[Samba] Moving the 1st DC (FSMO) to another site - howto?

mathias dufresne infractory at gmail.com
Fri Jun 24 08:53:15 UTC 2016


Ole,

DC IPs (A records) are not meant to be changed (or at least not changed
_often_); CNAMEs are. CNAMEs are aliases.

When an AD site is created nothing else is done, you added a

2016-06-24 3:48 GMT+02:00 Traupe, Ole <ole.traupe at tu-berlin.de>:

> Thanks again for your help, James!
>
> I did, test-wise, and I didn't see any changes in DNS. But I hadn't changed
> the IP yet. So I suppose I move the DC over, change the IP, and then
> restart Samba and it will update the DNS itself?
>
> Ole
>
> ________________________________________
> From: samba <samba-bounces at lists.samba.org> on behalf of
> lingpanda101 at gmail.com <lingpanda101 at gmail.com>
> Sent: Thursday, 23 June 2016 17:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] Moving the 1st DC (FSMO) to another site - howto?
>
> On 6/23/2016 11:21 AM, Ole Traupe wrote:
> > James, it took me a while, but now I am doing this. I created the new
> > site with RSAT (want to move over my 1st DC), but this new site isn't
> > showing in the DNS console. Do I have to create the new site there, as
> > well?
> >
> > Ole
> >
> >
> >
> > On 25.04.2016 14:27, lingpanda101 at gmail.com wrote:
> >> On 4/22/2016 3:43 PM, Ole Traupe wrote:
> >>> Hi Mathias, lingpanda101, thank you for the quick reply! Comments
> >>> inline.
> >>>
> >>>
> >>> On 22.04.2016 15:14, mathias dufresne wrote:
> >>>> Hi Ole,
> >>>>
> >>>> A - If I read correctly you have only one DC and you want to move
> >>>> from one network to another.
> >>>>
> >>>> To achieve that change you will have to change all A/AAAA records
> >>>> in both your AD zones (root zone and _msdcs zone).
> >>>> Once that is done you will have to change the resolver configuration on
> >>>> your clients so they can send DNS requests to the new IP.
> >>>>
> >>>> Can't see anything else. Nothing about AD site: AD sites are linked
> >>>> to clients networks and clients networks do not change, only DC
> >>>> network is changing.
> >>>>
> >>>> B - If I don't read correctly, you have several DCs. Move one DC to
> >>>> the new network, change the A and AAAA records related to that DC to
> >>>> reflect the network change.
> >>>> If you move a DC that clients do not use as a DNS server, there is no
> >>>> change on the client side.
> >>>
> >>> I have two DCs. The one with the FSMO roles is on the physical
> >>> server to move. Unfortunately I don't have another host for this VM
> >>> staying at the old place.
> >>>
> >>> Also, I will have a few clients at the new place soon, so I think a
> >>> second site is the way to go? Sorry, I mentioned this only
> >>> implicitly in "moving our lab". Is it possible to just transfer an
> >>> existing DC to another site? By manually recreating all the records?
> >>>
> >>> The moving DC will definitely be used as first DNS server, as the
> >>> second DC is on very old, potentially unreliable hardware. But
> >>> changing the DNS server config on the clients is no big deal.
> >>>
> >>>
> >>> In response to the message from lingpanda101:
> >>>
> >>> I was not talking about transferring the FSMO roles. Sorry if I had
> >>> been unclear about that.
> >>>
> >>> In theory, I will have access to both networks from both places. In
> >>> practice, the firewall settings initially are very restrictive. So I
> >>> try not to forget anything in preparation. I have thought of...
> >>> - all the ports samba regularly uses (including DNS requests)
> >>> - rsync ports for sysvol replication
> >>> - ...
> >>>
> >>> I would be very happy about the steps to create a new site and to
> >>> transfer DC and some client records to it!
> >>>
> >>>
> >>> Probably I will see for the file server integration first, while
> >>> using the 2nd DC as fallback for DNS and logon. Once that works I
> >>> deal with bringing the 1st DC back into the game.
> >>>
> >>>>
> >>>> C - You are lazy and you have enough physical computers to play with.
> >>>
> >>> Yes and no. ;)
> >>>
> >>>> Just create a new DC on the new site, join it to the domain.
> >>>> If then you want to remove the old DC you will have to seize (or
> >>>> transfer if it works) the FSMO roles and change the DNS configuration on
> >>>> the client side, but as that's a new DC you don't have to modify A/AAAA
> >>>> records.
> >>>>
> >>>> IMPORTANT NOTE: with internal DNS you have only one SOA. The SOA is
> >>>> where DNS updates go. If you remove the old SOA you must change the SOA
> >>>> record to assign it to a working DC. Without that no change in your
> >>>> DNS zones will be possible for later use (a DC moving from site to
> >>>> site is the main point; auto-updates pushed by DHCP or clients won't
> >>>> work either).
> >>>
> >>> I followed the recent/ongoing discussion on that. With "DNS updates"
> >>> you mean the clients automatically updating their records, right?
> >>> Because I am pretty sure that with internal DNS I can make changes
> >>> to DNS structure with RSAT on 2nd DC and it gets replicated to the
> >>> 1st DC (SOA). Maybe the only issue with internal DNS is that the
> >>> 2nd, 3rd etc. DC won't advertise themselves as SOA, and so automatic
> >>> updates fail when the 1st DC is offline.
> >>>
> >>>>
> >>>> 2016-04-22 13:44 GMT+02:00 Ole Traupe <ole.traupe at tu-berlin.de>:
> >>>>
> >>>>     Hi List,
> >>>>
> >>>>     I'll probably have to move my FSMO role owner to another site.
> >>>>     Like at the end of next week (depends on tight transportation
> >>>>     schedules). So there is no actual time for testing anything, I am
> >>>>     afraid.
> >>>>
> >>>>     We are in the process of moving our lab, with our offices staying
> >>>>     in the old building for now (different class C subnets). The
> >>>>     physical machine is basically a file server (hosting DC1 as a VM)
> >>>>     which is particularly needed at the new site. Plus: Summer is
> >>>>     coming and the new site has cooling. Unfortunately, our university
> >>>>     techsup can't span a VLAN to merge these two sites. So I am trying
> >>>>     to figure out how to do it. In earlier discussions on DC failover
> >>>>     strategies it was suggested that I have my DCs on different sites
> >>>>     (with different subnets), so I figure it is possible in general.
> >>>>
> >>>>     The necessary steps likely include:
> >>>>     - modifying my current DNS config: create another site, move DC1
> >>>>     over, also the file server (AD member)
> >>>>     - update all the clients' 1st DNS server entries to reflect the
> >>>>     new IP of DC1 (and network share mappings)
> >>>>     - set some firewall rules allowing for logon and smb communication
> >>>>     etc.
> >>>>
> >>>>     Samba is version 4.2.5 with internal DNS.
> >>>>
> >>>>     Any advice, instructions, heads-up, warnings are very welcome!
> >>>>
> >>>>     Best regards,
> >>>>     Ole
> >>>>
> >>>>
> >>>>
> >>>>     --
> >>>>     To unsubscribe from this list go to the following URL and read the
> >>>>     instructions: https://lists.samba.org/mailman/options/samba
> >>>>
> >>>>
> >>>
> >> Ole,
> >>
> >>     Will you be using Microsoft RSAT to create the sites? If so do
> >> follow this guide
> >>
> >>
> http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx
> >>
> >>
> >> Will you be changing your IP of the domain controller? If so follow
> >> this guide.
> >>
> >> https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC
> >>
> >> If using DHCP, give your clients the DNS IP of your new site DC. That
> >> should be it.
> >>
> >>
> >
> >
>
> Sites will not display in the DNS console. After creating the site did
> you move the DC to the new site?
>
> If the DC isn't displaying in the DNS console, you can simply right
> click on the DNS item in the left pane window and choose 'Connect to DNS
> server'.
>
> --
> -James
>
>
>


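Added example (written for this page; it is not code from the thread, from any of the posters, or from the Samba project): a small Python planner for the step Mathias describes at the top of the thread, changing every A/AAAA record that still carries the moved DC's old address in both the root zone and the _msdcs zone. It parses the text that `samba-tool dns query <server> <zone> @ ALL` prints and emits one `samba-tool dns update` command per stale record, so the whole plan can be read before anything is sent to the domain. It also lists the records that reference the DC by name rather than by address (NS, the SOA's ns= field, the DC GUID CNAME in _msdcs): those follow the hostname and need no edit when only the IP changes. The zone names, the DC name dc1, the GUID and the addresses are constructed sample data, and the two query outputs are constructed to match samba-tool's output format; replace them with a fresh capture from your own DC. Run the plan before and after the Samba restart Ole asks about: anything still listed afterwards is a record samba_dnsupdate did not fix for you.

```python
#!/usr/bin/env python3
"""Plan the `samba-tool dns update` commands needed after a Samba AD DC
changes its IP address.  Added example, not Samba project code."""
import ipaddress
import re
from typing import List, Tuple

# ---- constructed sample data (not captured from a real domain) ---------------
ROOT_ZONE = "samdom.example.com"            # assumed domain name
MSDCS_ZONE = "_msdcs.samdom.example.com"
DC_FQDN = "dc1.samdom.example.com"          # the DC that is moving
OLD_IP, NEW_IP = "192.0.2.10", "198.51.100.10"

# Modeled on the text `samba-tool dns query <server> <zone> @ ALL` prints.
ROOT_QUERY_OUTPUT = """\
  Name=, Records=4, Children=0
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.samdom.example.com., email=hostmaster.samdom.example.com. (flags=600000f0, serial=110, ttl=3600)
    NS: dc1.samdom.example.com. (flags=600000f0, serial=110, ttl=900)
    A: 192.0.2.10 (flags=600000f0, serial=110, ttl=900)
    A: 192.0.2.11 (flags=600000f0, serial=110, ttl=900)
  Name=dc1, Records=1, Children=0
    A: 192.0.2.10 (flags=f0, serial=110, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 192.0.2.11 (flags=f0, serial=110, ttl=900)
  Name=fileserver, Records=1, Children=0
    A: 192.0.2.20 (flags=f0, serial=110, ttl=900)
"""

MSDCS_QUERY_OUTPUT = """\
  Name=, Records=2, Children=0
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.samdom.example.com., email=hostmaster.samdom.example.com. (flags=600000f0, serial=110, ttl=3600)
    NS: dc1.samdom.example.com. (flags=600000f0, serial=110, ttl=900)
  Name=gc, Records=2, Children=0
    A: 192.0.2.10 (flags=f0, serial=110, ttl=900)
    A: 192.0.2.11 (flags=f0, serial=110, ttl=900)
  Name=4b7e0d1c-0000-4000-8000-000000000001, Records=1, Children=0
    CNAME: dc1.samdom.example.com. (flags=f0, serial=110, ttl=900)
"""
# ------------------------------------------------------------------------------

NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=\d+, Children=\d+\s*$")
RECORD_RE = re.compile(
    r"^\s+(?P<type>[A-Z]+): (?P<data>.*?) \(flags=[0-9a-f]+, serial=\d+, ttl=\d+\)\s*$")

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


def parse_dns_query(output: str) -> List[Record]:
    """Turn `samba-tool dns query ... @ ALL` text into (name, type, data) tuples.
    The zone apex is printed as an empty `Name=` and kept here as ''."""
    records: List[Record] = []
    owner = None
    for line in output.splitlines():
        m = NAME_RE.match(line)
        if m:
            owner = m.group("name")
            continue
        m = RECORD_RE.match(line)
        if m and owner is not None:
            records.append((owner, m.group("type"), m.group("data")))
    return records


def plan_ip_change(server: str, zone: str, output: str,
                   old_ip: str, new_ip: str) -> List[str]:
    """Return one `samba-tool dns update` command per A/AAAA record in `zone`
    that still holds `old_ip`.  `server` is the DC samba-tool will talk to."""
    old, new = ipaddress.ip_address(old_ip), ipaddress.ip_address(new_ip)
    if old.version != new.version:
        raise ValueError("old and new address must be the same IP version")
    rtype = "A" if new.version == 4 else "AAAA"
    cmds = []
    for owner, typ, data in parse_dns_query(output):
        if typ == rtype and ipaddress.ip_address(data) == old:
            label = owner or "@"  # samba-tool spells the zone apex as "@"
            cmds.append(f"samba-tool dns update {server} {zone} {label} "
                        f"{rtype} {old_ip} {new_ip}")
    return cmds


def name_references(output: str, fqdn: str) -> List[Record]:
    """Records that point at the DC by name (NS, CNAME, SRV targets, SOA ns=).
    They follow the hostname, so an address change leaves them alone."""
    target = fqdn.rstrip(".").lower()
    refs = []
    for owner, typ, data in parse_dns_query(output):
        if typ == "SOA":  # only the ns= field names a server
            m = re.search(r"\bns=([^,\s]+)", data)
            data = m.group(1) if m else data
        if target in data.lower():
            refs.append((owner, typ, data))
    return refs


if __name__ == "__main__":
    for zone, out in ((ROOT_ZONE, ROOT_QUERY_OUTPUT), (MSDCS_ZONE, MSDCS_QUERY_OUTPUT)):
        print(f"# {zone}: records to rewrite")
        print("\n".join(plan_ip_change("dc2", zone, out, OLD_IP, NEW_IP)) or "(none)")
        print(f"# {zone}: records that name {DC_FQDN} and stay as they are")
        for owner, typ, data in name_references(out, DC_FQDN):
            print(f"  {owner or '@'} {typ} {data}")
```

To use it against a real domain, capture `samba-tool dns query <dc> <zone> @ ALL -U administrator` for the root zone and the _msdcs zone into two files, feed each to plan_ip_change, and run the printed commands with the same -U. The server argument is whichever DC you point samba-tool at; with AD-integrated zones any DC accepts the update and replication carries it to the others, so use the DC that is still reachable while the moved one is in transit. The apex A record of the domain and gc._msdcs are the two that are easy to forget, and the plan makes both visible.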