Ole Traupe
2016-Apr-22 19:43 UTC
[Samba] Moving the 1st DC (FSMO) to another site - howto?
Hi Mathias, lingpanda101, thank you for the quick reply! Comments inline.

On 22.04.2016 15:14, mathias dufresne wrote:
> Hi Ole,
>
> A - If I read correctly you have only one DC and you want to move from
> one network to another.
>
> To achieve that change you will have to change all A/AAAA records in
> both your AD zones (root zone and _msdcs zone).
> Once that is done you will have to change the resolver configuration on
> your clients so they can send DNS requests to the new IP.
>
> Can't see anything else. Nothing about AD sites: AD sites are linked to
> client networks and client networks do not change, only the DC network
> is changing.
>
> B - If I don't read correctly, you have several DCs. Move one DC to the
> new network, change A and AAAA records related to that DC to reflect
> the network change.
> If you move one DC not used by clients as DNS server, no change on
> client side.

I have two DCs. The one with the FSMO roles is on the physical server to
move. Unfortunately I don't have another host for this VM staying at the
old place.

Also, I will have a few clients at the new place soon, so I think a second
site is the way to go? Sorry, I mentioned this only implicitly in "moving
our lab". Is it possible to just transfer an existing DC to another site?
By manually recreating all the records?

The moving DC will definitely be used as first DNS server, as the second
DC is on very old, potentially unreliable hardware. But changing the DNS
server config on the clients is no big deal.

In response to the message from lingpanda101:

I was not talking about transferring the FSMO roles. Sorry if I had been
unclear about that.

In theory, I will have access to both networks from both places. In
practice, the firewall settings initially are very restrictive. So I try
not to forget anything in preparation. I have thought of...
- all the ports Samba regularly uses (including DNS requests)
- rsync ports for sysvol replication
- ...

I would be very happy about the steps to create a new site and to
transfer the DC and some client records to it!

Probably I will see to the file server integration first, while using the
2nd DC as fallback for DNS and logon. Once that works I'll deal with
bringing the 1st DC back into the game.

> C - You are lazy and you have enough physical computers to play with.

Yes and no. ;)

> Just create a new DC on the new site, join it to the domain.
> If then you want to remove the old DC you will have to seize (or
> transfer if it works) the FSMO roles and change the DNS configuration
> on the client side, but as that's a new DC you don't have to modify
> A/AAAA records.
>
> IMPORTANT NOTE: with internal DNS you have only one SOA. SOA is where
> DNS updates go. If you remove the old SOA you must change the SOA record
> to assign it to a working DC. Without that no change in your DNS zones
> will be possible for later use (DC moving from site to site is the
> main point; auto-updates pushed by DHCP or clients won't work either).

I followed the recent/ongoing discussion on that. With "DNS updates" you
mean the clients automatically updating their records, right? Because I
am pretty sure that with internal DNS I can make changes to the DNS
structure with RSAT on the 2nd DC and they get replicated to the 1st DC
(SOA). Maybe the only issue with internal DNS is that the 2nd, 3rd etc.
DC won't advertise themselves as SOA, and so automatic updates fail when
the 1st DC is offline.

> 2016-04-22 13:44 GMT+02:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
> Hi List,
>
> I'll probably have to move my FSMO role owner to another site. Like at
> the end of next week (depends on tight transportation schedules). So
> there is no actual time for testing anything, I am afraid.
>
> We are in the process of moving our lab, with our offices staying in
> the old building for now (different class C subnets). The physical
> machine is basically a file server (hosting DC1 as a VM) which is
> particularly needed at the new site. Plus: Summer is coming and the new
> site has cooling. Unfortunately, our university techsup can't span a
> VLAN to merge these two sites. So I am trying to figure out how to do
> it. In earlier discussions on DC failover strategies it was suggested
> that I have my DCs on different sites (with different subnets), so I
> figure it is possible in general.
>
> The necessary steps likely include:
> - modifying my current DNS config: create another site, move DC1 over,
>   also the file server (AD member)
> - update all the clients' 1st DNS server entries to reflect the new IP
>   of DC1 (and network share mappings)
> - set some firewall rules allowing for logon and SMB communication etc.
>
> Samba is version 4.2.5 with internal DNS.
>
> Any advice, instructions, heads-up, warnings are very welcome!
>
> Best regards,
> Ole
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
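Mathias's point A (only A/AAAA records change, and they live in both the root zone and the _msdcs zone) and his note on the single SOA are easy to get wrong under time pressure, so here is an added pre-move audit, not code from the thread or from the Samba project. It runs over a constructed, simplified BIND-style dump of the two zones; the domain name, hosts, GUID and addresses are assumptions, and it also covers the file server that moves together with DC1.

```python
"""Pre-move DNS audit for a Samba AD DC that changes subnet (added example)."""
from collections import namedtuple

Record = namedtuple("Record", "zone name rtype value")
Change = namedtuple("Change", "zone name rtype old new")

# Constructed sample dump, 'name type value' per line. Addresses are RFC 5737
# documentation ranges standing in for the thread's two class C subnets;
# host names and the GUID are made up.
DOMAIN = "example.lab."
CONSTRUCTED_DUMP = """\
example.lab.             SOA   dc1.example.lab. hostmaster.example.lab.
example.lab.             A     192.0.2.10
example.lab.             A     192.0.2.11
dc1.example.lab.         A     192.0.2.10
dc2.example.lab.         A     192.0.2.11
files.example.lab.       A     192.0.2.20
_ldap._tcp.example.lab.  SRV   0 100 389 dc1.example.lab.
_ldap._tcp.example.lab.  SRV   0 100 389 dc2.example.lab.
_msdcs.example.lab.      SOA   dc1.example.lab. hostmaster.example.lab.
gc._msdcs.example.lab.   A     192.0.2.10
11111111-2222-3333-4444-555555555555._msdcs.example.lab. CNAME dc1.example.lab.
"""


def parse_dump(text, domain=DOMAIN):
    """Parse 'name type value...' lines and tag each record with its AD zone:
    everything at or below _msdcs.<domain> belongs to the _msdcs zone."""
    msdcs = "_msdcs." + domain
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue
        name, rtype, value = parts[0], parts[1], " ".join(parts[2:])
        zone = msdcs if name == msdcs or name.endswith("." + msdcs) else domain
        records.append(Record(zone, name, rtype, value))
    return records


def address_changes(records, moves):
    """A/AAAA records in either zone whose address is a key of `moves`
    (old IP -> new IP); the domain apex and gc._msdcs entries count too."""
    return [Change(r.zone, r.name, r.rtype, r.value, moves[r.value])
            for r in records if r.rtype in ("A", "AAAA") and r.value in moves]


def hostname_references(records, host):
    """SRV/CNAME/NS records naming `host`: they carry no IP address, so a
    subnet change leaves them untouched."""
    return [r for r in records
            if r.rtype in ("SRV", "CNAME", "NS") and r.value.split()[-1] == host]


def soa_at_risk(records, offline_dc):
    """Zones whose SOA MNAME is the DC that goes offline during the move:
    dynamic updates to them fail until it is back or the SOA is reassigned."""
    return sorted(r.zone for r in records
                  if r.rtype == "SOA" and r.value.split()[0] == offline_dc)


if __name__ == "__main__":
    recs = parse_dump(CONSTRUCTED_DUMP)
    # DC1 and the file server move; DC2 stays on the old subnet.
    moves = {"192.0.2.10": "198.51.100.10", "192.0.2.20": "198.51.100.20"}
    for c in address_changes(recs, moves):
        print("update %-24s %-5s %s -> %s [%s]" % (c.name, c.rtype, c.old, c.new, c.zone))
    for r in hostname_references(recs, "dc1.example.lab."):
        print("keep   %-24s %-5s %s" % (r.name, r.rtype, r.value))
    print("SOA held by dc1 in:", soa_at_risk(recs, "dc1.example.lab."))
```

Feed it a real dump in the same three-column shape and the "update" list is the set of records to edit in both zones, while a non-empty SOA list means dynamic updates will be unavailable for as long as DC1 is in transit.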
lingpanda101 at gmail.com
2016-Apr-25 12:27 UTC
[Samba] Moving the 1st DC (FSMO) to another site - howto?
On 4/22/2016 3:43 PM, Ole Traupe wrote:
> [...]
> I would be very happy about the steps to create a new site and to
> transfer the DC and some client records to it!
> [...]

Ole,

Will you be using Microsoft RSAT to create the sites? If so, do follow
this guide:

http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx

Will you be changing the IP of the domain controller? If so, follow this
guide:

https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC

If using DHCP, give your clients the DNS IP of your new site DC.

That should be it.

--
-James
Ole Traupe
2016-Apr-29 14:37 UTC
[Samba] Moving the 1st DC (FSMO) to another site - howto?
On 25.04.2016 14:27, lingpanda101 at gmail.com wrote:
> [...]
> Ole,

James, sorry for the late response, I was away a few days. Thank you for
the links you provided!

> Will you be using Microsoft RSAT to create the sites? If so, do follow
> this guide:

Yes.

> http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx
>
> Will you be changing the IP of the domain controller? If so, follow
> this guide:
>
> https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC

Yes.

> If using DHCP, give your clients the DNS IP of your new site DC.

No. Fixed settings currently.

> That should be it.

Great, thanks a lot! I'll let you know how it goes.

Ole
Ole Traupe
2016-Jun-23 15:21 UTC
[Samba] Moving the 1st DC (FSMO) to another site - howto?
James, it took me a while, but now I am doing this. I created the new
site with RSAT (I want to move my 1st DC over), but this new site isn't
showing in the DNS console. Do I have to create the new site there as
well?

Ole

On 25.04.2016 14:27, lingpanda101 at gmail.com wrote:
> [...]
> Will you be using Microsoft RSAT to create the sites? If so, do follow
> this guide:
>
> http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx
> [...]