[Samba] Moving the 1st DC (FSMO) to another site - howto?

mathias dufresne infractory at gmail.com
Fri Jun 24 09:05:37 UTC 2016


2016-06-24 10:53 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Ole,
>

Sorry, big fingers this morning...

DC IPs (A records) are not meant to be changed (not changed _often_ at
least); CNAMEs are. CNAMEs are aliases.

When an AD site is created nothing else is done: you added a new site,
that's all.

As a DC must belong to an AD site, every DC belongs to one site, by default
they belong to "Default-First-Site-Name" (which can be renamed and I
believe I read MS advising to rename it).

The DNS database contains site-related names... but only once there is some DC in
the site. Before you move some DC into the new site all your DCs belong to
"Default-First-Site-Name", so their names are related to
"Default-First-Site-Name".

Once you have a second site, you can move DCs from "Default-First-Site-Name"
to the new site. _If_ you move some DC to the new site this change must be
reflected in the DNS database, but not before, because DNS site-related names
are there to reflect the site to which a DC belongs.

That's why you must move a DC to the new site to see the site appearing in the
DNS console.

Cheers,

M.


>
> 2016-06-24 3:48 GMT+02:00 Traupe, Ole <ole.traupe at tu-berlin.de>:
>
>> Thanks again for your help, James!
>>
>> I did test-wise and I didn't see any changes in DNS. But I hadn't changed
>> the IP, yet. So I suppose I move the DC over, change the IP, and then
>> restart Samba and it will update the DNS itself?
>>
>> Ole
>>
>> ________________________________________
>> From: samba <samba-bounces at lists.samba.org> on behalf of
>> lingpanda101 at gmail.com <lingpanda101 at gmail.com>
>> Sent: Thursday, 23 June 2016 17:58
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Moving the 1st DC (FSMO) to another site - howto?
>>
>> On 6/23/2016 11:21 AM, Ole Traupe wrote:
>> > James, it took me a while, but now I am doing this. I created the new
>> > site with RSAT (want to move over my 1st DC), but this new site isn't
>> > showing in the DNS console. Do I have to create the new site there, as
>> > well?
>> >
>> > Ole
>> >
>> >
>> >
>> > On 25.04.2016 14:27, lingpanda101 at gmail.com wrote:
>> >> On 4/22/2016 3:43 PM, Ole Traupe wrote:
>> >>> Hi Mathias, lingpanda101, thank you for the quick reply! Comments
>> >>> inline.
>> >>>
>> >>>
>> >>> On 22.04.2016 15:14, mathias dufresne wrote:
>> >>>> Hi Ole,
>> >>>>
>> >>>> A - If I read correctly you have only one DC and you want to move
>> >>>> from one network to another.
>> >>>>
>> >>>> To achieve that change you will have to change all A/AAAA records
>> >>>> in your both AD zones (root zone and _msdcs zone).
>> >>>> Once that is done you will have to change the resolver configuration on
>> >>>> your clients so they can send DNS requests to the new IP.
>> >>>>
>> >>>> Can't see anything else. Nothing about AD sites: AD sites are linked
>> >>>> to client networks and client networks do not change, only the DC
>> >>>> network is changing.
>> >>>>
>> >>>> B - If I don't read correctly, you have several DCs. Move one DC to
>> >>>> the new network, change the A and AAAA records related to that DC to
>> >>>> reflect the network change.
>> >>>> If you move one DC not used by clients as DNS server, no change on
>> >>>> client side.
>> >>>
>> >>> I have two DCs. The one with the FSMO roles is on the physical
>> >>> server to move. Unfortunately I don't have another host for this VM
>> >>> staying at the old place.
>> >>>
>> >>> Also, I will have a few clients at the new place soon, so I think a
>> >>> second site is the way to go? Sorry, I mentioned this only
>> >>> implicitly in "moving our lab". Is it possible to just transfer an
>> >>> existing DC to another site? By manually recreating all the records?
>> >>>
>> >>> The moving DC will definitely be used as first DNS server, as the
>> >>> second DC is on very old, potentially unreliable hardware. But
>> >>> changing the DNS server config on the clients is no big deal.
>> >>>
>> >>>
>> >>> In response to the message from lingpanda101:
>> >>>
>> >>> I was not talking about transferring the FSMO roles. Sorry if I had
>> >>> been unclear about that.
>> >>>
>> >>> In theory, I will have access to both networks from both places. In
>> >>> practice, the firewall settings initially are very restrictive. So I
>> >>> try not to forget anything in preparation. I have thought of...
>> >>> - all the ports samba regularly uses (including DNS requests)
>> >>> - rsync ports for sysvol replication
>> >>> - ...
>> >>>
>> >>> I would be very happy about the steps to create a new site and to
>> >>> transfer DC and some client records to it!
>> >>>
>> >>>
>> >>> Probably I will see for the file server integration first, while
>> >>> using the 2nd DC as fallback for DNS and logon. Once that works I
>> >>> deal with bringing the 1st DC back into the game.
>> >>>
>> >>>>
>> >>>> C - You are lazy and you have enough physical computers to play with.
>> >>>
>> >>> Yes and no. ;)
>> >>>
>> >>>> Just create a new DC on the new site, join it to the domain.
>> >>>> If then you want to remove old DC you will have to seize (or
>> >>>> transfer if it works) FSMO roles, change DNS configuration on
>> >>>> client side, but as that's a new DC you don't have to modify A/AAAA
>> >>>> records.
>> >>>>
>> >>>> IMPORTANT NOTE: with internal DNS you have only one SOA. SOA is
>> >>>> where DNS update goes. If you remove old SOA you must change SOA
>> >>>> record to assign it to a working DC. Without that no change in your
>> >>>> DNS zones will be possible for later use (DCs moving from site to
>> >>>> site is the main point; auto-updates pushed by DHCP or clients won't
>> >>>> work either).
>> >>>
>> >>> I followed the recent/ongoing discussion on that. With "DNS updates"
>> >>> you mean the clients automatically updating their records, right?
>> >>> Because I am pretty sure that with internal DNS I can make changes
>> >>> to DNS structure with RSAT on 2nd DC and it gets replicated to the
>> >>> 1st DC (SOA). Maybe the only issue with internal DNS is that the
>> >>> 2nd, 3rd etc. DC won't advertise themselves as SOA, and so automatic
>> >>> updates fail when the 1st DC is offline.
>> >>>
>> >>>>
>> >>>> 2016-04-22 13:44 GMT+02:00 Ole Traupe <ole.traupe at tu-berlin.de
>> >>>> <mailto:ole.traupe at tu-berlin.de>>:
>> >>>>
>> >>>>     Hi List,
>> >>>>
>> >>>>     I'll probably have to move my FSMO role owner to another site.
>> >>>>     Like at the end of next week (depends on tight transportation
>> >>>>     schedules). So there is no actual time for testing anything, I am
>> >>>>     afraid.
>> >>>>
>> >>>>     We are in the process of moving our lab, with our offices staying
>> >>>>     in the old building for now (different class C subnets). The
>> >>>>     physical machine is basically a file server (hosting DC1 as a VM)
>> >>>>     which is particularly needed at the new site. Plus: Summer is
>> >>>>     coming and the new site has cooling. Unfortunately, our university
>> >>>>     techsup can't span a VLan to merge these two sites. So I am trying
>> >>>>     to figure out how to do it. In earlier discussions on DC failover
>> >>>>     strategies I was suggested to have my DCs on different sites (with
>> >>>>     different subnets), so I figure it being possible in general.
>> >>>>
>> >>>>     The necessary steps likely include:
>> >>>>     - modifying my current DNS config: create another site, move DC1
>> >>>>     over, also the file server (AD member)
>> >>>>     - update all the clients' 1st DNS server entries to reflect the
>> >>>>     new IP of DC1 (and network share mappings)
>> >>>>     - set some firewall rules allowing for logon and smb communication
>> >>>>     etc.
>> >>>>
>> >>>>     Samba is version 4.2.5 with internal DNS.
>> >>>>
>> >>>>     Any advice, instructions, heads-up, warnings are very welcome!
>> >>>>
>> >>>>     Best regards,
>> >>>>     Ole
>> >>>>
>> >>>>
>> >>>>
>> >>>>     --
>> >>>>     To unsubscribe from this list go to the following URL and read the
>> >>>>     instructions: https://lists.samba.org/mailman/options/samba
>> >>>>
>> >>>>
>> >>>
>> >> Ole,
>> >>
>> >>     Will you be using Microsoft RSAT to create the sites? If so do
>> >> follow this guide
>> >>
>> >> http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx
>> >>
>> >>
>> >> Will you be changing your IP of the domain controller? If so follow
>> >> this guide.
>> >>
>> >> https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC
>> >>
>> >> If using DHCP, give your clients the DNS IP of your new site DC. That
>> >> should be it.
>> >>
>> >>
>> >
>> >
>>
>> Sites will not display in the DNS console. After creating the site did
>> you move the DC to the new site?
>>
>> If the DC isn't displaying in the DNS console, you can simply right
>> click on the DNS item in the left pane window and choose 'Connect to DNS
>> server'.
>>
>> --
>> -James
>>
>>
>>
>
>
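Mathias's point above is that site-scoped DNS names only appear once a DC is actually moved into the site, and earlier in the thread he notes that both the root zone and the _msdcs zone must be updated. The script below is an added example (not code from the thread or from Samba) that audits a dump of SRV records for the site-scoped entries a moved DC should be a target of; the domain "example.lan", the site "Lab", the DC names and the record list are all constructed sample data.

```python
# Added example (not from the thread, not Samba code): audit the site-scoped
# SRV records a DC should own after being moved to a new AD site.
# The domain, site and SRV dump below are constructed sample data; in practice
# fill `records` from `samba-tool dns query` or `dig SRV` output.

# Site-scoped SRV owner names a DC registers under _sites in the root zone and
# in the _msdcs zone (the two zones the thread says must both be updated).
SITE_SRV_TEMPLATES = (
    "_ldap._tcp.{site}._sites.{domain}",
    "_kerberos._tcp.{site}._sites.{domain}",
    "_gc._tcp.{site}._sites.{domain}",
    "_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
    "_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
    "_ldap._tcp.{site}._sites.gc._msdcs.{domain}",
)


def expected_site_records(domain, site):
    """Return the site-scoped SRV names a DC in `site` should be a target of."""
    return [t.format(site=site, domain=domain) for t in SITE_SRV_TEMPLATES]


def audit_dc_site(records, domain, site, dc_fqdn):
    """records: iterable of (srv_owner_name, target_host) pairs dumped from DNS.
    Returns (present, missing): site-scoped SRV names that do / do not point
    at dc_fqdn. DNS names are case-insensitive, so compare lower-cased."""
    targets = {}
    for name, target in records:
        key = name.lower().rstrip(".")
        targets.setdefault(key, set()).add(target.lower().rstrip("."))
    dc = dc_fqdn.lower().rstrip(".")
    present, missing = [], []
    for name in expected_site_records(domain, site):
        (present if dc in targets.get(name.lower(), set()) else missing).append(name)
    return present, missing


# Constructed sample: DC1 was moved to site "Lab", but only the root-zone
# entries were refreshed; the _msdcs zone still has no Lab records for it.
SAMPLE_RECORDS = [
    ("_ldap._tcp.Lab._sites.example.lan", "dc1.example.lan"),
    ("_kerberos._tcp.Lab._sites.example.lan", "dc1.example.lan"),
    ("_gc._tcp.Lab._sites.example.lan", "dc1.example.lan"),
    ("_ldap._tcp.Default-First-Site-Name._sites.example.lan", "dc2.example.lan"),
    ("_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.lan", "dc2.example.lan"),
]

if __name__ == "__main__":
    ok, gaps = audit_dc_site(SAMPLE_RECORDS, "example.lan", "Lab", "dc1.example.lan")
    print("present:", len(ok), "missing:", gaps)
```

Run against a real zone dump, a non-empty `missing` list means clients in that site will not find the moved DC through site-aware lookups until those records are (re)created.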

