L.P.H. van Belle
2020-Feb-12 10:06 UTC
[Samba] Failover DC did not work when Main DC failed
What do you see/get when you run:

    dig NS $(hostname -d)

With 2 DCs you should see 2 records.

In the past this was a bug at Samba joins, so only 1 NS record existed.
Worth having a look at.

And adding this to /etc/resolv.conf:

    options timeout:2
    options attempts:3
    options rotate

might also help.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Paul Littlefield via samba
> Sent: Wednesday 12 February 2020 10:48
> To: Kris Lou; samba
> Subject: Re: [Samba] Failover DC did not work when Main DC failed
>
> On 11/02/2020 23:33, Kris Lou via samba wrote:
> > Is DC4 listed in an A record for your mycompany.com?
> >
> > Do logs show that it's answering requests during the course of a normal workday?
> >
> > If so ... time to simulate DC3 failure, I guess.
>
> Hi Kris,
>
> Thanks for taking the time to reply.
>
> I've been using Samba for what seems like a lifetime and it's only by sheer fluke that this "bug / situation" was found, where either the Samba DC AD is not correct and/or the QNAP server does not like talking to the Samba 4 domain when one of the DCs is not available!
>
> In answer to your questions...
>
> Yes, DC4 is listed in an A record.
>
> Which log file can I check, for either AD or DNS requests?
>
> Yes, indeed... I am going to create 2 DC VMs on my laptop and turn one off to see what happens.
>
> Stay tuned.
>
> Regards,
>
> --
>
> Paul Littlefield
>
> Telephone: 07801 125705
> Email: info at paully.co.uk
> Wiki: http://wiki.indie-it.com/wiki/Special:AllPages
> LinkedIn: https://www.linkedin.com/in/paullittlefield
>
> Ubuntu 18.04.3 LTS (x86_64)
Paul Littlefield
2020-Feb-12 12:26 UTC
[Samba] Failover DC did not work when Main DC failed
On 12/02/2020 10:06, L.P.H. van Belle via samba wrote:
> What do you see/get when you run:
>
> dig NS $(hostname -d)
> With 2 DCs you should see 2 records.
>
> In the past this was a bug at Samba joins, so only 1 NS record existed.
> Worth having a look at.
>
> And adding this to /etc/resolv.conf:
> options timeout:2
> options attempts:3
> options rotate
>
> Might also help.
>
> Greetz,
>
> Louis

Hello Louis,

Thanks for your reply.

For that dig command I get...

root@dc3.mydomain.com ~ $ (screen) dig NS $(hostname -d)

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> NS mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63144
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.com.			IN	NS

;; ANSWER SECTION:
mydomain.com.		900	IN	NS	dc3.mydomain.com.
mydomain.com.		900	IN	NS	dc4.mydomain.com.

;; AUTHORITY SECTION:
mydomain.com.		3600	IN	SOA	dc3.mydomain.com. hostmaster.mydomain.com. 620 900 600 86400 0

;; Query time: 0 msec
;; SERVER: 192.168.0.218#53(192.168.0.218)
;; WHEN: Wed Feb 12 12:18:10 GMT 2020
;; MSG SIZE  rcvd: 116

...so both records are correct, in both forward and reverse DNS zones!

root@dc3.mydomain.com ~ $ (screen) host 192.168.0.218
218.0.168.192.in-addr.arpa domain name pointer DC3.

root@dc3.mydomain.com ~ $ (screen) host 192.168.0.219
219.0.168.192.in-addr.arpa domain name pointer DC4.

Is there any point in putting those extra lines in /etc/resolv.conf when I have been told by this mailing list to only put the 1 nameserver entry in it?!

e.g. my current resolver file...

root@dc3.mydomain.com ~ $ (screen) cat /etc/resolv.conf
search mydomain.com
nameserver 192.168.0.218

...should I have THIS instead?

root@dc3.mydomain.com ~ $ (screen) cat /etc/resolv.conf
search mydomain.com
nameserver 192.168.0.218
nameserver 192.168.0.219
options timeout:2
options attempts:3
options rotate

Regards,

Paully
L.P.H. van Belle
2020-Feb-12 12:54 UTC
[Samba] Failover DC did not work when Main DC failed
> Hello Louis,
>
> Thanks for your reply.
>
> For that dig command I get...
>
> root@dc3.mydomain.com ~ $ (screen) dig NS $(hostname -d)
>
> ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> NS mydomain.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63144
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;mydomain.com.			IN	NS
>
> ;; ANSWER SECTION:
> mydomain.com.		900	IN	NS	dc3.mydomain.com.
> mydomain.com.		900	IN	NS	dc4.mydomain.com.
>
> ;; AUTHORITY SECTION:
> mydomain.com.		3600	IN	SOA	dc3.mydomain.com. hostmaster.mydomain.com. 620 900 600 86400 0
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.0.218#53(192.168.0.218)
> ;; WHEN: Wed Feb 12 12:18:10 GMT 2020
> ;; MSG SIZE  rcvd: 116
>
> ...so both records are correct, in both forward and reverse DNS zones!
>
> root@dc3.mydomain.com ~ $ (screen) host 192.168.0.218
> 218.0.168.192.in-addr.arpa domain name pointer DC3.
>
> root@dc3.mydomain.com ~ $ (screen) host 192.168.0.219
> 219.0.168.192.in-addr.arpa domain name pointer DC4.
>
> Is there any point in putting those extra lines in /etc/resolv.conf when I have been told by this mailing list to only put the 1 nameserver entry in it?!

.. Uhh.. This mailing list.. Darn.. Who.. ? ?
I didn't see it when I read back, but I'm dyslexic as hell so.. I might have missed that.
I think it's a misinterpretation then; I did see Rowland saying that what you had was correct (with the 2x nameservers).. (Sat 1-2-2020 17:17)

So..

> e.g. my current resolver file...
>
> root@dc3.mydomain.com ~ $ (screen) cat /etc/resolv.conf
> search mydomain.com
> nameserver 192.168.0.218
>
> ...should I have THIS instead?

Yes, that's much better.

Now, the order of the nameservers here can influence things also.
So, order of nameserver "AFTER" an EXTRA AD-DC joined the domain.
Per example:

#DC3.
search yourprimary.dnsdomain.com other.important-domains.tld
nameserver 192.168.0.218   #DC3 (new entry after the join of the AD-DC)
nameserver 192.168.0.219   #DC4 (first entry before and while joining the domain as an AD-DC)
options timeout:2
options attempts:3
options rotate

#DC4.
search yourprimary.dnsdomain.com other.important-domains.tld
nameserver 192.168.0.219   #DC4
nameserver 192.168.0.218   #DC3
options timeout:2
options attempts:3
options rotate

Note, test a bit if "options rotate" works for you.
That makes resolving more randomised over the servers; useful, but not always.
That's up to you.

Greetz,

Louis
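The checks discussed in this thread (Louis' `dig NS $(hostname -d)` test in his first message, and the two-nameserver resolv.conf with timeout/attempts/rotate laid out above) can be scripted so they are repeatable before the next DC outage. The Python below is an added example written for this page; it is not code from the Samba project or from any poster. It embeds, as constructed samples, the ANSWER/AUTHORITY sections of Paul's dig output and his current one-nameserver resolv.conf, uses the DC3/DC4 addresses from the thread, and models the glibc resolver timing in a deliberately simplified way (stated in the docstring); the function and variable names are this example's own.

```python
"""Resolver sanity checks for Samba AD DC failover.

Added example for this thread (not Samba project code). Offline it checks:
  1. the zone's NS records name every DC (the `dig NS $(hostname -d)` test),
  2. /etc/resolv.conf lists every DC and sets timeout/attempts/rotate,
  3. how long a lookup stalls when the first listed nameserver is dead,
and renders the per-DC resolv.conf layout (itself first, other DCs after).
"""
import re

# glibc resolver defaults per resolv.conf(5): timeout 5s, attempts 2.
GLIBC_DEFAULT_TIMEOUT = 5
GLIBC_DEFAULT_ATTEMPTS = 2

# Constructed sample: the ANSWER/AUTHORITY sections from the dig output posted above.
SAMPLE_DIG_NS = """\
;; ANSWER SECTION:
mydomain.com.\t\t900\tIN\tNS\tdc3.mydomain.com.
mydomain.com.\t\t900\tIN\tNS\tdc4.mydomain.com.

;; AUTHORITY SECTION:
mydomain.com.\t\t3600\tIN\tSOA\tdc3.mydomain.com. hostmaster.mydomain.com. 620 900 600 86400 0
"""

# Constructed sample: the current resolv.conf on DC3 (one nameserver, no options).
SAMPLE_RESOLV_CONF = "search mydomain.com\nnameserver 192.168.0.218\n"

# DC3 and DC4 addresses as posted in the thread.
DC_IPS = ["192.168.0.218", "192.168.0.219"]


def ns_records(dig_output, zone):
    """Targets of the NS records dig printed for `zone` (lower-case, no trailing dot)."""
    zone = zone.rstrip(".").lower()
    rr = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.MULTILINE)
    return sorted(
        target.rstrip(".").lower()
        for owner, target in rr.findall(dig_output)
        if owner.rstrip(".").lower() == zone
    )


def parse_resolv_conf(text):
    """Minimal resolv.conf parser: search list, nameservers in file order, options."""
    conf = {"search": [], "nameserver": [], "options": {}}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop trailing '#' comments
        if not parts or parts[0].startswith(";"):     # ';' also starts a comment
            continue
        key, args = parts[0], parts[1:]
        if key == "nameserver" and args:
            conf["nameserver"].append(args[0])
        elif key == "search":
            conf["search"] = args
        elif key == "options":                        # "options timeout:2 rotate" or one per line
            for opt in args:
                name, _, value = opt.partition(":")
                conf["options"][name] = int(value) if value.isdigit() else True
    return conf


def first_server_dead_delay(conf):
    """Return (seconds, lookup_fails) when the first listed nameserver never answers.

    Simplified model of glibc res_send (an assumption of this example): each
    attempt walks the nameservers in order and waits `timeout` on the dead one
    before moving on.  With a second nameserver that answers, every lookup is
    delayed by about `timeout`; with a single nameserver the lookup only fails
    after timeout * attempts.  A client may give up on the domain before that.
    """
    timeout = conf["options"].get("timeout", GLIBC_DEFAULT_TIMEOUT)
    attempts = conf["options"].get("attempts", GLIBC_DEFAULT_ATTEMPTS)
    if len(conf["nameserver"]) >= 2:
        return timeout, False
    return timeout * attempts, True


def check_resolver(text, dc_ips):
    """Findings against the advice in the thread; an empty list means it matches."""
    conf = parse_resolv_conf(text)
    findings = []
    missing = [ip for ip in dc_ips if ip not in conf["nameserver"]]
    if missing:
        findings.append("DC nameserver(s) not listed: " + ", ".join(missing))
    if len(conf["nameserver"]) < 2:
        findings.append("only one nameserver: libc has nothing to fail over to")
    for opt, want in (("timeout", 2), ("attempts", 3)):
        if conf["options"].get(opt) != want:
            findings.append(f"options {opt}:{want} not set")
    if "rotate" not in conf["options"]:
        findings.append("options rotate not set (optional, spreads queries over the DCs)")
    return findings


def render_resolv_conf(self_ip, other_dc_ips, search_domains):
    """resolv.conf for one DC as laid out above: itself first, the other DCs after it."""
    lines = ["search " + " ".join(search_domains), f"nameserver {self_ip}"]
    lines += [f"nameserver {ip}" for ip in other_dc_ips]
    lines += ["options timeout:2", "options attempts:3", "options rotate"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("NS records for mydomain.com:", ns_records(SAMPLE_DIG_NS, "mydomain.com"))
    for finding in check_resolver(SAMPLE_RESOLV_CONF, DC_IPS):
        print("finding:", finding)
    stall, fails = first_server_dead_delay(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    print(f"first nameserver dead: {stall}s, then lookup {'fails' if fails else 'succeeds via next DC'}")
    print("suggested resolv.conf for DC3:\n" + render_resolv_conf(DC_IPS[0], DC_IPS[1:], ["mydomain.com"]))
```

Run it on a DC by feeding it the real `dig NS $(hostname -d)` output and `/etc/resolv.conf` instead of the embedded samples. The timing model is the practical point: with glibc defaults and a dead first nameserver, every lookup made through libc on that host waits about 5 seconds before the second DC is asked, which is long enough for a client such as the QNAP to conclude the domain is down even though a healthy DC exists. `options rotate` only spreads queries over the listed servers, so a share of lookups still start at the dead DC and pay the timeout, which matches the "useful, but not always" note above.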
On 12/02/2020 12:54, L.P.H. van Belle via samba wrote:
>> Hello Louis,
>>
>> Thanks for your reply.
>>
>> For that dig command I get...
>>
>> root@dc3.mydomain.com ~ $ (screen) dig NS $(hostname -d)
>>
>> ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> NS mydomain.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63144
>> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;mydomain.com.			IN	NS
>>
>> ;; ANSWER SECTION:
>> mydomain.com.		900	IN	NS	dc3.mydomain.com.
>> mydomain.com.		900	IN	NS	dc4.mydomain.com.
>>
>> ;; AUTHORITY SECTION:
>> mydomain.com.		3600	IN	SOA	dc3.mydomain.com. hostmaster.mydomain.com. 620 900 600 86400 0
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 192.168.0.218#53(192.168.0.218)
>> ;; WHEN: Wed Feb 12 12:18:10 GMT 2020
>> ;; MSG SIZE  rcvd: 116
>>
>> ...so both records are correct, in both forward and reverse DNS zones!
>>
>> root@dc3.mydomain.com ~ $ (screen) host 192.168.0.218
>> 218.0.168.192.in-addr.arpa domain name pointer DC3.
>>
>> root@dc3.mydomain.com ~ $ (screen) host 192.168.0.219
>> 219.0.168.192.in-addr.arpa domain name pointer DC4.
>>
>> Is there any point in putting those extra lines in /etc/resolv.conf when I have been told by this mailing list to only put the 1 nameserver entry in it?!
> .. Uhh.. This mailing list.. Darn.. Who.. ? ?
> I didn't see it when I read back, but I'm dyslexic as hell so.. I might have missed that.
> I think it's a misinterpretation then; I did see Rowland saying that what you had was correct (with the 2x nameservers).. (Sat 1-2-2020 17:17)
>
> So..
>
>> e.g. my current resolver file...
>>
>> root@dc3.mydomain.com ~ $ (screen) cat /etc/resolv.conf
>> search mydomain.com
>> nameserver 192.168.0.218
>>
>> ...should I have THIS instead?
> Yes, that's much better.
>
> Now, the order of the nameservers here can influence things also.
> So, order of nameserver "AFTER" an EXTRA AD-DC joined the domain.
> Per example:
>
> #DC3.
> search yourprimary.dnsdomain.com other.important-domains.tld
> nameserver 192.168.0.218   #DC3 (new entry after the join of the AD-DC)
> nameserver 192.168.0.219   #DC4 (first entry before and while joining the domain as an AD-DC)
> options timeout:2
> options attempts:3
> options rotate
>
> #DC4.
> search yourprimary.dnsdomain.com other.important-domains.tld
> nameserver 192.168.0.219   #DC4
> nameserver 192.168.0.218   #DC3
> options timeout:2
> options attempts:3
> options rotate
>
> Note, test a bit if "options rotate" works for you.
> That makes resolving more randomised over the servers; useful, but not always.
> That's up to you.
>
> Greetz,
>
> Louis

There are a couple of ways of looking at this on a DC.

The first is that a DC must use itself as its nameserver, and if something goes wrong, e.g. Samba has fallen over, then there isn't much point having another nameserver; Samba isn't going to use it.

The second is, it will not hurt having a second nameserver on a DC, just as long as you understand that Samba will not use the second nameserver if Samba has fallen over, but the computer will.

Rowland
On 12/2/20 at 11:06, L.P.H. van Belle via samba wrote:
> What do you see/get when you run:
>
> dig NS $(hostname -d)
> With 2 DCs you should see 2 records.
>
> In the past this was a bug at Samba joins, so only 1 NS record existed.
> Worth having a look at.
>
> And adding this to /etc/resolv.conf:
> options timeout:2
> options attempts:3
> options rotate

Instead of that, after a similar incident, I'm now using dnsmasq on every host configured as such:

no-resolv
no-poll
no-hosts
interface=lo
no-dhcp-interface=lo
server=<address of 1st dc>
server=<address of 2nd dc>

as well as the command line option "--all-servers" (set in either /etc/sysconfig/dnsmasq for my mageia VMs or /etc/default/dnsmasq for my debian/ubuntu VMs).

I'm not sure it cures every problem, but at least name resolution is fast.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007