Hi Marc, comments below.

On 6/20/2013 5:26 PM, Marc Muehlfeld wrote:
Hello David,

Am 20.06.2013 19:55, schrieb "David González Herrera - [DGHVoIP]":
I would like you to point me or tell me how I can create a fail-over or
high availability system so that when one of the DCs is down the other
takes over Auth tasks and obviously DNS.

I've thought a solution would be to make a slave BIND DNS on another
server and replicate the Samba zone and add appropriate NS and A
records to the main zone so that clients can query another DNS for the
zone and not fail as I faced yesterday. This is a production environment
scenario and I have many servers authenticating users against the Samba
server, so if this fails everything else does.

When you join a second DC to the AD (http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC), then the DNS part is also automatically replicated.
Alright, I have done that on the second DC, but using the internal DNS. I get this if I dig the zone.

root@bdc:~# dig @10.10.10.20 AXFR example.local

; <<>> DiG 9.9.2-P2 <<>> @10.10.10.20 AXFR example.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
root@bdc:~# dig @10.10.10.5 AXFR example.local

; <<>> DiG 9.9.2-P2 <<>> @10.10.10.5 AXFR example.local
; (1 server found)
;; global options: +cmd
example.local. 3600 IN SOA samba.example.local. hostmaster.example.local. 65 900 600 86400 0
example.local.         900     IN      NS      samba.example.local.
example.local.         900     IN      A       10.10.10.5
example.local.         900     IN      A       21x.xxx.xxx.xxx
example.local.         900     IN      A       10.10.10.20
example.local.         900     IN      A       10.10.10.15
example.local.         900     IN      A       192.168.5.5
bdc.example.local.     900     IN      A       10.10.10.20
bdc.example.local.     900     IN      A       192.168.5.5
w2k8.example.local.    1200    IN      A       10.10.10.15
samba.example.local.   900     IN      A       10.10.10.5
samba.example.local.   900     IN      A       21x.xxx.xxx.xxx
DGHPC.example.local.   1200    IN      AAAA    2002:505:5bd::505:5bd
DGHPC.example.local.   1200    IN      A       192.168.5.211
DGHPC.example.local.   1200    IN      A       5.5.5.189
_msdcs.example.local.  900     IN      NS      samba.example.local.
_gc._tcp.example.local. 900    IN      SRV     0 100 3268 samba.example.local.
_gc._tcp.example.local. 900    IN      SRV     0 100 3268 W2K8.example.local.
_gc._tcp.example.local. 900    IN      SRV     0 100 3268 bdc.example.local.
_ldap._tcp.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.example.local. 900  IN      SRV     0 100 389 W2K8.example.local.
_ldap._tcp.example.local. 900  IN      SRV     0 100 389 bdc.example.local.
_kpasswd._udp.example.local. 900 IN SRV 0 100 464 samba.example.local.
_kpasswd._udp.example.local. 900 IN    SRV     0 100 464 W2K8.example.local.
_kpasswd._udp.example.local. 900 IN    SRV     0 100 464 bdc.example.local.
_kpasswd._tcp.example.local. 900 IN SRV 0 100 464 samba.example.local.
_kpasswd._tcp.example.local. 900 IN    SRV     0 100 464 W2K8.example.local.
_kpasswd._tcp.example.local. 900 IN    SRV     0 100 464 bdc.example.local.
_kerberos._udp.example.local. 900 IN   SRV     0 100 88 samba.example.local.
_kerberos._udp.example.local. 900 IN   SRV     0 100 88 W2K8.example.local.
_kerberos._udp.example.local. 900 IN   SRV     0 100 88 bdc.example.local.
_kerberos._tcp.example.local. 900 IN   SRV     0 100 88 samba.example.local.
_kerberos._tcp.example.local. 900 IN   SRV     0 100 88 W2K8.example.local.
_kerberos._tcp.example.local. 900 IN   SRV     0 100 88 bdc.example.local.
ForestDnsZones.example.local. 900 IN   A       10.10.10.5
DomainDnsZones.example.local. 900 IN   A       10.10.10.5
_ldap._tcp.ForestDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.DomainDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 samba.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 W2K8.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 bdc.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 W2K8.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 bdc.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 samba.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 W2K8.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 bdc.example.local.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
example.local. 3600 IN SOA samba.example.local. hostmaster.example.local. 65 900 600 86400 0
;; Query time: 5 msec
;; SERVER: 10.10.10.5#53(10.10.10.5)
;; WHEN: Fri Jun 21 17:31:13 2013
;; XFR size: 50 records (messages 1, bytes 1886)

The zone looks good, so I guess the key is what you say about clients, whether they are services or real workstations. I guess that's my whole issue.

I really appreciate your help Marc, I was going crazy trying to add a slave server, and in fact I did.

Now I'd like to remove the public IP 21x.xxx.xxx.xxx from the zone. I use:

samba-tool dns delete samba.example.local example.local samba.example.local NS 21x.xxx.xxx.xxx -U Administrator
samba-tool dns delete samba.example.local example.local samba.example.local A 21x.xxx.xxx.xxx -U Administrator

They all succeed, but I keep seeing it when I dig the zone, as you can see in the previous dig.


As you already have a second DC, please check if Samba (or BIND) is listening on port 53 to answer DNS queries.

# netstat -taunp | grep ":53"

root@bdc:~# netstat -taunp | grep ":53"
tcp        0      0 0.0.0.0:53        0.0.0.0:*          LISTEN      12576/samba
tcp        0      0 10.10.10.20:1024  10.10.10.15:53882  ESTABLISHED 12576/samba
udp        0      0 0.0.0.0:53        0.0.0.0:*                      12576/samba


Then you only have to configure your clients to use the second machine as DNS server, too.
This is what concerns me the most, as for services such as Postfix/Dovecot and OpenVPN I was using the IP of the PDC, 10.10.10.5. Can I use "example.local" in my LDAP/AD clients' configuration? And will it work like round-robin DNS, so that if one server doesn't respond the other takes over?

What I'm looking for is redundancy.

There's nothing special you have to do here.

You can use BIND or the internal DNS on the other DCs. It doesn't need to be the same as on your first one.
Alright, I'll try that with my services and let you know what the results are.

Cheers


Regards,
Marc


--
David Gonzalez
DGHVoIP
USA:
MOBILE: +1.646.559.6200
COL: +57.1.382.6718
COL: +57.4.247.0985
URL: www.dghvoip.com
Skype: davidgonzalezh
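The fail-over question in this thread comes down to what the zone advertises: a client that locates DCs through the `_ldap._tcp` / `_kerberos._tcp` SRV records can only fall back to a DC that appears in those records and has an address record. The following checker is an added example, not code from the thread or from the Samba project. It parses `dig AXFR` output of the kind pasted above and reports, per SRV service, which DCs are listed, which SRV targets lack an A/AAAA record in the zone, and which DCs are missing from a given service's SRV set. The embedded zone is a constructed, cut-down sample in the same layout as the thread's dump (it deliberately omits an address record for one DC and leaves one site-specific record with a single target); the function names are my own.

```python
"""Report DC coverage in an AD DNS zone from a dig AXFR dump.

Added example (not from the thread or the Samba project). The sample zone
below is constructed to mirror the layout of the thread's AXFR output.
"""
from collections import defaultdict

# Constructed sample: same line shape as dig's AXFR output, not the real zone.
SAMPLE_AXFR = """\
; <<>> DiG 9.9.2-P2 <<>> @10.10.10.5 AXFR example.local
;; global options: +cmd
example.local. 3600 IN SOA samba.example.local. hostmaster.example.local. 65 900 600 86400 0
example.local.         900     IN      NS      samba.example.local.
example.local.         900     IN      A       10.10.10.5
example.local.         900     IN      A       10.10.10.20
bdc.example.local.     900     IN      A       10.10.10.20
samba.example.local.   900     IN      A       10.10.10.5
_ldap._tcp.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.example.local. 900  IN      SRV     0 100 389 W2K8.example.local.
_ldap._tcp.example.local. 900  IN      SRV     0 100 389 bdc.example.local.
_kerberos._tcp.example.local. 900 IN   SRV     0 100 88 samba.example.local.
_kerberos._tcp.example.local. 900 IN   SRV     0 100 88 bdc.example.local.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
;; Query time: 5 msec
"""


def parse_zone(text):
    """Parse dig AXFR output into (owner, rtype, rdata_fields) tuples.

    Comment lines (starting with ';') and blank lines are skipped. Owner
    names are lower-cased because DNS names are case-insensitive (the
    thread's zone mixes 'W2K8' and 'w2k8').
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not an "owner ttl IN type rdata" line
        records.append((fields[0].lower(), fields[3], fields[4:]))
    return records


def srv_targets(records):
    """Map each SRV owner name to a list of (target, priority, weight, port)."""
    out = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype == "SRV":
            prio, weight, port, target = rdata[:4]
            out[owner].append((target.lower(), int(prio), int(weight), int(port)))
    return dict(out)


def unresolvable_targets(records):
    """SRV targets that have no A/AAAA record inside the zone."""
    addressed = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    targets = {tgt for entries in srv_targets(records).values() for tgt, *_ in entries}
    return sorted(targets - addressed)


def missing_dcs(records):
    """For each SRV service, the DCs (union of all SRV targets) it does not list.

    A DC absent from a service's SRV set is never handed to clients that
    locate that service through DNS, so it provides no fail-over there.
    """
    services = srv_targets(records)
    all_dcs = {tgt for entries in services.values() for tgt, *_ in entries}
    gaps = {}
    for service, entries in services.items():
        listed = {tgt for tgt, *_ in entries}
        if all_dcs - listed:
            gaps[service] = sorted(all_dcs - listed)
    return gaps


def report(text):
    """Human-readable summary of the three checks above."""
    records = parse_zone(text)
    lines = []
    for service, entries in sorted(srv_targets(records).items()):
        targets = ", ".join(f"{t} (prio {p}, weight {w}, port {po})" for t, p, w, po in entries)
        lines.append(f"{service}: {targets}")
    lines.append(f"SRV targets without an address record: {unresolvable_targets(records)}")
    for service, dcs in sorted(missing_dcs(records).items()):
        lines.append(f"{service} is missing DCs: {dcs}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AXFR))
```

To run it against a live dump, pipe `dig @<dc-ip> AXFR <zone>` output into `report()` instead of `SAMPLE_AXFR`. A DC reported under "missing DCs" for `_ldap._tcp` or `_kerberos._tcp` will not be used by SRV-based clients even if it answers on port 53, which is the kind of gap the thread's netstat check alone does not reveal.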