Sites and DNS
klatimer at tolent.co.uk
Tue Mar 27 01:31:16 MDT 2012
Thanks for your replies Andrew/Amitay.
On 26/03/2012 23:40, Amitay Isaacs wrote:
> Hi Kev,
> On Tue, Mar 27, 2012 at 2:40 AM, Kev Latimer<klatimer at tolent.co.uk> wrote:
>> Afternoon all,
>> This has had me rattling my head all day trying to figure out my best
>> I'm wanting to stick a DC in each of our physical offices, as they're all
>> either side of WAN links. I've set up and provisioned many tests over the
>> last 8 or so weeks (mainly to try any permutation I could think of to find
>> my "sweet spot") and once I had my initial DC provisioned I created another
>> 5 - one extra in the initial site and one in each office. Logically, I
>> created 4 new sites in "AD sites and services" MMC and renamed the
>> Default-First-Site-Name to reflect the geographic region of the original
> I have not tested what happens when you rename the default site. Samba
> daemon runs a samba_dnsupdate script periodically to update DNS
> records for DC. This should update the names with correct site name.
> Do you see any names in AD DNS with the new site name?
I don't, unfortunately. If I rename the default site, it appears fine
in the Sites and Services MMC, same as if I add a new site. I create a
subnet for each of these and link against my site, again, shows fine in
MMC. Unfortunately, no change in DNS, still only shows
Default-First-Site-Name in all the _sites containers (in
_sites.dc._msdcs.MyDomainName.com and _sites.gc._msdcs.MyDomainName.com).
I manually ran samba_dnsupdate, initially prior to making any changes
just to see what correct output should be - it returned nothing so I
assume that's correct behaviour when no errors. After renaming the
first site and creating a new site (probably should have only done one
or the other!) I get:
Failed update of 6 entries
How can I best debug this for you? I'll try and get some better output
but if there's a specific thing I can do to get the most relevant
debugging, just let me know.
>> First deployment had DRS issues, one of the DC's would repeatedly give out
>> errors no matter how many times I brought them back in sync but my
>> subsequent attempts seem to be quite happy. Sites were shown properly in
>> the MMC and aside from not trying a client at a remote site, I was happy
>> that the implementation looked okay.
>> It's been a couple of weeks since I did that last test with sites as I've
>> been looking at DNS implementation - all with clean provisions and always
>> latest git, first using bind9_dlz, then flatfile, then internal this morning
>> (using Amitay's dns-wip git branch) and now back to dlz. While going
>> through both the DLZ and Internal structures through the DNS MMC, it seems
>> to me that while the sites are showing up correctly in AD, this isn't
>> reflected in DNS. I've been reading through MS's docs on DNS in AD to make
>> sure I'm reading it all right (I think I am) but I figure that if I add a
>> new site, I should see it as
> You don't need to use my dns-wip branch anymore. All the dns changes
> in my branch are in samba master tree.
Ah, my bad. I think I spotted earlier on the list you were prompting
people to use dns-wip so I assumed that was where the most functional
internal server was. I'm glad, as I understand I can switch between the
two directory-based DNS implementations while testing rather than
building and provisioning a new one each time.
>> I've tried asking it to resolve through "host" on a shell to see if it's a
>> trick of the MMC but it seems no matter what I do with regards to changing
>> the Default-First-Site-Name or adding new sites, DNS just doesn't change.
>> Can anyone tell me if I've been staring at this for so long I'm going a bit
>> mad or if this isn't supported yet? I'm sure I read it was, but I do wonder
>> if it's something that's supported as far as directory objects but not
>> within directory-based DNS (dlz _or_ internal)?
> Whether you use BIND9_DLZ or SAMBA_INTERNAL backend, you'll see the
> same DNS records. Since the DNS records are updated when you
> provision, via samba_dnsupdate script and via directory replication.
> (If you have windows DC, then it will try to update the names via
> secure dynamic dns update.) For samba only DCs, the way to get all
> sites to work is by ensuring that all sites are replicating. That will
> replicate the DNS information.
No Windows DC's in here at all, it's all samba. Replication seemed to
be fine prior to spotting the issue with site names in DNS so I figure
we're best making sure AD DNS looks fine before worrying about whether
it makes it to the other DC's :-)
> Please note that DNS in this kind of multi-site set up is not really
> tested. So if you notice something is not working, probably it needs
> to be fixed. And you're not going mad. :) If you can pinpoint specific
> problems, I can help to sort them out.
I had begun to lean towards the idea of "handcrafting" a BIND9 zone file
(as my sites and DC's are unlikely to change in the near future) and
ditching a directory-based DNS server but if I can help get this working
for everyone else then please just let me know what I can do.
Thanks again Amitay.
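A check for the symptom discussed above, added here as an example and not code from the thread or from Samba: it builds the site-scoped SRV owner names the AD DNS layout puts under the _sites containers for each site, parses `host -t SRV` style output, and reports which names are missing per site and which still hang off a renamed site. The record set is the standard AD one and is assumed to match what samba_dnsupdate registers (the DC's dns_update_list is the authority); the domain and site names are constructed.

```python
# Added example (not from the thread or Samba). Assumes the standard AD
# site-scoped SRV names; compare with dns_update_list on the DC if unsure.
SITE_SCOPED_NAMES = (
    "_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
    "_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
    "_ldap._tcp.{site}._sites.gc._msdcs.{domain}",
    "_ldap._tcp.{site}._sites.{domain}",
    "_kerberos._tcp.{site}._sites.{domain}",
    "_gc._tcp.{site}._sites.{domain}",
)

def expected_site_names(domain, site):
    """Owner names DNS should hold once a site has a DC registered in it."""
    return {t.format(site=site, domain=domain).lower() for t in SITE_SCOPED_NAMES}

def parse_host_srv(output):
    """Collect owner names from 'host -t SRV' lines (DNS names are case-insensitive)."""
    names = set()
    for line in output.splitlines():
        if " has SRV record " in line:
            names.add(line.split(" has SRV record ")[0].strip().lower())
    return names

def site_record_report(domain, sites, present_names, old_site=None):
    """Map each site to its missing owner names.

    If old_site is given (a site that was renamed), also list the names that
    still exist under the old name, i.e. records samba_dnsupdate never moved.
    """
    report = {}
    for site in sites:
        report[site] = sorted(expected_site_names(domain, site) - present_names)
    if old_site:
        stale = expected_site_names(domain, old_site) & present_names
        report["stale:" + old_site] = sorted(stale)
    return report

# Constructed sample output: only the default site's names exist, as in the thread.
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomainname.com has SRV record 0 100 389 dc1.mydomainname.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomainname.com has SRV record 0 100 88 dc1.mydomainname.com.
"""

if __name__ == "__main__":
    present = parse_host_srv(SAMPLE_HOST_OUTPUT)
    for site, names in site_record_report(
            "mydomainname.com", ["Default-First-Site-Name", "London"], present).items():
        print(site, "missing:", names)
```

Feed it the real `host -t SRV` output for each expected name (or a zone dump) and an empty list for a site means its records are all there.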