[Samba] [samba4] DNS updates

mathias dufresne infractory at gmail.com
Thu Jan 28 10:38:13 UTC 2016

In fact after joining a DC I start samba-ad service. Here samba_dnsupdate
should be run a first time. If you say the right process is to start samba
once, then restart it, I would say this process seems to me a bit strange.

Then once the installation script is finished it reboots the newly joined
DC, starting samba again and running samba_dnsupdate again. And DNS entries
are created locally as expected.

There are also the missing DNS entries related to replication as described
in the following link:

If you forget them, even if you restart samba, or the whole computer, the
problems still exist: as replication can't work without them, the fact
samba_dnsupdate created DNS entries locally can't be reflected on the whole

We can create locally (on newly joined DC) these missing entries for
objectGUID CNAME but if we don't perform that creation also on already
replicated DC, replicated servers won't receive these newly created CNAME
because they are created on newly joined DC which does not replicate to

Please note I worked around all these traps; my DCs are installed by a
script which delivers working DCs (meaning synchronized with others, no
missing DNS entries either).

To achieve that I force creation of:
1° A record for newly joined DC on local database + on FSMO owner (as this
one replicates to already deployed DC), using SSH + samba-tool dns add...
2° missing objectGUID CNAME on newly joined DC and on FSMO owner, using SSH.

Finally with these four actions I'm able to run replication.

Now to speak about yesterday's issue, where the 10 DCs installed this night
did not replicate: the reason was these DCs are not yet allowed to run SSH
commands to the 10 other DCs (those already installed, already replicating).

So no SSH means no workaround, and this morning the newly joined DCs were not
replicated even if they were all rebooted (all still means all newly joined

FSMO was not rebooted because I don't see the point of rebooting a working
server when it's not needed.

And launching the failed SSH commands this morning solved all the replication
issues I spotted.



2016-01-28 11:05 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 28/01/16 09:11, mathias dufresne wrote:
>> No replication this morning but FSMO was rebooted yesterday. Only joined
>> DC were rebooted.
>> After verifying all A records related to new DC were created, I forced
>> creation of replication related DNS entries as described there :
>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller
>> I forced replication (drs replicate) from a replicated DC to all 10 new DC
>> and also force replication in the other way. All drs replicate commands
>> worked well.
>> Back to newly joined DC I launched samba_dnsupdate, on 10 DC this command
>> failed on 9 DC with message: "update failed: NOTAUTH". I rebooted all
>> joined DC and samba_dnsupdate worked well on them.
>> This gave time to Samba to replicate things around and now all things go
>> well.
>> Joining new DC is still a bit tricky in my opinion. Hoping this would work
>> better with 4.4.x
>> Cheers,
>> mathias
> When you provision a domain, all the dns records are created during the
> provision, but when you join a DC to a domain they aren't. You need to
> restart Samba on the newly joined DC, once Samba is restarted,
> samba_dnsupdate will be run, this reads the file 'dns_update_list' and then
> adds (if needed) the records it finds in the file. If you do not restart
> Samba, the dns records do not get added and your problems start.
> Rowland
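
The workaround described in the message above (the new DC's A record and its objectGUID CNAME must exist both on the newly joined DC and on the FSMO owner) can be planned before anything is run over SSH. The following is an added example, not part of the original post or of Samba: it compares the records each server already holds against what the new DC needs and returns the `samba-tool dns add` command lines still missing. The host names, IP address, GUID and domain are constructed, and placing the CNAME in the `_msdcs.<domain>` zone is an assumption taken from the usual AD DNS layout.

```python
"""Plan the DNS records a newly joined Samba AD DC still needs on each DNS server."""


def required_records(dc_name, dc_ip, object_guid, domain):
    """(zone, name, type, data) tuples the new DC needs before replication works."""
    return [
        (domain, dc_name, "A", dc_ip),
        # Assumption: the objectGUID CNAME lives in the _msdcs.<domain> zone.
        (f"_msdcs.{domain}", object_guid, "CNAME", f"{dc_name}.{domain}"),
    ]


def _norm(record):
    """DNS names are case-insensitive; ignore case and a trailing dot."""
    return tuple(field.lower().rstrip(".") for field in record)


def plan_dns_adds(servers, existing, dc_name, dc_ip, object_guid, domain):
    """Return one `samba-tool dns add` argv per record missing on each server.

    servers  -- DNS servers to fix, e.g. the new DC itself and the FSMO owner
    existing -- {server: iterable of (zone, name, type, data)} already present
    """
    commands = []
    for server in servers:
        have = {_norm(r) for r in existing.get(server, ())}
        for record in required_records(dc_name, dc_ip, object_guid, domain):
            if _norm(record) not in have:
                commands.append(["samba-tool", "dns", "add", server, *record])
    return commands


# Constructed sample state: samba_dnsupdate created the A record locally on the
# new DC (dc11), but the FSMO owner (dc1) has neither record yet.
SAMPLE_DOMAIN = "samdom.example.com"
SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_EXISTING = {
    "dc11": [(SAMPLE_DOMAIN, "DC11", "A", "192.0.2.11")],
    "dc1": [],
}


def sample_plan():
    return plan_dns_adds(["dc11", "dc1"], SAMPLE_EXISTING,
                         "dc11", "192.0.2.11", SAMPLE_GUID, SAMPLE_DOMAIN)


if __name__ == "__main__":
    for argv in sample_plan():
        print(" ".join(argv))
```

An empty plan means both servers already hold both records, so a failed or skipped SSH step shows up as leftover commands rather than as silent non-replication.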
