Achim Gottinger
2012-Dec-29 12:38 UTC
[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
Hello,

I'm running a few tests here with two locations.

site1: server-site1.gsg.local subnet 192.168.200.0/24
site2: server-site2.gsg.local subnet 192.168.190.0/24

Both are connected via VPN.

I migrated a samba3 domain at server-site1; it got Default-First-Site-Name assigned. Then I joined the new samba4 domain with server-site2. Both servers work and I can join and access them with clients at both locations. I created reverse zones for both subnets and added the required static entries.

Then I created a new site (name site2) and two subnets with MS AD Site Management. I assigned subnet 192.168.200.0/24 to the site "Default-First-Site-Name" and subnet 192.168.190.0/24 to the site "site2", and moved server-site2 from Default-First-Site-Name to site2. Machines at site1 randomly picked server-site2 for logins. On site2 they always picked server-site2.

So I deleted a few DNS records:

_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
_gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site2.gsg.local

And after a samba restart also:

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local

Afterwards machines at site1 also chose server-site1 most of the time. I hope I can optimize the behaviour of logon server choosing a bit more, but it happened really seldom, and it all ran virtualized with 1GB bandwidth for the VPN connection, which will be 1-2MBit once in production.

As a last step I renamed the site "Default-First-Site-Name" to "site1", restarted the samba services at both sites and checked replication. But there are still a few DNS entries left, which I deleted manually:

_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local

So there are no more (visible) entries left in:

Default-First-Site-Name._sites.gsg.local
Default-First-Site-Name._sites.gc._msdcs.gsg.local
Default-First-Site-Name._sites.dc._msdcs.gsg.local

But the structure remains and cannot be deleted (things like _tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to work at both sites, but I'm curious whether these leftovers can be completely removed.

Thanks in advance
Achim Gottinger
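The records listed above are the site-scoped SRV entries that the DC locator uses to prefer a domain controller in the client's own site; a record under one site name that points at a DC belonging to another site, or a record under a site name that no longer exists after a rename, is exactly what causes clients to pick the wrong logon server. The following audit script is an added example for this thread, not code from the Samba project or from the poster: it parses SRV record lines in the simplified "owner SRV [priority weight port] target" form used above (a constructed sample set mirrors the thread's records, with server-site1/server-site2 as the DC hostnames) and flags records whose target DC is not a member of the site named in the record, or whose site is not in the list of current sites. It assumes site names are single DNS labels; the DC-to-site mapping and site list are supplied by the caller, so it runs offline.

```python
"""Audit site-scoped Active Directory SRV records for stale entries.

Added example for the thread above; not Samba project code. Records are
parsed from plain "owner SRV [prio weight port] target" text, so the check
can be run offline against a dump of the zone.
"""
import re
from dataclasses import dataclass

# Owner-name shape of a site-scoped SRV record:
#   _<service>._tcp.<site>._sites[.gc|dc._msdcs].<domain>
# Assumption: the site name is a single DNS label (no dots).
SITE_SRV_RE = re.compile(
    r"^(?P<service>_[a-z]+)\._tcp\.(?P<site>[^.]+)\._sites\."
    r"(?:(?P<scope>gc|dc)\._msdcs\.)?(?P<domain>.+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SiteSrvRecord:
    name: str      # full owner name of the SRV record
    service: str   # _ldap, _kerberos, _gc, ...
    site: str      # site label between _tcp and _sites
    scope: str     # "domain", "gc" or "dc" (the _msdcs sub-trees)
    domain: str    # DNS domain the record belongs to
    target: str    # DC hostname the record points at


def parse_site_srv(line: str):
    """Parse one record line; return None if it is not a site-scoped SRV."""
    parts = line.split()
    if len(parts) < 3 or parts[1].upper() != "SRV":
        return None
    owner = parts[0].rstrip(".")
    target = parts[-1].rstrip(".")      # last token, with or without prio/weight/port
    m = SITE_SRV_RE.match(owner)
    if m is None:
        return None
    return SiteSrvRecord(owner, m["service"].lower(), m["site"],
                         (m["scope"] or "domain").lower(), m["domain"], target)


def find_stale_site_records(lines, dc_site, sites):
    """Return (record, reason) pairs for every site-scoped SRV record that
    names a non-existent site or points at a DC outside that site.

    dc_site: {dc_hostname: site_name} for the current DC membership
    sites:   iterable of site names that currently exist
    """
    dc_site_ci = {host.lower(): site for host, site in dc_site.items()}
    sites_ci = {s.lower() for s in sites}
    stale = []
    for line in lines:
        rec = parse_site_srv(line)
        if rec is None:
            continue                      # A records, site-independent SRVs, etc.
        if rec.site.lower() not in sites_ci:
            stale.append((rec, f"site '{rec.site}' does not exist"))
            continue
        actual = dc_site_ci.get(rec.target.lower())
        if actual is None:
            stale.append((rec, f"target '{rec.target}' is not a known DC"))
        elif actual.lower() != rec.site.lower():
            stale.append((rec, f"target '{rec.target}' is in site '{actual}', "
                               f"not '{rec.site}'"))
    return stale


# Constructed sample data modelled on the thread: two sites, one DC each,
# with leftovers from moving server-site2 and renaming the default site.
DC_SITE = {"server-site1.gsg.local": "site1", "server-site2.gsg.local": "site2"}
SITES = {"site1", "site2"}
SAMPLE_RECORDS = [
    "_ldap._tcp.site1._sites.gsg.local SRV 0 100 389 server-site1.gsg.local",
    "_kerberos._tcp.site1._sites.dc._msdcs.gsg.local SRV 0 100 88 server-site1.gsg.local",
    "_ldap._tcp.site2._sites.gsg.local SRV 0 100 389 server-site2.gsg.local",
    # stale: server-site2 was moved to site2 but is still advertised for site1
    "_gc._tcp.site1._sites.gsg.local SRV 0 100 3268 server-site2.gsg.local",
    # stale: leftovers under the old site name after the rename to site1
    "_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV server-site1.gsg.local",
    "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV server-site1.gsg.local",
    # ignored: site-independent SRV and a plain A record
    "_ldap._tcp.gsg.local SRV 0 100 389 server-site1.gsg.local",
    "server-site1.gsg.local A 192.168.200.10",
]


def audit_sample():
    """Run the audit over the constructed sample; returns the stale list."""
    return find_stale_site_records(SAMPLE_RECORDS, DC_SITE, SITES)


if __name__ == "__main__":
    for rec, reason in audit_sample():
        print(f"{rec.name} -> {rec.target}: {reason}")
```

Against the sample the audit reports three records: the `_gc` entry for site1 that still points at server-site2, and the two entries left under Default-First-Site-Name after the rename. Running the same check over a real zone dump before and after site changes gives a quick way to confirm that the locator records match the site topology, which is the symptom the thread is chasing.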
Andrew Bartlett
2012-Dec-30 01:03 UTC
[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On Sat, 2012-12-29 at 13:38 +0100, Achim Gottinger wrote:
> Hello,
>
> I'm running a few tests here with two locations.
>
> site1: server-site1.gsg.local subnet 192.168.200.0/24
> site2: server-site2.gsg.local subnet 192.168.190.0/24
>
> Both are connected via VPN.
>
> I migrated a samba3 domain at server-site1; it got Default-First-Site-Name
> assigned. Then I joined the new samba4 domain with server-site2. Both
> servers work and I can join and access them with clients at both
> locations. I created reverse zones for both subnets and added the
> required static entries.
> Then I created a new site (name site2) and two subnets with MS AD Site
> Management. I assigned subnet 192.168.200.0/24 to the site
> "Default-First-Site-Name" and subnet 192.168.190.0/24 to the site
> "site2", and moved server-site2 from Default-First-Site-Name to site2.
> Machines at site1 randomly picked server-site2 for logins. On site2 they
> always picked server-site2.
>
> So I deleted a few DNS records:
>
> _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
> _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site2.gsg.local
>
> And after a samba restart also:
>
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local
>
> Afterwards machines at site1 also chose server-site1 most of the time.
> I hope I can optimize the behaviour of logon server choosing a bit more,
> but it happened really seldom, and it all ran virtualized with 1GB
> bandwidth for the VPN connection, which will be 1-2MBit once in production.
>
> As a last step I renamed the site "Default-First-Site-Name" to "site1",
> restarted the samba services at both sites and checked replication.
> But there are still a few DNS entries left, which I deleted manually:
>
> _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
> _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
>
> So there are no more (visible) entries left in:
>
> Default-First-Site-Name._sites.gsg.local
> Default-First-Site-Name._sites.gc._msdcs.gsg.local
> Default-First-Site-Name._sites.dc._msdcs.gsg.local
>
> But the structure remains and cannot be deleted (things like
> _tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to
> work at both sites, but I'm curious whether these leftovers can be
> completely removed.

As you have noticed, we are very good at adding DNS records, but never remove the old ones. What you have done seems reasonable; if you have renamed the site, removing the remaining DNS references seems entirely reasonable.

Please file a bug about the left-behind DNS stuff, we really should clean that up.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Matthieu Patou
2012-Dec-30 08:43 UTC
[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On 12/29/2012 04:38 AM, Achim Gottinger wrote:
> Hello,
>
> I'm running a few tests here with two locations.
>
> site1: server-site1.gsg.local subnet 192.168.200.0/24
> site2: server-site2.gsg.local subnet 192.168.190.0/24
>
> Both are connected via VPN.
>
> I migrated a samba3 domain at server-site1; it got Default-First-Site-Name
> assigned. Then I joined the new samba4 domain with server-site2. Both
> servers work and I can join and access them with clients at both
> locations. I created reverse zones for both subnets and added the
> required static entries.
> Then I created a new site (name site2) and two subnets with MS AD Site
> Management. I assigned subnet 192.168.200.0/24 to the site
> "Default-First-Site-Name" and subnet 192.168.190.0/24 to the site
> "site2", and moved server-site2 from Default-First-Site-Name to site2.
> Machines at site1 randomly picked server-site2 for logins. On site2
> they always picked server-site2.
>
I'm not 100% sure that we implement everything that is needed for a client to pick up the correct site, so you might see some issues still.

> As a last step I renamed the site "Default-First-Site-Name" to "site1",
> restarted the samba services at both sites and checked replication.
> But there are still a few DNS entries left, which I deleted manually.
>
It's really not a good idea to delete or rename the Default-First-Site; lots of Windows admins advise against doing so, you'd better leave it empty.

Matthieu

--
Matthieu Patou
Samba Team http://samba.org
Achim Gottinger
2012-Dec-31 03:10 UTC
[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
> As you have noticed, we are very good at adding DNS records, but never
> remove the old ones. What you have done seems reasonable; if you have
> renamed the site, removing the remaining DNS references seems entirely
> reasonable.
>
> Please file a bug about the left-behind DNS stuff, we really should
> clean that up.
>
> Andrew Bartlett

There is this menu option "cleanup old resource entries" in the DNS snap-in; I guess it's normal AD behaviour. :-) This does not yet work against a Samba4 AD DC. But I'll file a bug report.

> I'm not 100% sure that we implement everything that is needed for a
> client to pick up the correct site, so you might see some issues still.

It had happened in very seldom cases with the samba3/bind/openldap setup before. In the Samba4 test environment it happened only once, after I had removed the mentioned SRV records pointing to site2's DC in the site1 folders. I'll report back if it happens on a regular basis.

>> As a last step I renamed the site "Default-First-Site-Name" to
>> "site1", restarted the samba services at both sites and checked
>> replication. But there are still a few DNS entries left, which I
>> deleted manually.
> It's really not a good idea to delete or rename the Default-First-Site;
> lots of Windows admins advise against doing so, you'd better leave it
> empty.
>
> Matthieu

So to be on the safe side you recommend I create two new sites and assign the two servers to them, leaving Default-First-Site-Name with no assigned server. I thought it was safer to leave the first server in that default site because I had read the sites thing is a work in progress. Renaming it was something I did after a bit of online research which mentioned it is safe and not forbidden. Apart from the now empty structure elements in DNS, the test environment is still fully functional.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2afc3cf5-7389-4368-bdeb-887e60c0081f

Beside all that, for me samba4 is a great step forward and will simplify things a lot compared to the previous samba3/bind/openldap solution.

Achim Gottinger