redundant DNS setup with bind_dlz possible ?

Mike Howard mike at dewberryfields.co.uk
Mon Jun 4 02:52:35 MDT 2012


On 04/06/2012 07:58, Andreas Oster wrote:
> On 16.04.2012 10:13, Daniele Dario wrote:
>> On Mon, 2012-04-16 at 07:24 +0200, Andreas Oster wrote:
>>> On 13.04.2012 08:58, Daniele Dario wrote:
>>>> Hi Andreas and Amitay,
>>>>
>>>> On Fri, 2012-04-13 at 08:09 +0200, Andreas Oster wrote:
>>>>> On 13.04.2012 03:08, Amitay Isaacs wrote:
>>>>>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
>>>>>>> On 12.04.2012 16:32, Daniele Dario wrote:
>>>>>>>
>>>>>>>> Hi Andreas,
>>>>>>>>
>>>>>>>> On Thu, 2012-04-12 at 16:25 +0200, Daniele Dario wrote:
>>>>>>>>> On Thu, 2012-04-12 at 15:22 +0200, Andreas Oster wrote: ...
>>>>>>>>>> Hello Daniele, I have now set up a second DC and joined it to AD. I have seen
>>>>>>>>>> that replication of ForestDnsZones and DomainDnsZones in
>>>>>>>>>> private/sam.ldb.d is working, but I am missing the private/dns part.
>>>>>>>>>> samba_upgradedns gave the same error as Justin has observed. best
>>>>>>>>>> regards Andreas
>>>>>>>>> Hello Andreas, for me (I've just demoted the
>>>>>>>>> secondary DC and then reinstalled and re-joined it to the domain) I
>>>>>>>>> don't see DNS zones in private/sam.ldb.d. I guess that for you,
>>>>>>>>> samba-tool drs showrepl shows also the DNS zones in the INBOUND and
>>>>>>>>> OUTBOUND NEIGHBORS, isn't it? Daniele.
>>>>>>>> After trying to run samba_upgradedns, even if zones were not replicated,
>>>>>>>> I've seen that DNS zones appeared on sam.ldb.d.
>>>>>>>> Can you confirm that the DNS partitions are currently replicated (drs
>>>>>>>> showrepl should show them)?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Daniele.
>>>>>>> Hello Daniele,
>>>>>>>
>>>>>>> yes I can confirm, that I see
>>>>>>> inbound replication on second DC for ForestDnsZones and DomainDnsZones
>>>>>>> coming from first DC. I do see any sign of either inbound or outbound
>>>>>>> replication on the first DC though.
>>>>>>>
>>>>>>> best regards
>>>>>>>
>>>>>>> Andreas
>>>>>> Hi Andreas/Daniele,
>>>>>>
>>>>>> samba_upgradedns was designed mainly to upgrade old provisions using
>>>>>> BIND9 flat files to using AD based DNS. As a side effect, the script
>>>>>> can also be used to "fix" the dns provision after "samba-tool
>>>>>> join". However there are a few requisites for this to work. If you are
>>>>>> using samba_upgradedns script to "fix" the provision on second DC,
>>>>>> make sure of the following:
>>>>>>
>>>>>> 1. Do not run samba_upgradedns immediately after join. It won't work,
>>>>>> since samba_upgradedns may create new entries and on a fresh join,
>>>>>> there are no RIDs allocated to second DC, so no new entries can be
>>>>>> created.
>>>>>>
>>>>>> 2. Run first and second DCs, and make sure they replicate DNS
>>>>>> partitions. One trick is to restart second DC after it has done
>>>>>> initial replication. On the first replication, DNS partitions are
>>>>>> created and on the second replication (after restart) the DNS
>>>>>> partitions should get replicated. You should be able to query DNS
>>>>>> records on second DC using samba-tool dns after the replication.
>>>>>>
>>>>>> 3. Now run samba_upgradedns script. It will detect that the partitions
>>>>>> exist and will not attempt to create them, but only create private/dns
>>>>>> directory with a copy of samdb to be used with BIND.
>>>>>>
>>>>>> The script sometimes fails with LDB "Operations Error". I haven't
>>>>>> had a chance to look at that. If you notice it again, let me know your
>>>>>> set up. I will try to re-create the set up to debug this error.
>>>>>>
>>>>>> Amitay.
>>>>> Hello Amitay,
>>>>>
>>>>> thank you for this information, I will demote my second DC and start again
>>>>> from scratch with your tips.
>>>>>
>>>>> Thank you for your kind help.
>>>>>
>>>>> best regards
>>>>>
>>>>> Andreas
>>>>>
>>>> I demoted my secondary DC yesterday before Amitay's tips so I fired
>>>> samba_upgradedns before the second restart of the DC.
>>>>
>>>> Now it seems that something happened 'cause samba-tool dns query on
>>>> secondary DC works even if replication has errors on DNS zones (others
>>>> are OK):
>>>>
>>>> [root at kdc02:~]# samba-tool drs showrepl
>>>> ldb_wrap open of secrets.ldb
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> GENSEC backend 'krb5' registered
>>>> GENSEC backend 'fake_gssapi_krb5' registered
>>>> Using binding ncacn_ip_tcp:kdc02.saitelitalia.local[,seal]
>>>> Default-First-Site-Name\KDC02
>>>> DSA Options: 0x00000001
>>>> DSA object GUID: fc65c73a-90f6-450b-8dee-38eb890e6b69
>>>> DSA invocationId: 256ce256-9efb-4b10-8214-add01ed17d92
>>>>
>>>> ==== INBOUND NEIGHBORS ====
>>>>
>>>> DC=ForestDnsZones,DC=saitelitalia,DC=local
>>>> 	Default-First-Site-Name\KDC01 via RPC
>>>> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
>>>> 		Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
>>>> (WERR_DS_DRA_INTERNAL_ERROR)
>>>> 		188 consecutive failure(s).
>>>> 		Last success @ NTTIME(0)
>>>>
>>>> DC=DomainDnsZones,DC=saitelitalia,DC=local
>>>> 	Default-First-Site-Name\KDC01 via RPC
>>>> 		DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
>>>> 		Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
>>>> (WERR_DS_DRA_INTERNAL_ERROR)
>>>> 		188 consecutive failure(s).
>>>> 		Last success @ NTTIME(0)
>>>> ...
>>>>
>>>> If I try to demote secondary DC now I find this issue:
>>>>
>>>> [root at kdc02:~]# samba-tool domain demote -U administrator
>>>> GENSEC backend 'gssapi_spnego' registered
>>>> GENSEC backend 'gssapi_krb5' registered
>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>> GENSEC backend 'schannel' registered
>>>> GENSEC backend 'spnego' registered
>>>> GENSEC backend 'ntlmssp' registered
>>>> GENSEC backend 'krb5' registered
>>>> GENSEC backend 'fake_gssapi_krb5' registered
>>>> ERROR: Current DC is still the owner of %d role(s), use the role command
>>>> to transfer roles to another DC
>>>>
>>>> How can I transfer roles? Should I use samba-tool fsmo transfer?
>>>>
>>>> [root at kdc02:~]# samba-tool fsmo show
>>>> ldb_wrap open of secrets.ldb
>>>> InfrastructureMasterRole owner: CN=NTDS
>>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>> RidAllocationMasterRole owner: CN=NTDS
>>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>> PdcEmulationMasterRole owner: CN=NTDS
>>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>> DomainNamingMasterRole owner: CN=NTDS
>>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>> SchemaMasterRole owner: CN=NTDS
>>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>
>>>> so it seems that owner is primary DC (kdc01) isn't it?
>>>>
>>>> Thanks,
>>>> Daniele.
>>>>
>>>>
>>> Hello Daniele,
>>>
>>> did you make any progress with the DNS replication setup ?
>>> Have you been able to fix the demote issue in your configuration ?
>>>
>>> best regards
>>>
>>> Andreas
>>>
>> Hi Andreas,
>> I've just posted a patch to the list to show the FSMO roles owned by the
>> DC to demote and I'm waiting for responses.
>>
>> Anyway, I've been able to demote the secondary DC but even after
>> re-joining it and 2 samba restarts I'm not able to see DNS partitions in
>> private/sam.ldb.d/ so I guess I have something wrong or something which
>> is not removed during the demote operation.
>>
>> After last join, I've seen these errors on PDC:
>>
>> [2012/04/16 09:42:10,
>> 3] ../source4/dsdb/repl/drepl_service.c:202(_drepl_schedule_replication)
>>    _drepl_schedule_replication: forcing sync of partition
>> (5702affc-5157-438e-8714-c8f71fb06e61,
>> CN=Schema,CN=Configuration,DC=saitelitalia,DC=local,
>> 5da8f529-8af5-40ea-9d1e-dec40ba0713d._msdcs.saitelitalia.local)
>> [2012/04/16 09:42:11,
>> 3] ../source4/libcli/resolve/dns_ex.c:534(pipe_handler)
>>    dns child failed to find name
>> '6624e817-74ce-42fa-992c-1a9c51c4877b._msdcs.saitelitalia.local' of type
>> A
>> [2012/04/16 09:42:15,
>> 3] ../source4/dsdb/repl/drepl_service.c:202(_drepl_schedule_replication)
>>    _drepl_schedule_replication: forcing sync of partition
>> (14082c1d-4205-47e0-8c52-ff8764322c1c,
>> CN=Configuration,DC=saitelitalia,DC=local,
>> 5da8f529-8af5-40ea-9d1e-dec40ba0713d._msdcs.saitelitalia.local)
>> [2012/04/16 09:42:15,
>> 3] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4709(replmd_process_linked_attribute)
>>    Discarding older DRS linked attribute update to siteList on
>> CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site
>> Transports,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local from
>> 788bb21f-edc8-467d-89cf-f66b67840ce1
>> ...
>>
>> now, 5702affc-5157-438e-8714-c8f71fb06e61 should be kdc02 while
>> 6624e817-74ce-42fa-992c-1a9c51c4877b was the old kdc02 which should have
>> been deleted by demote ???
>>
>> Maybe this is a problem which does not allow to start replication of DNS
>> partitions?
>>
>> Daniele.
>>
>>
> Hello Daniele,
>
> did you make some progress with the redundant/secondary DNS setup ?
> Does it work for you ?
>
> best regards
>
> Andreas
>
Hi Andreas,

I've been trying this for a while now but no matter what I do, or how 
many times I do it, I cannot get the partitions replicated and so 
running samba_upgradedns is futile.

I'm spending another day trying but it's wearing a bit thin now :)

Cheers,
Mike
-- 
Any question is easy if you know the answer!
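Amitay's step 2 above says not to run samba_upgradedns until the DNS partitions have actually replicated, and Daniele's showrepl output shows what a never-replicated partition looks like (188 failures, Last success NTTIME(0)). The check below is an added example, not code from the thread or from Samba: it parses `samba-tool drs showrepl` output in that format and refuses unless both ForestDnsZones and DomainDnsZones have replicated inbound; the sample output and the domain DC=example,DC=local are constructed.

```shell
#!/bin/sh
# Added example: gate samba_upgradedns on the DNS partitions having replicated
# (Amitay's step 2). Parses 'samba-tool drs showrepl' output in the format of
# Daniele's mail; the sample below is constructed, not taken from the thread.

# dns_partitions_replicated: showrepl output on stdin -> one line
# "<partition> ok|failed|missing" per DNS partition; exit 0 only if both ok.
dns_partitions_replicated() {
    awk '
        BEGIN { n = split("DC=ForestDnsZones DC=DomainDnsZones", order, " ")
                for (i = 1; i <= n; i++) want[order[i]] = 1 }
        /^==== INBOUND NEIGHBORS ====/  { inbound = 1; next }
        /^==== OUTBOUND NEIGHBORS ====/ { inbound = 0; next }
        !inbound { next }
        # naming-context header, e.g. "DC=ForestDnsZones,DC=example,DC=local"
        /^(DC|CN)=/ { split($0, f, ","); part = f[1]
                      if (part in want) status[part] = "ok"; next }
        !(part in want) { next }
        # "188 consecutive failure(s)." -> any non-zero count is a failure
        /consecutive failure/ && $1 + 0 > 0 { status[part] = "failed" }
        # NTTIME(0) means the partition has never been received from this DC
        /Last success @ NTTIME\(0\)/ { status[part] = "failed" }
        END { rc = 0
              for (i = 1; i <= n; i++) { p = order[i]
                  s = (p in status) ? status[p] : "missing"
                  if (s != "ok") rc = 1
                  print substr(p, 4), s }
              exit rc }'
}

# Constructed excerpt: ForestDnsZones has never replicated (the symptom in the
# thread), DomainDnsZones has; the Schema partition must not affect the result.
sample_showrepl() {
cat <<'EOF'
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=example,DC=local
        Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442
        188 consecutive failure(s).
        Last success @ NTTIME(0)
DC=DomainDnsZones,DC=example,DC=local
        Last attempt @ Fri Apr 13 08:31:16 2012 CEST was successful
        0 consecutive failure(s).
        Last success @ Fri Apr 13 08:31:16 2012 CEST
CN=Schema,CN=Configuration,DC=example,DC=local
        5 consecutive failure(s).
EOF
}

# Real use: samba-tool drs showrepl | dns_partitions_replicated && samba_upgradedns
check_sample() { sample_showrepl | dns_partitions_replicated; }
```

On the constructed sample the check prints "ForestDnsZones failed" and "DomainDnsZones ok" and exits non-zero, so a wrapper script would stop before samba_upgradedns.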