Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On 31.12.2012 18:26, Rob Townley wrote:
> MS ADS utilities would demand restoring from backups for deleting DNS records.
>
> Assuming you are trying to have two different sites in the same domain, you would not want to delete DNS records at all, but change the DNS SRV record such that the remote site has a lower priority (higher number) and the local site has a better priority (lower number). In many computer systems, higher priority is represented by a lower number. Zero is often the highest priority.
>
> Weight is different than priority. More weight is represented by a higher number. You may want to leave weight alone because rfc2782 says WEIGHT zero is a special case. rfc2782 is a little confusing as to what weight zero implies. It also states the order of ResourceRecords returned matters in the selection process. Details are in the URLs below. I would recommend reading about PRIORITY and WEIGHT in 2782.
>
> http://en.wikipedia.org/wiki/SRV_record
> http://tools.ietf.org/html/rfc2782

Thank you for the explanation. I redid the site creation and renaming once again, this time I did not touch any DNS entry.

1. After the creation of the first DC

LDAP:

dn: DC=gsg,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local
msDs-masteredBy: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local
msDS-IsDomainFor: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local
masteredBy: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local

dn: CN=Infrastructure,DC=gsg,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local

dn: CN=RID Manager$,CN=System,DC=gsg,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local

dn: CN=SERVER-SITE1,OU=Domain Controllers,DC=gsg,DC=local
serverReferenceBL: CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local

DNS: gsg.local

_gc._tcp SRV 0 100 3268 server-site1.gsg.local
_kerberos._tcp SRV 0 100 88 server-site1.gsg.local
_kpasswd._tcp SRV 0 100 464 server-site1.gsg.local
_ldap._tcp SRV 0 100 389 server-site1.gsg.local
_kerberos._udp SRV 0 100 88 server-site1.gsg.local
_kpasswd._udp SRV 0 100 464 server-site1.gsg.local
_ldap._tcp.DomainDnsZones SRV 0 100 389 server-site1.gsg.local
_ldap._tcp.ForestDnsZones SRV 0 100 389 server-site1.gsg.local
_gc._tcp.Default-First-Site-Name._sites SRV 0 100 3268 server-site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites SRV 0 100 88 server-site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 389 server-site1.gsg.local
_ldap._tcp.Default-First-Site-Name._site.DomainDnsZones SRV 0 100 389 server-site1.gsg.local
_ldap._tcp.Default-First-Site-Name._site.ForestDnsZones SRV 0 100 389 server-site1.gsg.local

DNS: _msdc.gsg.local

_kerberos._tcp.dc SRV 0 100 88 server-site1.gsg.local
_ldap._tcp.dc SRV 0 100 389 server-site1.gsg.local
_ldap._tcp.gc SRV 0 100 3268 server-site1.gsg.local
_ldap._tcp.pdc SRV 0 100 389 server-site1.gsg.local
_ldap._tcp.[DOMAIN ID].domains SRV 0 100 389 server-site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc SRV 0 100 88 server-site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.dc SRV 0 100 389 server-site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gc SRV 0 100 3268 server-site1.gsg.local

2. Join server-site2, create site2 and move server-site2 into site2, assign subnets to both sites.

LDAP:

dn: DC=gsg,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local
msDs-masteredBy: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local
msDS-IsDomainFor: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local
masteredBy: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local
msDs-masteredBy: CN=NTDS Settings,CN=SERVER-SITE2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local
msDS-IsDomainFor: CN=NTDS Settings,CN=SERVER-SITE2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local
masteredBy: CN=NTDS Settings,CN=SERVER-SITE2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local

dn: CN=Infrastructure,DC=gsg,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=SERVER-SITE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gsg,DC=local

dn: CN=RID Manager$,CN=System,DC=gsg,DC=local
fSMORoleOwner: CN=NTDS
Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On 30.12.2012 02:03, Andrew Bartlett wrote:
> On Sat, 2012-12-29 at 13:38 +0100, Achim Gottinger wrote:
>> _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
>> _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
>> _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local
>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
>>
>> So there are no more (visible) entries left in
>>
>> Default-First-Site-Name._sites.gsg.local
>> Default-First-Site-Name._sites.gc._msdcs.gsg.local
>> Default-First-Site-Name._sites.dc._msdcs.gsg.local
>>
>> But the structure remains and can not be deleted (things like _tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to work at both sites but I'm curious if these leftovers can be completely removed.
>
> As you have noticed, we are very good at adding DNS records, but never remove the old ones. What you have done seems reasonable; if you have renamed the site, removing the remaining DNS references seems entirely reasonable. Please file a bug about the left-behind DNS stuff, we really should clean that up.
>
> Andrew Bartlett

Well, after some time and samba restarts the left-over structure elements had disappeared. I had to remove two records with samba-tool because they could not be accessed from the MS DNS snap-in.

samba-tool dns delete localhost gsg.local _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.gsg.local SRV server-site1.gsg.local. 389 0 100
samba-tool dns delete localhost gsg.local _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.gsg.local SRV server-site1.gsg.local. 389 0 100

Afterwards all appearances of Default-First-Site-Name disappeared. There remains however still an issue with the site-dependent SRV records of a server: if a server is moved to another site or a site gets renamed, the old SRV records for that server/site remain.

Achim Gottinger

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
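The remaining issue described in this message (site-scoped SRV records that outlive a DC move or a site rename) can be audited instead of hunted by hand in the snap-in. The following is an added example, not code from the thread or from Samba: a Python check over a constructed record dump in the thread's own "owner-name SRV target" notation, with a constructed DC-to-site mapping standing in for what serverReferenceBL shows in the directory.

```python
import re

# Constructed dump in the thread's notation, as the zone looked after
# server-site2 was moved from Default-First-Site-Name to site2.
RECORDS = """
_ldap._tcp.gsg.local SRV server-site1.gsg.local
_ldap._tcp.gsg.local SRV server-site2.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV server-site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV server-site2.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV server-site2.gsg.local
_ldap._tcp.site2._sites.gsg.local SRV server-site2.gsg.local
"""

# DC -> site, as serverReferenceBL would show it (constructed for the example)
AFTER_MOVE = {
    "server-site1.gsg.local": "Default-First-Site-Name",
    "server-site2.gsg.local": "site2",
}
# The same mapping after Default-First-Site-Name was renamed to site1
AFTER_RENAME = {
    "server-site1.gsg.local": "site1",
    "server-site2.gsg.local": "site2",
}

# Extracts the site label from owner names such as
#   _ldap._tcp.<site>._sites.gsg.local
#   _kerberos._tcp.<site>._sites.dc._msdcs.gsg.local
# and also accepts the "_site." spelling seen in the thread's dump.
SITE_RE = re.compile(r"^_[a-z]+\._(?:tcp|udp)\.([^.]+)\._sites?\.", re.I)


def parse_srv(dump):
    """Return (owner_name, target) pairs for the SRV lines of the dump."""
    records = []
    for line in dump.strip().splitlines():
        name, rtype, target = line.split()
        if rtype.upper() == "SRV":
            records.append((name, target))
    return records


def site_of(name):
    """Site label of a site-scoped SRV owner name, or None if domain-wide."""
    m = SITE_RE.match(name)
    return m.group(1) if m else None


def stale_site_records(records, dc_site):
    """Site-scoped SRV records that disagree with the directory.

    A record is stale when its site no longer exists (renamed) or when the
    target DC is registered in a different site (moved).  Returns
    (owner_name, target, reason) triples; domain-wide records are skipped.
    """
    known_sites = set(dc_site.values())
    stale = []
    for name, target in records:
        site = site_of(name)
        if site is None:
            continue
        if site not in known_sites:
            stale.append((name, target, "site %r no longer exists" % site))
        elif dc_site.get(target) != site:
            stale.append((name, target, "%s is now in site %r" % (target, dc_site.get(target))))
    return stale


if __name__ == "__main__":
    for label, mapping in (("after move", AFTER_MOVE), ("after rename", AFTER_RENAME)):
        print(label)
        for name, target, why in stale_site_records(parse_srv(RECORDS), mapping):
            print("  %s -> %s: %s" % (name, target, why))
```

Each reported triple maps directly onto a samba-tool dns delete invocation of the form used above; the domain-wide records are deliberately left alone since only the site-scoped ones go stale.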
Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On Sun, Dec 30, 2012 at 10:06 PM, Matthieu Patou <m...@samba.org> wrote:
> On 12/30/2012 07:10 PM, Achim Gottinger wrote:
>>> As you have noticed, we are very good at adding DNS records, but never remove the old ones. What you have done seems reasonable; if you have renamed the site, removing the remaining DNS references seems entirely reasonable. Please file a bug about the left-behind DNS stuff, we really should clean that up.
>>>
>>> Andrew Bartlett
>>
>> There is this menu option "cleanup old resource entries" in the DNS snap-in, guess it's normal AD behaviour. :-)
>
> No it's not, there is a KB about DNS server about how to clean old records that were set by a client via DDNS.
>
>> This does not yet work against a Samba4 AD DC. But I'll file a bug report.
>>
>>> I'm not 100% sure that we implement everything that is needed for a client to pick up the correct site, so you might see some issues still.
>>
>> It had happened in very seldom cases with the samba3/bind/openldap before. In the Samba4 test environment it happened only once after I had removed the mentioned SRV records pointing to site2's DC in site1 folders. I'll report back if it happens on a regular basis.
>>
>>>> As a last step I renamed the site Default-First-Site-Name into site1. Restarted the samba services at both sites, checked replication. But there are still a few DNS entries left which I deleted manually.
>>>
>>> It's really not a good idea to delete or rename the Default-First site, lots of Windows admins don't advise to do so, you'd better leave it empty.
>>>
>>> Matthieu
>>
>> So to be on the safe side you recommend I create two new sites and assign the two servers to them, leaving Default-First-Site-Name with no assigned server. I thought it is safer to leave the first server in that default site because I had read the sites thing is a work in progress. Renaming it was something I did after a bit of online research which mentioned it is safe and not forbidden. Besides the now empty structure elements in DNS the test environment is still working and functional.
>> http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2afc3cf5-7389-4368-bdeb-887e60c0081f
>>
>> Beside all that, for me samba4 is a great step forward and will simplify things a lot compared to the previous samba3/bind/openldap solution.
>
> Ok good to know.
>
> Matthieu.
> --
> Matthieu Patou
> Samba Team        http://samba.org

MS ADS utilities would demand restoring from backups for deleting DNS records.

Assuming you are trying to have two different sites in the same domain, you would not want to delete DNS records at all, but change the DNS SRV record such that the remote site has a lower priority (higher number) and the local site has a better priority (lower number). In many computer systems, higher priority is represented by a lower number. Zero is often the highest priority.

Weight is different than priority. More weight is represented by a higher number. You may want to leave weight alone because rfc2782 says WEIGHT zero is a special case. rfc2782 is a little confusing as to what weight zero implies. It also states the order of ResourceRecords returned matters in the selection process. Details are in the URLs below. I would recommend reading about PRIORITY and WEIGHT in 2782.

http://en.wikipedia.org/wiki/SRV_record
http://tools.ietf.org/html/rfc2782
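The priority and weight rules Rob refers to, as an added example that is not from the thread: a small Python implementation of the RFC 2782 target-selection algorithm, run over constructed SRV records for the two DCs in this thread. It shows why site1 clients land on server-site2 about half the time when both records are published as "0 100", and that giving the remote DC a numerically higher priority keeps it as a fallback only.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def order_targets(records, rng=None):
    """Order SRV records the way RFC 2782 tells a client to try them.

    Lower priority values are tried first.  Within one priority, targets are
    drawn at random in proportion to their weight; weight-0 records go to the
    front of the candidate list, so with running sum 0 they are only chosen
    when the random number is exactly 0 (the 'special case' in the RFC).
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # weight 0 first, per RFC 2782
        while group:
            total = sum(r.weight for r in group)
            threshold = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= threshold:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def first_choice_share(records, trials=2000, seed=1):
    """Fraction of lookups in which each target is the first one tried."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = order_targets(records, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return {t: n / trials for t, n in counts.items()}


# Constructed records for _ldap._tcp.gsg.local as the thread's zone published
# them: both DCs at priority 0 / weight 100, so a client in site1 picks the
# remote server-site2 about half the time.
AS_PUBLISHED = [
    SRV(0, 100, 389, "server-site1.gsg.local"),
    SRV(0, 100, 389, "server-site2.gsg.local"),
]

# Rob's suggestion: keep both records but give the remote DC a worse
# (numerically higher) priority, so it is only used if the local DC fails.
PREFER_LOCAL = [
    SRV(0, 100, 389, "server-site1.gsg.local"),
    SRV(10, 100, 389, "server-site2.gsg.local"),
]

if __name__ == "__main__":
    print("as published:", first_choice_share(AS_PUBLISHED))
    print("prefer local:", first_choice_share(PREFER_LOCAL))
```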
Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On 12/29/2012 04:38 AM, Achim Gottinger wrote:
> Hello,
>
> I'm running a few tests here with two locations.
>
> site1: server-site1.gsg.local  subnet 192.168.200.0/24
> site2: server-site2.gsg.local  subnet 192.168.190.0/24
>
> Both are connected via VPN.
>
> I migrated a samba3 domain at server-site1; it gets Default-First-Site-Name assigned. Then I joined the new samba4 domain with server-site2. Both servers work and I can join and access them with clients at both locations. I created reverse zones for both subnets and added the required static entries.
>
> Then I created a new site (name site2) and two subnets with MS AD Site Management. I assigned subnet 192.168.200.0/24 to the site Default-First-Site-Name and subnet 192.168.190.0/24 to the site site2. And moved server-site2 from Default-First-Site-Name to site2.
>
> Machines at site1 randomly picked server-site2 for logins. On site2 they always picked server-site2.

I'm not 100% sure that we implement everything that is needed for a client to pick up the correct site, so you might see some issues still.

> As a last step I renamed the site Default-First-Site-Name into site1. Restarted the samba services at both sites, checked replication. But there are still a few DNS entries left which I deleted manually.

It's really not a good idea to delete or rename the Default-First site, lots of Windows admins don't advise to do so, you'd better leave it empty.

Matthieu

--
Matthieu Patou
Samba Team        http://samba.org
Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
> As you have noticed, we are very good at adding DNS records, but never remove the old ones. What you have done seems reasonable; if you have renamed the site, removing the remaining DNS references seems entirely reasonable. Please file a bug about the left-behind DNS stuff, we really should clean that up.
>
> Andrew Bartlett

There is this menu option "cleanup old resource entries" in the DNS snap-in, guess it's normal AD behaviour. :-)

This does not yet work against a Samba4 AD DC. But I'll file a bug report.

> I'm not 100% sure that we implement everything that is needed for a client to pick up the correct site, so you might see some issues still.

It had happened in very seldom cases with the samba3/bind/openldap before. In the Samba4 test environment it happened only once after I had removed the mentioned SRV records pointing to site2's DC in site1 folders. I'll report back if it happens on a regular basis.

>> As a last step I renamed the site Default-First-Site-Name into site1. Restarted the samba services at both sites, checked replication. But there are still a few DNS entries left which I deleted manually.
>
> It's really not a good idea to delete or rename the Default-First site, lots of Windows admins don't advise to do so, you'd better leave it empty.
>
> Matthieu

So to be on the safe side you recommend I create two new sites and assign the two servers to them, leaving Default-First-Site-Name with no assigned server. I thought it is safer to leave the first server in that default site because I had read the sites thing is a work in progress. Renaming it was something I did after a bit of online research which mentioned it is safe and not forbidden. Besides the now empty structure elements in DNS the test environment is still working and functional.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2afc3cf5-7389-4368-bdeb-887e60c0081f

Beside all that, for me samba4 is a great step forward and will simplify things a lot compared to the previous samba3/bind/openldap solution.

Achim Gottinger
Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On 12/30/2012 07:10 PM, Achim Gottinger wrote:
>> As you have noticed, we are very good at adding DNS records, but never remove the old ones. What you have done seems reasonable; if you have renamed the site, removing the remaining DNS references seems entirely reasonable. Please file a bug about the left-behind DNS stuff, we really should clean that up.
>>
>> Andrew Bartlett
>
> There is this menu option "cleanup old resource entries" in the DNS snap-in, guess it's normal AD behaviour. :-)

No it's not, there is a KB about DNS server about how to clean old records that were set by a client via DDNS.

> This does not yet work against a Samba4 AD DC. But I'll file a bug report.
>
>> I'm not 100% sure that we implement everything that is needed for a client to pick up the correct site, so you might see some issues still.
>
> It had happened in very seldom cases with the samba3/bind/openldap before. In the Samba4 test environment it happened only once after I had removed the mentioned SRV records pointing to site2's DC in site1 folders. I'll report back if it happens on a regular basis.
>
>>> As a last step I renamed the site Default-First-Site-Name into site1. Restarted the samba services at both sites, checked replication. But there are still a few DNS entries left which I deleted manually.
>>
>> It's really not a good idea to delete or rename the Default-First site, lots of Windows admins don't advise to do so, you'd better leave it empty.
>>
>> Matthieu
>
> So to be on the safe side you recommend I create two new sites and assign the two servers to them, leaving Default-First-Site-Name with no assigned server. I thought it is safer to leave the first server in that default site because I had read the sites thing is a work in progress. Renaming it was something I did after a bit of online research which mentioned it is safe and not forbidden. Besides the now empty structure elements in DNS the test environment is still working and functional.
> http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2afc3cf5-7389-4368-bdeb-887e60c0081f
>
> Beside all that, for me samba4 is a great step forward and will simplify things a lot compared to the previous samba3/bind/openldap solution.

Ok good to know.

Matthieu.

--
Matthieu Patou
Samba Team        http://samba.org
[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
Hello,

I'm running a few tests here with two locations.

site1: server-site1.gsg.local  subnet 192.168.200.0/24
site2: server-site2.gsg.local  subnet 192.168.190.0/24

Both are connected via VPN.

I migrated a samba3 domain at server-site1; it gets Default-First-Site-Name assigned. Then I joined the new samba4 domain with server-site2. Both servers work and I can join and access them with clients at both locations. I created reverse zones for both subnets and added the required static entries.

Then I created a new site (name site2) and two subnets with MS AD Site Management. I assigned subnet 192.168.200.0/24 to the site Default-First-Site-Name and subnet 192.168.190.0/24 to the site site2. And moved server-site2 from Default-First-Site-Name to site2.

Machines at site1 randomly picked server-site2 for logins. On site2 they always picked server-site2. So I deleted a few DNS records.

_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
_gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site2.gsg.local

And after a samba restart also

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local

Afterwards machines at site1 also chose server-site1 most of the time. Hope I can optimize the behaviour of logon server choosing a bit more, but it happened really seldom and it all ran virtualized with 1GB bandwidth for the VPN connection, which will be 1-2MBit once in production.

As a last step I renamed the site Default-First-Site-Name into site1. Restarted the samba services at both sites, checked replication. But there are still a few DNS entries left which I deleted manually.

_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local

So there are no more (visible) entries left in

Default-First-Site-Name._sites.gsg.local
Default-First-Site-Name._sites.gc._msdcs.gsg.local
Default-First-Site-Name._sites.dc._msdcs.gsg.local

But the structure remains and can not be deleted (things like _tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to work at both sites but I'm curious if these leftovers can be completely removed.

Thanks in advance
Achim Gottinger
Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On Sat, 2012-12-29 at 13:38 +0100, Achim Gottinger wrote:
> Hello,
>
> I'm running a few tests here with two locations.
>
> site1: server-site1.gsg.local  subnet 192.168.200.0/24
> site2: server-site2.gsg.local  subnet 192.168.190.0/24
>
> Both are connected via VPN.
>
> I migrated a samba3 domain at server-site1; it gets Default-First-Site-Name assigned. Then I joined the new samba4 domain with server-site2. Both servers work and I can join and access them with clients at both locations. I created reverse zones for both subnets and added the required static entries.
>
> Then I created a new site (name site2) and two subnets with MS AD Site Management. I assigned subnet 192.168.200.0/24 to the site Default-First-Site-Name and subnet 192.168.190.0/24 to the site site2. And moved server-site2 from Default-First-Site-Name to site2.
>
> Machines at site1 randomly picked server-site2 for logins. On site2 they always picked server-site2. So I deleted a few DNS records.
>
> _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
> _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site2.gsg.local
>
> And after a samba restart also
>
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local
>
> Afterwards machines at site1 also chose server-site1 most of the time. Hope I can optimize the behaviour of logon server choosing a bit more, but it happened really seldom and it all ran virtualized with 1GB bandwidth for the VPN connection, which will be 1-2MBit once in production.
>
> As a last step I renamed the site Default-First-Site-Name into site1. Restarted the samba services at both sites, checked replication. But there are still a few DNS entries left which I deleted manually.
>
> _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
> _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
>
> So there are no more (visible) entries left in
>
> Default-First-Site-Name._sites.gsg.local
> Default-First-Site-Name._sites.gc._msdcs.gsg.local
> Default-First-Site-Name._sites.dc._msdcs.gsg.local
>
> But the structure remains and can not be deleted (things like _tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to work at both sites but I'm curious if these leftovers can be completely removed.

As you have noticed, we are very good at adding DNS records, but never remove the old ones. What you have done seems reasonable; if you have renamed the site, removing the remaining DNS references seems entirely reasonable. Please file a bug about the left-behind DNS stuff, we really should clean that up.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org