[Samba] Samba Migration and AD integration

Denis Cardon dcardon at tranquil.it
Wed Feb 7 13:12:56 UTC 2018 

Hi Praveen,

> The realm infact has no dots, is this going be an issue? It is different to workgroup. The details did get "Lost in Redaction"

About single labeled domain (SLD) name, from Microsoft documentation[1] 
: "SLDs are not a recommended configuration for future deployments and 
may not work with some products or versions"

Actually I thought it was not possible to make a samba classic upgrade 
with a SLD... Perhaps upgrade scripts doesn't block it.

Anyway, if you are still testing your upgrade, you should do again the 
classic upgrade using a realm containing a dot. If you are already gone 
in production with that problematic SLD and all desktops have switched 
to AD domain attachment, then you are mostly screwed. It can be salvaged 
  by recreating a new domain with a proper name and same SID, piping in 
all the accounts and groups with their respective SID and ntlm hash, and 
then rejoin all the computers to the domain.

Cheers,

Denis


[1] 
https://support.microsoft.com/en-us/help/2269810/microsoft-support-for-single-label-domains

>
> Coming back to the DNS. When we did the domain migration , we used --dns-backend=BIND9_DLZ. My assumption was it will stick to the BIND_DLZ. Anyhow, when we use the default settings post migration, we are not able to DCPROMO the Server 2008R2 server. It comes up with DNS record error,  more specifically the SRV records for _ldap_tcp_dc_msdsc_(realmname).  Then if we change the DNS to BIND9 using the dns_upgrade-backend=BIND9_DLZ, stick a zone file with manually added SRV records, we are able to DCPROMO but then DNS( and it turns out AD replication) issues. The AD replication issues is due to DNS not replication and not copying the _msdsc_ zone file.
>
> So what is the best option in  our case? Domain Prep/Migrate using BIND9_DLZ and the stick to the SAMBA_DNS? One question is would  it help if we add the SRV records to the /var/cache/bind/zone file pre migration? Will the migration read that file and convert it to the DNS DB?
>
>   Thank you.
>
> Regards,
>
> Praveen
>
>
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Tuesday, 6 February 2018 6:22 PM
> To: Praveen Ghimire <PGhimire at sundata.com.au>; samba at lists.samba.org
> Subject: Re: [Samba] Samba Migration and AD integration
>
> On Tue, 2018-02-06 at 03:05 +0000, Praveen Ghimire via samba wrote:
>> Hi,
>>
>> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added promoted a
>> Server 2008R2 as a Domain Controller. We've come across the following
>> issues and request some suggestions to resolve them
>>
>>
>> -          The migration didn't generate DNS entries for the new
>> realm. We had to manually create a new zone file (/var/cache/bind) for
>> the new realm. Only then we were able to promote the Server2008
>> R2 as the DC. Is this an expected outcome post migration?
>
> I think you have not understood how AD DNS works.  It won't create a zone file, it will create entries in the replicated DB that you can see over LDAP.  By default the internal DNS server is used, but a DLZ plugin for bind9 can also be used.
>
> Run samba_dnsupgrade --backend=BIND9_DLZ and follow the instructions if you wish to used bind, rather than create a zone file.
>
>> -          Similarly, the dhcpd.conf file exhibited the same outcome
>> as above.
>
> Samba doesn't control dhcpd, but instructions for that are on the wiki.
>
>> -          When we added a new machine to the domain, it didn't
>> update the DNS record in the Samba box.  The machine joins to the
>> domain but there is no DNS record for it.
>
> If Samba's DNS isn't used then dynamic updates wont work.
>
>> -          We added the DNS role in the Server2008 R2 DC, what we
>> found that any record created in Bind9 gets replicated to the Windows
>> server but no vice-versa.
>
> While I wouldn't exactly expect this if you were not using Samba for DNS on the Samba server, I think that is at the heart of your trouble.
>
>> The AD user bit seems to sync ok between the servers.
>>
>> The samba-tool dbcheck -cross-ncs gives the following
>>
>>
>> samba-tool dbcheck --cross-ncs
>> Checking 3835 objects
>> ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to
>> parse dn string
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py",
>> line 157, in run
>>     controls=controls, attrs=attrs)
>>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line
>> 198, in check_database
>>     error_count += self.check_object(object.dn, attrs=attrs)
>>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line
>> 1839, in check_object
>>     expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
>>
>>
>> smb.conf
>>
>> [global]
>>         netbios name = TEST
>>         realm = TESTDC
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         workgroup = TESTDC
>>         server role = active directory domain controller
>>         idmap_ldb:use rfc2307 = yes
>
> The fact that your realm has no dots in it and is the same as the workgroup isn't a good start.  This may be a redaction, but I smell trouble here.
>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/testdc/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>
> I hope the above helps,
>
> Andrew Bartlett
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint SĂ©bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

More information about the samba mailing list