[PATCH][WIP] Create DC DNS entries at domain join

Andrew Bartlett abartlet at samba.org
Fri Feb 24 08:57:07 UTC 2017


On Fri, 2017-02-24 at 08:59 +0100, Stefan Metzmacher wrote:
> Hi Andrew,
> 
> > Just as with the domain member join, the DC join really should
> > create the essential DNS entries at join time.
> > 
> > This should make it easier for folks to get DNS working and fully
> > replicated, by ensuring the entry isn't written to the local DC
> > (that nobody else knows how to contact).
> > 
> > The attached patch does exactly that, in this case using the dnsrpc
> > protocol.
> > 
> > I chose the dnsserver RPC protocol because:
> >  - I don't want to race with the replication of the machine account
> >    to the KDC (which might not be the server I'm joining).  Instead
> >    we will change the owner over LDAP
> >  - Direct LDAP or DsAddEntry injection wouldn't update the sequence
> >    number
> >  - shelling to nsupdate isn't reliable
> >  - We still don't have great bindings for secure DNS updates in
> >    python
> > 
> > I need to finish the owner change part, and write the
> > dns_update_cache, but we do successfully create the DNS records and
> > re-sync the database.  This should make Samba DCs a little more
> > reliable from the moment they start.
> > 
> > Comment welcome.
> 
> I typically just use the following after "samba-tool domain join":
> samba_dnsupdate --use-samba-tool --rpc-server-ip=<ip>
> Can't we just call that at the end of the join?

That is essentially what I'm doing, just avoiding the double-exec and
forcing an incremental replication so everyone is synced up.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba