[Samba] Moving the 1st DC (FSMO) to another site - howto?

Ole Traupe ole.traupe at tu-berlin.de
Fri Jun 24 11:22:13 UTC 2016

Oh, and I forgot to state that in my case during the IP update step 5 
records showed up needing manual post-processing:

Failed to find matching DNS entry A dc1.my.domain.tld [IP]
Failed to find matching DNS entry A my.domain.tld [IP]
Failed to find matching DNS entry A gc._msdcs.my.domain.tld [IP]
Failed to find matching DNS entry A DomainDnsZones.my.domain.tld [IP]
Failed to find matching DNS entry A ForestDnsZones.my.domain.tld [IP]

And a sixth one wasn't even mentioned:
wasn't updated as well.


On 24.06.2016 12:49, Ole Traupe wrote:
> Hi all,
> thanks for all your replies!
> It finally went down very smoothly (once I discovered that a 
> pre-installed fiber optics cable wasn't crossed properly, preventing 
> some new switches in different rooms of our new lab building to stack 
> - like after 5 hours, you know ;).
> I followed James' advice and the two links he provided (at the bottom 
> of this message). And mind that I am using Samba's internal DNS solution.
> 1. I physically moved the server (1st DC, FSMO role holder) to the new 
> building (another class C sub-net) - a virtual machine on top of a 
> Samba member (file) server.
> 2. After dealing with the physical file server's network settings, I 
> altered the IP of the DC according to this link (I had read in some 
> Microsoft links that it is advised to update the IP prior to moving 
> over the DC; for whatever reason):
> https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC
> This link mentions some places where in the last step the IP actually 
> has to be changed on the server (ifcfg-eth0, /etc/hosts) but does not 
> explicitly name /etc/resolv.conf - might be added to the wiki.
> 3. I created the new site (the old one still is 
> Default-First-Site-Name; I left it untouched - did not rename it or 
> provide an explicit subnet) and moved over the DC (with RSAT, 
> following this link):
> http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx 
> As James advised (if I understood him correctly), I did NOT apply any 
> changes to DNS structure reflecting this new site.
> 4. I updated the first DNS server entry on some machines manually, and 
> on many clients via a GPO calling a script as suggested here (as I am 
> using static IP settings):
> http://www.wincert.net/windows-server/set-dns-servers-via-gpo-server-2012-r2/ 
> Seems to work well.
> 5. I had to update the A record for the moved DC in the other DC's DNS 
> database in order to get AD replication back online, as the other DC 
> wasn't able to find the 1st DC, of course.
> 6. I had to adjust the IP settings for the rsync-based sysvol 
> replication workaround.
> 7. I had to restart some of the clients on which I tested network 
> shares on the moved file server to make them forget obsolete DNS 
> knowledge.
> That's it, basically. Pretty straightforward. Of course, I had to 
> temporarily recreate a small part of the old subnet on the new site to 
> be able to use the RSAT tools (DNS, AD Sites and Services) on the 1st 
> DC to perform some of the above steps.
> Ole
> On 24.06.2016 11:16, Rowland penny wrote:
>> On 23/06/16 16:21, Ole Traupe wrote:
>>> James, it took me a while, but now I am doing this. I created the 
>>> new site with RSAT (want to move over my 1st DC), but this new site 
>>> isn't showing in the DNS console. Do I have to create the new site 
>>> there, as well?
>>> Ole
>>> On 25.04.2016 14:27, lingpanda101 at gmail.com wrote:
>>>> On 4/22/2016 3:43 PM, Ole Traupe wrote:
>>>>> Hi Mathias, lingpanda101, thank you for the quick reply! Comments 
>>>>> inline.
>>>>> On 22.04.2016 15:14, mathias dufresne wrote:
>>>>>> Hi Ole,
>>>>>> A - If I read correctly you have only one DC and you want to move 
>>>>>> from one network to another.
>>>>>> To achieve that change you will have to change all A/AAAA records 
>>>>>> in your both AD zones (root zone and _msdcs zone).
>>>>>> Once that is done you will have to change resolver configuration 
>>>>>> on your clients for they can send DNS request to the new IP.
>>>>>> Can't see anything else. Nothing about AD site: AD sites are 
>>>>>> linked to clients networks and clients networks do not change, 
>>>>>> only DC network is changing.
>>>>>> B - If I don't read correctly, you have several DC. Move on DC to 
>>>>>> the new network, change A and AAAA records related to that DC to 
>>>>>> reflect the network change.
>>>>>> If you move one DC not used by clients as DNS server, no change 
>>>>>> on client side.
>>>>> I have two DCs. The one with the FSMO roles is on the physical 
>>>>> server to move. Unfortunately I don't have another host for this 
>>>>> VM staying at the old place.
>>>>> Also, I will have a few clients at the new place soon, so I think 
>>>>> a second site is the way to go? Sorry, I mentioned this only 
>>>>> implicitly in "moving our lab". Is it possible to just transfer an 
>>>>> existing DC to another site? By manually recreating all the records?
>>>>> The moving DC will definitely be used as first DNS server, as the 
>>>>> second DC is on very old, potentially unreliable hardware. But 
>>>>> changing the DNS server config on the clients is no big deal.
>>>>> In response to the message from lingpanda101:
>>>>> I was not talking about transferring the FSMO roles. Sorry if I 
>>>>> had been unclear about that.
>>>>> In theory, I will have access to both networks from both places. 
>>>>> In practice, the firewall settings initially are very restrictive. 
>>>>> So I try not to forget anything in preparation. I have thought of...
>>>>> - all the ports samba regularly uses (including DNS requests)
>>>>> - rsync ports for sysvol replication
>>>>> - ...
>>>>> I would be very happy about the steps to create a new site and to 
>>>>> transfer DC and some client records to it!
>>>>> Probably I will see for the file server integration first, while 
>>>>> using the 2nd DC as fallback for DNS and logon. Once that works I 
>>>>> deal with bringing the 1st DC back into the game.
>>>>>> C - You are lazy and you have enough physical computer to play with.
>>>>> Yes and no. ;)
>>>>>> Just create a new DC on the new site, join it to the domain.
>>>>>> If then you want to remove old DC you will have to seize (or 
>>>>>> transfer if it works) FSMO roles, change DNS configuration on 
>>>>>> client side, but as that's a new DC you don't have to modify 
>>>>>> A/AAAA records.
>>>>>> IMPORTANT NOTE: with internal DNS you have only one SOA. SOA is 
>>>>>> where DNS update goes. If you remove old SOA you must change SOA 
>>>>>> record to assign it to a working DC. Without that no change in 
>>>>>> your DNS zones will be possible for later use (DC moving from 
>>>>>> site to site is the main point, auto-update pushed by DHCP or 
>>>>>> clients won't work too).
>>>>> I followed the recent/ongoing discussion on that. With "DNS 
>>>>> updates" you mean the clients automatically updating their 
>>>>> records, right? Because I am pretty sure that with internal DNS I 
>>>>> can make changes to DNS structure with RSAT on 2nd DC and it gets 
>>>>> replicated to the 1st DC (SOA). Maybe the only issue with internal 
>>>>> DNS is that the 2nd, 3rd etc. DC won't advertise themselves as 
>>>>> SOA, and so automatic updates fail when the 1st DC is offline.
>>>>>> 2016-04-22 13:44 GMT+02:00 Ole Traupe <ole.traupe at tu-berlin.de 
>>>>>> <mailto:ole.traupe at tu-berlin.de>>:
>>>>>>     Hi List,
>>>>>>     I'll probably have to move my FSMO role owner to another site.
>>>>>>     Like at the end of next week (depends on tight transportation
>>>>>>     schedules). So there is no actual time for testing anything, I am
>>>>>>     afraid.
>>>>>>     We are in the process of moving our lab, with our offices staying
>>>>>>     in the old building for now (different class C subnets). The
>>>>>>     physical machine is basically a file server (hosting DC1 as a VM)
>>>>>>     which is particularly needed at the new site. Plus: Summer is
>>>>>>     coming and the new site has cooling. Unfortunately, our university
>>>>>>     techsup can't span a VLan to merge these two sites. So I am trying
>>>>>>     to figure out how to do it. In earlier discussions on DC failover
>>>>>>     strategies I was suggested to have my DCs on different sites (with
>>>>>>     different subnets), so I figure it being possible in general.
>>>>>>     The necessary steps likely include:
>>>>>>     - modifying my current DNS config: create another site, move DC1
>>>>>>     over, also the file server (AD member)
>>>>>>     - update all the clients' 1st DNS server entries to reflect the
>>>>>>     new IP of DC1 (and network share mappings)
>>>>>>     - set some firewall rules allowing for logon and smb 
>>>>>> communication
>>>>>>     etc.
>>>>>>     Samba is version 4.2.5 with internal DNS.
>>>>>>     Any advice, instructions, heads-up, warnings are very welcome!
>>>>>>     Best regards,
>>>>>>     Ole
>>>> Ole,
>>>>     Will you be using Microsoft RSAT to create the sites? If so do 
>>>> follow this guide
>>>> http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx 
>>>> Will you be changing your IP of the domain controller? If so follow 
>>>> this guide.
>>>> https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC
>>>> If using DHCP. Give your clients the DNS IP of your new site DC. 
>>>> That should be it.
>> Hi Ole, I don't know of any Samba howto, but there is a microsoft one:
>> https://technet.microsoft.com/en-us/library/cc794722%28v=ws.10%29.aspx
>> Rowland
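The five A records that the IP-update step flagged in Ole's first message are the ones an admin most wants to re-check after the move. The following script is an added example, not code from the thread or from Samba: it builds that record list for a given domain and DC name and classifies each as ok, stale (old address still served) or missing (no record for the moved DC). The lookup function is injectable; the constructed `SAMPLE_ANSWERS` table and the RFC 5737 addresses it uses are assumptions for offline demonstration, and `system_resolver` is what you would pass when running it against the real DCs.

```python
import socket
from typing import Callable, Dict, List

# The A records the samba-tool IP-update step flagged in the thread, for a
# DC named dc_host in domain: the DC's own host record, the zone apex,
# gc._msdcs, DomainDnsZones and ForestDnsZones.
def expected_records(domain: str, dc_host: str) -> List[str]:
    return [f"{dc_host}.{domain}", domain, f"gc._msdcs.{domain}",
            f"DomainDnsZones.{domain}", f"ForestDnsZones.{domain}"]

def system_resolver(name: str) -> List[str]:
    """Resolve name to IPv4 addresses via the host's configured resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def check_dc_records(domain: str, dc_host: str, old_ip: str, new_ip: str,
                     resolve: Callable[[str], List[str]] = system_resolver) -> Dict[str, List[str]]:
    """Classify each expected record. Several addresses per name are normal
    (every DC registers the apex and gc._msdcs names), so only the presence
    of old_ip, or the absence of new_ip, counts as a problem."""
    report: Dict[str, List[str]] = {"ok": [], "stale": [], "missing": []}
    for name in expected_records(domain, dc_host):
        addrs = resolve(name)
        if old_ip in addrs:
            report["stale"].append(name)    # old address still served
        elif new_ip not in addrs:
            report["missing"].append(name)  # no record for the moved DC
        else:
            report["ok"].append(name)
    return report

# Constructed sample answers (assumption, not data from the thread): old DC
# address 192.0.2.10, new address 198.51.100.10, second DC 192.0.2.20.
SAMPLE_ANSWERS = {
    "dc1.my.domain.tld": ["198.51.100.10"],
    "my.domain.tld": ["192.0.2.10", "192.0.2.20"],
    "gc._msdcs.my.domain.tld": ["192.0.2.20", "198.51.100.10"],
    "DomainDnsZones.my.domain.tld": [],
    "ForestDnsZones.my.domain.tld": ["192.0.2.20"],
}

def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    r = check_dc_records("my.domain.tld", "dc1", "192.0.2.10", "198.51.100.10", sample_resolver)
    for status, names in r.items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Run it once against each DC's resolver (the moved DC and the remaining one), since step 5 in the thread shows the other DC's copy of the zone can lag behind.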
