S4 and BIND

titantoppler at gmail.com
Sun Jun 10 19:18:21 MDT 2012


Hi Andrew and list,

Yes, creating a second DC was my intended first step in shutting down the
original alpha12 DC (bypassing the upgrade and just provisioning it all
over again without losing my original domain information).

So to confirm, what I should be doing is:

1) Copy my zone files from my original DNS server to my second DC (dc2)
2) Start BIND on dc2
3) Run samba_upgradedns on dc2
4) Shut down BIND on both the DNS server and dc2 (* where at this point
Samba's internal DNS server should be up and running)

Is that correct?

Cheers!

On Fri, Jun 8, 2012 at 6:54 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2012-06-08 at 20:48 +1000, Andrew Bartlett wrote:
> > On Fri, 2012-06-08 at 16:04 +0800, titantoppler at gmail.com wrote:
> > > Hi list,
> > >
> > > I've been trying to set up another S4 DC on my network.
> > >
> > > My old setup was a single S4 DC (alpha 12) running DNS as well. I
> > > subsequently hived off the DNS service to a dedicated box by copying the
> > > zone files and the dns.keytab file from the original S4 DC to the new box.
> > >
> > > It seemed to work fine, though as no DNS updates from the original S4 DC
> > > were needed I am just guessing here.
> > >
> > > I successfully installed S4 (alpha 21) last night on another box. I joined
> > > it to the domain using the instructions from here (
> > > https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC)
> > >
> > > On starting S4, however, I get an error message that says:
> > > [2012/06/05 09:39:52,  0]
> > > ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
> > >   /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
> > >
> > > What is the problem here?
> > >
> > > I have exported the new dns.keytab and restarted BIND, but to no avail. My
> > > BIND version is 9.8.1.
> >
> > Have you included all the options (the gss options in particular, but
> > also the configuration for the DLZ plugin) in your named.conf as
> > directed by provision?
>
> (ignore this, I re-read your message just a moment too late).
>
> So, the issue here is in part due to the way you split off the DNS, and
> partly due to how old alpha12 is.
>
> A second DC in the domain needs to update a number of extra records,
> beyond what the options in alpha12 permitted.  For the flatfile, we
> generate a list of extra principals who are allowed to update the DNS
> records for the DC.
>
> But we handle this better in the bind9_dlz case, as there we can process
> the ACL internally.
>
> So, at this point your best option for a migration would be to copy the
> zone files to your new DC, run samba_upgradedns to place that zone into
> the DNS partition, and then start bind9_dlz on that new DC.   It should
> continue to accept DNS updates from your original DC.
>
> Also note that alpha12 is quite old, and while you certainly should run
> a dbcheck, you might be caught in the nasty spot where we need an
> upgradeprovision, but an upgradeprovision isn't recommended any
> more :-(.
>
> I hope this is of more help,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
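Andrew's first question (whether the gss options and the DLZ plugin configuration that provision prints out made it into named.conf) is the check worth automating when a DC starts logging "samba_dnsupdate: update failed: NOTAUTH" against a BIND back end. The script below is an added example and is not code from this thread or from the Samba project; it audits a named.conf for the two directives Samba's BIND9_DLZ provisioning asks you to add, using the default /usr/local/samba prefix, and runs against two constructed sample files so it can be tried offline. The exact directive names are real BIND/Samba ones, but the file paths are assumptions for a default-prefix install.

```shell
#!/bin/sh
# Added example, not part of the original message: audit a BIND named.conf
# for the two pieces Samba's provision asks for when BIND is the DNS back end.
#   1. tkey-gssapi-keytab pointing at Samba's dns.keytab, so that a DC's
#      samba_dnsupdate can authenticate its GSS-TSIG updates. Without it BIND
#      has no way to verify the update and the DC sees NOTAUTH.
#   2. the include of the Samba-generated named.conf fragment, which is what
#      loads the DLZ module and lets Samba evaluate the update ACL internally.
# Paths assume the default /usr/local/samba prefix (assumption, adjust to taste).

SAMBA_KEYTAB="/usr/local/samba/private/dns.keytab"
SAMBA_NAMED_CONF="/usr/local/samba/private/named.conf"

# check_named_conf FILE
#   Prints one line per missing directive; returns 0 only when both are present.
check_named_conf() {
    conf="$1"
    rc=0
    if ! grep -Eq "tkey-gssapi-keytab[[:space:]]+\"$SAMBA_KEYTAB\"" "$conf"; then
        echo "$conf: missing tkey-gssapi-keytab \"$SAMBA_KEYTAB\" (GSS-TSIG updates will fail with NOTAUTH)"
        rc=1
    fi
    if ! grep -Eq "^[[:space:]]*include[[:space:]]+\"$SAMBA_NAMED_CONF\"" "$conf"; then
        echo "$conf: missing include \"$SAMBA_NAMED_CONF\" (DLZ plugin is not loaded)"
        rc=1
    fi
    return $rc
}

# Constructed sample 1: a named.conf carrying both directives provision asks for.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
options {
    directory "/var/named";
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
EOF

# Constructed sample 2: a flat-file zone setup copied from an older DC, with no
# GSS option and no DLZ include. This is the shape that produces NOTAUTH.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
options {
    directory "/var/named";
};
zone "samba.example.com" IN {
    type master;
    file "samba.example.com.zone";
};
EOF

# Stand-alone run: report on both samples without aborting on the expected
# failure of the second one.
check_named_conf "$GOOD_CONF" && echo "$GOOD_CONF: ok"
check_named_conf "$BAD_CONF" || echo "$BAD_CONF: needs the provision-generated directives"
```

Point `check_named_conf` at the real named.conf on the DC that logs NOTAUTH; if it reports both directives present, the next things to compare are the keytab the DC exported (`samba_dnsupdate` reads the same dns.keytab BIND is told about) and which host BIND actually runs on, since in the thread the zone was served from a separate box that only had a copy of the original DC's keytab.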


More information about the samba-technical mailing list