samba_upgradedns issues on secondary DC SOLVED!!

Andreas Oster aoster at novanetwork.de
Thu May 3 08:23:54 MDT 2012


On 03.05.2012 16:12, Daniele Dario wrote:
> On Thu, 2012-05-03 at 15:10 +0200, Andreas Oster wrote:
>> On 03.05.2012 14:51, Daniele Dario wrote:
>>> On Thu, 2012-05-03 at 14:04 +0200, Andreas Oster wrote:
>>>> On 23.04.2012 12:56, Daniele Dario wrote:
>>>>> Hi Amitay,
>>>>>
>>>>> as said in last mail, I tried to start bind on secondary DC and it
>>>>> started without errors.
>>>>>
>>>>> nslookup works (as expected) same for samba-tool dns ...
>>>>>
>>>>> The only thing I'm facing is that in the zones the names are
>>>>> automatically replicated but the records are not. To clarify things, after I had
>>>>> DNS zones replicated I found that on the secondary DC, using samba-tool dns
>>>>> query, I saw the presence of the zones, and inside the zones I found that
>>>>> names were populated but records were not: for example, on kdc02 dns query on
>>>>> the forward zone tells me this about kdc01
>>>>>   Name=, Records=0, Children=0
>>>>> while on kdc01 I read 
>>>>>   Name=, Records=1, Children=0
>>>>>     A: 192.168.12.5 (flags=f0, serial=142, ttl=900)
>>>>> After the week-end, I've seen that windows boxes which started working
>>>>> today have updated records on both DCs.
>>>>>
>>>>> Is this behavior corrected?
>>>>>
>>>>> Daniele.
>>>>>
>>>>>
>>>> Hello Daniele,
>>>>
>>>> have you been able to successfully add a secondary DC as an additional
>>>> bind9 DNS server? If so, can you explain the steps to get a working
>>>> configuration?
>>>>
>>>> Thank you
>>>>
>>>> best regards
>>>>
>>>> Andreas
>>> Hi Andreas,
>>> as said by Amitay, the first step is to have DNS zones replicated
>>> between DCs.
>>>
>>>      1. join the 2nd DC to the domain as per
>>>         https://wiki.samba.org/index.php/Samba4_joining_a_domain
>>>      2. after the join, before starting samba I increase the log level to
>>>         see problems in detail (add log level = 3 or more in
>>>         etc/smb.conf in the [global] section)
>>>      3. once you have started samba4 on both DCs you should see that
>>>         replication starts (at least the basic three zones)
>>>      4. Amitay's tip is to restart samba4 again to start replication of
>>>         DNS zones but this has not worked for me so I had to run
>>>         samba-tool drs replicate <dst dc> <src dc>
>>>         DC=DomainDnsZones,DC=domain,DC=local and
>>>         DC=ForestDnsZones,DC=domain,DC=local on the primary and then on the
>>>         secondary DC to get them replicated
>>>      5. once you have DNS zones replicated between DCs you can try to
>>>         look if samba-tool dns query on secondary DC works
>>>      6. at this point, if you try to run samba_upgradedns you should see
>>>         that the private/dns folder (and the ldbs) will be created
>>>      7. last, configure bind as in primary DC and start it
>>>
>>> As said in point 4, I was not able to get replication of DNS zones
>>> working automatically as said by Amitay.
>>> BTW, after I started them manually I was able to see the zones by RPC
>>> (using samba-tool dns ...).
>>> Even if replication is working it seems that zones are not fully
>>> replicated because they are populated with entries but without records.
>>>
>>> I've seen that after a while, windows boxes which work on the domain had
>>> updated their dns entries and they appeared also on the secondary DC.
>>>
>>> Let me know if you are luckier than me.
>>>
>>> Cheers,
>>> Daniele.
>> Hello Daniele,
>>
>> I also got stuck at step 4. The ForestDnsZones and DomainDnsZones do
>> not replicate between DC1 and DC2. I currently have a quite stable samba4
>> configuration and I am a bit afraid to break it (again). The last time I
>> tried to create a secondary DNS I ended up with a semi-functional secondary
>> DC which I could not demote anymore (I think you've had the same issue).
>> Unfortunately I did not back up the samba files :-(
>>
>> Is your second DNS now fully populated with the same entries as the
>> primary one? Does replication work in both ways if you add an entry to
>> one of the DNS servers?
>>
>> Thanks
>>
>> Andreas
>>
> Hello Andreas,
>
> with v18 I also had problems when trying to demote the secondary DC. For
> me the problem was that the secondary dc had troubles with basic
> replication. I tried stopping inbound and outbound replication with
> samba-tool drs options --dsa-option=-DISABLE_OUTBOUND_REPL and then I
> demoted it successfully.
>
> BTW now I upgraded to v21 and got luck in join and demote (I tried again
> to have DNS zones replicated automatically without success so I demoted
> the secondary and joined again to the domain).
>
> For the DNS issues this is what I'm seeing:
>
> samba-tool dns query kdc01 saitelitalia.local @ ALL -U administrator
>   Name=, Records=4, Children=0
>     NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
>     A: 192.168.12.5 (flags=600000f0, serial=1, ttl=900)
>     A: 192.168.12.2 (flags=600000f0, serial=254, ttl=900)
>     SOA: serial=293, refresh=900, retry=600, expire=86400, ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local. (flags=600000f0, serial=292, ttl=3600)
>   Name=_msdcs, Records=0, Children=0
>   Name=_sites, Records=0, Children=1
>   Name=_tcp, Records=0, Children=4
>   Name=_udp, Records=0, Children=2
>   Name=activity, Records=1, Children=0
>     A: 192.168.12.12 (flags=f0, serial=284, ttl=1200)
>   Name=alaska, Records=1, Children=0
>     A: 192.168.12.157 (flags=f0, serial=136, ttl=0)
>   Name=amm01, Records=1, Children=0
>     A: 192.168.12.57 (flags=f0, serial=293, ttl=1200)
>   Name=amm02, Records=1, Children=0
>     A: 192.168.12.58 (flags=f0, serial=293, ttl=1200)
>   Name=antoniodm, Records=1, Children=0
>     A: 192.168.12.209 (flags=f0, serial=293, ttl=1200)
>   Name=DomainDnsZones, Records=0, Children=2
>   Name=filesrv01, Records=1, Children=0
>     A: 192.168.12.6 (flags=f0, serial=89, ttl=900)
>   Name=ForestDnsZones, Records=0, Children=2
>   Name=kdc01, Records=1, Children=0
>     A: 192.168.12.5 (flags=f0, serial=142, ttl=900)
>   Name=kdc02, Records=1, Children=0
>     A: 192.168.12.2 (flags=f0, serial=262, ttl=900)
>   Name=MG01, Records=1, Children=0
>     A: 192.168.12.55 (flags=f0, serial=261, ttl=1200)
>   Name=pcdino, Records=1, Children=0
>     A: 192.168.12.210 (flags=f0, serial=293, ttl=1200)
>   Name=pcw2k, Records=1, Children=0
>     A: 192.168.12.71 (flags=f0, serial=173, ttl=1200)
>   Name=pr01, Records=1, Children=0
>     A: 192.168.12.60 (flags=f0, serial=261, ttl=1200)
>   Name=pr02, Records=1, Children=0
>     A: 192.168.12.219 (flags=f0, serial=261, ttl=1200)
>   Name=printsrv01, Records=1, Children=0
>     A: 192.168.12.3 (flags=f0, serial=20, ttl=900)
>   Name=rmanager, Records=1, Children=0
>     A: 192.168.12.4 (flags=f0, serial=24, ttl=900)
>   Name=serverf12, Records=1, Children=0
>     A: 192.168.12.10 (flags=f0, serial=19, ttl=900)
>   Name=ua01, Records=1, Children=0
>     A: 192.168.12.56 (flags=f0, serial=293, ttl=1200)
>   Name=ua02, Records=1, Children=0
>     A: 192.168.12.64 (flags=f0, serial=16, ttl=900)
>   Name=ut01, Records=1, Children=0
>     A: 192.168.12.49 (flags=f0, serial=293, ttl=1200)
>   Name=UT04, Records=1, Children=0
>     A: 192.168.12.129 (flags=f0, serial=293, ttl=1200)
>   Name=vm03, Records=1, Children=0
>     A: 192.168.12.212 (flags=f0, serial=261, ttl=1200)
>   Name=xensrv01, Records=1, Children=0
>     A: 192.168.12.15 (flags=f0, serial=137, ttl=0)
>
> samba-tool dns query kdc02 saitelitalia.local @ ALL -U administrator
>   Name=, Records=0, Children=0
>   Name=_msdcs, Records=0, Children=0
>   Name=_sites, Records=0, Children=1
>   Name=_tcp, Records=0, Children=4
>   Name=_udp, Records=0, Children=2
>   Name=activity, Records=0, Children=0
>   Name=alaska, Records=0, Children=0
>   Name=amm01, Records=0, Children=0
>   Name=amm02, Records=0, Children=0
>   Name=antoniodm, Records=1, Children=0
>     A: 192.168.12.209 (flags=f0, serial=293, ttl=1200)
>   Name=DomainDnsZones, Records=0, Children=2
>   Name=filesrv01, Records=0, Children=0
>   Name=ForestDnsZones, Records=0, Children=2
>   Name=kdc01, Records=0, Children=0
>   Name=kdc02, Records=0, Children=0
>   Name=MG01, Records=0, Children=0
>   Name=pcdino, Records=1, Children=0
>     A: 192.168.12.210 (flags=f0, serial=293, ttl=1200)
>   Name=pcw2k, Records=0, Children=0
>   Name=pr01, Records=0, Children=0
>   Name=pr02, Records=0, Children=0
>   Name=printsrv01, Records=0, Children=0
>   Name=rmanager, Records=0, Children=0
>   Name=serverf12, Records=0, Children=0
>   Name=ua01, Records=0, Children=0
>   Name=ua02, Records=0, Children=0
>   Name=ut01, Records=0, Children=0
>   Name=UT04, Records=1, Children=0
>     A: 192.168.12.129 (flags=f0, serial=293, ttl=1200)
>   Name=vm03, Records=0, Children=0
>   Name=xensrv01, Records=0, Children=0
>
> As you can see, the forward zone contains the same entries for the names
> but only the windows boxes that today have performed dns updates have
> records in the zone of the second DNS.
> Forward zone on second DNS is still missing SOA and NS records.
>
> samba-tool dns query kdc01 _msdcs.saitelitalia.local @ ALL -U administrator
>   Name=, Records=2, Children=0
>     NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
>     SOA: serial=147, refresh=900, retry=600, expire=86400, ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local. (flags=600000f0, serial=146, ttl=3600)
>   Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=1, Children=0
>     CNAME: kdc02.saitelitalia.local. (flags=f0, serial=284, ttl=900)
>   Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=1, Children=0
>     CNAME: kdc01.saitelitalia.local. (flags=f0, serial=1, ttl=900)
>   Name=dc, Records=0, Children=2
>   Name=domains, Records=0, Children=1
>   Name=gc, Records=0, Children=2
>   Name=kdc01, Records=1, Children=0
>     NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
>   Name=pdc, Records=0, Children=1
>
> samba-tool dns query kdc02 _msdcs.saitelitalia.local @ ALL -U administrator
>   Name=, Records=0, Children=0
>   Name=06f11708-b11c-4848-879d-565d72adfaf3, Records=0, Children=0
>   Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=0, Children=0
>   Name=dc, Records=0, Children=2
>   Name=domains, Records=0, Children=1
>   Name=gc, Records=0, Children=2
>   Name=kdc01, Records=0, Children=0
>   Name=pdc, Records=0, Children=1
>
> Same happens on the _msdcs zone (missing SOA, NS and CNAME records).
>
> samba_dnsupdate --verbose works fine on both DCs but if I change
> resolv.conf on the secondary DC and remove the entry of the primary DC from
> the list of DNSs, on the secondary DC dnsupdate tells me that it does not find
> the records and is not able to add them because it can't get tickets
> from krb (obviously because on the second DNS I'm missing the ldap, krb ...
> entries).
>
> Daniele.

Hello Daniele,

thank you for your detailed explanations. From what I read, it is currently
not possible to have a redundant DNS setup with samba4 and bind9 with the
DLZ backend. I guess we have to wait for the developers to fix the open pieces.
Maybe Amitay can do something about this :-)

Thank you very much.

best regards

Andreas
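The gap Daniele shows above (names replicated to kdc02 but most records, plus the apex SOA and NS, missing) is easy to miss by eye across a long zone dump. The following is an added example, not code from the thread or from Samba: it parses the `samba-tool dns query <dc> <zone> @ ALL` output format quoted above for two DCs and reports which records the secondary lacks and whether its zone apex carries SOA and NS. The sample dumps are constructed from the thread's format with a few of its entries; the function names are the example's own.

```python
import re
# Constructed sample input in the `samba-tool dns query <dc> <zone> @ ALL` output
# format shown in the thread (abbreviated, illustrative values, not a real capture).
KDC01_OUT = """\
  Name=, Records=2, Children=0
    NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
    SOA: serial=293, refresh=900, retry=600, expire=86400, ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local. (flags=600000f0, serial=292, ttl=3600)
  Name=kdc01, Records=1, Children=0
    A: 192.168.12.5 (flags=f0, serial=142, ttl=900)
  Name=pcdino, Records=1, Children=0
    A: 192.168.12.210 (flags=f0, serial=293, ttl=1200)
"""
KDC02_OUT = """\
  Name=, Records=0, Children=0
  Name=kdc01, Records=0, Children=0
  Name=pcdino, Records=1, Children=0
    A: 192.168.12.210 (flags=f0, serial=293, ttl=1200)
"""
NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=\d+, Children=\d+\s*$")
REC_RE = re.compile(r"^\s*(?P<type>[A-Z]+): (?P<data>.*?) \(flags=[0-9a-f]+, serial=(?P<serial>\d+), ttl=\d+\)\s*$")

def parse_dns_query(text):
    """Parse one DC's zone dump into {name: {(rtype, rdata): serial}}; "" is the apex."""
    zone, current = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group("name")
            zone[current] = {}
            continue
        m = REC_RE.match(line)
        if m and current is not None:
            zone[current][(m.group("type"), m.group("data"))] = int(m.group("serial"))
    return zone

def replication_gaps(primary, secondary):
    """Records the primary DC holds that the secondary DC lacks, keyed by name."""
    gaps = {}
    for name, recs in primary.items():
        missing = sorted(set(recs) - set(secondary.get(name, {})))
        if missing:
            gaps[name] = missing
    return gaps

def apex_complete(zone):
    """True if the zone apex carries both SOA and NS (the thread's secondary lacks both)."""
    return {"SOA", "NS"} <= {rtype for rtype, _ in zone.get("", {})}
```

Feed the captured output of the query for each DC to `parse_dns_query` and pass the two results to `replication_gaps`; an empty result plus `apex_complete` being true on the secondary is the state Daniele was hoping to reach.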
