[Samba] new DC via clone..

Joachim Lindenberg samba at lindenberg.one
Wed Jul 24 07:19:06 UTC 2024


Hi Kees,

I do have working backups and snapshots for sure. After my experiment yesterday I just reverted to the previous snapshot (knowing that samba-ad-dc was down all the time and no inconsistency could enter my domain doing so). I also mentioned somewhere that it is not just samba and bind, but also sshd, docker, pi-hole and stubby. On one instance I also have freeradius. Samba alone is just not sufficient to provide a working DNS server, and distributing related services across many VMs doesn't simplify replicating or relocating them.

I have been looking at ansible and other tools, but in my perception there is no accepted standard on how to install and configure software in general that goes beyond installation in a VM and cloning or using containers with docker (compose). You named so many tools that I think you'll agree. If everybody using applications were to start this for all applications from scratch, then this would be a huge waste of resources. Therefore I wished Samba-AD-DC were able to run as a container, and I contacted John at least twice already for instructions on how to, but again, there is a lack of documentation provided by Samba.

Regards,
Joachim

https://lists.samba.org/archive/samba/2023-August/246151.html

 

> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Kees van
> Vloten via samba
> Sent: Monday, 22 July 2024 18:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] new DC via clone..
> 
> 
> On 22-07-2024 17:49, Rowland Penny via samba wrote:
> > On Mon, 22 Jul 2024 16:48:59 +0200
> > Joachim Lindenberg via samba <samba at lists.samba.org> wrote:
> >
> >> Hello Rowland,
> >> there can be a lot more services than just the OS and Samba-AD-DC.
> > Just like Microsoft, Samba doesn't recommend using a DC for other
> > services and running it in some form of VM doesn't make it different.
> 
> I think Joachim mentioned Bind as software he is running, which is perfectly
> fine. And obviously on any Linux server there are quite a few more daemons
> that run.
> 
> Some 10 years ago I made a lot of images to clone with VMware (ESX), and I
> can tell, it is a tedious job to get a well prepared image. The same is true for
> the scripts required to personalize it again after cloning.
> 
> The more complex your machine is set up, the more complex this task
> becomes. It is as simple as that, but certainly not impossible.
> 
> In any case I would advise to invest time in creating a repeatable setup /
> config mechanism for every type of server you have. Use Ansible, Saltstack,
> Terraform, Chef etc. or just bash scripts. That makes the machine itself and its
> software + configs disposable. When it breaks, just run the code against a
> fresh base-OS and you are back in business.
> The only thing still required is a good backup of your data and a
> **tested** restore procedure!
> 
> - Kees.
> 
> >> As
> >> a must have you have to configure bind, and in my specific case I
> >> have also a pi-hole and stubby running with docker in order to
> >> provide complete DNS services on the DCs. Cloning is definitely a
> >> huge saving of time compared to starting from scratch. Everybody except
> >> probably Samba today uses clones where possible.
> > As I said, I wouldn't clone a DC, but a quick internet search turns up
> > that you can clone a Microsoft AD DC, provided a few criteria are met:
> >
> > It is only running software essential for the DC.
> > It holds most, if not all, the FSMO roles.
> > Can be powered down for a short while.
> > It is best to be already virtualised.
> >
> > Your clone does not seem to match the above.
> >
> > You are having problems, which may be just down to Samba, or they
> > could be due to an interaction between Samba and some other piece of
> > software.
> >
> > I suggest you start with a fresh VM, install Samba in that and join it
> > as a DC (using the internal dns server), if that works okay, then add
> > Bind and keep adding things until it stops working, at which point you
> > may be able to work out what the problem is. If the new Samba gives
> > you the same problem that you are having now, then it will be less
> > software in the way when trying to sort out the problem.
> >
> > Rowland
> >
> >
> >
> 



