[Samba] DNS and DC replication clarification

[Mircea Husz]

On Mon, 2017-03-06 at 18:31 +0000, Rowland Penny via samba wrote:
> On Tue, 07 Mar 2017 07:05:25 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
> 
> > 
> > This can have some other impacts, if a DNS run hasn't happened by
> > the
> > time we first start up.  I've got some patches to force the first
> > DNS
> > entries to be created during the domain join.  I hope that will
> > help a
> > lot here, but this remains a problematic area.
> 
> I think this will help a lot, the new DC's DNS records not being
> created during the join is undoubtedly a big problem.
> 
> > 
> > 
> > There is also an issue with a patch that went in to 4.5 to help us
> > with resolv_wrapper that make the real-world use more fragile,
> > because it requires that the DC we point to first already have the
> > NS
> > records (and our local IP won't have those yet).
> 
> The problem at the moment (as far as I see it) is that when
> samba_dnsupdate is first run on the new DC, it uses the kerberos info
> for the first DC and so doesn't work.

Yes, one discovers that problem the hard way. But that's a one-time
initial configuration issue so not a big deal. 

> > 
> > 
> > Using it the other way around (remote first, then local) seems to
> > avoid some of that.
> > 
> > I'm really sorry we have got this far in to Samba as an AD DC
> > without
> > this stuff 'just working', and I hope to have improved patches in
> > master soon.
> 
> There are quite a few things that need sorting, but as they say 'Rome
> wasn't built in a day' ;-)
> 
> Rowland
> 

The recommendation to cross-reference DCs on the wiki comes after the
second DC is running and synchronizing to the primary. It aims to be a
best-practice recommendation, but if one follows the advice and cross-
references DCs then 'samba_dnsupdate --verbose --all-names' gives a
false postitive.

The advice raises questions so I asked ...

Thank you both for great answers.
-Mike