[Samba] Samba Migration and AD integration

Praveen Ghimire PGhimire at sundata.com.au
Thu Feb 15 07:11:48 UTC 2018


Guys,

Just a quick summary of our setup
- Ubuntu 17.10 server
- Samba 4.6.7 Ubuntu
- Bind 9.10.3-P4-Ubuntu
- ufw disabled
- Server 2008R2

We are having issues post the Samba AD migration. Regardless of which option, SAMBA_INTERNAL or BIND9_DLZ, we are seeing DNS issues.

Here are our migration steps:
- confirm bind has permissions to files in /etc/bind and /var/cache/bind
- Following the link https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade) , we copied all the relevant files.
- Stopped smbd/nmbd/winbind/bind9
- upgrade using Internal DNS: samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir --realm=MYDOMAIN.INTERNAL --dns-backend=SAMBA_INTERNAL /etc/samba.PDC/smb.PDC.conf
- change the administrator password. Confirm kinit works
- samba -i
- confirm /etc/resolv.conf has the nameserver=172.16.24.1 (the only entry)
- confirm that /etc/hosts has the 172.16.24.1 server01 server01.mydomain (removed the loopback)
- smb.conf looks like

# Global parameters
[global]
        netbios name = server01
        realm = MYDOMAIN.INTERNAL
        workgroup = MYDOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/jellinbah.group/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

- the following are started
 [ - ]  acpid
 [ + ]  apparmor
 [ + ]  apport
 [ + ]  atd
 [ - ]  bind9
 [ - ]  console-setup.sh
 [ + ]  cron
 [ - ]  cryptdisks
 [ - ]  cryptdisks-early
 [ + ]  dbus
 [ + ]  ebtables
 [ + ]  grub-common
 [ - ]  hwclock.sh
 [ - ]  irqbalance
 [ + ]  isc-dhcp-server
 [ + ]  iscsid
 [ - ]  keyboard-setup.sh
 [ + ]  kmod
 [ - ]  lvm2
 [ + ]  lvm2-lvmetad
 [ + ]  lvm2-lvmpolld
 [ + ]  lxcfs
 [ - ]  lxd
 [ - ]  mdadm
 [ - ]  mdadm-waitidle
 [ - ]  nmbd
 [ - ]  open-iscsi
 [ + ]  open-vm-tools
 [ - ]  plymouth
 [ - ]  plymouth-log
 [ + ]  procps
 [ - ]  rsync
 [ + ]  rsyslog
 [ + ]  samba-ad-dc
 [ - ]  screen-cleanup
 [ - ]  smbd
 [ + ]  ssh
 [ + ]  udev
 [ + ]  ufw
 [ + ]  unattended-upgrades
 [ - ]  uuidd
 [ - ]  winbind

ISSUES:

- We are able to DCPROMO the server and add the DNS role.
- We can enumerate the Zones from the Windows Server 2008 DNS MMC console
- Cannot create any records in the Windows 2008R2 DNS; it comes up with "The host record cannot be created. Refused"
- Windows firewall is disabled 
- dcdiag comes up with
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = server08dc
   * Identified AD Forest.
   Got error while checking if the DC is using FRS or DFSR. Error:
   A device attached to the system is not functioning.The VerifyReferences,
   FrsEvent and DfsrEvent tests might fail because of this error.
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\SERVER08DC
      Starting test: Connectivity
         The host 60642247-203b-4804-9d92-3d4bf681c8a9._msdcs.mydomain.internal
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... SERVER08DC failed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\SERVER08DC
      Skipping all tests, because server SERVER08DC is not responding to
      directory service requests.


Any suggestions?
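The migration steps and the dcdiag failure above lend themselves to an offline pre-flight check. The script below is an added example, not code from the post or from the Samba project. It parses the three files the post lists (smb.conf, /etc/resolv.conf, /etc/hosts) and reports the inconsistencies a DC cannot tolerate with either DNS backend, then emits the dig queries for the records a DC must publish, starting with the GUID CNAME under _msdcs that dcdiag could not resolve. Assumptions: the sample file contents are constructed to resemble what the post describes and are not the real files; the FQDN-before-short-name ordering in /etc/hosts, the realm as the resolv.conf search domain, and 'server services = -dns' for BIND9_DLZ follow the Samba wiki; the forwarder address in the corrected sample is a placeholder; the GUID is the one from the dcdiag output.

```python
"""Offline name-resolution pre-flight for a Samba AD DC (added example; see lead-in)."""
import re

# Constructed samples resembling the post (assumptions, not the real files).
SAMPLE_SMB_CONF = """\
[global]
        netbios name = server01
        realm = MYDOMAIN.INTERNAL
        workgroup = MYDOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
"""
SAMPLE_RESOLV_CONF = "nameserver 172.16.24.1\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n172.16.24.1 server01 server01.mydomain\n"
# The same files laid out as the Samba wiki does for a DC (forwarder address is a placeholder).
FIXED_SMB_CONF = SAMPLE_SMB_CONF + "        dns forwarder = 192.0.2.53\n"
FIXED_RESOLV_CONF = "search mydomain.internal\nnameserver 172.16.24.1\n"
FIXED_HOSTS = "127.0.0.1 localhost\n172.16.24.1 server01.mydomain.internal server01\n"
DC_IP = "172.16.24.1"
DC_GUID = "60642247-203b-4804-9d92-3d4bf681c8a9"  # from the dcdiag output in the post


def parse_smb_conf(text):
    """Return {section: {key: value}} for a simple smb.conf (no 'include' lines)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def check_dc_config(smb_conf, resolv_conf, hosts, dc_ip, backend):
    """Return a list of findings for the chosen backend; an empty list means the checks pass."""
    findings = []
    g = parse_smb_conf(smb_conf).get("global", {})
    realm = g.get("realm", "").lower()
    netbios = g.get("netbios name", "").lower()
    fqdn = f"{netbios}.{realm}"
    if g.get("server role", "").lower() != "active directory domain controller":
        findings.append("smb.conf: server role must be 'active directory domain controller'")
    services = g.get("server services", "")
    if backend == "SAMBA_INTERNAL":
        if "-dns" in services:
            findings.append("smb.conf: 'server services' disables the internal DNS server")
        if "dns forwarder" not in g:
            findings.append("smb.conf: no 'dns forwarder', so names outside AD will not resolve")
    elif backend == "BIND9_DLZ" and "-dns" not in services:
        findings.append("smb.conf: BIND9_DLZ needs 'server services = -dns' so Bind9 can own port 53")
    # The DC resolves through itself, with the realm as its search domain.
    nameservers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    if nameservers[:1] != [dc_ip]:
        findings.append(f"resolv.conf: first nameserver must be the DC ({dc_ip}), got {nameservers}")
    if not re.search(rf"^\s*(search|domain)\s+{re.escape(realm)}\b", resolv_conf, re.M):
        findings.append(f"resolv.conf: no 'search {realm}' line")
    # /etc/hosts maps the DC's IP to the FQDN first, then the short name.
    for raw in hosts.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == dc_ip:
            names = [n.lower() for n in fields[1:]]
            if names[:1] != [fqdn] or netbios not in names:
                findings.append(f"/etc/hosts: {dc_ip} should map to '{fqdn} {netbios}', got {names}")
            break
    else:
        findings.append(f"/etc/hosts: no entry for {dc_ip}")
    return findings


def dc_dns_records(realm, dc_fqdn, dc_guid):
    """(name, type) pairs a DC must publish; the first is the record dcdiag failed to resolve."""
    realm = realm.lower()
    return [
        (f"{dc_guid}._msdcs.{realm}", "CNAME"),
        (f"_ldap._tcp.{realm}", "SRV"),
        (f"_kerberos._tcp.{realm}", "SRV"),
        (f"_ldap._tcp.dc._msdcs.{realm}", "SRV"),
        (dc_fqdn.lower(), "A"),
    ]


if __name__ == "__main__":
    for backend in ("SAMBA_INTERNAL", "BIND9_DLZ"):
        print(backend, check_dc_config(SAMPLE_SMB_CONF, SAMPLE_RESOLV_CONF, SAMPLE_HOSTS, DC_IP, backend))
    print("fixed", check_dc_config(FIXED_SMB_CONF, FIXED_RESOLV_CONF, FIXED_HOSTS, DC_IP, "SAMBA_INTERNAL"))
    for name, rtype in dc_dns_records("MYDOMAIN.INTERNAL", "server01.mydomain.internal", DC_GUID):
        print(f"dig +short @{DC_IP} {name} {rtype}")  # empty output for any of these is a finding
```

Run it on the DC with the real files substituted for the samples; the dig lines are meant to be pasted into a shell on the DC, and an empty answer for the GUID CNAME is exactly the condition the Windows dcdiag Connectivity test reports.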






-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, 6 February 2018 9:43 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba Migration and AD integration

On Tue, 6 Feb 2018 11:01:52 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> 
> Thank you.
> 
> Yes to the first point.
> 
> We are using Bind9 but to continue using it is not necessarily set in 
> stone.

If you are going to have more than one AD DC, then using Bind9 makes sense.

> If using Samba Internal DNS makes more sense then we can do that too.

It is not really a case of 'more sense'; it is just a different way of doing things.

> The question is do we need to do dns-upgrade and use Internal DNS, 
> pre-migration?  Then use internal dns during the classic migration?

If you ran the classicupgrade with '--dns-backend=BIND9_DLZ' then Samba should have been set up to allow Bind9 to use the DNS info stored in AD.
You will also need to remove any zones from the named.conf files that are also in AD.
You will find info on how to set up Bind9 for Samba AD here:
https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server

> Also, I assume the bind9 service will have to be stopped if in fact we use
> the Internal DNS?

If you do decide to use the Samba internal DNS server, then yes, you will need to stop Bind9. You will also need to remove the 'server services' line from smb.conf on the DC and add a 'dns forwarder' line.

> 
> The DHCP is to stay with Samba server for now.

Then you probably need to follow this:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

But you will need to get Bind9 working correctly first.

Rowland
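Rowland's point above about removing from the named.conf files any zones that are also in AD can be checked mechanically. The script below is an added example, not code from the thread or from the Samba project. It lists the zone blocks declared in a named.conf fragment, intersects them with the zones the DLZ module serves from AD (the forward zone, its _msdcs sub-zone, and any reverse zones that were created in AD), and confirms the Samba-generated include is present. Assumptions: the sample named.conf.local is constructed to show a pre-migration file-backed zone left next to the DLZ include; the include path varies between Samba releases, so it is a parameter; which reverse zones live in AD is passed in by the caller.

```python
"""Find named.conf zones that collide with AD-hosted zones after a BIND9_DLZ upgrade (added example)."""
import re

# Constructed sample named.conf.local (assumption): the pre-migration file-backed
# domain zone is still declared next to the Samba-generated DLZ include.
SAMPLE_NAMED_CONF_LOCAL = """\
zone "mydomain.internal" {
    type master;
    file "/etc/bind/db.mydomain.internal";
};
zone "24.16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.172.16.24";
};
include "/var/lib/samba/private/named.conf";
"""
# Path of the Samba-generated Bind9 config; it differs between Samba releases (assumption).
DLZ_INCLUDE = "/var/lib/samba/private/named.conf"


def ad_hosted_zones(realm, reverse_zones=()):
    """Zones the DLZ module serves from AD: the forward zone, its _msdcs sub-zone,
    and whichever reverse zones were created in AD with samba-tool."""
    realm = realm.lower()
    return {realm, f"_msdcs.{realm}", *(z.lower() for z in reverse_zones)}


def named_conf_zones(text):
    """Names of the zone {} blocks declared in a named.conf fragment."""
    return [m.group(1).lower() for m in re.finditer(r'^\s*zone\s+"([^"]+)"', text, re.M)]


def check_named_conf(text, realm, dlz_include, reverse_zones=()):
    """Return findings: zones declared twice (file-backed and in AD) and a missing DLZ include."""
    findings = []
    for zone in sorted(set(named_conf_zones(text)) & ad_hosted_zones(realm, reverse_zones)):
        findings.append(f'named.conf: zone "{zone}" is also in AD; remove it so the DLZ module answers it')
    if not re.search(rf'^\s*include\s+"{re.escape(dlz_include)}"\s*;', text, re.M):
        findings.append(f'named.conf: missing include "{dlz_include}" (Samba-generated DLZ config)')
    return findings


if __name__ == "__main__":
    for finding in check_named_conf(SAMPLE_NAMED_CONF_LOCAL, "MYDOMAIN.INTERNAL", DLZ_INCLUDE):
        print("FINDING:", finding)
```

A file-backed zone and a DLZ zone with the same name cannot both be answered by Bind9; whichever wins, the AD records (SRV, the GUID CNAMEs under _msdcs) will be the ones that go missing, so the duplicate is the first thing to remove before retrying dcdiag.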

