Thanks Rowland and Louis! :)

Ok I'm going to test the failover mode! ;)
Do I need to set the same value for NSRVS in dhcp-dyndns.sh? (the first AD server, "S4" for me)
Or can I keep
NSRVS=S4.ariane.intra on server S4 and
NSRVS=S4bis.ariane.intra on server S4bis?

It seems more secure to me if the first server switches off...

Sam

On 27/01/2016 12:16, Rowland penny wrote:
> On 27/01/16 11:03, Sam wrote:
>> If I don't use DHCP failover, can you tell me how to get the
>> manual dhcp start method working...
>>
>> I think I could have made a mistake, this is what I did (I am using Louis's
>> script from the "old set of script" directory:
>> https://secure.bazuin.nl/scripts/ ):
>>
>> - On server S4 : resolv.conf set to S4 first and S4bis second
>> - On server S4 : in dhcp-dyndns-debian.sh, NSRVS=S4.ariane.intra
>> - On server S4 : bash install.sh
>> - On server S4 : osync set to sync dhcpd.conf between the 2 servers
>> - On server S4bis : resolv.conf set to S4bis first and S4 second
>> - On server S4bis : in dhcp-dyndns-debian.sh, NSRVS=S4bis.ariane.intra
>> - On server S4bis : bash install.sh
>>
>> Am I wrong?
>>
>> Regards,
>> Sam
>
> I don't think that is going to work.
> If you are using Louis's script, then you are using a variant of my
> script, so the following should point you in the right direction.
>
> Setting Up DHCP Failover
>
> This is based on using two Samba4 AD DCs:
>
> dc1.samdom.example.com : 192.168.0.5 : primary
> dc2.samdom.example.com : 192.168.0.6 : secondary
>
> The network will be 192.168.0.0/24 and the address pool will be
> '192.168.0.50 to 192.168.0.229'
>
> No firewall is running
>
> Add the following for the failover peers to the configuration files on
> the primary:
>
> failover peer "dhcp-failover" {
>     primary;
>     address dc1.samdom.example.com;
>     port 519;
>     peer address dc2.samdom.example.com;
>     peer port 520;
>     max-response-delay 60;
>     max-unacked-updates 10;
>     mclt 3600;
>     split 128;
>     load balance max seconds 3;
> }
>
> ..and secondary:
>
> failover peer "dhcp-failover" {
>     secondary;
>     address dc2.samdom.example.com;
>     port 520;
>     peer address dc1.samdom.example.com;
>     peer port 519;
>     max-response-delay 60;
>     max-unacked-updates 10;
>     load balance max seconds 3;
> }
>
> Add references for the subnet/pool which will do failover.
>
> subnet 192.168.0.0 netmask 255.255.255.0 {
>     option subnet-mask 255.255.255.0;
>     option broadcast-address 192.168.0.255;
>     option time-offset 0;
>     option routers 192.168.0.1;
>     option domain-name "samdom.example.com";
>     option domain-name-servers 192.168.0.5, 192.168.0.6;
>     option ntp-servers 192.168.0.5, 192.168.0.6;
>     pool {
>         failover peer "dhcp-failover";
>         max-lease-time 1800; # 30 minutes
>         range 192.168.0.50 192.168.0.229;
>     }
> }
>
> Configure OMAPI and define a secret key.
>
> Generate a random OMAPI key on the primary, using the dnssec-keygen
> utility distributed with BIND.
>
> dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_OMAPI
>
> Now extract the actual key:
>
> cat Kdhcp_omapi.+*.private |grep ^Key|cut -d ' ' -f2-
>
> Add the following to dhcpd.conf on both primary and secondary.
>
> key omapi_key {
>     algorithm hmac-md5;
>     secret "PUT_YOUR_KEY_HERE";
> }
>
> omapi-port 7911;
> omapi-key omapi_key;
>
> Replace PUT_YOUR_KEY_HERE with the key you extracted from the private
> key created by the dnssec command
>
> Add the following to dhcpd.conf on both machines:
>
> on commit {
>     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>     set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>     set ClientName = pick-first-value(option host-name, config-option host-name, client-name);
>     log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
>     execute("/etc/dhcp/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
> }
>
> on release {
>     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>     set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>     log(concat("Release: IP: ", ClientIP));
>     execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
> }
>
> on expiry {
>     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>     # cannot get a ClientMac here, apparently this only works when
>     # actually receiving a packet
>     log(concat("Expired: IP: ", ClientIP));
>     # cannot get a ClientName here, for some reason that always fails
>     execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
> }
>
> Restart both servers to apply the configuration changes.
>
> If OMAPI is working properly you can test failover by stopping the
> primary server.
>
> Once you are sure everything is working as expected, restart both
> servers to ensure everything is running correctly.
>
>
> The 'split' value '128' divides responsibility for the clients between
> the two failover partners.
> If you want the primary to answer all dhcp requests unless it is down
> (for whatever reason) set the value to '255', use '0' to make the
> secondary responsible.
>
> HTH
>
> Rowland
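The failover pairing in the guide above is symmetric: the primary's own address and port must be exactly what the secondary lists as peer address and peer port, and the other way round, while mclt and split belong on the primary only. Getting one of those crossed is the usual reason two dhcpd instances never reach the normal state. The Python below is an added example, not part of the thread and not Rowland's or Louis's code: it parses the two stanzas quoted above (copied in as constructed input), cross-checks them, and renders an OMAPI key stanza with a fresh 512-bit secret, the size the dnssec-keygen -b 512 call produces. dhcpd's OMAPI only supports hmac-md5, so the algorithm line is fixed; since OMAPI on port 7911 lets any holder of the key change leases, the real protection is the secret's length and restricting which hosts can reach that port. The key name omapi_key is the guide's; the function and variable names are my own.

```python
"""Cross-check a pair of ISC dhcpd failover stanzas and render an OMAPI key stanza."""
import base64
import re
import secrets

# Constructed input: copied from the two stanzas quoted in the thread above.
PRIMARY_CONF = """
failover peer "dhcp-failover" {
    primary;
    address dc1.samdom.example.com;
    port 519;
    peer address dc2.samdom.example.com;
    peer port 520;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    split 128;
    load balance max seconds 3;
}
"""

SECONDARY_CONF = """
failover peer "dhcp-failover" {
    secondary;
    address dc2.samdom.example.com;
    port 520;
    peer address dc1.samdom.example.com;
    peer port 519;
    max-response-delay 60;
    max-unacked-updates 10;
    load balance max seconds 3;
}
"""

STANZA = re.compile(r'failover\s+peer\s+"([^"]+)"\s*\{(.*?)\}', re.S)


def parse_failover_peer(conf):
    """Return the first failover stanza as {'name', 'role', '<statement>': '<value>'}."""
    conf = re.sub(r"#.*", "", conf)                 # strip dhcpd.conf comments
    m = STANZA.search(conf)
    if not m:
        raise ValueError("no failover peer stanza found")
    peer = {"name": m.group(1)}
    for stmt in m.group(2).split(";"):
        words = stmt.split()
        if not words:
            continue
        if words in (["primary"], ["secondary"]):
            peer["role"] = words[0]
        else:                                       # 'peer port 520' -> peer['peer port'] = '520'
            peer[" ".join(words[:-1])] = words[-1]
    return peer


def check_failover_pair(primary, secondary):
    """Return a list of problems; an empty list means the stanzas form a matching pair."""
    problems = []
    if primary["name"] != secondary["name"]:
        problems.append("peer names differ: %s vs %s" % (primary["name"], secondary["name"]))
    if primary.get("role") != "primary" or secondary.get("role") != "secondary":
        problems.append("one stanza must say 'primary;' and the other 'secondary;'")
    # Each side's own address/port must be what the other side names as its peer.
    for own, theirs in (("address", "peer address"), ("port", "peer port")):
        if primary.get(own) != secondary.get(theirs):
            problems.append("primary %s %s != secondary %s %s"
                            % (own, primary.get(own), theirs, secondary.get(theirs)))
        if secondary.get(own) != primary.get(theirs):
            problems.append("secondary %s %s != primary %s %s"
                            % (own, secondary.get(own), theirs, primary.get(theirs)))
    # mclt and split/hba are accepted only on the primary, and the primary needs them.
    for stmt in ("mclt", "split", "hba"):
        if stmt in secondary:
            problems.append("'%s' is only valid on the primary" % stmt)
    if "mclt" not in primary:
        problems.append("primary is missing mclt")
    if "split" not in primary and "hba" not in primary:
        problems.append("primary is missing split (or hba)")
    for role, stanza in (("primary", primary), ("secondary", secondary)):
        for stmt in ("max-response-delay", "max-unacked-updates"):
            if stmt not in stanza:
                problems.append("%s is missing %s" % (role, stmt))
    return problems


def render_omapi_key(name="omapi_key", secret=None):
    """Render the dhcpd.conf key stanza; without a secret, generate 512 random bits.
    dhcpd's OMAPI only supports hmac-md5, so the algorithm line is fixed."""
    if secret is None:
        secret = base64.b64encode(secrets.token_bytes(64)).decode()
    if len(base64.b64decode(secret)) * 8 < 128:
        raise ValueError("OMAPI secret shorter than 128 bits")
    return 'key %s {\n    algorithm hmac-md5;\n    secret "%s";\n}\n' % (name, secret)


if __name__ == "__main__":
    pair = (parse_failover_peer(PRIMARY_CONF), parse_failover_peer(SECONDARY_CONF))
    print(check_failover_pair(*pair) or "failover stanzas agree")
    print(render_omapi_key())
```

Run it against the real files with the two dhcpd.conf contents read into PRIMARY_CONF and SECONDARY_CONF before the restart step; a non-empty problem list is worth fixing before testing failover by stopping the primary.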
On 27/01/16 13:24, Sam wrote:
> Thanks Rowland and Louis! :)
>
> Ok I'm going to test the failover mode! ;)
> Do I need to set the same value for NSRVS in dhcp-dyndns.sh? (the
> first AD server, "S4" for me)
> Or can I keep
> NSRVS=S4.ariane.intra on server S4 and
> NSRVS=S4bis.ariane.intra on server S4bis?
>
> It seems more secure to me if the first server switches off...
>
> Sam
>

I actually use '127.0.0.1' on both DCs

Rowland
Hi,

Ok it's better like this! :-)
The dhcp failover mode works well and 2 Windows 7 client PCs are handled correctly. They can get an IP and addresses are created/deleted in the DNS successfully.

but...

I'm trying to remove my 2 old Windows 2000 AD servers from the production LAN and put my 2 new Samba4 ones instead. The dhcp servers work fine but not really the DDNS.

We have this kind of error for network printers (they are in DHCP mode):

Jan 29 16:19:37 S4 dhcpd: DHCPOFFER on 172.20.4.132 to 00:17:c8:23:6c:65 (I-LP-10) via eth0
Jan 29 16:19:37 S4 dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns-debian.sh
Jan 29 16:19:37 S4 dhcpd: execute_statement argv[1] = add
Jan 29 16:19:37 S4 dhcpd: execute_statement argv[2] = 172.20.4.132
Jan 29 16:19:37 S4 dhcpd: execute_statement argv[3] = I-LP-10
Jan 29 16:19:37 S4 dhcpd: execute_statement argv[4] = 0:17:c8:23:6c:65
Jan 29 16:19:37 S4 dhcpd: DHCPREQUEST for 172.20.4.132 (172.20.2.2) from 00:17:c8:23:6c:65 (I-LP-10) via eth0
Jan 29 16:19:37 S4 dhcpd: DHCPACK on 172.20.4.132 to 00:17:c8:23:6c:65 (I-LP-10) via eth0
Jan 29 16:19:37 S4 dhcpd: DDNS: adding records for 172.20.4.132 (I-LP-10.ariane.intra) FAILED: nsupdate status 2

Jan 29 16:07:37 S4bis dhcpd: DHCPOFFER on 172.21.34.2 to 00:17:c8:23:ab:0b (I-MDT-30) via 172.21.34.1
Jan 29 16:07:37 S4bis dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns-debian.sh
Jan 29 16:07:37 S4bis dhcpd: execute_statement argv[1] = add
Jan 29 16:07:37 S4bis dhcpd: execute_statement argv[2] = 172.21.34.2
Jan 29 16:07:37 S4bis dhcpd: execute_statement argv[3] = I-MDT-30
Jan 29 16:07:37 S4bis dhcpd: execute_statement argv[4] = 0:17:c8:23:ab:b
Jan 29 16:07:37 S4bis dhcpd: DHCPREQUEST for 172.21.34.2 (172.20.2.3) from 00:17:c8:23:ab:0b (I-MDT-30) via 172.21.34.1
Jan 29 16:07:37 S4bis dhcpd: DHCPACK on 172.21.34.2 to 00:17:c8:23:ab:0b (I-MDT-30) via 172.21.34.1
Jan 29 16:07:37 S4bis dhcpd: DDNS: adding records for 172.21.34.2 (I-MDT-30.ariane.intra) FAILED: nsupdate status 1

and we have this for the client computers:

Jan 29 16:10:26 S4bis dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns-debian.sh
Jan 29 16:10:26 S4bis dhcpd: execute_statement argv[1] = add
Jan 29 16:10:26 S4bis dhcpd: execute_statement argv[2] = 172.21.33.113
Jan 29 16:10:26 S4bis dhcpd: execute_statement argv[3] = HP-CZC2097TDR
Jan 29 16:10:26 S4bis dhcpd: execute_statement argv[4] = 9c:8e:99:d2:ec:fd
Jan 29 16:10:26 S4bis dhcpd: DHCPREQUEST for 172.21.33.113 from 9c:8e:99:d2:ec:fd via 172.21.33.1
Jan 29 16:10:26 S4bis dhcpd: DHCPACK on 172.21.33.113 to 9c:8e:99:d2:ec:fd (HP-CZC2097TDR) via 172.21.33.1
Jan 29 16:10:26 S4bis dhcpd: DDNS: adding records for 172.21.33.113 (HP-CZC2097TDR.ariane.intra) FAILED: nsupdate status 1

Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns-debian.sh
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[1] = add
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[2] = 172.21.50.17
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[3] = HP-CZC1279CMV
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[4] = 98:4b:e1:7d:86:5e
Jan 29 16:12:36 S4bis named[2330]: samba_dlz b9_format: unhandled record type 0
Jan 29 16:12:36 S4bis dhcpd: DDNS: adding records for 172.21.50.17 (HP-CZC1279CMV.ariane.intra) FAILED: nsupdate status 1
Jan 29 16:12:36 S4bis dhcpd: DHCPREQUEST for 172.21.50.17 from 98:4b:e1:7d:86:5e via 172.21.50.1
Jan 29 16:12:36 S4bis dhcpd: DHCPACK on 172.21.50.17 to 98:4b:e1:7d:86:5e (HP-CZC1279CMV) via 172.21.50.1
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns-debian.sh
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[1] = add
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[2] = 172.21.50.17
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[3] = HP-CZC1279CMV
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[4] = 98:4b:e1:7d:86:5e
Jan 29 16:12:36 S4bis dhcpd: DHCPREQUEST for 172.21.50.17 from 98:4b:e1:7d:86:5e (HP-CZC1279CMV) via 172.21.50.1
Jan 29 16:12:36 S4bis dhcpd: DHCPACK on 172.21.50.17 to 98:4b:e1:7d:86:5e (HP-CZC1279CMV) via 172.21.50.1
Jan 29 16:12:36 S4bis named[2330]: samba_dlz b9_format: unhandled record type 0
Jan 29 16:12:36 S4bis dhcpd: DDNS: adding records for 172.21.50.17 (HP-CZC1279CMV.ariane.intra) FAILED: nsupdate status 1

Is it due to a lease-time timing?
Also, I wonder if I have to switch "wins support" to off in smb.conf?

Regards
Sam

On 27/01/2016 14:36, Rowland penny wrote:
> On 27/01/16 13:24, Sam wrote:
>> Thanks Rowland and Louis! :)
>>
>> Ok I'm going to test the failover mode! ;)
>> Do I need to set the same value for NSRVS in dhcp-dyndns.sh? (the
>> first AD server, "S4" for me)
>> Or can I keep
>> NSRVS=S4.ariane.intra on server S4 and
>> NSRVS=S4bis.ariane.intra on server S4bis?
>>
>> It seems more secure to me if the first server switches off...
>>
>> Sam
>>
>
> I actually use '127.0.0.1' on both DCs
>
> Rowland
>
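Two things stand out in the log excerpt above and are easy to miss when reading it by hand: the MAC handed to the script in argv[4] is not zero-padded ("0:17:c8:23:ab:b" for the printer the DHCPACK line shows as 00:17:c8:23:ab:0b), and the name in argv[3] is whatever the client sent in its host-name option, which the on commit hook in Rowland's guide passes straight through to the script. The Python below is an added example, not part of the thread and not from Louis's or Rowland's scripts: it rebuilds each execute() call from the execute_statement lines, normalises the MAC, checks the client-supplied name against RFC 1123 before it would ever reach nsupdate, and pairs each "DDNS: adding records ... FAILED" line with any samba_dlz message named logged in the same second on the same host. The sample log is a trimmed copy of the lines Sam posted (the asterisks the mail client added around FAILED removed); the argument order (action, IP, name, MAC) is the one these lines show for Louis's variant, which differs from the (action, IP, DHCID, name) order in Rowland's on commit block. Function names are mine.

```python
"""Triage dhcpd/named syslog lines for failed dynamic DNS updates."""
import re
from collections import defaultdict

# Constructed sample: trimmed from the log lines posted in the thread above.
SAMPLE_LOG = """\
Jan 29 16:19:37 S4 dhcpd: DHCPOFFER on 172.20.4.132 to 00:17:c8:23:6c:65 (I-LP-10) via eth0
Jan 29 16:19:37 S4 dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns-debian.sh
Jan 29 16:19:37 S4 dhcpd: execute_statement argv[1] = add
Jan 29 16:19:37 S4 dhcpd: execute_statement argv[2] = 172.20.4.132
Jan 29 16:19:37 S4 dhcpd: execute_statement argv[3] = I-LP-10
Jan 29 16:19:37 S4 dhcpd: execute_statement argv[4] = 0:17:c8:23:6c:65
Jan 29 16:19:37 S4 dhcpd: DHCPACK on 172.20.4.132 to 00:17:c8:23:6c:65 (I-LP-10) via eth0
Jan 29 16:19:37 S4 dhcpd: DDNS: adding records for 172.20.4.132 (I-LP-10.ariane.intra) FAILED: nsupdate status 2
Jan 29 16:07:37 S4bis dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns-debian.sh
Jan 29 16:07:37 S4bis dhcpd: execute_statement argv[1] = add
Jan 29 16:07:37 S4bis dhcpd: execute_statement argv[2] = 172.21.34.2
Jan 29 16:07:37 S4bis dhcpd: execute_statement argv[3] = I-MDT-30
Jan 29 16:07:37 S4bis dhcpd: execute_statement argv[4] = 0:17:c8:23:ab:b
Jan 29 16:07:37 S4bis dhcpd: DDNS: adding records for 172.21.34.2 (I-MDT-30.ariane.intra) FAILED: nsupdate status 1
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns-debian.sh
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[1] = add
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[2] = 172.21.50.17
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[3] = HP-CZC1279CMV
Jan 29 16:12:36 S4bis dhcpd: execute_statement argv[4] = 98:4b:e1:7d:86:5e
Jan 29 16:12:36 S4bis named[2330]: samba_dlz b9_format: unhandled record type 0
Jan 29 16:12:36 S4bis dhcpd: DDNS: adding records for 172.21.50.17 (HP-CZC1279CMV.ariane.intra) FAILED: nsupdate status 1
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
ARGV = re.compile(TS + r"dhcpd: execute_statement argv\[(?P<i>\d+)\] = (?P<val>.*)$")
DDNS_FAIL = re.compile(TS + r"dhcpd: DDNS: adding records for (?P<ip>\S+) "
                       r"\((?P<fqdn>[^)]+)\) FAILED: nsupdate status (?P<status>\d+)")
NAMED_DLZ = re.compile(TS + r"named\[\d+\]: samba_dlz (?P<msg>.*)$")
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name):
    """RFC 1123 check. The name comes from the client's DHCP host-name option,
    so treat it as untrusted input before handing it to nsupdate."""
    return 0 < len(name) <= 253 and all(LABEL.match(lab) for lab in name.split("."))


def normalize_mac(mac):
    """binary-to-ascii(16, 8, ":", hardware) does not zero-pad octets
    ('0:17:c8:23:ab:b' in the log); return the conventional aa:bb:cc form."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError("unexpected MAC %r" % mac)
    return ":".join("%02x" % int(o, 16) for o in octets)


def collect_script_calls(log_text):
    """Rebuild each logged execute() call (argv[0..4]) per server.
    Argument order is the one seen in these lines: action, IP, name, MAC."""
    calls, current = [], {}
    for line in log_text.splitlines():
        m = ARGV.match(line)
        if not m:
            continue
        argv = current.setdefault(m["host"], [])
        if int(m["i"]) == 0:
            argv[:] = []                      # a new call starts at argv[0]
        argv.append(m["val"])
        if len(argv) == 5:
            calls.append({"server": m["host"], "action": argv[1], "ip": argv[2],
                          "name": argv[3], "mac": normalize_mac(argv[4]),
                          "name_ok": valid_hostname(argv[3])})
    return calls


def summarize_ddns_failures(log_text):
    """Map (server, ip) -> fqdn, nsupdate exit statuses, and the samba_dlz
    messages named logged on that server in the same second."""
    lines = log_text.splitlines()
    named = defaultdict(list)
    for line in lines:
        m = NAMED_DLZ.match(line)
        if m:
            named[(m["host"], m["ts"])].append(m["msg"])
    failures = {}
    for line in lines:
        m = DDNS_FAIL.match(line)
        if not m:
            continue
        entry = failures.setdefault((m["host"], m["ip"]),
                                    {"fqdn": m["fqdn"], "statuses": [], "named": []})
        entry["statuses"].append(int(m["status"]))
        entry["named"].extend(named.get((m["host"], m["ts"]), []))
    return failures


if __name__ == "__main__":
    for call in collect_script_calls(SAMPLE_LOG):
        print(call)
    for (server, ip), info in summarize_ddns_failures(SAMPLE_LOG).items():
        print(server, ip, info)
```

Feed it the real syslog from both DCs (journalctl -u isc-dhcp-server and the named log together) to see at a glance which updates fail with which nsupdate status, and whether named complained at the same moment; the per-call name_ok flag separates hosts that fail because of a malformed client name from hosts that fail for server-side reasons.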