[Samba] NS records for a new AD DC

Rowland Penny rpenny at samba.org
Thu Oct 20 16:41:45 UTC 2016 

On Thu, 20 Oct 2016 09:02:22 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 19 Oct 2016 23:12:50 +0200
> Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> 
> > Hi Rowland,
> > 
> > thanks for testing and your feedback.
> > 
> > 
> > Am 19.10.2016 um 21:50 schrieb Rowland Penny via samba:
> > > Workaround:
> > > turn off samba on the first DC, then restart samba on the second
> > > DC. There is a gotcha however, I had to force replication with
> > > 'samba-tool drs replicate' (after I restarted samba on the first
> > > DC)
> > 
> > This sounds more complicated and the user has to turn of the
> > existing DC(s?) what makes the domain unavailable.
> > 
> > I think we should continue recommending to add the two records
> > manually. :-)
> > 
> > 
> > Regards,
> > Marc
> > 
> 
> I will try again to see if it was just a one off, but at least it
> gives us a pointer to what is wrong ;-)
> 
> When samba_dnsupdate tries to get the credentials, there is this line:
> 
> creds.guess(lp)
> 
> I 'think' it is guessing wrong ??
> 
> Rowland
> 

OK, after a lot more testing, I can get the records created without
turning the first DC off.

Provision the first DC.
Set the nameserver in /etc/resolv.conf on what will become the second
DC to the first DC.
Join the second DC
Before starting samba on the second DC, change these lines in
samba_dnsupdate:

    creds = credentials.Credentials()
    creds.guess(lp)

To:
    creds = credentials.Credentials()
    creds.set_workstation(host)

change the nameserver to now be the second DCs ipaddress

start samba and then immediately restart samba (no,I don't know why)

now change the nameserver on each DC to point to the other DC.

Go for a walk, have a brew, whatever, but just wait for replication to
kick in.

You will now find all the required records have been created and
replicated.

I think samba_upgradedns needs to start replication after updating any
records, it also needs to be made to use the credentials of the machine
it is running on. I am unsure if the modification I made is valid, but
it seems work.

Rowland

More information about the samba mailing list