[Samba] NS records for a new AD DC

Rowland Penny rpenny at samba.org
Thu Oct 20 17:47:04 UTC 2016


On Thu, 20 Oct 2016 12:55:01 -0400
lingpanda101--- via samba <samba at lists.samba.org> wrote:

> On 10/20/2016 12:41 PM, Rowland Penny via samba wrote:
> > On Thu, 20 Oct 2016 09:02:22 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> >> On Wed, 19 Oct 2016 23:12:50 +0200
> >> Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> >>
> >>> Hi Rowland,
> >>>
> >>> thanks for testing and your feedback.
> >>>
> >>>
> >>> Am 19.10.2016 um 21:50 schrieb Rowland Penny via samba:
> >>>> Workaround:
> >>>> turn off samba on the first DC, then restart samba on the second
> >>>> DC. There is a gotcha however, I had to force replication with
> >>>> 'samba-tool drs replicate' (after I restarted samba on the first
> >>>> DC)
> >>> This sounds more complicated and the user has to turn off the
> >>> existing DC(s?), which makes the domain unavailable.
> >>>
> >>> I think we should continue recommending to add the two records
> >>> manually. :-)
> >>>
> >>>
> >>> Regards,
> >>> Marc
> >>>
> >> I will try again to see if it was just a one off, but at least it
> >> gives us a pointer to what is wrong ;-)
> >>
> >> When samba_dnsupdate tries to get the credentials, there is this
> >> line:
> >>
> >> creds.guess(lp)
> >>
> >> I 'think' it is guessing wrong ??
> >>
> >> Rowland
> >>
> > OK, after a lot more testing, I can get the records created without
> > turning the first DC off.
> >
> > Provision the first DC.
> > Set the nameserver in /etc/resolv.conf on what will become the
> > second DC to the first DC.
> > Join the second DC
> > Before starting samba on the second DC, change these lines in
> > samba_dnsupdate:
> >
> >      creds = credentials.Credentials()
> >      creds.guess(lp)
> >
> > To:
> >      creds = credentials.Credentials()
> >      creds.set_workstation(host)
> >
> > change the nameserver to now be the second DC's IP address
> >
> > start samba and then immediately restart samba (no, I don't know why)
> >
> > now change the nameserver on each DC to point to the other DC.
> >
> > Go for a walk, have a brew, whatever, but just wait for replication
> > to kick in.
> >
> > You will now find all the required records have been created and
> > replicated.
> >
> > I think samba_upgradedns needs to start replication after updating
> > any records, it also needs to be made to use the credentials of the
> > machine it is running on. I am unsure if the modification I made is
> > valid, but it seems to work.
> >
> > Rowland
> >
> 
> Rowland,
> 
> I assume your testing is with bind? Will this modification be
> applicable to the internal DNS server as well?
> 

No, I didn't test with Bind; what I was testing was samba_dnsupdate, and
I made a mistake in the last paragraph: I wrote 'samba_upgradedns' and
I should have written 'samba_dnsupdate'.

The problem that I found in 'samba_dnsupdate' was that it tries to use
the DNS SPN for the first DC to add the 'missing' records for the
second DC; this will not work.

I have been thinking about this: perhaps the 'dns-HOSTNAME', which is
created if you use Bind, should be created even if you use the
internal DNS; this could be used to add any records.

Rowland
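A way to confirm the outcome of the procedure above, added here as an example and not part of the thread: after the second DC has joined and replication has run, check that its name appears among the NS records of both the domain zone and the _msdcs subzone. Domain and host names are placeholders; the live check assumes dig is available, while ns_has_host can be exercised offline on constructed dig output.

```shell
#!/bin/sh
# Added example, not from the samba list thread or the Samba project.
# Assumptions: samdom.example.com / dc2 are placeholders, dig is in PATH.

# ns_has_host HOST NS_OUTPUT
# Returns 0 if HOST appears in NS_OUTPUT, the text printed by
# "dig +short NS <zone>" (case-insensitive, trailing dot ignored).
ns_has_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    printf '%s\n' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -qxF "$host"
}

# check_dc_ns DOMAIN DC_FQDN NAMESERVER
# Live check: asks NAMESERVER for the NS records of DOMAIN and of
# _msdcs.DOMAIN and reports whether DC_FQDN is listed in each.
check_dc_ns() {
    domain=$1; dc=$2; ns=$3; rc=0
    for zone in "$domain" "_msdcs.$domain"; do
        out=$(dig +short NS "$zone" "@$ns")
        if ns_has_host "$dc" "$out"; then
            echo "OK: $dc is an NS for $zone"
        else
            echo "MISSING: $dc is not an NS for $zone"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "dig +short NS" output, used for offline testing.
SAMPLE_NS='dc1.samdom.example.com.
DC2.samdom.example.com.'

# Example use against a real DC (placeholder names):
# check_dc_ns samdom.example.com dc2.samdom.example.com 192.0.2.1
```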