Peter Boos
2020-Sep-23 11:40 UTC
[Samba] Moving FSMO roles doesn't affect SRV records in DNS?
We've added an extra DC for redundancy to the Debian-based Active Directory. We updated our older Samba version to the current one, and joined a new DC. Then the commands were given to move all the FSMO roles.

Which we verified with "samba-tool fsmo show", which showed that all roles are on the new DC.

However, in DNS all underscore SRV records of the AD services still point to the old server. Not sure how Samba handles it, though, as the virtual PDC emulator is pointing to the old DNS server. The old DC still seems to handle all logons now, as we verified by the cmd command set in Win 10 clients (showing logon server as the old DC). Is this normal behaviour for Samba, are SRV records not updated? I find it strange and am wondering if our AD is now running as intended.

How to verify Samba.
Rowland Penny
2020-Sep-23 13:26 UTC
[Samba] Moving FSMO roles doesn't affect SRV records in DNS?
On 23/09/2020 12:40, Peter Boos via samba wrote:
> We've added an extra DC for redundancy to the Debian-based Active Directory.
> We updated our older Samba version to the current one, and joined a new DC.
> Then the commands were given to move all the FSMO roles.
>
> Which we verified with "samba-tool fsmo show", which showed that all roles are on the new DC.
>
> However, in DNS all underscore SRV records of the AD services still point to the old server.
> Not sure how Samba handles it, though, as the virtual PDC emulator is pointing to the old DNS server.
> The old DC still seems to handle all logons now,
> as we verified by the cmd command set in Win 10 clients (showing logon server as the old DC).
> Is this normal behaviour for Samba, are SRV records not updated?
> I find it strange and am wondering if our AD is now running as intended.
>
> How to verify Samba.

This is the way it is supposed to work:

Every so often, samba_dnsupdate is run on a DC; this uses a file, 'dns_update_list'. Any missing files from the list are created. One of the lines from the list is this:

    # The PDC emulator
    ${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389

I think if you check again, you will now have the required SRV record, but you may also have another record for the old pdc_emulator role owner.

Whilst it seems there is code to add the _ldap._tcp.pdc record, there doesn't seem to be any to remove it from the old role owner.

You can remove the incorrect record (if you have it) with 'samba-tool dns delete'.

Rowland
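
The check discussed in this thread, as an added example that is not part of the original posts or of Samba's own code: it compares the PDC emulator owner reported by "samba-tool fsmo show" with the targets of the _ldap._tcp.pdc._msdcs SRV records returned by "host -t SRV", and builds (without running) the matching 'samba-tool dns delete' lines for any stale record. The domain, DC names and sample outputs are constructed placeholders; it assumes the DC's DNS host label equals its CN in the NTDS Settings DN and that the records live in the _msdcs.<domain> zone.

```python
import re
from collections import namedtuple

Srv = namedtuple("Srv", "name priority weight port target")

# Constructed sample output; domain and DC names are placeholders, not from the thread.
FSMO_SHOW = (
    "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,"
    "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com\n"
)
HOST_SRV = (
    "_ldap._tcp.pdc._msdcs.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.\n"
    "_ldap._tcp.pdc._msdcs.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.\n"
)

def pdc_owner(fsmo_show):
    """Return the DC name (lower case) from the PdcEmulationMasterRole line."""
    m = re.search(r"^PdcEmulationMasterRole owner:\s*CN=NTDS Settings,CN=([^,]+)",
                  fsmo_show, re.M)
    if not m:
        raise ValueError("no PdcEmulationMasterRole line found")
    return m.group(1).lower()

def parse_srv(host_output):
    """Parse 'host -t SRV' answer lines; other lines (errors, NXDOMAIN) are skipped."""
    pat = re.compile(r"(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")
    out = []
    for line in host_output.splitlines():
        m = pat.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            out.append(Srv(name, int(prio), int(weight), int(port), target.lower()))
    return out

def stale_pdc_records(fsmo_show, host_output):
    """SRV records whose target host label is not the current role owner.
    Assumes the DC's DNS host label equals its CN in the NTDS Settings DN."""
    owner = pdc_owner(fsmo_show)
    return [r for r in parse_srv(host_output) if r.target.split(".")[0] != owner]

def delete_commands(stale, server, zone):
    """Build (not run) samba-tool dns delete lines; SRV data is 'target port priority weight'."""
    cmds = []
    for r in stale:
        rel = r.name[: -len(zone) - 1] if r.name.endswith("." + zone) else r.name
        cmds.append(f"samba-tool dns delete {server} {zone} {rel} SRV "
                    f"'{r.target} {r.port} {r.priority} {r.weight}'")
    return cmds

if __name__ == "__main__":
    for c in delete_commands(stale_pdc_records(FSMO_SHOW, HOST_SRV),
                             "dc2.samdom.example.com", "_msdcs.samdom.example.com"):
        print(c)
```

The generated lines are meant to be reviewed and then run by hand with whatever credential options your samba-tool invocation needs.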