How to get DNS replication working properly?
Morten Kramer
node1011 at googlemail.com
Fri Jun 22 09:32:58 MDT 2012
Hi all,
I've been trying to get DNS replication to work for a few days now.
What I've done:
- Compile Samba (Beta1/Beta2/recent git pull) under Centos 6.2 x64
- Compile latest BIND 9.8.x/9.9.x (with DL open + gssapi support)
- Join it to the existing Windows 2008 R2 Domain, using this howto:
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
At this point I can start Samba (having /etc/resolv.conf pointing to the
Windows DC) and after running repadmin /kcc on the Windows DC it will
show up as Online on the Windows DC and showrepl looks fine.
I then run ./samba_upgradedns
....
DNS records will be automatically created
DNS partitions already exist
....
It terminates with no errors and private/dns and named.conf are being
created.
Added the tkey-gssapi-keytab option to named.conf and included the Samba
named.conf.
Bind starts without errors and loads the Samba DLZ.
When I change the nameserver to 127.0.0.1 on the Linux host, Samba won't
connect to the Windows DC, or become Online. It can't find the _ldap,
_kerberos, _gc A and SRV records in the local Bind nameserver. For
whatever reason they are not replicated.
./samba-tool dns query confirms this. When I run ./samba-dnsupdate
--verbose, it fails to resolve everything. With the Windows NS
everything is fine.
I took the output from dnsupdate and created a zonefile manually. I
added it to a zone in Bind. This works and Samba can now connect to
the Windows DC, using the local nameserver.
However, it conflicts with the DLZ zone, so I can only have one of them
running at the same time :(
Tried to add them via ./samba-tool dns add, but it fails with
'WERR_INTERNAL_DB_ERROR'. Tried to use nsupdate -g, it comes back with
some rdata error.
It seems like DNS is not replicated reliably at all. During the various
attempts I had quite different outcomes:
- Have most of the DNS names, but no IP record and also old names that
have already been deleted on the Windows DC
- Have some of the DNS names, but no IP record and also old names that
have already been deleted on the Windows DC
- Have mostly correct DNS names, with lots of IPs.
In any case though, the A, SRV records mentioned above are not replicated.
The dynamic client updates are dropping in over time though, so after
having it running for half a day, the DNS server will resolve about half
of our clients. The DLZ plugin seems to function properly.
This is a little bit frustrating.
I know there are still some issues with DNS and I saw there is some work
going on (thanks, Andrew B.).
Anyway, is there some workaround at this point? We'd like to migrate our
domain to Samba ONLY as soon as possible.
Since there are about 150 clients, it would be very painful to start
from scratch and rejoin all machines etc.
I would be happy if I could export the existing OUs/Users/Machines from
the Windows2k8 Domain and import them to a freshly provisioned Samba, if
that is possible.
Or have a way to set the A and SRV records statically somehow, then demote
the Windows DC and transfer the FSMO roles to Samba. Whatever makes the
most sense.
Any help will be greatly appreciated!
Thanks,
Morten
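The post above boils down to one check: does the local BIND/DLZ answer for the _ldap, _kerberos and _gc locator records that the Windows DC serves? The script below is an added diagnostic example, not code from the post, from Samba or from BIND. It builds raw DNS SRV/A queries with the standard library (no dnspython, so it runs on a bare DC host), asks two resolvers, and reports every name the reference DC answers that the local server does not. The domain and the two resolver addresses are command-line arguments (assumptions); the `_ldap._tcp.dc._msdcs` name is the standard AD DC-locator record, added alongside the three names the post mentions.

```python
"""Compare the AD locator records two nameservers return for a domain.
Added diagnostic example (not from the post or from Samba); resolver
addresses and the domain name are assumptions passed on the command line."""
import random
import socket
import struct
import sys

QTYPE_A, QTYPE_SRV = 1, 33


def locator_names(domain):
    """SRV names a DC must resolve to find its peers: the _ldap, _kerberos
    and _gc records the post reports missing, plus _ldap._tcp.dc._msdcs."""
    return [f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}",
            f"_gc._tcp.{domain}", f"_ldap._tcp.dc._msdcs.{domain}"]


def build_query(name, qtype=QTYPE_SRV, txid=None):
    """Build a single-question DNS query (recursion desired); return (packet, txid)."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1), txid


def _read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_answers(data, txid):
    """Return (rcode, answers); answers are (name, type, rdata) tuples where
    SRV rdata is (priority, weight, port, target) and A rdata is a dotted quad."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("DNS transaction id mismatch")
    rcode, offset, answers = flags & 0x0F, 12, []
    for _ in range(qd):                      # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = _read_name(data, offset + 6)   # target may be compressed
            answers.append((name, "SRV", (prio, weight, port, target)))
        elif rtype == QTYPE_A:
            answers.append((name, "A", socket.inet_ntoa(rdata)))
        else:
            answers.append((name, str(rtype), rdata))
        offset += rdlen
    return rcode, answers


def query(resolver, name, qtype=QTYPE_SRV, timeout=3.0):
    """Send one UDP query to `resolver` on port 53 and parse the reply."""
    packet, txid = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_answers(reply, txid)


def missing_on_local(names, reference_ns, local_ns):
    """Names the reference DC answers that the local server does not."""
    missing = []
    for name in names:
        _, ref = query(reference_ns, name)
        _, loc = query(local_ns, name)
        if ref and not loc:
            missing.append(name)
    return missing


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} DOMAIN WINDOWS_DC_IP LOCAL_BIND_IP")
    domain, ref_ns, local_ns = sys.argv[1:]
    for name in missing_on_local(locator_names(domain), ref_ns, local_ns):
        print("missing on local BIND:", name)
```

Run it once with the Windows DC as both arguments to confirm the parser and the reference set agree, then with 127.0.0.1 as the third argument; an empty result is the state the post is trying to reach before switching /etc/resolv.conf. Because the queries go straight to port 53 of each address, the comparison is independent of whatever resolv.conf currently points at.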