[Samba] Samba Migration and AD integration

Praveen Ghimire PGhimire at sundata.com.au
Tue Feb 6 10:02:32 UTC 2018

Hi Andrew,

The realm infact has no dots, is this going be an issue? It is different to workgroup. The details did get "Lost in Redaction"

Coming back to the DNS. When we did the domain migration , we used --dns-backend=BIND9_DLZ. My assumption was it will stick to the BIND_DLZ. Anyhow, when we use the default settings post migration, we are not able to DCPROMO the Server 2008R2 server. It comes up with DNS record error,  more specifically the SRV records for _ldap_tcp_dc_msdsc_(realmname).  Then if we change the DNS to BIND9 using the dns_upgrade-backend=BIND9_DLZ, stick a zone file with manually added SRV records, we are able to DCPROMO but then DNS( and it turns out AD replication) issues. The AD replication issues is due to DNS not replication and not copying the _msdsc_ zone file.

So what is the best option in  our case? Domain Prep/Migrate using BIND9_DLZ and the stick to the SAMBA_DNS? One question is would  it help if we add the SRV records to the /var/cache/bind/zone file pre migration? Will the migration read that file and convert it to the DNS DB?

  Thank you.



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, 6 February 2018 6:22 PM
To: Praveen Ghimire <PGhimire at sundata.com.au>; samba at lists.samba.org
Subject: Re: [Samba] Samba Migration and AD integration

On Tue, 2018-02-06 at 03:05 +0000, Praveen Ghimire via samba wrote:
> Hi,
> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added promoted a 
> Server 2008R2 as a Domain Controller. We've come across the following 
> issues and request some suggestions to resolve them
> -          The migration didn't generate DNS entries for the new
> realm. We had to manually create a new zone file (/var/cache/bind) for 
> the new realm. Only then we were able to promote the Server2008
> R2 as the DC. Is this an expected outcome post migration?

I think you have not understood how AD DNS works.  It won't create a zone file, it will create entries in the replicated DB that you can see over LDAP.  By default the internal DNS server is used, but a DLZ plugin for bind9 can also be used. 

Run samba_dnsupgrade --backend=BIND9_DLZ and follow the instructions if you wish to used bind, rather than create a zone file. 

> -          Similarly, the dhcpd.conf file exhibited the same outcome
> as above.

Samba doesn't control dhcpd, but instructions for that are on the wiki.

> -          When we added a new machine to the domain, it didn't
> update the DNS record in the Samba box.  The machine joins to the 
> domain but there is no DNS record for it.

If Samba's DNS isn't used then dynamic updates wont work. 

> -          We added the DNS role in the Server2008 R2 DC, what we
> found that any record created in Bind9 gets replicated to the Windows 
> server but no vice-versa.

While I wouldn't exactly expect this if you were not using Samba for DNS on the Samba server, I think that is at the heart of your trouble. 

> The AD user bit seems to sync ok between the servers.
> The samba-tool dbcheck -cross-ncs gives the following
> samba-tool dbcheck --cross-ncs
> Checking 3835 objects
> ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to 
> parse dn string
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py",
> line 157, in run
>     controls=controls, attrs=attrs)
>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 
> 198, in check_database
>     error_count += self.check_object(object.dn, attrs=attrs)
>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 
> 1839, in check_object
>     expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
> smb.conf
> [global]
>         netbios name = TEST
>         realm = TESTDC
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = TESTDC
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes

The fact that your realm has no dots in it and is the same as the workgroup isn't a good start.  This may be a redaction, but I smell trouble here. 

> [netlogon]
>         path = /var/lib/samba/sysvol/testdc/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No

I hope the above helps,

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com ______________________________________________________________________

More information about the samba mailing list