Hi Rowland,

Thank you.

Yes to the first point.

We are using Bind9 but to continue using it is not necessarily set in stone. If using Samba Internal DNS makes more sense then we can do that too. The question is do we need to do dns-upgrade and use Internal DNS, pre-migration? Then use internal dns during the classic migration?

Also, I assume the bind9 service will have to be stopped if in fact we use the Internal DNS?

The DHCP is to stay with Samba server for now. Later on we can decide on moving it to the Windows server.

Hope I've clearly explained the situation.

Regards,
Praveen Ghimire

-------- Original message --------
From: Rowland Penny via samba <samba at lists.samba.org>
Date: 6/02/2018 8:38 PM (GMT+10:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Samba Migration and AD integration

On Tue, 6 Feb 2018 03:05:18 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We migrated from Samba 3 to 4 (4.6.7-Ubuntu) and added and promoted a Server 2008R2 as a Domain Controller. We've come across the following issues and request some suggestions to resolve them:
>
> - The migration didn't generate DNS entries for the new realm. We had to manually create a new zone file (/var/cache/bind) for the new realm. Only then were we able to promote the Server 2008 R2 as the DC. Is this an expected outcome post migration?
>
> - Similarly, the dhcpd.conf file exhibited the same outcome as above.
>
> - When we added a new machine to the domain, it didn't update the DNS record in the Samba box. The machine joins the domain but there is no DNS record for it.
>
> - We added the DNS role in the Server 2008 R2 DC; what we found was that any record created in Bind9 gets replicated to the Windows server but not vice versa.
>
> The AD user bit seems to sync ok between the servers.

Let's see if I understand correctly what you have done:

You had a Samba NT4-style domain and you have classic upgraded this to a Samba AD domain.

You were running Bind9 on the NT4-style PDC and you want to continue running it.

You were also running a DHCP server on the NT4-style PDC and you want to continue running it.

Is all this correct? If not, please describe your setup better.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com
______________________________________________________________________
On Tue, 6 Feb 2018 11:01:52 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> Thank you.
>
> Yes to the first point.
>
> We are using Bind9 but to continue using it is not necessarily set in stone.

If you are going to have more than one AD DC, then using Bind9 makes sense.

> If using Samba Internal DNS makes more sense then we can do that too.

It is not really a case of 'more sense', it is just a different way of doing things.

> The question is do we need to do dns-upgrade and use Internal DNS, pre-migration? Then use internal dns during the classic migration?

If you ran the classicupgrade with '--dns-backend=BIND9_DLZ' then Samba should have been set up to allow Bind9 to use the DNS info stored in AD. You will also need to remove any zones from the named.conf files that are also in AD. You will find info on how to set up Bind9 for Samba AD here:

https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server

> Also, I assume the bind9 service will have to be stopped if in fact we use the Internal DNS?

If you do decide to use the Samba internal DNS server, then yes, you will need to stop Bind9. You will also need to remove the 'server services' line from smb.conf on the DC and add a 'dns forwarder' line.

> The DHCP is to stay with Samba server for now.

Then you probably need to follow this:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

But you will need to get Bind9 working correctly first.

Rowland
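The two smb.conf changes Rowland names for a switch to the internal DNS server (drop the 'server services' line that was disabling it for the BIND9_DLZ backend, and add a 'dns forwarder') are easy to get half-done. The shell script below, an added example that is not from this thread or the Samba project, parses a DC's smb.conf without needing testparm and reports which of the two is still missing. The two sample configurations are constructed for the demonstration, modelled on the DC in this thread (server01, MYDOMAIN.INTERNAL); 192.0.2.53 is a placeholder for the site's upstream resolver, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): audit a Samba AD DC's
# smb.conf for the settings that matter when moving from BIND9_DLZ to SAMBA_INTERNAL.

# Print the [global] section only, with comments, blank lines and indentation removed.
# Usage: smb_global_section <smb.conf>
smb_global_section() {
    awk '
        /^[ \t]*[#;]/ { next }                                         # comment lines
        /^[ \t]*\[/  { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && NF { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Print the value of one [global] parameter; parameter names are matched case- and
# whitespace-insensitively, the way Samba itself treats them. Prints nothing if absent.
# Usage: smb_global_value <smb.conf> "<parameter name>"
smb_global_value() {
    smb_global_section "$1" | awk -F= -v key="$2" '
        {
            k = $1
            sub(/[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v
                exit
            }
        }'
}

# Report findings for the SAMBA_INTERNAL backend; returns 1 if anything needs fixing.
# Usage: audit_internal_dns <smb.conf>
audit_internal_dns() {
    conf=$1
    rc=0
    services=$(smb_global_value "$conf" "server services" | tr ',' ' ')
    case " $services " in
        *" -dns "*)
            echo "FIX: 'server services' still disables the internal DNS server ($services); remove the line"
            rc=1 ;;
        "  ") ;;                        # absent: Samba's default service list includes dns
        *" dns "*|*" +"*|*" -"*) ;;     # explicit list naming dns, or +/- edits that keep it
        *)
            echo "FIX: explicit 'server services' list omits dns ($services); remove the line"
            rc=1 ;;
    esac
    if [ -z "$(smb_global_value "$conf" "dns forwarder")" ]; then
        echo "FIX: no 'dns forwarder' set; lookups outside the AD zones have nowhere to go"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: [global] is consistent with the SAMBA_INTERNAL backend"
    return "$rc"
}

# Constructed sample configurations (not the thread's real files).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
BEFORE_CONF=$WORKDIR/smb.conf.bind9
AFTER_CONF=$WORKDIR/smb.conf.internal
cat > "$BEFORE_CONF" <<'EOF'
# Constructed sample: DC still configured for the BIND9_DLZ backend
[global]
        netbios name = server01
        realm = MYDOMAIN.INTERNAL
        workgroup = MYDOMAIN
        server role = active directory domain controller
        server services = -dns
        idmap_ldb:use rfc2307 = yes
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
EOF
cat > "$AFTER_CONF" <<'EOF'
# Constructed sample: the same DC after the switch to SAMBA_INTERNAL
[global]
        netbios name = server01
        realm = MYDOMAIN.INTERNAL
        workgroup = MYDOMAIN
        server role = active directory domain controller
        dns forwarder = 192.0.2.53
        idmap_ldb:use rfc2307 = yes
EOF

# Stand-alone run: the first sample fails both checks, the second passes.
echo "== $BEFORE_CONF"; audit_internal_dns "$BEFORE_CONF" || true
echo "== $AFTER_CONF";  audit_internal_dns "$AFTER_CONF"  || true
```

Point `audit_internal_dns` at /etc/samba/smb.conf on the DC after running samba_upgradedns; the 'server services' check also accepts the explicit-list form some older installs carry, as long as that list still names dns.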
Hi Rowland,

Following https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC, we ran some tests migrating from Bind9 to Samba Internal with the following results.

Stopped the BIND and Samba-AD-DC services.

samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
Reading records from zone file /var/lib/samba/private/dns/<REALMNAME>.zone
DNS partitions already exist
Finished upgrading DNS
You have switched to using SAMBA_INTERNAL as your dns backend, but you still have samba starting looking for a BIND backend. Please remove the -dns from your server services line.

Started the Samba-AD-DC service and left Bind9 stopped.

The .zone file had all the SOA records for the REALM. The issue (after the change from Bind9 to Samba and also from Samba Internal to Bind9): we get the following when trying to add a machine to the domain.

The error was: "This operation returned because the timeout period expired." (error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.<realmname>
The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
172.16.24.1
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

The SRV records are missing by the looks of it.

service --status-all
 [ - ] acpid
 [ + ] apparmor
 [ + ] apport
 [ + ] atd
 [ - ] bind9
 [ - ] console-setup.sh
 [ + ] cron
 [ - ] cryptdisks
 [ - ] cryptdisks-early
 [ + ] dbus
 [ + ] ebtables
 [ + ] grub-common
 [ - ] hwclock.sh
 [ - ] irqbalance
 [ + ] isc-dhcp-server
 [ + ] iscsid
 [ - ] keyboard-setup.sh
 [ + ] kmod
 [ - ] lvm2
 [ + ] lvm2-lvmetad
 [ + ] lvm2-lvmpolld
 [ + ] lxcfs
 [ - ] lxd
 [ - ] mdadm
 [ - ] mdadm-waitidle
 [ - ] nmbd
 [ - ] open-iscsi
 [ + ] open-vm-tools
 [ - ] plymouth
 [ - ] plymouth-log
 [ + ] procps
 [ - ] rsync
 [ + ] rsyslog
 [ + ] samba-ad-dc
 [ - ] screen-cleanup
 [ - ] smbd
 [ + ] ssh
 [ + ] udev
 [ + ] ufw
 [ + ] unattended-upgrades
 [ - ] uuidd
 [ - ] winbind

Also, does the Realm name need to be something like abcd.local instead of abcdef?

Regards,
Praveen Ghimire
On Wed, 7 Feb 2018 10:02:10 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> Following https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC, we ran some tests migrating from Bind9 to Samba Internal with the following results.
>
> Stopped the BIND and Samba-AD-DC services.
>
> samba_upgradedns --dns-backend=SAMBA_INTERNAL
> Reading domain information
> DNS accounts already exist
> Reading records from zone file /var/lib/samba/private/dns/<REALMNAME>.zone
> DNS partitions already exist
> Finished upgrading DNS
> You have switched to using SAMBA_INTERNAL as your dns backend, but you still have samba starting looking for a BIND backend. Please remove the -dns from your server services line.

Did you remove the 'server services' line?

> Started the Samba-AD-DC service and left Bind9 stopped.
>
> The .zone file had all the SOA records for the REALM. The issue (after the change from Bind9 to Samba and also from Samba Internal to Bind9): we get the following when trying to add a machine to the domain.
>
> The error was: "This operation returned because the timeout period expired." (error code 0x000005B4 ERROR_TIMEOUT)
> The query was for the SRV record for _ldap._tcp.dc._msdcs.<realmname>
> The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
> 172.16.24.1
> Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

Does the computer you are trying to join have an IP address in the 172.16.24.x range?

Does the nameserver in /etc/resolv.conf point to the Samba DC's IP address or '127.0.0.1'?

Try running this:

samba_dnsupdate --verbose --all-names

This should try to create/update all the required dns records; if it errors out, add '--use-samba-tool'.

> The SRV records are missing by the looks of it.
>
> service --status-all
> [ + ] apparmor

Have you tried turning apparmor off?

> [ + ] isc-dhcp-server

I could never get isc-dhcp-server to update the server records in AD when using the internal dns server.

> [ + ] ufw

Are all the required ports open?

> Also, does the Realm name need to be something like abcd.local instead of abcdef?

It would probably be better if it had a TLD (just don't use .local), but it should work without one.

Rowland
Guys,

Just a quick summary of our setup:

- Ubuntu 17.10 server
- Samba 4.6.7 Ubuntu
- Bind 9.10.3-P4-Ubuntu
- ufw disabled
- Server 2008R2

We are having issues post the samba AD migration. Regardless of which option, SAMBA_INTERNAL or BIND9_DLZ, we are seeing DNS issues.

Here are our migration steps:

- Confirm bind has permissions to files in /etc/bind and /var/cache/bind.
- Following the link https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade), we copied all the relevant files.
- Stopped smbd/nmbd/winbind/bind9.
- Upgrade using Internal DNS:
  samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir --realm=MYDOMAIN.INTERNAL --dns-backend=SAMBA_INTERNAL /etc/samba.PDC/smb.PDC.conf
- Change the administrator password. Confirm kinit works.
- samba -i
- Confirm /etc/resolv.conf has the nameserver=172.16.24.1 (the only entry).
- Confirm that /etc/hosts has the 172.16.24.1 server01 server01.mydomain (removed the loopback).
- smb.conf looks like:

# Global parameters
[global]
        netbios name = server01
        realm = MYDOMAIN.INTERNAL
        workgroup = MYDOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/jellinbah.group/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

- The following are started:

 [ - ] acpid
 [ + ] apparmor
 [ + ] apport
 [ + ] atd
 [ - ] bind9
 [ - ] console-setup.sh
 [ + ] cron
 [ - ] cryptdisks
 [ - ] cryptdisks-early
 [ + ] dbus
 [ + ] ebtables
 [ + ] grub-common
 [ - ] hwclock.sh
 [ - ] irqbalance
 [ + ] isc-dhcp-server
 [ + ] iscsid
 [ - ] keyboard-setup.sh
 [ + ] kmod
 [ - ] lvm2
 [ + ] lvm2-lvmetad
 [ + ] lvm2-lvmpolld
 [ + ] lxcfs
 [ - ] lxd
 [ - ] mdadm
 [ - ] mdadm-waitidle
 [ - ] nmbd
 [ - ] open-iscsi
 [ + ] open-vm-tools
 [ - ] plymouth
 [ - ] plymouth-log
 [ + ] procps
 [ - ] rsync
 [ + ] rsyslog
 [ + ] samba-ad-dc
 [ - ] screen-cleanup
 [ - ] smbd
 [ + ] ssh
 [ + ] udev
 [ + ] ufw
 [ + ] unattended-upgrades
 [ - ] uuidd
 [ - ] winbind

ISSUES:

- We are able to DCPROMO the server and add the DNS role.
- We can enumerate the Zones from the Windows Server 2008 DNS MMC console.
- Cannot create any records in the Windows 2008R2 DNS; it comes up with "The host record cannot be created. Refused".
- Windows firewall is disabled.
- dcdiag comes up with:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = server08dc
   * Identified AD Forest.
   Got error while checking if the DC is using FRS or DFSR. Error: A device attached to the system is not functioning.
   The VerifyReferences, FrsEvent and DfsrEvent tests might fail because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER08DC
      Starting test: Connectivity
         The host 60642247-203b-4804-9d92-3d4bf681c8a9._msdcs.mydomain.internal could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... SERVER08DC failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER08DC
      Skipping all tests, because server SERVER08DC is not responding to directory service requests.

Any suggestions?
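Both failures reported in this thread are DNS lookups a Windows machine performs against the DC's resolver: the domain join timed out on the SRV record for _ldap._tcp.dc._msdcs.<realm>, and dcdiag could not resolve the DC's <ntds-guid>._msdcs.<realm> CNAME. Rowland's suggestion was samba_dnsupdate --verbose --all-names to recreate the records; the script below is the matching check from the client's point of view. It is an added example, not code from this thread or from the Samba project: it queries, with dig, the standard DC locator SRV names (the one from the join error plus the other _msdcs, Kerberos and kpasswd records a client uses), confirms each SRV target has an A record, and optionally checks the DSA GUID CNAME. The resolver IP, realm and GUID are passed as arguments; the function names and output format are this example's own, and the dig output fed to the parsers in the stand-alone demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): verify the AD locator records
# a Windows client needs for a domain join, against a chosen resolver, using dig.
# Requires dig (package bind9-dnsutils / dnsutils on Ubuntu, bind-utils on RHEL).

# Owner names of the SRV records a domain-join client queries. The first one is the
# lookup that timed out in the thread; the rest are the standard DC locator records.
# Usage: dc_locator_srv_names <dns-realm>
dc_locator_srv_names() {
    for prefix in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _ldap._tcp.pdc._msdcs \
                  _ldap._tcp.gc._msdcs _ldap._tcp _kerberos._tcp _kpasswd._tcp; do
        echo "$prefix.$1"
    done
}

# Reduce 'dig +short -t SRV' lines ("priority weight port target.") to "target port",
# dropping the trailing dot. Returns 1 when the answer contained no SRV record at all.
parse_srv_answer() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3; n++ } END { exit n == 0 }'
}

# Strip the trailing dot from 'dig +short -t CNAME' output; returns 1 on an empty answer.
parse_cname_answer() {
    awk 'NF == 1 { sub(/\.$/, "", $1); print $1; n++ } END { exit n == 0 }'
}

# dig with a short timeout, so an unreachable resolver fails fast instead of hanging.
# Usage: dns_short <resolver-ip> <rrtype> <name>
dns_short() {
    dig +short +time=3 +tries=1 "@$1" -t "$2" "$3"
}

# Check one SRV name: it must have an answer and every target must have an A record.
# Prints one verdict per target; returns 1 on any gap.
# Usage: check_srv <resolver-ip> <srv-name>
check_srv() {
    resolver=$1
    name=$2
    pairs=$(dns_short "$resolver" SRV "$name" | parse_srv_answer) || {
        echo "MISSING  $name (no SRV answer from $resolver)"
        return 1
    }
    echo "$pairs" | while read -r target port; do
        if [ -z "$(dns_short "$resolver" A "$target")" ]; then
            echo "BROKEN   $name -> $target:$port (target has no A record)"
            exit 1          # leaves the loop's subshell with status 1 -> function returns 1
        fi
        echo "OK       $name -> $target:$port"
    done
}

# Walk every locator name and, when a DSA GUID is given, the <guid>._msdcs.<realm> CNAME
# that dcdiag resolves for each DC. Returns 0 only if everything resolved.
# Usage: check_dc_locator <resolver-ip> <dns-realm> [dsa-guid]
check_dc_locator() {
    resolver=$1
    realm=$2
    guid=${3-}
    failures=0
    for name in $(dc_locator_srv_names "$realm"); do
        check_srv "$resolver" "$name" || failures=$((failures + 1))
    done
    if [ -n "$guid" ]; then
        if cname=$(dns_short "$resolver" CNAME "$guid._msdcs.$realm" | parse_cname_answer); then
            echo "OK       $guid._msdcs.$realm -> $cname"
        else
            echo "MISSING  $guid._msdcs.$realm (no CNAME answer from $resolver)"
            failures=$((failures + 1))
        fi
    fi
    echo "$failures record(s) need attention"
    [ "$failures" -eq 0 ]
}

# Stand-alone demonstration of the parsers on constructed dig output (no network needed).
printf '0 100 389 server01.mydomain.internal.\n' | parse_srv_answer
printf 'server08dc.mydomain.internal.\n' | parse_cname_answer

# Live run, e.g. with the resolver, realm and DC GUID that appear in this thread:
#   sh check_dc_locator.sh 172.16.24.1 mydomain.internal 60642247-203b-4804-9d92-3d4bf681c8a9
if [ $# -ge 2 ]; then
    check_dc_locator "$@"
fi
```

Run it once against the DC's own address and once against whatever resolver the joining client actually uses; a clean result from the first and MISSING lines from the second points at the client's resolver configuration rather than at the records in AD, while MISSING from both is the case where samba_dnsupdate needs to run on the DC.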