[Samba] Samba Migration and AD integration

Praveen Ghimire PGhimire at sundata.com.au
Wed Feb 7 10:02:10 UTC 2018

Hi Rowland,

Following https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC, I ran some tests migrating from Bind9 to Samba Internal, with the following results:

Stopped the BIND, Samba-AD-DC services

samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
Reading records from zone file /var/lib/samba/private/dns/<REALMNAME>.zone
DNS partitions already exist
Finished upgrading DNS
You have switched to using SAMBA_INTERNAL as your dns backend, but you still have samba starting looking for a BIND backend. Please remove the -dns from your server services line.

Started the Samba-AD-DC service and left the Bind9 stopped.

The .zone file had all the SOA records for the REALM. The issue: after the change from Bind9 to Samba Internal (and also from Samba Internal to Bind9), we get the following when trying to add a machine to the domain.

The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.<realmname>
The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

The SRV records are missing by the looks of it.

service --status-all
[ - ]  acpid
[ + ]  apparmor
[ + ]  apport
[ + ]  atd
[ - ]  bind9
[ - ]  console-setup.sh
[ + ]  cron
[ - ]  cryptdisks
[ - ]  cryptdisks-early
[ + ]  dbus
[ + ]  ebtables
[ + ]  grub-common
[ - ]  hwclock.sh
[ - ]  irqbalance
[ + ]  isc-dhcp-server
[ + ]  iscsid
[ - ]  keyboard-setup.sh
[ + ]  kmod
[ - ]  lvm2
[ + ]  lvm2-lvmetad
[ + ]  lvm2-lvmpolld
[ + ]  lxcfs
[ - ]  lxd
[ - ]  mdadm
[ - ]  mdadm-waitidle
[ - ]  nmbd
[ - ]  open-iscsi
[ + ]  open-vm-tools
[ - ]  plymouth
[ - ]  plymouth-log
[ + ]  procps
[ - ]  rsync
[ + ]  rsyslog
[ + ]  samba-ad-dc
[ - ]  screen-cleanup
[ - ]  smbd
[ + ]  ssh
[ + ]  udev
[ + ]  ufw
[ + ]  unattended-upgrades
[ - ]  uuidd
[ - ]  winbind

Also, does the Realm name need to be something like abcd.local instead of abcdef?


Praveen Ghimire
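
Diagnostic added here by the editor, not code from the thread or from the Samba project, for the join failure described above: it checks whether smb.conf still carries the "-dns" in "server services" that samba_upgradedns warned about, and whether dig output for _ldap._tcp.dc._msdcs.<realm> actually contains an SRV answer. The realm, hostnames, IPs and sample smb.conf contents are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from Samba. Realm, hostnames,
# IPs and the sample smb.conf contents below are constructed placeholders.
TMP=$(mktemp -d)

# Exit 0 if the smb.conf at $1 still disables the internal DNS server with
# "server services = ... -dns" (the leftover samba_upgradedns warned about).
smbconf_disables_dns() {
    grep -Eiq '^[[:space:]]*server[[:space:]]+services[[:space:]]*=.*[[:space:],=]-dns([[:space:],]|$)' "$1"
}

# Exit 0 if the file $1 (full "dig ... SRV" output) holds an SRV answer
# with priority, weight, port and target, i.e. the DC serves the record.
srv_answer_present() {
    grep -Eq 'IN[[:space:]]+SRV[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[^[:space:]]+' "$1"
}

# Live check against a DC ($1 = DC IP, $2 = realm in lower case): the
# exact query the Windows join error reports as timing out.
check_dc_srv() {
    dig +time=3 +tries=1 @"$1" "_ldap._tcp.dc._msdcs.$2" SRV > "$TMP/dig.live" 2>&1
    srv_answer_present "$TMP/dig.live"
}

# Constructed samples standing in for the real files on the DC.
cat > "$TMP/smb.conf.bad" <<'EOF'
[global]
    realm = ABCDEF.EXAMPLE
    server role = active directory domain controller
    server services = -dns
EOF
cat > "$TMP/smb.conf.good" <<'EOF'
[global]
    realm = ABCDEF.EXAMPLE
    server role = active directory domain controller
    dns forwarder = 192.0.2.53
EOF
cat > "$TMP/dig.ok" <<'EOF'
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.abcdef.example. 900 IN SRV 0 100 389 dc1.abcdef.example.
EOF
: > "$TMP/dig.empty"

# Report when run by hand; point the functions at the real files on the DC.
smbconf_disables_dns "$TMP/smb.conf.bad" && echo "smb.conf.bad: internal DNS still disabled"
srv_answer_present "$TMP/dig.ok" && echo "dig.ok: SRV record is served"
srv_answer_present "$TMP/dig.empty" || echo "dig.empty: no SRV answer, join will fail"
```

Run check_dc_srv with the DC's IP and the lower-case realm to test the live server; an empty answer section is the same condition the Windows join error reports.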

From: Praveen Ghimire
Sent: Tuesday, 6 February 2018 9:02 PM
To: Rowland Penny; samba at lists.samba.org
Subject: Re: [Samba] Samba Migration and AD integration

Hi Rowland,

Thank you.

Yes to the first point.

We are using Bind9, but continuing to use it is not necessarily set in stone. If using Samba Internal DNS makes more sense then we can do that too. The question is: do we need to do dns-upgrade and use Internal DNS pre-migration, then use internal DNS during the classic migration? Also, I assume the bind9 service will have to be stopped if in fact we use the Internal DNS?

The DHCP is to stay with Samba server for now. Later on we can decide on moving it to the Windows server.

Hope I've clearly explained the situation.


Praveen Ghimire

-------- Original message --------
From: Rowland Penny via samba <samba at lists.samba.org>
Date: 6/02/2018 8:38 PM (GMT+10:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Samba Migration and AD integration
On Tue, 6 Feb 2018 03:05:18 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added and promoted a
> Server 2008R2 as a Domain Controller. We've come across the following
> issues and request some suggestions to resolve them:
> - The migration didn't generate DNS entries for the new realm. We had
>   to manually create a new zone file (/var/cache/bind) for the new
>   realm. Only then were we able to promote the Server 2008 R2 as the
>   DC. Is this an expected outcome post migration?
> - Similarly, the dhcpd.conf file exhibited the same outcome as above.
> - When we added a new machine to the domain, it didn't update the DNS
>   record in the Samba box. The machine joins the domain but there is
>   no DNS record for it.
> - We added the DNS role in the Server 2008 R2 DC; what we found is
>   that any record created in Bind9 gets replicated to the Windows
>   server but not vice versa.
> The AD user bit seems to sync ok between the servers.

Let's see if I understand correctly what you have done:

You had a Samba NT4-style domain and you have classic upgraded this to a Samba AD domain.

You were running Bind9 on the NT4-style PDC and you want to continue running it.

You were also running a DHCP server on the NT4-style PDC and you want to continue running it.

Is all this correct? If not, please describe your setup better.

