
>>>
>>> How can I transfer roles? Should I use samba-tool fsmo transfer?
>>>
>>> [root at kdc02:~]# samba-tool fsmo show
>>> ldb_wrap open of secrets.ldb
>>> InfrastructureMasterRole owner: CN=NTDS
>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>> RidAllocationMasterRole owner: CN=NTDS
>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>> PdcEmulationMasterRole owner: CN=NTDS
>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>> DomainNamingMasterRole owner: CN=NTDS
>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>> SchemaMasterRole owner: CN=NTDS
>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>
>>> so it seems that the owner is the primary DC (kdc01), isn't it?
>>>
>>> Thanks,
>>> Daniele.
>>>
>>>
>> Hello Daniele,
>>
>> did you make any progress with the DNS replication setup?
>> Have you been able to fix the demote issue in your configuration?
>>
>> best regards
>>
>> Andreas
>>
> Hi Andreas,
> I've just posted a patch to the list to show the FSMO roles owned by the
> DC to demote and I'm waiting for responses.
> 
> Anyway, I've been able to demote the secondary DC but even after
> re-joining it and 2 samba restarts I'm not able to see DNS partitions in
> private/sam.ldb.d/ so I guess I have something wrong or something which
> is not removed during the demote operation.
> 
> After the last join, I've seen these errors on the PDC:
> 
> [2012/04/16 09:42:10,
> 3] ../source4/dsdb/repl/drepl_service.c:202(_drepl_schedule_replication)
>   _drepl_schedule_replication: forcing sync of partition
> (5702affc-5157-438e-8714-c8f71fb06e61,
> CN=Schema,CN=Configuration,DC=saitelitalia,DC=local,
> 5da8f529-8af5-40ea-9d1e-dec40ba0713d._msdcs.saitelitalia.local)
> [2012/04/16 09:42:11,
> 3] ../source4/libcli/resolve/dns_ex.c:534(pipe_handler)
>   dns child failed to find name
> '6624e817-74ce-42fa-992c-1a9c51c4877b._msdcs.saitelitalia.local' of type
> A
> [2012/04/16 09:42:15,
> 3] ../source4/dsdb/repl/drepl_service.c:202(_drepl_schedule_replication)
>   _drepl_schedule_replication: forcing sync of partition
> (14082c1d-4205-47e0-8c52-ff8764322c1c,
> CN=Configuration,DC=saitelitalia,DC=local,
> 5da8f529-8af5-40ea-9d1e-dec40ba0713d._msdcs.saitelitalia.local)
> [2012/04/16 09:42:15,
> 3] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4709(replmd_process_linked_attribute)
>   Discarding older DRS linked attribute update to siteList on
> CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local from
> 788bb21f-edc8-467d-89cf-f66b67840ce1
> ...
> 
> now, 5702affc-5157-438e-8714-c8f71fb06e61 should be kdc02 while
> 6624e817-74ce-42fa-992c-1a9c51c4877b was the old kdc02 which should have
> been deleted by demote ???
> 
> Maybe this is a problem which prevents replication of the DNS
> partitions from starting?
> 
> Daniele.
> 
> 
Hello Daniele,

did you make some progress with the redundant/secondary DNS setup?
Does it work for you?

best regards

Andreas
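A readiness check for Amitay's step 2 above, added here as an example (it is not code from the thread or from Samba): it parses the output of `samba-tool drs showrepl`, in the form quoted by Daniele, and reports whether ForestDnsZones and DomainDnsZones have an inbound neighbour that has replicated successfully, so an operator does not run samba_upgradedns before the partitions exist and replicate. The sample output is constructed from the run quoted in the thread; the function names are assumptions.

```python
import re

# Added example: readiness check for Amitay's step 2 (names are assumptions).
def parse_inbound(text):
    """Map partition DN -> inbound neighbours [{failures, last_success}] from showrepl output."""
    inbound, dn, nb = {}, None, None
    body = text.split("==== INBOUND NEIGHBORS ====", 1)[-1]
    body = body.split("==== OUTBOUND NEIGHBORS ====", 1)[0]
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("DC="):                       # new partition block
            dn, nb = line, None
            inbound.setdefault(dn, [])
        elif dn and re.match(r"\S+\\\S+ via ", line):     # "Site\DC via RPC"
            nb = {"failures": 0, "last_success": None}
            inbound[dn].append(nb)
        elif nb is not None:                             # wrapped lines fall through
            m = re.match(r"(\d+) consecutive failure", line)
            if m:
                nb["failures"] = int(m.group(1))
            elif line.startswith("Last success @ "):
                nb["last_success"] = line[len("Last success @ "):]
    return inbound

def check_dns_replication(text, partitions=("ForestDnsZones", "DomainDnsZones")):
    """Return (ok, problems): ok iff each DNS partition has an inbound neighbour that succeeded once and has no current failures."""
    inbound, problems = parse_inbound(text), []
    for name in partitions:
        nbs = [n for dn, lst in inbound.items()
               if dn.startswith("DC=%s," % name) for n in lst]
        if not nbs:
            problems.append("%s: no inbound neighbour (partition not created yet?)" % name)
        elif all(n["last_success"] in (None, "NTTIME(0)") for n in nbs):
            problems.append("%s: never replicated successfully" % name)
        elif any(n["failures"] for n in nbs):
            problems.append("%s: %d consecutive failure(s)" % (name, max(n["failures"] for n in nbs)))
    return (not problems, problems)

# Constructed sample, modelled on the showrepl output quoted in the thread.
SAMPLE_FAILING = """\
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=saitelitalia,DC=local
\tDefault-First-Site-Name\\KDC01 via RPC
\t\t188 consecutive failure(s).
\t\tLast success @ NTTIME(0)
DC=DomainDnsZones,DC=saitelitalia,DC=local
\tDefault-First-Site-Name\\KDC01 via RPC
\t\t188 consecutive failure(s).
\t\tLast success @ NTTIME(0)
"""
```

Feed it live output with `samba-tool drs showrepl | python -c 'import sys, check; print(check.check_dns_replication(sys.stdin.read()))'` (module name assumed); a `(False, [...])` result means the partitions are not ready for samba_upgradedns yet.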