samba - Aug 2020 - Changing IP Scope on a Samba DC

Andrew, I very much appreciate your swift reply and your expertise. I
readily admit I'm a little out of my depth here. I'm sitting here in
California at almost midnight with just the weekend to get done all I need
to do on the network and I fear this may be derailing my plans.

This article on the Samba Wiki
https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC seems
to suggest I need to demote and repromote if I change the address, is that
also the same if I change the subnet?

I'm sorry if that's a dumb question, but I'm having severe problems
with
these servers and I really don't want to screw anything up because I try
something stupid.

Peter

On Fri, Aug 28, 2020 at 11:21 PM Andrew Bartlett <abartlet at samba.org>
wrote:
> On Fri, 2020-08-28 at 21:02 -0700, Peter Pollock via samba wrote:
> > I've asked a couple of other questions on here, which people have
> > kindly
> > answered and I'm waiting for the opportunity to implement what
they
> > have
> > suggested.
> >
> > In the meantime:
> >
> > We are running out of IP addresses!
> > We currently use 192.168.2.0/24 and it's proving to not be enough
> > addresses.
> >
> > I'm considering changing to 192.168.4.0/22 to virtually quadruple
the
> > number of addresses we have available and hopefully keep us in
> > available
> > addresses for years to come.
> >
> > My question is: how hard is this to do in Samba? We have 3 DC's
and
> > from
> > what I read, I need to demote one, change the IP then re-promote
> > it... but
> > I'm guessing it then won't be able to talk to the others
because it
> > will be
> > on a different subnet.
> >
> > Is there any other way to do it, or is it just not possible?
> >
> > Thanks in advance for your help!
>
> G'Day Peter,
>
> Leaving aside the IP routing questions (that is just generic routing
> issues) Samba should just update it's address once it finds a new one.
>
> Samba can also listen on multiple IPs if they are local interfaces.
>
> But why not just change to 192.168.0.0/22 and so have IPs
> 192.168.0.0 - 192.168.3.255 and so not need to renumber?
>
> Anyway, not really our problem space.
>
> I hope this helps,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>

On 29/08/2020 07:54, Peter Pollock via samba wrote:
> Andrew, I very much appreciate your swift reply and your expertise. I
> readily admit I'm a little out of my depth here. I'm sitting here
in
> California at almost midnight with just the weekend to get done all I need
> to do on the network and I fear this may be derailing my plans.
>
> This article on the Samba Wiki
> https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC
seems
> to suggest I need to demote and repromote if I change the address, is that
> also the same if I change the subnet?
No, the DC's ipaddress points to the DC, so if you change either, it is 
easier to demote and re-join rather than trying to change every instance 
of the IP or name. You probably could change either, but, because they 
are in numerous places, it is fraught with danger, you might miss
some.
>
> I'm sorry if that's a dumb question, but I'm having severe
problems with
> these servers and I really don't want to screw anything up because I
try
> something stupid.
You probably have a reverse zone called '2.168.192.in-addr.arpa' (If 
unsure 'samba-tool dns zonelist <dc_name> -P' will confirm this).
If you
follow Andrew's suggestion (and I urge you to do so), you will need to 
replace it with '168.192.in-addr.arpa'

Once this is done and you have recreated any fixed IP machines records, 
dhcp should then recreate the other records for you.

Rowland

On 29/08/2020 07:54, Peter Pollock via samba wrote:
> 
> Andrew, I very much appreciate your swift reply and your expertise. I
> readily admit I'm a little out of my depth here. I'm sitting here
in
> California at almost midnight with just the weekend to get done all I need
> to do on the network and I fear this may be derailing my plans.
> 
> This article on the Samba Wiki
> https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC
seems
> to suggest I need to demote and repromote if I change the address, is that
> also the same if I change the subnet?
> 
> I'm sorry if that's a dumb question, but I'm having severe
problems with
> these servers and I really don't want to screw anything up because I
try
> something stupid.
> 
> Peter
> 
> On Fri, Aug 28, 2020 at 11:21 PM Andrew Bartlett <abartlet at
samba.org> wrote:
> 
>> On Fri, 2020-08-28 at 21:02 -0700, Peter Pollock via samba wrote:
>>> I've asked a couple of other questions on here, which people
have
>>> kindly
>>> answered and I'm waiting for the opportunity to implement what
they
>>> have
>>> suggested.
>>>
>>> In the meantime:
>>>
>>> We are running out of IP addresses!
>>> We currently use 192.168.2.0/24 and it's proving to not be
enough
>>> addresses.
>>>
>>> I'm considering changing to 192.168.4.0/22 to virtually
quadruple the
>>> number of addresses we have available and hopefully keep us in
>>> available
>>> addresses for years to come.
>>>
>>> My question is: how hard is this to do in Samba? We have 3 DC's
and
>>> from
>>> what I read, I need to demote one, change the IP then re-promote
>>> it... but
>>> I'm guessing it then won't be able to talk to the others
because it
>>> will be
>>> on a different subnet.
>>>
>>> Is there any other way to do it, or is it just not possible?
>>>
>>> Thanks in advance for your help!
>>
>> G'Day Peter,
>>
>> Leaving aside the IP routing questions (that is just generic routing
>> issues) Samba should just update it's address once it finds a new
one.
>>
>> Samba can also listen on multiple IPs if they are local interfaces.
>>
>> But why not just change to 192.168.0.0/22 and so have IPs
>> 192.168.0.0 - 192.168.3.255 and so not need to renumber?
>>
>> Anyway, not really our problem space.
>>
>> I hope this helps,
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett                       https://samba.org/~abartlet/
>> Authentication Developer, Samba Team  https://samba.org
>> Samba Developer, Catalyst IT
>> https://catalyst.net.nz/services/samba
>>
>>
>>
>>
For non-samba reasons I always recommend avoiding the 192.168.0.0/23 
range of IP's as they are too common defaults in domestic routers. If 
you ever set up something like OpenVPN (or other VPN's) to access your 
LAN resources from the internet, one of the requirements is that your 
LAN IP's don't overlap with the VPN clients' LAN IPs. If they do 
overlap, a connection will be made but no traffic will pass. With those 
two /24 subnets, there is a high chance that someone connecting from 
home will have problems.

Nick

Thank you. I've gone home for a couple of hours sleep and will tackle it in
the morning.

I appreciate you both.

On Sat, Aug 29, 2020, 12:50 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 29/08/2020 07:54, Peter Pollock via samba wrote:
> > Andrew, I very much appreciate your swift reply and your expertise. I
> > readily admit I'm a little out of my depth here. I'm sitting
here in
> > California at almost midnight with just the weekend to get done all I
> need
> > to do on the network and I fear this may be derailing my plans.
> >
> > This article on the Samba Wiki
> >
> https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC
> seems
> > to suggest I need to demote and repromote if I change the address, is
> that
> > also the same if I change the subnet?
> No, the DC's ipaddress points to the DC, so if you change either, it is
> easier to demote and re-join rather than trying to change every instance
> of the IP or name. You probably could change either, but, because they
> are in numerous places, it is fraught with danger, you might miss some.
> >
> > I'm sorry if that's a dumb question, but I'm having severe
problems with
> > these servers and I really don't want to screw anything up because
I try
> > something stupid.
>
> You probably have a reverse zone called '2.168.192.in-addr.arpa'
(If
> unsure 'samba-tool dns zonelist <dc_name> -P' will confirm
this). If you
> follow Andrew's suggestion (and I urge you to do so), you will need to
> replace it with '168.192.in-addr.arpa'
>
> Once this is done and you have recreated any fixed IP machines records,
> dhcp should then recreate the other records for you.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi Nick,

That was why I was trying to use 192.168.4.0/22. However, as a rule I don't
allow VPN connections here, so we will just make do with 192.168.0.0/22 for
now.

I appreciate the advice though. Thank you!

On Sat, Aug 29, 2020 at 12:57 AM Nick Howitt via samba <
samba at lists.samba.org> wrote:
>
>
> On 29/08/2020 07:54, Peter Pollock via samba wrote:
> >
> > Andrew, I very much appreciate your swift reply and your expertise. I
> > readily admit I'm a little out of my depth here. I'm sitting
here in
> > California at almost midnight with just the weekend to get done all I
> need
> > to do on the network and I fear this may be derailing my plans.
> >
> > This article on the Samba Wiki
> >
> https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC
> seems
> > to suggest I need to demote and repromote if I change the address, is
> that
> > also the same if I change the subnet?
> >
> > I'm sorry if that's a dumb question, but I'm having severe
problems with
> > these servers and I really don't want to screw anything up because
I try
> > something stupid.
> >
> > Peter
> >
> > On Fri, Aug 28, 2020 at 11:21 PM Andrew Bartlett <abartlet at
samba.org>
> wrote:
> >
> >> On Fri, 2020-08-28 at 21:02 -0700, Peter Pollock via samba wrote:
> >>> I've asked a couple of other questions on here, which
people have
> >>> kindly
> >>> answered and I'm waiting for the opportunity to implement
what they
> >>> have
> >>> suggested.
> >>>
> >>> In the meantime:
> >>>
> >>> We are running out of IP addresses!
> >>> We currently use 192.168.2.0/24 and it's proving to not be
enough
> >>> addresses.
> >>>
> >>> I'm considering changing to 192.168.4.0/22 to virtually
quadruple the
> >>> number of addresses we have available and hopefully keep us in
> >>> available
> >>> addresses for years to come.
> >>>
> >>> My question is: how hard is this to do in Samba? We have 3
DC's and
> >>> from
> >>> what I read, I need to demote one, change the IP then
re-promote
> >>> it... but
> >>> I'm guessing it then won't be able to talk to the
others because it
> >>> will be
> >>> on a different subnet.
> >>>
> >>> Is there any other way to do it, or is it just not possible?
> >>>
> >>> Thanks in advance for your help!
> >>
> >> G'Day Peter,
> >>
> >> Leaving aside the IP routing questions (that is just generic
routing
> >> issues) Samba should just update it's address once it finds a
new one.
> >>
> >> Samba can also listen on multiple IPs if they are local
interfaces.
> >>
> >> But why not just change to 192.168.0.0/22 and so have IPs
> >> 192.168.0.0 - 192.168.3.255 and so not need to renumber?
> >>
> >> Anyway, not really our problem space.
> >>
> >> I hope this helps,
> >>
> >> Andrew Bartlett
> >>
> >> --
> >> Andrew Bartlett                       https://samba.org/~abartlet/
> >> Authentication Developer, Samba Team  https://samba.org
> >> Samba Developer, Catalyst IT
> >> https://catalyst.net.nz/services/samba
> >>
> >>
> >>
> >>
> For non-samba reasons I always recommend avoiding the 192.168.0.0/23
> range of IP's as they are too common defaults in domestic routers. If
> you ever set up something like OpenVPN (or other VPN's) to access your
> LAN resources from the internet, one of the requirements is that your
> LAN IP's don't overlap with the VPN clients' LAN IPs. If they
do
> overlap, a connection will be made but no traffic will pass. With those
> two /24 subnets, there is a high chance that someone connecting from
> home will have problems.
>
> Nick
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Thank you for your help Rowland.

I have done as Andrew suggested with mixed success. The biggest problem
I've found is that the internal DNS is seriously screwy. There are no zone
files for the domain that I can find and no server suggests it's the master
- yet when dc1 falls over they all fall down. I'm going to find somewhere
else to seek assistance with that because it's a bind issue not a Samba
issue, but the 192.168.0.0/22 idea has worked to some degree, so thank you
both for that!

On Sat, Aug 29, 2020 at 12:50 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 29/08/2020 07:54, Peter Pollock via samba wrote:
> > Andrew, I very much appreciate your swift reply and your expertise. I
> > readily admit I'm a little out of my depth here. I'm sitting
here in
> > California at almost midnight with just the weekend to get done all I
> need
> > to do on the network and I fear this may be derailing my plans.
> >
> > This article on the Samba Wiki
> >
> https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC
> seems
> > to suggest I need to demote and repromote if I change the address, is
> that
> > also the same if I change the subnet?
> No, the DC's ipaddress points to the DC, so if you change either, it is
> easier to demote and re-join rather than trying to change every instance
> of the IP or name. You probably could change either, but, because they
> are in numerous places, it is fraught with danger, you might miss some.
> >
> > I'm sorry if that's a dumb question, but I'm having severe
problems with
> > these servers and I really don't want to screw anything up because
I try
> > something stupid.
>
> You probably have a reverse zone called '2.168.192.in-addr.arpa'
(If
> unsure 'samba-tool dns zonelist <dc_name> -P' will confirm
this). If you
> follow Andrew's suggestion (and I urge you to do so), you will need to
> replace it with '168.192.in-addr.arpa'
>
> Once this is done and you have recreated any fixed IP machines records,
> dhcp should then recreate the other records for you.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>