[Samba] Moving the 1st DC (FSMO) to another site - howto?
lingpanda101 at gmail.com
Mon Apr 25 12:27:39 UTC 2016
On 4/22/2016 3:43 PM, Ole Traupe wrote:
> Hi Mathias, lingpanda101, thank you for the quick reply! Comments inline.
>
>
> On 22.04.2016 15:14, mathias dufresne wrote:
>> Hi Ole,
>>
>> A - If I read correctly you have only one DC and you want to move
>> from one network to another.
>>
>> To achieve that change you will have to change all A/AAAA records in
>> both your AD zones (root zone and _msdcs zone).
>> Once that is done you will have to change the resolver configuration on
>> your clients so they can send DNS requests to the new IP.
>>
>> Can't see anything else. Nothing about AD site: AD sites are linked
>> to clients networks and clients networks do not change, only DC
>> network is changing.
>>
>> B - If I don't read correctly, you have several DCs. Move one DC to the
>> new network, change the A and AAAA records related to that DC to reflect
>> the network change.
>> If you move one DC not used by clients as DNS server, no change on the
>> client side.
>
> I have two DCs. The one with the FSMO roles is on the physical server
> to move. Unfortunately I don't have another host for this VM staying
> at the old place.
>
> Also, I will have a few clients at the new place soon, so I think a
> second site is the way to go? Sorry, I mentioned this only implicitly
> in "moving our lab". Is it possible to just transfer an existing DC to
> another site? By manually recreating all the records?
>
> The moving DC will definitely be used as first DNS server, as the
> second DC is on very old, potentially unreliable hardware. But
> changing the DNS server config on the clients is no big deal.
>
>
> In response to the message from lingpanda101:
>
> I was not talking about transferring the FSMO roles. Sorry if I had
> been unclear about that.
>
> In theory, I will have access to both networks from both places. In
> practice, the firewall settings initially are very restrictive. So I
> try not to forget anything in preparation. I have thought of...
> - all the ports samba regularly uses (including DNS requests)
> - rsync ports for sysvol replication
> - ...
>
> I would be very happy about the steps to create a new site and to
> transfer DC and some client records to it!
>
>
> Probably I will see for the file server integration first, while using
> the 2nd DC as fallback for DNS and logon. Once that works I deal with
> bringing the 1st DC back into the game.
>
>>
>> C - You are lazy and you have enough physical computer to play with.
>
> Yes and no. ;)
>
>> Just create a new DC on the new site, join it to the domain.
>> If then you want to remove old DC you will have to seize (or transfer
>> if it works) FSMO roles, change DNS configuration on client side, but
>> as that's a new DC you don't have to modify A/AAAA records.
>>
>> IMPORTANT NOTE: with internal DNS you have only one SOA. SOA is where
>> DNS updates go. If you remove the old SOA you must change the SOA record to
>> assign it to a working DC. Without that no change in your DNS zones
>> will be possible for later use (a DC moving from site to site is the
>> main point; auto-updates pushed by DHCP or clients won't work either).
>
> I followed the recent/ongoing discussion on that. With "DNS updates"
> you mean the clients automatically updating their records, right?
> Because I am pretty sure that with internal DNS I can make changes to
> DNS structure with RSAT on 2nd DC and it gets replicated to the 1st DC
> (SOA). Maybe the only issue with internal DNS is that the 2nd, 3rd
> etc. DC won't advertise themselves as SOA, and so automatic updates
> fail when the 1st DC is offline.
>
>>
>> 2016-04-22 13:44 GMT+02:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>
>> Hi List,
>>
>> I'll probably have to move my FSMO role owner to another site.
>> Like at the end of next week (depends on tight transportation
>> schedules). So there is no actual time for testing anything, I am
>> afraid.
>>
>> We are in the process of moving our lab, with our offices staying
>> in the old building for now (different class C subnets). The
>> physical machine is basically a file server (hosting DC1 as a VM)
>> which is particularly needed at the new site. Plus: Summer is
>> coming and the new site has cooling. Unfortunately, our university
>> techsup can't span a VLAN to merge these two sites. So I am trying
>> to figure out how to do it. In earlier discussions on DC failover
>> strategies it was suggested that I have my DCs on different sites (with
>> different subnets), so I figure it is possible in general.
>>
>> The necessary steps likely include:
>> - modifying my current DNS config: create another site, move DC1
>> over, also the file server (AD member)
>> - update all the clients' 1st DNS server entries to reflect the
>> new IP of DC1 (and network share mappings)
>> - set some firewall rules allowing for logon and smb communication
>> etc.
>>
>> Samba is version 4.2.5 with internal DNS.
>>
>> Any advice, instructions, heads-up, warnings are very welcome!
>>
>> Best regards,
>> Ole
>>
>
Ole,
Will you be using Microsoft RSAT to create the sites? If so, follow this guide:
http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx
Will you be changing the IP of the domain controller? If so, follow this
guide:
https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC
If using DHCP, give your clients the DNS IP of your new site DC. That
should be it.
--
-James
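As an added example (not code from this thread, from the linked guides, or from the Samba project), the script below sketches the Samba-side steps the replies describe: rewrite the A records that carry the moving DC's address, create the new site and subnet, and run the checks you would want afterwards. Every value is a constructed placeholder (realm ad.example.com, DC dc1 moving from 192.0.2.10 to 198.51.100.10, a new site NewLab on 198.51.100.0/24); override them from the environment. It defaults to dry-run and only prints the samba-tool commands. Caveats: `samba-tool sites subnet` may not exist on an older Samba such as the 4.2.5 in the thread, in which case the subnet is created in RSAT Sites and Services as in the TechNet guide; moving the DC's own server object into the new site is also an RSAT step and is not scripted; and the Samba wiki page on changing a DC's IP remains the procedure to follow for the OS-level change.

```sh
#!/bin/sh
# Added example, not from the thread. All values are constructed
# placeholders; override them from the environment for a real run.
REALM="${REALM:-ad.example.com}"            # AD forest root zone
DC_HOST="${DC_HOST:-dc1}"                   # short hostname of the moving DC
OLD_IP="${OLD_IP:-192.0.2.10}"              # its address on the old network
NEW_IP="${NEW_IP:-198.51.100.10}"           # its address on the new network
NEW_SITE="${NEW_SITE:-NewLab}"              # AD site for the new building
NEW_SUBNET="${NEW_SUBNET:-198.51.100.0/24}" # client subnet at the new site
DNS_SERVER="${DNS_SERVER:-localhost}"       # DC that samba-tool dns talks to
ADMIN="${ADMIN:-Administrator}"
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Samba keeps the _msdcs records in their own zone, not under the root zone.
msdcs_zone() { printf '_msdcs.%s\n' "$1"; }

# A records that literally contain the DC's address and so must change when
# the IP does: the host record, the zone apex (the domain name resolves to
# every DC) and gc._msdcs (every global-catalog DC). SRV and CNAME records
# point at the host name and stay as they are.
# Output: one "zone name" pair per line.
dc_a_records() {
  realm=$1; host=$2
  printf '%s %s\n' "$realm" "$host"
  printf '%s %s\n' "$realm" "@"
  printf '%s %s\n' "$(msdcs_zone "$realm")" "gc"
}

# Replace OLD_IP with NEW_IP in each of those records. The update is written
# into AD and replicates to the other DC.
update_dc_a_records() {
  dc_a_records "$REALM" "$DC_HOST" | while read -r zone name; do
    run samba-tool dns update "$DNS_SERVER" "$zone" "$name" A "$OLD_IP" "$NEW_IP" -U "$ADMIN"
  done
}

# Create the new site and map the new subnet to it, so clients on that
# subnet pick a DC from the site. The DC's server object is moved into the
# site with RSAT (Sites and Services), not here.
create_site() {
  run samba-tool sites create "$NEW_SITE"
  run samba-tool sites subnet create "$NEW_SUBNET" "$NEW_SITE"
}

# Checks on the moved DC afterwards: let it re-register its own records,
# read back the A records, confirm replication and the FSMO owner.
verify_move() {
  run samba_dnsupdate --verbose
  dc_a_records "$REALM" "$DC_HOST" | while read -r zone name; do
    run samba-tool dns query "$DNS_SERVER" "$zone" "$name" A -U "$ADMIN"
  done
  run samba-tool drs showrepl
  run samba-tool fsmo show
}

# Run the whole sequence only when asked for explicitly.
if [ "${RUN_MOVE:-0}" = 1 ]; then
  create_site
  update_dc_a_records
  verify_move
fi
```

Run it once with the defaults to read the commands, then with `DRY_RUN=0 RUN_MOVE=1` on the DC after its OS-level IP has been changed; the old-value argument to `samba-tool dns update` means a record that no longer holds the old address is reported rather than silently overwritten, which is the check you want when two DCs have been serving the zone.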