My first Active Directory setup had two DCs and shortly after getting things going the second DC created a hardware failure issue and I just continued life with one DC.

Now, while upgrading, I am returning to two DCs.

In a normal Bind9 "master and slave" setup the master always "feeds" the slave.

With a Bind9_DLZ setup (recommended to be used with Samba4) there is no "master and slave" setup. This "master and slave" configuration is NOT recommended for use in our (Samba4) situations and/or a Bind9_DLZ configuration.

How does Bind9_DLZ "keep up" with each other (in a two AD DC environment) when one of the DCs goes "off line"? The second DC continues to maintain the connections. When the first DC returns, how does it "catch up", so to speak?

Probably been asked many, many times but I am finding conflicting info.

A brief explanation would be appreciated?

-- 
_______________________________
Bob Wooden of Donelson Trophy
On Fri, 21 Oct 2016 13:26:28 -0500
Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:

> My first Active Directory setup had two DC's and shortly after getting
> things going the second DC created a hardware failure issue and I just
> continued life with one DC.
>
> Now, while upgrading I am returning to two DC's.
>
> In a normal Bind9 "master and slave" setup the master always "feeds"
> the slave.
>
> With Bind9_DLZ setup (recommended to be used with Samba4) there is no
> "master and slave" setup. This "master and slave" configuration is NOT
> recommended for use in our (Samba4) situations and/or a Bind9_DLZ
> configuration.
>
> How does Bind9_DLZ "keep up" with each other (in a two AD DC
> environment) when one of the DC's go "off line"? The second DC
> continues to maintain the connections. When the first DC returns, how
> does it "catch up" so to speak?
>
> Probably been asked many, many times but I am finding conflicting
> info.
>
> A brief explanation would be appreciated?
>

Hi Bob, Bind9_DLZ doesn't 'keep up' with each other, AD does ;-)

All the dns records are stored in AD and the dns doesn't work in 'master and slave', it works in 'Multi-master'.

Try reading these:

https://technet.microsoft.com/en-gb/library/cc959306.aspx

https://technet.microsoft.com/en-gb/library/cc759550%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Rowland
On 21/10/16 19:26, Bob of Donelson Trophy via samba wrote:
> My first Active Directory setup had two DC's and shortly after getting
> things going the second DC created a hardware failure issue and I just
> continued life with one DC.
>
> Now, while upgrading I am returning to two DC's.
>
> In a normal Bind9 "master and slave" setup the master always "feeds" the
> slave.
>
> With Bind9_DLZ setup (recommended to be used with Samba4) there is no
> "master and slave" setup. This "master and slave" configuration is NOT
> recommended for use in our (Samba4) situations and/or a Bind9_DLZ
> configuration.
>
> How does Bind9_DLZ "keep up" with each other (in a two AD DC
> environment) when one of the DC's go "off line"? The second DC continues
> to maintain the connections. When the first DC returns, how does it
> "catch up" so to speak?
>
> Probably been asked many, many times but I am finding conflicting info.
>
> A brief explanation would be appreciated?

In DLZ Bind loads helper libraries that cause domain records to be obtained from the AD databases maintained by Samba. If your Samba replication is working OK then your domain and forest DNS records should be replicated too.

I'm not sure about timeouts for Samba AD DCs but in theory replication should just carry on when your old DC comes back.

Maybe add this to the Wiki page about DLZ to make it clear that no bind-based master/slave is required?

If your first DC failed hard did you make sure it was removed with "samba-tool domain demote --remove-other-dead-server=<olddcname>"?

Cheers

Alex

-- 
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice. "Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
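Alex's point above is that with BIND9_DLZ the zone data lives in the DomainDnsZones and ForestDnsZones application partitions and reaches the second DC through ordinary DRS replication, so the thing to check after a DC outage is the replication state of those partitions rather than anything in BIND. The following is an added example, not code from this thread or from the Samba project: it parses the text layout that `samba-tool drs showrepl` prints and flags DNS partitions whose inbound replication from a partner is failing. The sample output, DC names, GUIDs and timestamps are constructed; the function that runs the real command is only a convenience for use on an actual DC.

```python
"""Check Samba AD DRS replication health, with attention to the DNS partitions.

Added example; not part of the mailing-list thread or of Samba itself.
It parses the text that `samba-tool drs showrepl` prints and reports, per
naming context, whether the last inbound replication from each partner
succeeded.  The sample below is constructed from the known output layout.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample in the layout `samba-tool drs showrepl` uses; the DC
# names, GUIDs and timestamps are made up.  DomainDnsZones is deliberately
# shown failing while the domain NC replicates fine.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\DC1
DSA Options: 0x00000001
DSA object GUID: 11111111-2222-3333-4444-555555555555
DSA invocationId: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ====

DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Fri Oct 21 13:26:28 2016 CDT was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Fri Oct 21 13:26:28 2016 CDT

DC=DomainDnsZones,DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Fri Oct 21 13:26:28 2016 CDT failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
\t\t7 consecutive failure(s).
\t\tLast success @ Wed Oct 19 08:00:00 2016 CDT

DC=ForestDnsZones,DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Fri Oct 21 13:26:28 2016 CDT was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Fri Oct 21 13:26:28 2016 CDT

==== OUTBOUND NEIGHBORS ====
...
"""

NC_RE = re.compile(r"^(?:DC|CN)=")                      # naming-context header line
PARTNER_RE = re.compile(r"^\t(\S+) via (\w+)$")           # "\tSITE\DC via RPC"
FAIL_RE = re.compile(r"^\t\t(\d+) consecutive failure\(s\)\.")
DNS_PARTITIONS = ("DC=DomainDnsZones,", "DC=ForestDnsZones,")


def parse_inbound(text):
    """Return {naming_context: [(partner, consecutive_failures), ...]}
    taken from the INBOUND NEIGHBORS section of showrepl output."""
    inbound = defaultdict(list)
    section = None
    nc = partner = None
    for line in text.splitlines():
        if line.startswith("===="):
            section = line.strip("= ").strip()
            nc = partner = None
            continue
        if section != "INBOUND NEIGHBORS":
            continue
        if NC_RE.match(line):
            nc = line.strip()
            continue
        m = PARTNER_RE.match(line)
        if m and nc:
            partner = m.group(1)
            continue
        m = FAIL_RE.match(line)
        if m and nc and partner:
            inbound[nc].append((partner, int(m.group(1))))
    return dict(inbound)


def dns_replication_problems(text, max_failures=0):
    """Return (naming_context, partner, failures) for DNS partitions whose
    inbound replication has more than max_failures consecutive failures.
    A failing DomainDnsZones/ForestDnsZones partition means the two DCs'
    BIND9_DLZ views of the zone are diverging even if the domain NC is fine."""
    problems = []
    for nc, partners in parse_inbound(text).items():
        if not nc.startswith(DNS_PARTITIONS):
            continue
        for partner, failures in partners:
            if failures > max_failures:
                problems.append((nc, partner, failures))
    return problems


def showrepl_from_host():
    """Run the real command on a DC (needs samba-tool; not used offline)."""
    return subprocess.run(["samba-tool", "drs", "showrepl"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for nc, partner, failures in dns_replication_problems(SAMPLE_SHOWREPL):
        print(f"{nc}: {failures} consecutive failures replicating from {partner}")
```

On a live DC, replace `SAMPLE_SHOWREPL` with `showrepl_from_host()`; a non-empty result for either DNS partition after the old DC comes back is the signal to investigate replication (or to run the dead-server demotion Alex mentions) before trusting that BIND on both DCs serves the same records.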
On 2016-10-21 13:40, Rowland Penny via samba wrote:
> On Fri, 21 Oct 2016 13:26:28 -0500
> Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:
>
>> My first Active Directory setup had two DC's and shortly after getting
>> things going the second DC created a hardware failure issue and I just
>> continued life with one DC.
>>
>> Now, while upgrading I am returning to two DC's.
>>
>> In a normal Bind9 "master and slave" setup the master always "feeds"
>> the slave.
>>
>> With Bind9_DLZ setup (recommended to be used with Samba4) there is no
>> "master and slave" setup. This "master and slave" configuration is NOT
>> recommended for use in our (Samba4) situations and/or a Bind9_DLZ
>> configuration.
>>
>> How does Bind9_DLZ "keep up" with each other (in a two AD DC
>> environment) when one of the DC's go "off line"? The second DC
>> continues to maintain the connections. When the first DC returns, how
>> does it "catch up" so to speak?
>>
>> Probably been asked many, many times but I am finding conflicting
>> info.
>>
>> A brief explanation would be appreciated?
>
> Hi Bob, Bind9_DLZ doesn't 'keep up' with each other, AD does ;-)
>
> All the dns records are stored in AD and the dns doesn't work in 'master
> and slave', it works in 'Multi-master'.
>
> Try reading these:
>
> https://technet.microsoft.com/en-gb/library/cc959306.aspx
>
> https://technet.microsoft.com/en-gb/library/cc759550%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
>
> Rowland

Thanks Rowland.

-- 
_______________________________
Bob Wooden of Donelson Trophy
On 2016-10-21 13:50, Alex Crow via samba wrote:
> On 21/10/16 19:26, Bob of Donelson Trophy via samba wrote:
>
>> My first Active Directory setup had two DC's and shortly after getting
>> things going the second DC created a hardware failure issue and I just
>> continued life with one DC.
>>
>> Now, while upgrading I am returning to two DC's.
>>
>> In a normal Bind9 "master and slave" setup the master always "feeds" the
>> slave.
>>
>> With Bind9_DLZ setup (recommended to be used with Samba4) there is no
>> "master and slave" setup. This "master and slave" configuration is NOT
>> recommended for use in our (Samba4) situations and/or a Bind9_DLZ
>> configuration.
>>
>> How does Bind9_DLZ "keep up" with each other (in a two AD DC
>> environment) when one of the DC's go "off line"? The second DC continues
>> to maintain the connections. When the first DC returns, how does it
>> "catch up" so to speak?
>>
>> Probably been asked many, many times but I am finding conflicting info.
>>
>> A brief explanation would be appreciated?
>
> In DLZ Bind loads helper libraries that cause domain records to be
> obtained from the AD databases maintained by Samba. If your Samba
> replication is working OK then your domain and forest DNS records should
> be replicated too.
>
> I'm not sure about timeouts for Samba AD DCs but in theory replication
> should just carry on when your old DC comes back,
>
> Maybe add this to the Wiki page about DLZ to make it clear that no
> bind-based master/slave is required?
>
> If your first DC failed hard did you make sure it was removed with
> "samba-tool domain demote --remove-other-dead-server=<olddcname>?
>
> Cheers
>
> Alex

Thanks for your reply.

The DC failure I was referencing actually happened two years ago. I just continued with one DC for the time being. I do not remember what all I did, back then, to clear out the dead DC2 but, with all the recent documentation updates on the wiki, I have been enjoying reading and in some cases re-reading the wiki info.

To answer your suggestion, I have already had the pleasure of "demoting" a dead DC and it went just like the wiki said it would.

The documentation is very good and getting better all the time!!

Thanks everybody!

-- 
_______________________________
Bob Wooden of Donelson Trophy
On 21/10/16 20:02, Means, Jeffrey D. wrote:
>
> Just out of curiosity last night I was messing around with my samba
> setup and added a second DC to my domain while the first DC was
> running bind_dlz the second was running samba_internal and for some
> reason I started seeing keytab failures and lots of issues where DNS
> updates were not replicating between the two DC's. Any ideas?
>

You should just be able to run the procedure documented on the wiki to change backends, and make sure on the new DC the internal DNS is disabled. Restart services and make sure replication is enabled. You may have to run a samba_dnsupdate on the new DC after this.

Alex
On 21/10/16 20:11, Means, Jeffrey D. wrote:
>
> I guess my real question is do I have to have all my DC's running
> either samba_internal or bind_dlz... ie do they have to all run the
> same DNS server software...
>

Simple answer - Yes, all your DCs need to run the same DNS implementation. Mixing is not supported. You can convert your DCs at any time but it's probably better to decide before deployment.

Cheers

Alex
On Fri, 21 Oct 2016 20:29:43 +0100
Alex Crow via samba <samba at lists.samba.org> wrote:

>
>
> On 21/10/16 20:11, Means, Jeffrey D. wrote:
> >
> > I guess my real question is do I have to have all my DC's running
> > either samba_internal or bind_dlz... ie do they have to all run the
> > same DNS server software...
> >
>
> Simple answer - Yes, all your DCs need to run the same DNS
> implementation. Mixing is not supported. You can convert your DCs at
> any time but it's probably better to decide before deployment.
>
> Cheers
>
> Alex

Alex, I am a bit perplexed here, you seem to be replying to posts that have never been posted to the list and whilst they are sort of relevant to the subject, they should have been in their own separate subject.

Rowland