Samba 4 from internal DNS to named and GPOs issue

admin at admin at
Tue Oct 23 12:31:36 MDT 2012

On 2012-10-23 12:04, Ricky Nance wrote:
> Bogdon,
>      The wiki is fairly straightforward on joining a second DC,
> and the mailing list has had several emails on the DNS changes (as do
> the change logs) as well as the samba backup/restore process. I am
> guessing that English is not your primary language, but please be
> careful on the wording that you use in emails as some of the things
> you have written could easily be taken personally. If the howtos are
> lacking, please register on the wiki and you will likely be granted
> access to change them; also there should be sufficient help in the
> man pages.

Thank you for your answer - it is much appreciated. I do understand 
English, so that's not the issue. There are several scenarios that 
people will encounter and they are not covered in the howtos. I know 
named was not an awesome choice and it's always fun to make it work with 
samba, but since the migration to internal DNS, switching the DNS 
solution is not documented. However, once I get things rolling I will 
consider writing some howtos for samba, but I'm still in a learning 

>      With my rant out of the way, first please give us a bit more
> information, did you install from tarball or from git? Second, in
> order to get your second machine setup you can do this in one of 2
> ways: 1) make a backup of samba, have samba 4 installed on the new
> machine, then copy over the samba/private, samba/etc, and your sysvol
> directories from old to new, then start samba, and test it. 2) setup
> samba 4 on your new machine, and join it to your existing samba 4
> machine as a DC using the following method, [1] then run samba-tool
> domain demote on the first DC, you will need to manually copy over
> your sysvol directory as well and re-setup all of your shares as they
> won't exist on the new DC.

I installed samba 4 RC3 from the tarball to be able to test different 
scenarios. It is running on Fedora 17 as the primary and only domain 
controller and the windows clients are windows 7 pro sp1. I stopped 
samba and performed a backup with the provided script and I hope I got a 
valid backup. I installed samba 4 rc3 on a physical machine from tarball 
and provisioned a new domain (with named as backend) to see if there are 
main differences in the config and there are.

>      In order to change the DNS backend there is no easy
> straightforward way to do this yet (as far as I know), I know at one
> point in the past 2-3 weeks there was a discussion on the dns-DOMAIN
> user not being created when you provision with samba_internal, also I
> don't think it creates the samba/private/dns directory or the
> samba/private/named.conf file, so the configuration change that Andrew
> mentioned may not be enough to make this work, however, the option he
> was speaking of will be in the [global] section of your smb.conf, you
> will need to add the line server services = -dns then comment out the
> dns forwarder = line if it exists in your config, then run
> samba_dnsupgrade and restart samba.

There are way more files in a named provisioning and there is a 
samba/private/dns in the new provisioning too, so I tried to overlap the 
new provisioning content with the new one, but kept the private folder 
where I think the database is stored (I know it sounds stupid). Unless I 
have specific instructions on how to do that to make it easy, I have no 
way of doing the dns migration. Anyway, the plan was to play and make 
the physical machine primary dns (for that I need to move the samba from 
vm to physical but samba on vm is using internal dns), then provision a 
secondary dns (in place where the original dc was - on the vm) where I 
was hoping I can setup the file shares for tests. I would put the 
primary dns on a machine that has limited hdd space, but I would put the 
secondary domain controller where I have a bigger hdd, so I can give 
users lots of space for shares. I think this should be possible. Correct 
me if I'm wrong. But I fail on changing the internal to external DNS. 
The vm thing is just for lab work only - not for production.

>      As for your earlier mail, you made the comment "I will
> probably have bind as primary dns and samba as secondary dns and on
> separate machines". I don't think you can do this really, if windows
> finds the primary dns is an active dns, then the secondary will never
> be touched, so your secure dns updates will not happen at all, and any
> tool that you use that needs the dns of any machine AD wise will not
> work properly. It'd be best to leave the second dns in place and use
> samba_internal, which you are currently using, and a line in your
> smb.conf "dns forwarder =". You may need to move some
> things from your existing bind to your AD server, but this shouldn't
> be that hard, unless you have a BUNCH of entries, in which case I would
> just try it and see if it works.

The way it is setup right now, I have a linux box doing DNS with named 
where I have the domain, email and web services. I have a VM in the same 
LAN where samba 4 resides running on internal dns. The windows machines 
are set to dns1 (samba server) and dns1 (gateway) and for some odd 
reason it works. I thought it wouldn't initially. From what I understand, 
you want me to keep named primary (on the gateway) and have the "dns 
forwarder =" in the smb.conf. From what I can tell, samba 4 
and named cannot live on the same machine. I need 2 separate 
machines and the windows clients will all have primary dns samba 4 that 
will forward the request to the primary dns. Right?

What exactly do I need to remove from bind and move to the samba dns? 
Why would I need to move stuff out of named? What are the samba dns 
files and where are they located? I only found a named.conf.update or 
something like that in the provisioning. Having samba 4 running on 
internal dns is great, but I need to integrate it further with other 
solutions. I am planning to deploy samba 4 in production as soon as I 
get the GPOs working that seem to have a bug in RC3 still.

>      Hopefully this has answered your questions, but please don't
> hesitate to ask if it didn't.
> Good luck,
> Ricky

Thank you Ricky!

> On Tue, Oct 23, 2012 at 7:29 AM, <admin at [2]> wrote:
>> On 2012-10-22 05:19, Andrew Bartlett wrote:
>>> On Sun, 2012-10-21 at 08:59 -0700, bogdan_bartos wrote:
>>>> Hi,
>>>> I am running Samba 4 RC3 on a VM and I want to backup the whole
>>>> thing and restore it onto a physical machine. I know there is a
>>>> script for that, but currently I have it running by using the
>>>> internal DNS and I want to have it running with named. Would the
>>>> script carry the DNS config over? How do I make it switch from
>>>> internal to named?
>>> My understanding is that you:
>>>  - Change the smb.conf settings, and then run samba_dnsupgrade
>> 1. I ran the backup successfully. However, I do not know how to
>> restore the backup.
>> 2. What exactly do I change in smb.conf?
>>>> I also have several GPOs set, but the client machines will not
>>>> pick them up. I disabled the shutdown, control panel and other
>>>> things, but as soon as I access the GPO with GPMC, it says that the
>>>> SYSVOL data is not in sync with the AD data and it just doesn't
>>>> work. Is this a bug in Samba 4 RC3?
>>> Is this against your second DC?  Remember, you have to sync your
>>> sysvol files manually.
>>> Andrew Bartlett
>> 3. I do not have 2 DCs. I am willing to try this out, but the
>> howtos are not that great.
>> First I need to be able to do basic things like backing it up,
>> restoring it, upgrading it, replicating it. Then I can say that it is
>> meant to be easy, but up to now it's not. I've been using samba 3 for
>> a long time now, but samba 4 is not that well documented. A regular
>> person will be able to install it, provision it, but then it will
>> come time to change things and play. If I were in a production
>> environment, this would be a really tough job to recover from a
>> loss without the proper documentation.
>> I bet programming samba was a tough job, but to make a software
>> "fly", you really need an awesome tutorial. Or better step-by-step
>> explanations.
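As an added example (not from this thread, and not the Samba project's own tooling), the following POSIX shell script applies the [global] edit Ricky describes for moving off the internal DNS: it inserts `server services = -dns` and comments out any `dns forwarder =` line, working on a copy so the original smb.conf is untouched, and then checks that the result is in the expected state before you go on to the DNS upgrade tool and the samba restart. The sample smb.conf, the forwarder address 192.0.2.1 and the temporary paths are constructed for the demonstration and are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: prepare an smb.conf provisioned with the internal DNS
# for the BIND backend step described in the thread. Sample config and
# paths below are constructed; adjust to your own layout.

make_sample_conf() {
  # Constructed sample resembling a SAMBA_INTERNAL provision.
  cat > "$1" <<'EOF'
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.LAN
        server role = active directory domain controller
        dns forwarder = 192.0.2.1

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/example.lan/scripts
        read only = No
EOF
}

# Write a modified copy: add "server services = -dns" right after the
# [global] header and comment out any active "dns forwarder =" line.
# Nothing else in the file is changed.
switch_dns_to_bind() {
  in="$1"; out="$2"
  awk '
    /^[ \t]*\[global\][ \t]*$/ { print; print "\tserver services = -dns"; next }
    /^[ \t]*dns forwarder[ \t]*=/   { print "#" $0; next }
    { print }
  ' "$in" > "$out"
}

# Return 0 only when the internal DNS is disabled via "server services"
# and no uncommented "dns forwarder" line remains; otherwise return 1.
dns_backend_is_bind() {
  grep -Eq '^[[:space:]]*server services[[:space:]]*=.*-dns' "$1" || return 1
  grep -Eq '^[[:space:]]*dns forwarder[[:space:]]*=' "$1" && return 1
  return 0
}

# Demonstration on the constructed sample.
tmp="${TMPDIR:-/tmp}/smbconf_demo.$$"
mkdir -p "$tmp"
make_sample_conf "$tmp/smb.conf.before"
switch_dns_to_bind "$tmp/smb.conf.before" "$tmp/smb.conf.after"
echo "--- before ---"; cat "$tmp/smb.conf.before"
echo "--- after ---";  cat "$tmp/smb.conf.after"
dns_backend_is_bind "$tmp/smb.conf.before" && echo "before: ready for BIND" || echo "before: still internal DNS"
dns_backend_is_bind "$tmp/smb.conf.after"  && echo "after: ready for BIND"  || echo "after: still internal DNS"
```

Run the check again after the restart: if the forwarder line is still active or `server services` does not contain `-dns`, samba will keep answering DNS itself and named will never see the zone, which is the state the thread is trying to get out of.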

