On Mon, 30 Dec 2024 09:43:33 -0500
smodep--- via samba <samba at lists.samba.org> wrote:
> I started with two Samba DCs running 4.14.7 (camus and cristal). I am
> replacing them with newer OS and Samba versions with an eye to get
> everything current. At this point, I have taken the baby step of
> adding a third server running 4.15.13 (frangelico). I have added the
> new system to the domain, it is participating as a DC and replication
> is working nicely. After a few days, I transferred all the FSMO roles
> to this new DC. I will soon be dropping one of the older servers and
> repeat the cycle to get the other old one updated.
>
> My issue is the SOA record. While all three servers show up in NS
> records for the domain, the SOA points specifically to one of the old
> servers (camus). Here is an excerpt from samba-tool dns query:
>
> SOA: serial=1641, refresh=900, retry=600, expire=86400,
> minttl=3600, ns=camus.knada.lan.kitsnet.us.,
> email=hostmaster.knada.lan.kitsnet.us. (flags=600000f0, serial=110,
> ttl=3600)
>
> NS: camus.knada.lan.kitsnet.us. (flags=600000f0, serial=110,
> ttl=900)
>
> NS: cristal.knada.lan.kitsnet.us. (flags=600000f0, serial=110,
> ttl=900)
>
> NS: frangelico.knada.lan.kitsnet.us. (flags=600000f0, serial=110,
> ttl=900)
>
> A: 192.168.xxx.aaa (flags=600000f0, serial=110, ttl=900)
>
> A: 192.168.xxx.bbb (flags=600000f0, serial=110, ttl=900)
>
> A: 192.168.xxx.ccc (flags=600000f0, serial=110, ttl=900)
>
There is a slight problem with the above: while it is true, it isn't :-)
I have three DCs and if I run:
dig samdom.example.com soa
on each of them, I get different answer sections back:
;; ANSWER SECTION:
samdom.example.com. 3600 IN SOA
rpidc1.samdom.example.com. hostmaster.samdom.example.com. 290 900 600
86400 3600
;; ANSWER SECTION:
samdom.example.com. 3600 IN SOA
rpidc2.samdom.example.com. hostmaster.samdom.example.com. 290 900 600
86400 3600
;; ANSWER SECTION:
samdom.example.com. 3600 IN SOA
tmpdc1.samdom.example.com. hostmaster.samdom.example.com. 290 900 600
86400 3600
They all claim to be the SOA, because they are; it is known as
multimaster.
>
> 1. Should I have expected the ns in the SOA record to have
> been updated with the FSMO transfer, or are these unrelated
> activities?
No, the NS records are correct, all DCs are nameservers for the AD DNS
domain.
However, there will be one DNS record that will be wrong if you have
transferred or seized the PDC_Emulator FSMO role:
_ldap._tcp.pdc._msdcs.<domain>
There is no code (there is a bug open about this) to remove
the old DNS record after the FSMO role is moved.
You need to manually delete the old DNS record after the role is moved.
> 2. Can I update the ns clause in the SOA record
> to simply point to the domain, or must I continue to point at one
> specific host?
You can change the NS record in the SOA record if you want, but it
isn't required.
Rowland
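An added check (not from the thread or from Samba itself) for the stale `_ldap._tcp.pdc._msdcs` record Rowland describes: it parses `dig` answer lines for that SRV name, reports every target that is not the current PDC emulator, and prints the `samba-tool dns delete` command for each. The sample records below are constructed from the host names in his output; the script assumes the `_msdcs` zone is a separate zone named `_msdcs.<domain>` and that `samba-tool dns delete` takes SRV data as "target port priority weight", so check `samba-tool dns delete --help` on your version before running anything it prints.

```shell
#!/bin/sh
# Added example, not Samba's own tooling. Finds _ldap._tcp.pdc._msdcs SRV
# records that still point at a previous PDC emulator after a FSMO transfer.

# Constructed sample of `dig +noall +answer _ldap._tcp.pdc._msdcs.samdom.example.com SRV`
# after the role moved from rpidc1 to tmpdc1 and the old record was not removed.
SAMPLE_SRV='_ldap._tcp.pdc._msdcs.samdom.example.com. 600 IN SRV 0 100 389 rpidc1.samdom.example.com.
_ldap._tcp.pdc._msdcs.samdom.example.com. 600 IN SRV 0 100 389 tmpdc1.samdom.example.com.'

# Normalise a host name: lower-case, no trailing dot.
norm() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# stale_pdc_targets <current-pdc-fqdn>   (dig answer lines on stdin)
# Prints "target port priority weight" for every SRV record whose target
# is not the current PDC emulator. dig field order: prio weight port target.
stale_pdc_targets() {
    want=$(norm "$1")
    awk -v want="$want" '$4 == "SRV" {
        t = tolower($8); sub(/\.$/, "", t)
        if (t != want) print t, $7, $5, $6
    }'
}

# delete_commands <dc-to-run-on> <domain> <current-pdc-fqdn>   (dig lines on stdin)
# Prints, but does not run, one samba-tool command per stale record.
# Assumption: zone is _msdcs.<domain>, SRV data is "target port priority weight".
delete_commands() {
    dc=$1; domain=$2
    stale_pdc_targets "$3" | while read -r target port prio weight; do
        printf 'samba-tool dns delete %s _msdcs.%s _ldap._tcp.pdc SRV "%s %s %s %s"\n' \
            "$dc" "$domain" "$target" "$port" "$prio" "$weight"
    done
}

# live_check <domain> <current-pdc-fqdn>: the same check against the real zone.
# Take the current holder from the PdcEmulationMasterRole line of
# `samba-tool fsmo show`. Not run here; call it yourself on a DC.
live_check() {
    dig +noall +answer "_ldap._tcp.pdc._msdcs.$1" SRV \
        | delete_commands "$(hostname -f)" "$1" "$2"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SRV" | delete_commands tmpdc1 samdom.example.com tmpdc1.samdom.example.com
```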