samba_upgradedns issues on secondary DC SOLVED!!

Daniele Dario d.dario76 at gmail.com
Thu May 3 08:12:42 MDT 2012


On Thu, 2012-05-03 at 15:10 +0200, Andreas Oster wrote:
> Am 03.05.2012 14:51, schrieb Daniele Dario:
> > On Thu, 2012-05-03 at 14:04 +0200, Andreas Oster wrote:
> >> Am 23.04.2012 12:56, schrieb Daniele Dario:
> >>> Hi Amitay,
> >>>
> >>> as said in my last mail, I tried to start bind on the secondary DC and it
> >>> started without errors.
> >>>
> >>> nslookup works (as expected), same for samba-tool dns ...
> >>>
> >>> The only thing I'm facing is that in the zones the names are
> >>> automatically replicated but the records are not. To clarify things, after
> >>> I had the DNS zones replicated I found that on the secondary DC, using
> >>> samba-tool dns query, I saw the presence of the zones, and inside the zones
> >>> I found that the names were populated but the records were not: for example,
> >>> on kdc02 dns query on the forward zone tells me this about kdc01
> >>>   Name=, Records=0, Children=0
> >>> while on kdc01 I read
> >>>   Name=, Records=1, Children=0
> >>>     A: 192.168.12.5 (flags=f0, serial=142, ttl=900)
> >>> After the week-end, I've seen that the windows boxes which started working
> >>> today have updated records on both DCs.
> >>>
> >>> Is this behavior correct?
> >>>
> >>> Daniele.
> >>>
> >>>
> >> Hello Daniele,
> >>
> >> have you been able to successfully add a secondary DC as an additional
> >> bind9 DNS server? If so, can you explain the steps to get a working
> >> configuration?
> >>
> >> Thank you
> >>
> >> best regards
> >>
> >> Andreas
> > Hi Andreas,
> > as said by Amitay, the first step is to have the DNS zones replicated
> > between the DCs.
> >
> >      1. join the 2nd DC to the domain as per
> >         https://wiki.samba.org/index.php/Samba4_joining_a_domain
> >      2. after the join, before starting samba I increase the log level to
> >         see problems in detail (add log level = 3 or more in
> >         etc/smb.conf in the [global] section)
> >      3. once you have started samba4 on both DCs you should see that
> >         replication starts (at least the basic three zones)
> >      4. Amitay's tip is to restart samba4 again to start replication of
> >         the DNS zones but this has not worked for me, so I had to run
> >         samba-tool drs replicate <dst dc> <src dc>
> >         DC=DomainDnsZones,DC=domain,DC=local and
> >         DC=ForestDnsZones,DC=domain,DC=local on the primary and then on the
> >         secondary DC to get them replicated
> >      5. once you have the DNS zones replicated between the DCs you can try to
> >         check whether samba-tool dns query on the secondary DC works
> >      6. at this point, if you run samba_upgradedns you should see
> >         that the private/dns folder (and the ldbs) will be created
> >      7. last, configure bind as on the primary DC and start it
> >
> > As said in point 4, I was not able to get replication of the DNS zones
> > working automatically as described by Amitay.
> > BTW, after I started it manually I was able to see the zones by RPC
> > (using samba-tool dns ...).
> > Even if replication is working, it seems that the zones are not fully
> > replicated because they are populated with entries but without records.
> >
> > I've seen that after a while, the windows boxes which work on the domain had
> > updated their dns entries and they appeared also on the secondary DC.
> >
> > Let me know if you are luckier than me.
> >
> > Cheers,
> > Daniele.
> Hello Daniele,
> 
> I also got stuck at step 4. The ForestDnsZones and DomainDnsZones do
> not replicate between DC1 and DC2. I currently have a quite stable samba4
> configuration and I am a bit afraid to break it (again). The last time I
> tried to create a secondary DNS I ended up with a semi-functional secondary
> DC which I could not demote anymore (I think you've had the same issue).
> Unfortunately I did not back up the samba files :-(
> 
> Is your second DNS now fully populated with the same entries as the
> primary one? Does replication work in both directions if you add an entry
> to one of the DNS servers?
> 
> Thanks
> 
> Andreas
> 
Hello Andreas,

with v18 I also had problems when trying to demote the secondary DC. For
me the problem was that the secondary DC had troubles with basic
replication. I tried stopping inbound and outbound replication with
samba-tool drs options --dsa-option=-DISABLE_OUTBOUND_REPL and then I
demoted it successfully.

BTW, now I have upgraded to v21 and had luck with join and demote (I tried
again to have the DNS zones replicated automatically, without success, so I
demoted the secondary and joined it to the domain again).

For the DNS issues this is what I'm seeing:

samba-tool dns query kdc01 saitelitalia.local @ ALL -U administrator
  Name=, Records=4, Children=0
    NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
    A: 192.168.12.5 (flags=600000f0, serial=1, ttl=900)
    A: 192.168.12.2 (flags=600000f0, serial=254, ttl=900)
    SOA: serial=293, refresh=900, retry=600, expire=86400,
ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
(flags=600000f0, serial=292, ttl=3600)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=activity, Records=1, Children=0
    A: 192.168.12.12 (flags=f0, serial=284, ttl=1200)
  Name=alaska, Records=1, Children=0
    A: 192.168.12.157 (flags=f0, serial=136, ttl=0)
  Name=amm01, Records=1, Children=0
    A: 192.168.12.57 (flags=f0, serial=293, ttl=1200)
  Name=amm02, Records=1, Children=0
    A: 192.168.12.58 (flags=f0, serial=293, ttl=1200)
  Name=antoniodm, Records=1, Children=0
    A: 192.168.12.209 (flags=f0, serial=293, ttl=1200)
  Name=DomainDnsZones, Records=0, Children=2
  Name=filesrv01, Records=1, Children=0
    A: 192.168.12.6 (flags=f0, serial=89, ttl=900)
  Name=ForestDnsZones, Records=0, Children=2
  Name=kdc01, Records=1, Children=0
    A: 192.168.12.5 (flags=f0, serial=142, ttl=900)
  Name=kdc02, Records=1, Children=0
    A: 192.168.12.2 (flags=f0, serial=262, ttl=900)
  Name=MG01, Records=1, Children=0
    A: 192.168.12.55 (flags=f0, serial=261, ttl=1200)
  Name=pcdino, Records=1, Children=0
    A: 192.168.12.210 (flags=f0, serial=293, ttl=1200)
  Name=pcw2k, Records=1, Children=0
    A: 192.168.12.71 (flags=f0, serial=173, ttl=1200)
  Name=pr01, Records=1, Children=0
    A: 192.168.12.60 (flags=f0, serial=261, ttl=1200)
  Name=pr02, Records=1, Children=0
    A: 192.168.12.219 (flags=f0, serial=261, ttl=1200)
  Name=printsrv01, Records=1, Children=0
    A: 192.168.12.3 (flags=f0, serial=20, ttl=900)
  Name=rmanager, Records=1, Children=0
    A: 192.168.12.4 (flags=f0, serial=24, ttl=900)
  Name=serverf12, Records=1, Children=0
    A: 192.168.12.10 (flags=f0, serial=19, ttl=900)
  Name=ua01, Records=1, Children=0
    A: 192.168.12.56 (flags=f0, serial=293, ttl=1200)
  Name=ua02, Records=1, Children=0
    A: 192.168.12.64 (flags=f0, serial=16, ttl=900)
  Name=ut01, Records=1, Children=0
    A: 192.168.12.49 (flags=f0, serial=293, ttl=1200)
  Name=UT04, Records=1, Children=0
    A: 192.168.12.129 (flags=f0, serial=293, ttl=1200)
  Name=vm03, Records=1, Children=0
    A: 192.168.12.212 (flags=f0, serial=261, ttl=1200)
  Name=xensrv01, Records=1, Children=0
    A: 192.168.12.15 (flags=f0, serial=137, ttl=0)

samba-tool dns query kdc02 saitelitalia.local @ ALL -U administrator
  Name=, Records=0, Children=0
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=activity, Records=0, Children=0
  Name=alaska, Records=0, Children=0
  Name=amm01, Records=0, Children=0
  Name=amm02, Records=0, Children=0
  Name=antoniodm, Records=1, Children=0
    A: 192.168.12.209 (flags=f0, serial=293, ttl=1200)
  Name=DomainDnsZones, Records=0, Children=2
  Name=filesrv01, Records=0, Children=0
  Name=ForestDnsZones, Records=0, Children=2
  Name=kdc01, Records=0, Children=0
  Name=kdc02, Records=0, Children=0
  Name=MG01, Records=0, Children=0
  Name=pcdino, Records=1, Children=0
    A: 192.168.12.210 (flags=f0, serial=293, ttl=1200)
  Name=pcw2k, Records=0, Children=0
  Name=pr01, Records=0, Children=0
  Name=pr02, Records=0, Children=0
  Name=printsrv01, Records=0, Children=0
  Name=rmanager, Records=0, Children=0
  Name=serverf12, Records=0, Children=0
  Name=ua01, Records=0, Children=0
  Name=ua02, Records=0, Children=0
  Name=ut01, Records=0, Children=0
  Name=UT04, Records=1, Children=0
    A: 192.168.12.129 (flags=f0, serial=293, ttl=1200)
  Name=vm03, Records=0, Children=0
  Name=xensrv01, Records=0, Children=0

As you can see, the forward zone contains the same entries for the names,
but only the windows boxes that have performed dns updates today have
records in the zone of the second DNS.
The forward zone on the second DNS is still missing the SOA and NS records.

samba-tool dns query kdc01 _msdcs.saitelitalia.local @ ALL -U
administrator
  Name=, Records=2, Children=0
    NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
    SOA: serial=147, refresh=900, retry=600, expire=86400,
ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
(flags=600000f0, serial=146, ttl=3600)
  Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=1, Children=0
    CNAME: kdc02.saitelitalia.local. (flags=f0, serial=284, ttl=900)
  Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=1, Children=0
    CNAME: kdc01.saitelitalia.local. (flags=f0, serial=1, ttl=900)
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=gc, Records=0, Children=2
  Name=kdc01, Records=1, Children=0
    NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
  Name=pdc, Records=0, Children=1

samba-tool dns query kdc02 _msdcs.saitelitalia.local @ ALL -U
administrator
  Name=, Records=0, Children=0
  Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=0, Children=0
  Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=0, Children=0
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=gc, Records=0, Children=2
  Name=kdc01, Records=0, Children=0
  Name=pdc, Records=0, Children=1

The same happens on the _msdcs zone (missing SOA, NS and CNAME records).

samba_dnsupdate --verbose works fine on both DCs, but if I change
resolv.conf on the secondary DC and remove the entry of the primary DC from
the list of DNSs, dnsupdate on the secondary DC tells me that it does not
find the records and is not able to add them because it can't get tickets
from krb (obviously because on the second DNS I'm missing the ldap, krb ..
entries).

Daniele.
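An added example, not code from the thread or from Samba: a small Python check that parses two `samba-tool dns query <dc> <zone> @ ALL` dumps in the format pasted above and reports which records the secondary DC lacks, so the comparison Daniele did by eye can be done mechanically. The function names `parse_dns_query` and `compare_zones` and the abbreviated sample dumps are constructed here; the parser assumes the output layout shown in the mail, including the SOA line wrapped onto unindented continuation lines.

```python
# Added example (not from the thread or Samba): diff two `samba-tool dns query` dumps.
import re
from collections import Counter

NODE_RE = re.compile(r"^\s*Name=([^,]*), Records=(\d+), Children=(\d+)")
# Record lines are indented and start with an upper-case type; the wrapped
# continuation of a long SOA line starts at column 0, so it is skipped.
RECORD_RE = re.compile(r"^\s+([A-Z]+): ")
def parse_dns_query(text):
    """Map each node name ('' is the zone apex) to a Counter of its record types."""
    nodes, current = {}, None
    for line in text.splitlines():
        if node := NODE_RE.match(line):
            current = node.group(1)
            nodes[current] = Counter()
        elif current is not None and (rec := RECORD_RE.match(line)):
            nodes[current][rec.group(1)] += 1
    return nodes

def compare_zones(primary_text, secondary_text):
    """Return nodes absent on the secondary and, per node ('@' = apex), the record
    types (with multiplicity) the secondary lacks relative to the primary."""
    primary, secondary = parse_dns_query(primary_text), parse_dns_query(secondary_text)
    report = {"missing_names": [], "missing_records": {}}
    for name, types in primary.items():
        if name not in secondary:
            report["missing_names"].append(name or "@")
        elif lost := sorted((types - secondary[name]).elements()):
            report["missing_records"][name or "@"] = lost
    return report
# Constructed sample, abbreviated from the two dumps in the mail above.
PRIMARY = """\
  Name=, Records=4, Children=0
    NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
    A: 192.168.12.5 (flags=600000f0, serial=1, ttl=900)
    A: 192.168.12.2 (flags=600000f0, serial=254, ttl=900)
    SOA: serial=293, refresh=900, retry=600, expire=86400,
ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
(flags=600000f0, serial=292, ttl=3600)
  Name=kdc01, Records=1, Children=0
    A: 192.168.12.5 (flags=f0, serial=142, ttl=900)
  Name=pcdino, Records=1, Children=0
    A: 192.168.12.210 (flags=f0, serial=293, ttl=1200)
"""
SECONDARY = """\
  Name=, Records=0, Children=0
  Name=kdc01, Records=0, Children=0
  Name=pcdino, Records=1, Children=0
    A: 192.168.12.210 (flags=f0, serial=293, ttl=1200)
"""
```

Run `compare_zones(PRIMARY, SECONDARY)` on the two real dumps (saved to files) to get the apex SOA/NS gap and the per-host missing A records in one report.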
