Join a subdomain DC to a domain DC

Samba - General mailing list
Hello guys,

I work at an institution where the domain is institute.edu.br. We have a
main DNS that answers for the internal and external services that we have.

Firstly, the staff here configured Samba as domain institute.edu.br, but
this way it conflicts in the resolution of internal and external
service names, since Samba wants to respond to all requests and, even
after inserting a forward zone, it does not work.

I configured a new DC as a subdomain, because in this way Samba only
responds to its requests and forwards all the rest to the main DNS. It
became addc.institute.edu.br.

My question is whether there is any impediment to joining the subdomain to
the domain, transferring the FSMO roles and then demoting the old one?

--
Elias Pereira
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Join a subdomain DC to a domain DC

On Tue, 14 Nov 2017 16:05:52 -0200
Elias Pereira via samba <[hidden email]> wrote:

> Hello guys,
>
> I work at an institution where the domain is institute.edu.br. We
> have a main DNS that answers for the internal and external services
> that we have.
>
> Firstly, the staff here configured Samba as domain institute.edu.br,
> but this way it conflicts in the resolution of internal and
> external service names, since Samba wants to respond to all requests
> and, even after inserting a forward zone, it does not work.
>
> I configured a new DC as a subdomain, because in this way Samba only
> responds to its requests and forwards all the rest to the main DNS. It
> became addc.institute.edu.br.
>
> My question is whether there is any impediment to joining the
> subdomain to the domain, transferring the FSMO roles and then demoting
> the old one?
>

Does nobody read the Samba wiki ???

As far as I am aware, AD subdomains do not work correctly with Samba AD.
What you have done with the new DC is what you should have done in the
first place: create a subdomain of your main DNS domain and use this
for the AD DNS domain and realm.

I think you have two options here and I don't think you are going to
like either ;-)

Shut down your main DNS server and then use the Samba dns servers for
everything in the domain, or start again with your new DC and DNS
subdomain.

Rowland
 

Re: Join a subdomain DC to a domain DC

> Does nobody read the Samba wiki ???

What??? Samba has a wiki ??? *Bazinga *:D

> As far as I am aware, AD subdomains do not work correctly with Samba AD.
> What you have done with the new DC is what you should have done in the
> first place: create a subdomain of your main DNS domain and use this
> for the AD DNS domain and realm.

I have only just started this job and it was already set up this way. :(

> I think you have two options here and I don't think you are going to
> like either ;-)
>
> Shut down your main DNS server and then use the Samba dns servers for
> everything in the domain, or

I think this option is not viable!!!

> start again with your new DC and DNS
> subdomain.

DNS subdomain? Why?


--
Elias Pereira
Re: Join a subdomain DC to a domain DC

On Tue, 14 Nov 2017 20:07:38 -0200
Elias Pereira via samba <[hidden email]> wrote:

> > Does nobody read the Samba wiki ???
>
> What??? Samba has a wiki ??? *Bazinga *:D

Yes, you will find it here:

https://wiki.samba.org/index.php/Main_Page

> > As far as I am aware, AD subdomains do not work correctly with Samba
> > AD. What you have done with the new DC is what you should have done
> > in the first place: create a subdomain of your main DNS domain and
> > use this for the AD DNS domain and realm.
>
> I have only just started this job and it was already set up this way. :(

And you are left to pick up the pieces ;-)

> > I think you have two options here and I don't think you are going to
> > like either ;-)
> >
> > Shut down your main DNS server and then use the Samba dns servers
> > for everything in the domain, or
>
> I think this option is not viable!!!

Didn't think it was.

> > start again with your new DC and DNS subdomain.
>
> DNS subdomain? Why?

If your main domain is 'example.com' and you use 'ad.example.com' as a
dns subdomain of 'example.com', the Samba DC would be authoritative
for 'ad.example.com', the AD clients would use the DC as their
nameserver for the domain and anything unknown by the DC (google for
instance, or anything in the 'example.com' domain) would be forwarded
to the 'example.com' DNS server.

Rowland
 

Re: Join a subdomain DC to a domain DC

> If your main domain is 'example.com' and you use 'ad.example.com' as a
> dns subdomain of 'example.com', the Samba DC would be authoritative
> for 'ad.example.com', the AD clients would use the DC as their
> nameserver for the domain and anything unknown by the DC (google for
> instance, or anything in the 'example.com' domain) would be forwarded
> to the 'example.com' DNS server.

Ok. I get it now. That's exactly what I want to do. :D

I thought I could join this new DC with the old one, transfer the FSMO
roles and demote, but now you said that this is not viable. :(

The big problem is that we already have users in this DC and in addition
this DC is a fileserver too. Now it has got worse, hasn't it Rowland? :(


--
Elias Pereira
Re: Join a subdomain DC to a domain DC

On Tue, 14 Nov 2017 21:32:17 -0200
Elias Pereira <[hidden email]> wrote:

> > If your main domain is 'example.com' and you use 'ad.example.com' as a
> > dns subdomain of 'example.com', the Samba DC would be authoritative
> > for 'ad.example.com', the AD clients would use the DC as their
> > nameserver for the domain and anything unknown by the DC (google for
> > instance, or anything in the 'example.com' domain) would be forwarded
> > to the 'example.com' DNS server.
>
> Ok. I get it now. That's exactly what I want to do. :D
>
> I thought I could join this new DC with the old one, transfer the FSMO
> roles and demote, but now you said that this is not viable. :(
>
> The big problem is that we already have users in this DC and in
> addition this DC is a fileserver too. Now it has got worse, hasn't it
> Rowland? :(
>

I did say that you wouldn't like either option ;-)

You would have this problem if the DC was a Windows DC; whoever set up
the domain made a bad choice, as any AD DC that runs a DNS server must be
authoritative for the domain.

Rowland

Re: Join a subdomain DC to a domain DC

On Tue, 2017-11-14 at 16:05 -0200, Elias Pereira via samba wrote:

> Hello guys,
>
> I work at an institution where the domain is institute.edu.br. We have a
> main DNS that answers for the internal and external services that we have.
>
> Firstly, the staff here configured Samba as domain institute.edu.br, but
> this way it conflicts in the resolution of internal and external
> service names, since Samba wants to respond to all requests and, even
> after inserting a forward zone, it does not work.
>
> I configured a new DC as a subdomain, because in this way Samba only
> responds to its requests and forwards all the rest to the main DNS. It
> became addc.institute.edu.br.
>
> My question is whether there is any impediment to joining the subdomain to
> the domain, transferring the FSMO roles and then demoting the old one?

Sadly what you need is the ability to rename a Samba domain, and this
isn't something we support yet.

Sorry,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


Re: Join a subdomain DC to a domain DC

Thanks for the feedback too, Andrew!!!

I will analyze and verify the least impactful way to try to solve this
problem.


--
Elias Pereira
Re: Join a subdomain DC to a domain DC

I'm going to redo my infra using the subdomain.

As I've commented before, the file server is together with the DC. I'm
going to separate it, because I think it's a good practice.

My question is whether I could re-use the old DC, which already has an
integrated file server, for this purpose, or whether it is still better
to set up a new server and re-configure folders, shares, etc.?


--
Elias Pereira
Re: Join a subdomain DC to a domain DC

On Thu, 16 Nov 2017 16:59:13 -0200
Elias Pereira via samba <[hidden email]> wrote:

> I'm going to redo my infra using the subdomain.
>
> As I've commented before, the file server is together with the DC. I'm
> going to separate it, because I think it's a good practice.
>
> My question is whether I could re-use the old DC, which already has an
> integrated file server, for this purpose, or whether it is still better
> to set up a new server and re-configure folders, shares, etc.?
>

Whilst you can re-use the old DC as a fileserver, you should be aware
that if you provision another DC using a new DNS domain, it will be
precisely that, a new DC. This means that unless you have added
RFC2307 attributes to your users and groups in the old domain, they will
not get the same IDs in the new one.
You will have to change the old DNS domain to the new one.
You will also have to remove every trace of the old DC.

Rowland
 

Re: Join a subdomain DC to a domain DC

Yes, as I mentioned, I will use another dns domain. :)

The old domain was provisioned with the option --use-rfc2307. I believe
those are the attributes you mention? If so, can I migrate the users
to the new DC so that they have the same IDs?


--
Elias Pereira
Re: Join a subdomain DC to a domain DC

On Thu, 16 Nov 2017 18:51:19 -0200
Elias Pereira <[hidden email]> wrote:

> Yes, as I mentioned, I will use another dns domain. :)
>
> The old domain was provisioned with the option --use-rfc2307. I
> believe those are the attributes you mention? If so, can I
> migrate the users to the new DC so that they have the same IDs?
>

No, all '--use-rfc2307' does is give you the possibility of using
RFC2307 attributes, so if you didn't add anything to the user or
group objects in AD (with ADUC, for instance), then there is
every chance your users will get different xidNumbers on the new DC and
no chance of them being used on a Unix domain member.

Rowland
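Rowland's two points about RFC2307 attributes (a fresh provision hands out new xidNumbers, and `--use-rfc2307` alone adds nothing to the user objects) can be checked before the rebuild. The following is an added example, not code from the thread or from the Samba project; it assumes an LDIF dump produced by `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName uidNumber gidNumber objectSid`, reports which users carry a portable uidNumber, and builds `samba-tool user create` commands that reuse those IDs in the new domain (the `--uid-number`, `--gid-number` and `--random-password` options are those of `samba-tool user create`):

```python
"""Audit RFC2307 attributes (uidNumber/gidNumber) in a Samba AD user dump.
Added example; the input is LDIF as printed by ldbsearch against sam.ldb."""
import base64

# Constructed sample data (not real accounts) in ldbsearch's LDIF layout.
SAMPLE_LDIF = """\
# record 1
dn: CN=Alice Souza,CN=Users,DC=addc,DC=institute,DC=edu,DC=br
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105

dn: CN=Bob Lima,CN=Users,DC=addc,DC=institute,DC=edu,DC=br
sAMAccountName: bob
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106

dn: CN=Carla Dias,CN=Users,DC=addc,DC=institute,DC=edu,DC=br
sAMAccountName:: Y2FybGE=
uidNumber: 10003
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1107
"""


def parse_ldif(text):
    """Parse LDIF into one {attribute: [values]} dict per record; handles
    comments, folded continuation lines and 'attr:: base64' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:               # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if not line:
            if current:
                records.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return records


def audit(records):
    """Split users into those with portable RFC2307 IDs and those without;
    the latter only have an xidNumber in the old DC's local idmap.ldb."""
    report = {"portable": {}, "missing": [], "sids": {}}
    for rec in records:
        name = rec.get("sAMAccountName", [None])[0]
        if name is None:
            continue
        report["sids"][name] = rec.get("objectSid", [None])[0]
        uid = rec.get("uidNumber", [None])[0]
        gid = rec.get("gidNumber", [None])[0]
        if uid is None:
            report["missing"].append(name)
        else:
            report["portable"][name] = (int(uid), int(gid) if gid else None)
    return report


def recreate_commands(report):
    """samba-tool commands that recreate the portable users with the same Unix
    IDs; SIDs are not carried over and --random-password forces a new secret."""
    cmds = []
    for name, (uid, gid) in sorted(report["portable"].items()):
        cmd = f"samba-tool user create {name} --random-password --uid-number={uid}"
        if gid is not None:
            cmd += f" --gid-number={gid}"
        cmds.append(cmd)
    return cmds
```

Users listed under `missing` are the ones Rowland warns about: their only Unix ID is the old DC's local xidNumber, so they need a uidNumber assigned before or during the move.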

Re: Join a subdomain DC to a domain DC

In a nutshell, I will have to re-add all the users to the domain again. :(

Rowland, do you have any tips or best practices for doing that? Something
you would do if you came across an infrastructure like mine.


--
Elias Pereira
Re: Join a subdomain DC to a domain DC

On Fri, 17 Nov 2017 09:48:14 -0200
Elias Pereira <[hidden email]> wrote:

> In a nutshell, I will have to re-add all the users to the domain again. :(
>
> Rowland, do you have any tips or best practices for doing that? Something
> you would do if you came across an infrastructure like mine.
>

Yes, it is called the Samba wiki ;-)

https://wiki.samba.org/index.php/Main_Page

Any questions, please ask.

Rowland

Re: Join a subdomain DC to a domain DC

Thanks Rowland!


--
Elias Pereira
Re: Join a subdomain DC to a domain DC

On Fri, 2017-11-17 at 09:48 -0200, Elias Pereira via samba wrote:
> In a nutshell, I will have to re-add all the users to the domain again. :(

The Tranquil IT folks seem to have become pretty experienced at this.  

You really want to keep the SIDs the same.

In the long term I would love for Samba to support domain renames
directly, but it is a big job.  Less effort but still a fair chunk of
work is going via Windows and renaming it there (we currently fail to
replicate back domains with a non-zero epoch).

Sorry,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


Re: Join a subdomain DC to a domain DC

Andrew,

> You really want to keep the SIDs the same.

What is the best way to keep the same SIDs?

> In the long term I would love for Samba to support domain renames
> directly, but it is a big job.  Less effort but still a fair chunk of
> work is going via Windows and renaming it there (we currently fail to
> replicate back domains with a non-zero epoch).

Nice man!!! :D


--
Elias Pereira