redundant DNS setup with bind_dlz possible ?

Andreas Oster aoster at novanetwork.de
Mon Jun 4 03:06:38 MDT 2012


Am 04.06.2012 10:52, schrieb Mike Howard:
> On 04/06/2012 07:58, Andreas Oster wrote:
>> Am 16.04.2012 10:13, schrieb Daniele Dario:
>>> On Mon, 2012-04-16 at 07:24 +0200, Andreas Oster wrote:
>>>> Am 13.04.2012 08:58, schrieb Daniele Dario:
>>>>> Hi Andreas and Amitay,
>>>>>
>>>>> On Fri, 2012-04-13 at 08:09 +0200, Andreas Oster wrote:
>>>>>> Am 13.04.2012 03:08, schrieb Amitay Isaacs:
>>>>>>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
>>>>>>>> Am 12.04.2012 16:32, schrieb Daniele Dario:
>>>>>>>>
>>>>>>>>> Hi Andreas,
>>>>>>>>>
>>>>>>>>> On Thu, 2012-04-12 at 16:25 +0200, Daniele Dario wrote:
>>>>>>>>>> On Thu, 2012-04-12 at 15:22 +0200, Andreas Oster wrote: ...
>>>>>>>>>>> Hello Daniele, I have now set up a second DC and joined it to
>>>>>>>>>>> AD. I have seen that replication of ForestDnsZones and
>>>>>>>>>>> DomainDnsZones in private/sam.ldb.d is working, but I am
>>>>>>>>>>> missing the private/dns part. samba_upgradedns gave the same
>>>>>>>>>>> error as Justin has observed. best regards Andreas
>>>>>>>>>> Hallo Andreas, for me (I've just demoted the secondary DC and
>>>>>>>>>> then reinstalled and re-joined it to the domain) I don't see
>>>>>>>>>> DNS zones in private/sam.ldb.d. I guess that for you,
>>>>>>>>>> samba-tool drs showrepl shows also the DNS zones in the INBOUND
>>>>>>>>>> and OUTBOUND NEIGHBORS, isn't it? Daniele.
>>>>>>>>> After trying to run samba_upgradedns, even if zones were not
>>>>>>>>> replicated, I've seen that DNS zones appeared on sam.ldb.d.
>>>>>>>>> Can you confirm that the DNS partitions are currently replicated
>>>>>>>>> (drs showrepl should show them)?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Daniele.
>>>>>>>> Hello Daniele,
>>>>>>>>
>>>>>>>> yes I can confirm, that I see
>>>>>>>> inbound replication on second DC for ForestDnsZones and
>>>>>>>> DomainDnsZones
>>>>>>>> coming from first DC. I do see any sign of either inbound or
>>>>>>>> outbound
>>>>>>>> replication on the first DC though.
>>>>>>>>
>>>>>>>> best regards
>>>>>>>>
>>>>>>>> Andreas
>>>>>>> Hi Andreas/Daniele,
>>>>>>>
>>>>>>> samba_upgradedns was designed mainly to upgrade old provisions using
>>>>>>> BIND9 flat files to using AD based DNS. As a side effect, the script
>>>>>>> can also be used to "fix" the dns provision after "samba-tool
>>>>>>> join". However there are a few requisites for this to work. If you are
>>>>>>> using the samba_upgradedns script to "fix" the provision on the second DC,
>>>>>>> make sure of the following:
>>>>>>>
>>>>>>> 1. Do not run samba_upgradedns immediately after join. It won't
>>>>>>> work, since samba_upgradedns may create new entries and on a fresh
>>>>>>> join there are no RIDs allocated to the second DC, so no new entries
>>>>>>> can be created.
>>>>>>>
>>>>>>> 2. Run first and second DCs, and make sure they replicate DNS
>>>>>>> partitions. One trick is to restart second DC after it has done
>>>>>>> initial replication. On the first replication, DNS partitions are
>>>>>>> created and on the second replication (after restart) the DNS
>>>>>>> partitions should get replicated. You should be able to query DNS
>>>>>>> records on second DC using samba-tool dns after the replication.
>>>>>>>
>>>>>>> 3. Now run samba_upgradedns script. It will detect that the
>>>>>>> partitions
>>>>>>> exist and will not attempt to create them, but only create
>>>>>>> private/dns
>>>>>>> directory with a copy of samdb to be used with BIND.
>>>>>>>
>>>>>>> The script sometimes fails with LDB "Operations Error". I haven't
>>>>>>> had a chance to look at that. If you notice it again, let me know
>>>>>>> your set up. I will try to re-create the set up to debug this error.
>>>>>>>
>>>>>>> Amitay.
>>>>>> Hello Amitay,
>>>>>>
>>>>>> thank you for this information, I will demote my second DC and
>>>>>> start again from scratch with your tips.
>>>>>>
>>>>>> Thank you for your kind help.
>>>>>>
>>>>>> best regards
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>> I demoted my secondary DC yesterday before Amitay's tips so I fired
>>>>> samba_upgradedns before the second restart of the DC.
>>>>>
>>>>> Now it seems that something happened 'cause samba-tool dns query on
>>>>> the secondary DC works even if replication has errors on DNS zones
>>>>> (others are OK):
>>>>>
>>>>> [root at kdc02:~]# samba-tool drs showrepl
>>>>> ldb_wrap open of secrets.ldb
>>>>> GENSEC backend 'gssapi_spnego' registered
>>>>> GENSEC backend 'gssapi_krb5' registered
>>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>>> GENSEC backend 'schannel' registered
>>>>> GENSEC backend 'spnego' registered
>>>>> GENSEC backend 'ntlmssp' registered
>>>>> GENSEC backend 'krb5' registered
>>>>> GENSEC backend 'fake_gssapi_krb5' registered
>>>>> Using binding ncacn_ip_tcp:kdc02.saitelitalia.local[,seal]
>>>>> Default-First-Site-Name\KDC02
>>>>> DSA Options: 0x00000001
>>>>> DSA object GUID: fc65c73a-90f6-450b-8dee-38eb890e6b69
>>>>> DSA invocationId: 256ce256-9efb-4b10-8214-add01ed17d92
>>>>>
>>>>> ==== INBOUND NEIGHBORS ====
>>>>>
>>>>> DC=ForestDnsZones,DC=saitelitalia,DC=local
>>>>>     Default-First-Site-Name\KDC01 via RPC
>>>>>         DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
>>>>>         Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result
>>>>> 8442
>>>>> (WERR_DS_DRA_INTERNAL_ERROR)
>>>>>         188 consecutive failure(s).
>>>>>         Last success @ NTTIME(0)
>>>>>
>>>>> DC=DomainDnsZones,DC=saitelitalia,DC=local
>>>>>     Default-First-Site-Name\KDC01 via RPC
>>>>>         DSA object GUID: bdbaecef-ace9-4314-b65e-54933ac8b660
>>>>>         Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result
>>>>> 8442
>>>>> (WERR_DS_DRA_INTERNAL_ERROR)
>>>>>         188 consecutive failure(s).
>>>>>         Last success @ NTTIME(0)
>>>>> ...
>>>>>
>>>>> If I try to demote secondary DC now I find this issue:
>>>>>
>>>>> [root at kdc02:~]# samba-tool domain demote -U administrator
>>>>> GENSEC backend 'gssapi_spnego' registered
>>>>> GENSEC backend 'gssapi_krb5' registered
>>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>>> GENSEC backend 'schannel' registered
>>>>> GENSEC backend 'spnego' registered
>>>>> GENSEC backend 'ntlmssp' registered
>>>>> GENSEC backend 'krb5' registered
>>>>> GENSEC backend 'fake_gssapi_krb5' registered
>>>>> ERROR: Current DC is still the owner of %d role(s), use the role
>>>>> command
>>>>> to transfer roles to another DC
>>>>>
>>>>> How can I transfer roles? Should I use samba-tool fsmo transfer?
>>>>>
>>>>> [root at kdc02:~]# samba-tool fsmo show
>>>>> ldb_wrap open of secrets.ldb
>>>>> InfrastructureMasterRole owner: CN=NTDS
>>>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>>
>>>>> RidAllocationMasterRole owner: CN=NTDS
>>>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>>
>>>>> PdcEmulationMasterRole owner: CN=NTDS
>>>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>>
>>>>> DomainNamingMasterRole owner: CN=NTDS
>>>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>>
>>>>> SchemaMasterRole owner: CN=NTDS
>>>>> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>>
>>>>>
>>>>> so it seems that the owner is the primary DC (kdc01), isn't it?
>>>>>
>>>>> Thanks,
>>>>> Daniele.
>>>>>
>>>>>
>>>> Hello Daniele,
>>>>
>>>> did you make any progress with the DNS replication setup?
>>>> Have you been able to fix the demote issue in your configuration?
>>>>
>>>> best regards
>>>>
>>>> Andreas
>>>>
>>> Hi Andreas,
>>> I've just posted a patch to the list to show the FSMO roles owned by the
>>> DC to demote and I'm waiting for responses.
>>>
>>> Anyway, I've been able to demote the secondary DC but even after
>>> re-joining it and 2 samba restarts I'm not able to see DNS partitions in
>>> private/sam.ldb.d/ so I guess I have something wrong or something which
>>> is not removed during the demote operation.
>>>
>>> After last join, I've seen these errors on PDC:
>>>
>>> [2012/04/16 09:42:10,
>>> 3] ../source4/dsdb/repl/drepl_service.c:202(_drepl_schedule_replication)
>>>    _drepl_schedule_replication: forcing sync of partition
>>> (5702affc-5157-438e-8714-c8f71fb06e61,
>>> CN=Schema,CN=Configuration,DC=saitelitalia,DC=local,
>>> 5da8f529-8af5-40ea-9d1e-dec40ba0713d._msdcs.saitelitalia.local)
>>> [2012/04/16 09:42:11,
>>> 3] ../source4/libcli/resolve/dns_ex.c:534(pipe_handler)
>>>    dns child failed to find name
>>> '6624e817-74ce-42fa-992c-1a9c51c4877b._msdcs.saitelitalia.local' of type
>>> A
>>> [2012/04/16 09:42:15,
>>> 3] ../source4/dsdb/repl/drepl_service.c:202(_drepl_schedule_replication)
>>>    _drepl_schedule_replication: forcing sync of partition
>>> (14082c1d-4205-47e0-8c52-ff8764322c1c,
>>> CN=Configuration,DC=saitelitalia,DC=local,
>>> 5da8f529-8af5-40ea-9d1e-dec40ba0713d._msdcs.saitelitalia.local)
>>> [2012/04/16 09:42:15,
>>> 3]
>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4709(replmd_process_linked_attribute)
>>>
>>>    Discarding older DRS linked attribute update to siteList on
>>> CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site
>>> Transports,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local from
>>> 788bb21f-edc8-467d-89cf-f66b67840ce1
>>> ...
>>>
>>> now, 5702affc-5157-438e-8714-c8f71fb06e61 should be kdc02 while
>>> 6624e817-74ce-42fa-992c-1a9c51c4877b was the old kdc02 which should have
>>> been deleted by demote ???
>>>
>>> Maybe this is a problem which does not allow replication of the DNS
>>> partitions to start?
>>>
>>> Daniele.
>>>
>>>
>> Hello Daniele,
>>
>> did you make some progress with the redundant/secondary DNS setup?
>> Does it work for you?
>>
>> best regards
>>
>> Andreas
>>
> Hi Andreas,
> 
> I've been trying this for a while now but no matter what I do, or how
> many times I do it, I cannot get the partitions replicated and so
> running samba_upgradedns is futile.
> 
> I'm spending another day trying but it's wearing a bit thin now :)
> 
> Cheers,
> Mike
Hi Mike,

I've read that the samba team is planning to release a beta soon. Is
it not advisable to first fix the DNS functionality before doing so?
I understand that DNS is a fundamental part of a working AD. What
benefit would you get from adding additional samba DCs other than some
load balancing? If your main DC, hosting bind9, dies the whole AD is
somewhat useless.

What do you think ?

best regards

Andreas
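Added example, not code from the thread or from Samba itself: a small check for Amitay's step 2 above, which gates running samba_upgradedns on the DNS partitions actually having replicated inbound to the second DC. It parses the `samba-tool drs showrepl` listing (the sample text is constructed from the failing listing Daniele posted; `parse_inbound` and `dns_partitions_replicated` are hypothetical names) and treats "NTTIME(0)" as "never replicated".

```python
# Added example: decide from `samba-tool drs showrepl` output whether both DNS
# partitions replicated inbound, before samba_upgradedns is run on the second DC.
import re

DNS_PARTITIONS = ("ForestDnsZones", "DomainDnsZones")

# Constructed from Daniele's failing listing (secondary DC kdc02, primary kdc01).
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=saitelitalia,DC=local
        Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)
        188 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=saitelitalia,DC=local
        Last attempt @ Fri Apr 13 08:31:16 2012 CEST failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)
        188 consecutive failure(s).
        Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
"""

# Constructed "healthy" variant of the same listing, for comparison.
HEALTHY_SHOWREPL = (SAMPLE_SHOWREPL
    .replace("failed, result 8442 (WERR_DS_DRA_INTERNAL_ERROR)", "was successful")
    .replace("188 consecutive", "0 consecutive")
    .replace("NTTIME(0)", "Fri Apr 13 08:31:16 2012 CEST"))

def parse_inbound(showrepl_text):  # {partition DN: {"failures": n, "last_success": str}}
    section = showrepl_text.split("==== INBOUND NEIGHBORS ====", 1)[-1]
    section = section.split("==== OUTBOUND NEIGHBORS ====", 1)[0]
    result, current = {}, None
    for line in section.splitlines():
        if line.startswith("DC="):  # partition header lines are not indented
            current = line.strip()
            result[current] = {"failures": 0, "last_success": None}
        elif current:
            if m := re.search(r"(\d+) consecutive failure", line):
                result[current]["failures"] = int(m.group(1))
            if m := re.search(r"Last success @ (.+)$", line.strip()):
                result[current]["last_success"] = m.group(1)
    return result

def dns_partitions_replicated(showrepl_text):
    """Both DNS partitions inbound, no consecutive failures, real last success."""
    parsed = parse_inbound(showrepl_text)
    for name in DNS_PARTITIONS:
        entries = [v for dn, v in parsed.items() if dn.startswith("DC=%s," % name)]
        if not entries or any(e["failures"] > 0 or e["last_success"] in (None, "NTTIME(0)")
                              for e in entries):
            return False
    return True
```

Running this against the real command's output (`samba-tool drs showrepl`) on the second DC before step 3 tells you whether samba_upgradedns has anything to copy into private/dns yet.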
