[Samba] Moving the 1st DC (FSMO) to another site - howto?

Ole Traupe ole.traupe at tu-berlin.de
Thu Jun 23 15:34:15 UTC 2016


I am using Samba internal DNS.


On 23.06.2016 17:21, Ole Traupe wrote:
> James, it took me a while, but now I am doing this. I created the new 
> site with RSAT (want to move over my 1st DC), but this new site isn't 
> showing in the DNS console. Do I have to create the new site there, as 
> well?
>
> Ole
>
>
>
> On 25.04.2016 14:27, lingpanda101 at gmail.com wrote:
>> On 4/22/2016 3:43 PM, Ole Traupe wrote:
>>> Hi Mathias, lingpanda101, thank you for the quick reply! Comments 
>>> inline.
>>>
>>>
>>> On 22.04.2016 15:14, mathias dufresne wrote:
>>>> Hi Ole,
>>>>
>>>> A - If I read correctly you have only one DC and you want to move 
>>>> from one network to another.
>>>>
>>>> To achieve that change you will have to change all A/AAAA records 
>>>> in both your AD zones (root zone and _msdcs zone).
>>>> Once that is done you will have to change the resolver configuration on 
>>>> your clients so they can send DNS requests to the new IP.
>>>>
>>>> Can't see anything else. Nothing about AD sites: AD sites are linked 
>>>> to clients' networks and the clients' networks do not change, only the DC 
>>>> network is changing.
>>>>
>>>> B - If I don't read correctly, you have several DCs. Move one DC to 
>>>> the new network, change the A and AAAA records related to that DC to 
>>>> reflect the network change.
>>>> If you move one DC not used by clients as DNS server, no change on 
>>>> the client side.
>>>
>>> I have two DCs. The one with the FSMO roles is on the physical 
>>> server to move. Unfortunately I don't have another host for this VM 
>>> staying at the old place.
>>>
>>> Also, I will have a few clients at the new place soon, so I think a 
>>> second site is the way to go? Sorry, I mentioned this only 
>>> implicitly in "moving our lab". Is it possible to just transfer an 
>>> existing DC to another site? By manually recreating all the records?
>>>
>>> The moving DC will definitely be used as first DNS server, as the 
>>> second DC is on very old, potentially unreliable hardware. But 
>>> changing the DNS server config on the clients is no big deal.
>>>
>>>
>>> In response to the message from lingpanda101:
>>>
>>> I was not talking about transferring the FSMO roles. Sorry if I had 
>>> been unclear about that.
>>>
>>> In theory, I will have access to both networks from both places. In 
>>> practice, the firewall settings initially are very restrictive. So I 
>>> try not to forget anything in preparation. I have thought of...
>>> - all the ports samba regularly uses (including DNS requests)
>>> - rsync ports for sysvol replication
>>> - ...
>>>
>>> I would be very happy about the steps to create a new site and to 
>>> transfer DC and some client records to it!
>>>
>>>
>>> Probably I will see to the file server integration first, while 
>>> using the 2nd DC as fallback for DNS and logon. Once that works I 
>>> will deal with bringing the 1st DC back into the game.
>>>
>>>>
>>>> C - You are lazy and you have enough physical computer to play with.
>>>
>>> Yes and no. ;)
>>>
>>>> Just create a new DC on the new site, join it to the domain.
>>>> If then you want to remove old DC you will have to seize (or 
>>>> transfer if it works) FSMO roles, change DNS configuration on 
>>>> client side, but as that's a new DC you don't have to modify A/AAAA 
>>>> records.
>>>>
>>>> IMPORTANT NOTE: with internal DNS you have only one SOA. The SOA is 
>>>> where DNS updates go. If you remove the old SOA you must change the SOA 
>>>> record to assign it to a working DC. Without that no change in your 
>>>> DNS zones will be possible for later use (a DC moving from site to 
>>>> site is the main point; auto-updates pushed by DHCP or clients won't 
>>>> work either).
>>>
>>> I followed the recent/ongoing discussion on that. With "DNS updates" 
>>> you mean the clients automatically updating their records, right? 
>>> Because I am pretty sure that with internal DNS I can make changes 
>>> to DNS structure with RSAT on 2nd DC and it gets replicated to the 
>>> 1st DC (SOA). Maybe the only issue with internal DNS is that the 
>>> 2nd, 3rd etc. DC won't advertise themselves as SOA, and so automatic 
>>> updates fail when the 1st DC is offline.
>>>
>>>>
>>>> 2016-04-22 13:44 GMT+02:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>
>>>>     Hi List,
>>>>
>>>>     I'll probably have to move my FSMO role owner to another site.
>>>>     Like at the end of next week (depends on tight transportation
>>>>     schedules). So there is no actual time for testing anything, I am
>>>>     afraid.
>>>>
>>>>     We are in the process of moving our lab, with our offices staying
>>>>     in the old building for now (different class C subnets). The
>>>>     physical machine is basically a file server (hosting DC1 as a VM)
>>>>     which is particularly needed at the new site. Plus: Summer is
>>>>     coming and the new site has cooling. Unfortunately, our university
>>>>     techsup can't span a VLAN to merge these two sites. So I am trying
>>>>     to figure out how to do it. In earlier discussions on DC failover
>>>>     strategies it was suggested that I have my DCs on different sites (with
>>>>     different subnets), so I figure it is possible in general.
>>>>
>>>>     The necessary steps likely include:
>>>>     - modifying my current DNS config: create another site, move DC1
>>>>     over, also the file server (AD member)
>>>>     - update all the clients' 1st DNS server entries to reflect the
>>>>     new IP of DC1 (and network share mappings)
>>>>     - set some firewall rules allowing for logon and smb communication
>>>>     etc.
>>>>
>>>>     Samba is version 4.2.5 with internal DNS.
>>>>
>>>>     Any advice, instructions, heads-up, warnings are very welcome!
>>>>
>>>>     Best regards,
>>>>     Ole
>>>>
>>>>
>>>
>> Ole,
>>
>>     Will you be using Microsoft RSAT to create the sites? If so do 
>> follow this guide
>>
>> http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx 
>>
>>
>> Will you be changing your IP of the domain controller? If so follow 
>> this guide.
>>
>> https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC
>>
>> If using DHCP, give your clients the DNS IP of your new site DC. That 
>> should be it.
>>
>>
>
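The record changes and the site/subnet question discussed in this thread, as an added example that is not part of the original posts or of Samba itself. It assumes the hostnames, addresses, site and subnet names shown (constructed sample data), Samba's default internal DNS zones (the root zone and `_msdcs.<domain>`), and the `samba-tool dns update|add|delete` syntax as documented for Samba 4.x; whether reverse zones exist is also an assumption, so PTR handling is opt-in.

```python
"""Pre-flight helper for moving a Samba AD DC (internal DNS) to a new subnet.

Added example for this thread, not code from the list posts or from Samba.
Hostnames, addresses, site and subnet names are constructed sample data; the
commands use the documented 'samba-tool dns update|add|delete' syntax and
nothing runs unless run(..., dry_run=False) is called.
"""
import ipaddress
import shlex
import subprocess


def reverse_zone_and_label(ip):
    """'192.168.1.10' -> ('1.168.192.in-addr.arpa', '10'); assumes /24
    reverse zones, matching the thread's class C subnets."""
    label, zone = ipaddress.ip_address(ip).reverse_pointer.split(".", 1)
    return zone, label


def dns_update_commands(domain, dc_host, old_ip, new_ip,
                        dns_server="localhost", admin="administrator",
                        ptr=False):
    """samba-tool calls that re-point one DC's IPv4 address in AD DNS.

    With Samba's default zones the address sits in three A records: the
    DC's own name and '@' (domain apex) in the root zone, and 'gc' in
    _msdcs.<domain>.  The <GUID> entry in _msdcs is a CNAME to the hostname
    and needs no edit.  ptr=True deletes the old PTR and adds the new one,
    since a new subnet means a different reverse zone.
    """
    short = dc_host.split(".")[0]
    fqdn = f"{short}.{domain}"
    cmds = []
    for zone, name in ((domain, short), (domain, "@"),
                       (f"_msdcs.{domain}", "gc")):
        cmds.append(["samba-tool", "dns", "update", dns_server, zone, name,
                     "A", old_ip, new_ip, "-U", admin])
    if ptr:
        for verb, ip in (("delete", old_ip), ("add", new_ip)):
            zone, label = reverse_zone_and_label(ip)
            cmds.append(["samba-tool", "dns", verb, dns_server, zone, label,
                         "PTR", fqdn, "-U", admin])
    return cmds


def site_for(ip, subnet_to_site):
    """Longest-prefix match of an address against AD subnet -> site entries.
    None means no subnet covers it: such a client has no site and may pick
    any DC in the domain, which defeats the point of a second site."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def preflight(old_ip, new_ip, target_site, subnet_to_site, client_ips=()):
    """Return a list of problems to fix before the move (empty list = go)."""
    problems = []
    if old_ip == new_ip:
        problems.append("new IP equals old IP; nothing to move")
    if site_for(new_ip, subnet_to_site) != target_site:
        problems.append(f"{new_ip} is not in a subnet assigned to {target_site}")
    for c in client_ips:
        if site_for(c, subnet_to_site) is None:
            problems.append(f"client {c} matches no AD subnet (site-less)")
    return problems


def run(cmds, dry_run=True):
    """Print the commands; execute them only when dry_run is False.
    Returns the shell-quoted lines so they can go into a change ticket."""
    lines = [shlex.join(c) for c in cmds]
    for line in lines:
        print(line)
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return lines


# Constructed sample data: the old building keeps the default site, the lab
# gets a new one.  Both subnets must be defined in AD for clients to match.
SUBNETS = {
    "192.168.1.0/24": "Default-First-Site-Name",
    "192.168.2.0/24": "LabSite",
}

if __name__ == "__main__":
    old, new = "192.168.1.10", "192.168.2.10"
    for p in preflight(old, new, "LabSite", SUBNETS,
                       client_ips=["192.168.2.50", "10.0.0.7"]):
        print("WARN:", p)
    # Send the updates to the DC that stays reachable during the move.
    run(dns_update_commands("samdom.example.com", "dc1", old, new,
                            dns_server="dc2.samdom.example.com", ptr=True))
```

Run it as a dry run first: it prints the samba-tool commands and any pre-flight warnings (a new DC address outside the subnets assigned to the target site, or a client range that maps to no AD subnet at all). The `interfaces` setting in smb.conf, `/etc/hosts` and the clients' resolver entries that the linked wiki page covers still have to be changed by hand, and the updates should be sent to whichever DC is reachable while the moving one is offline.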