Achim Gottinger
2012-Dec-29 12:38 UTC
[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
Hello, I'm running a few tests here with two locations. site1: server-site1.gsg.local subnet 192.168.200.0/24 site2: server-site2.gsg.local subnet 192.168.190.0/24 both are connected via VPN. I migrated an samba3 domain at server-site1 it gets Default-First-Site-Name assigned. Then I joined the new samba4 domain withe server-site2. Both servers work and i can join and access them with clients at both locations. I created reverse zones for both subnets and added the required static entries. Then I created an new site (name site2) and two subnets with MS AD Site Management. I assigned subnet 192.168.200.0/24 to the site "Default-First-Site-Name" and subnet 192.168.190.0/24 to the site "site2". And moved server-site2 from Default-First-Site-Name to site2. Machines at site1 randomly picked server-site2 for logins. On site2 they always picked server-site2. So I deleted a few DNS records. _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site2.gsg.local And after an samba restart also _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local Afterwards machines at site1 also chose server-site1 most of the time. Hope i can optimize the behaviour of logon server choosing abit more but it happened really seldom and it all ran virtualized with 1GB bandwidth for the VPN connection, which will be 1-2MBit once in production. As an last step i renamed the site "Default-First-Site-Name" into "site1". Restarted the samba services at both sites check replication. But there are still a few DNS entries left whom i deleted manual. _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local So there are no more (visible) entries left in Default-First-Site-Name._sites.gsg.local Default-First-Site-Name._sites.gc._msdcs.gsg.local Default-First-Site-Name._sites.dc._msdcs.gsg.local But the structure remains an can not be deleted. (things like _tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to work at both sites but i'm curious if these leftovers can be completely removed. Thanks in advance Achim Gottinger
Andrew Bartlett
2012-Dec-30 01:03 UTC
[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On Sat, 2012-12-29 at 13:38 +0100, Achim Gottinger wrote:> Hello, > > I'm running a few tests here with two locations. > > site1: server-site1.gsg.local subnet 192.168.200.0/24 > site2: server-site2.gsg.local subnet 192.168.190.0/24 > > both are connected via VPN. > > I migrated an samba3 domain at server-site1 it gets > Default-First-Site-Name assigned. Then I joined the new samba4 domain > withe server-site2. Both servers work and i can join and access them > with clients at both locations. I created reverse zones for both subnets > and added the required static entries. > Then I created an new site (name site2) and two subnets with MS AD Site > Management. I assigned subnet 192.168.200.0/24 to the site > "Default-First-Site-Name" and subnet 192.168.190.0/24 to the site > "site2". And moved server-site2 from Default-First-Site-Name to site2. > Machines at site1 randomly picked server-site2 for logins. On site2 they > always picked server-site2. > > So I deleted a few DNS records. > > _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local > > _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local > > _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local > > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site2.gsg.local > > > And after an samba restart also > > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local > > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local > > Afterwards machines at site1 also chose server-site1 most of the time. > Hope i can optimize the behaviour of logon server choosing abit more but > it happened really seldom and it all ran virtualized with 1GB bandwidth > for the VPN connection, which will be 1-2MBit once in production. > > As an last step i renamed the site "Default-First-Site-Name" into > "site1". Restarted the samba services at both sites check replication. > But there are still a few DNS entries left whom i deleted manual. > > _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local > _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local > _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local > > So there are no more (visible) entries left in > > Default-First-Site-Name._sites.gsg.local > Default-First-Site-Name._sites.gc._msdcs.gsg.local > Default-First-Site-Name._sites.dc._msdcs.gsg.local > > But the structure remains an can not be deleted. (things like > _tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to > work at both sites but i'm curious if these leftovers can be completely > removed.As you have noticed, we are very good at adding DNS records, but never remove the old ones. What you have done seems reasonable, if you have renamed the site, removing the remaining DNS references seems entirely reasonable. Please file a bug about the left-behind DNS stuff, we really should clean that up. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
Matthieu Patou
2012-Dec-30 08:43 UTC
[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On 12/29/2012 04:38 AM, Achim Gottinger wrote:> Hello, > > I'm running a few tests here with two locations. > > site1: server-site1.gsg.local subnet 192.168.200.0/24 > site2: server-site2.gsg.local subnet 192.168.190.0/24 > > both are connected via VPN. > > I migrated an samba3 domain at server-site1 it gets > Default-First-Site-Name assigned. Then I joined the new samba4 domain > withe server-site2. Both servers work and i can join and access them > with clients at both locations. I created reverse zones for both > subnets and added the required static entries. > Then I created an new site (name site2) and two subnets with MS AD > Site Management. I assigned subnet 192.168.200.0/24 to the site > "Default-First-Site-Name" and subnet 192.168.190.0/24 to the site > "site2". And moved server-site2 from Default-First-Site-Name to site2. > Machines at site1 randomly picked server-site2 for logins. On site2 > they always picked server-site2. >I'm not 100% sure that we implement everything that is needed for a client to pickup the correct site, so you might see some issues still.> As an last step i renamed the site "Default-First-Site-Name" into > "site1". Restarted the samba services at both sites check replication. > But there are still a few DNS entries left whom i deleted manual. >It's really not a good idea to delete rename the default-First site lots of Windows admins don't advise to do so, you'd better leave it empty. Matthieu>-- Matthieu Patou Samba Team http://samba.org
Achim Gottinger
2012-Dec-31 03:10 UTC
[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
> As you have noticed, we are very good at adding DNS records, but never > remove the old ones. What you have done seems reasonable, if you have > renamed the site, removing the remaining DNS references seems entirely > reasonable. > > Please file a bug about the left-behind DNS stuff, we really should > clean that up. > > Andrew BartlettThere is this menu option "cleanup old resource entries" in the DNS snap-in, guess it's normal AD behaviour. :-) This does not yet work against an Samba4 AD DC. But I'll file an bugreport.> I'm not 100% sure that we implement everything that is needed for a > client to pickup the correct site, so you might see some issues still.It had happened in very seldom cases with the samba3/bind/openldap before. In the Samba4 test environment it happened only once after i had removed the mentioned SRV records pointig to site2's dc in site1 folders. I'll report back if it happens on an regular basis.>> As an last step i renamed the site "Default-First-Site-Name" into >> "site1". Restarted the samba services at both sites check >> replication. But there are still a few DNS entries left whom i >> deleted manual. > It's really not a good idea to delete rename the default-First site > lots of Windows admins don't advise to do so, you'd better leave it > empty. MatthieuSo to be on the safe side you recommend i create two new sites and assign the two servers to them, leaving Default-First-Site-Name with on assigned server. I thought it is safer to leave the first server in that default site because i had read the sites thing is a work in progress. Renaming it was somethin i did after abit of online research which mentioned it is safe and not forbidden. Beside that now empty structure elements in dns the test environment is still work functional. http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2afc3cf5-7389-4368-bdeb-887e60c0081f Beside all that for me samba4 is a great step forward an will simplify things alot compared to the previous samba3/bind/openldap solution Achim Gottinger
Seemingly Similar Threads
- Samba 4.3.0 and DNS entries missing for DCs
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- filling in datasets of differing lengths
- gl and different number of replications
- Bootstraping for groups and subgroups and joing with other table