Multiple DC haven't HA on Windows


Samba - General mailing list
Hello,

I'm trying to replace a Windows Server 2003 DC that has problems with a
Samba 4 domain with HA.
The Linux client server seems to work fine even when the main DC/DNS server
fails, but as always, Windows clients do not... They are able to log in (maybe
using cached credentials), but the GPOs are not being applied...

I've checked the sysvol folder and both are synchronized and accessible
from the client computers. Also the DNS entries of the domain point to
both servers, and both servers are in the Windows DNS configuration.
The secondary DNS server seems to answer DNS requests, because internet is
working and it's able to resolve domain entries.
The FSMO also points to the secondary server, which was the main server until I
used the other as the main DNS.

How can I make HA for Windows clients?

Thanks and greetings!


--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Multiple DC haven't HA on Windows

Samba - General mailing list
This is how you should do it.

Can you post the /etc/hosts and resolv.conf
Samba uses?  Bind9_DLZ or internal DNS?
And the smb.conf of both servers.

If you use bind, also post the bind config.


Anonymize where needed.


Greetz,

Louis






Re: Multiple DC haven't HA on Windows

Samba - General mailing list
Hello, thanks for your response.

I'm using samba_internal as DNS because I don't want to add bind only to
relay the internal DNS.


The hosts file is clean on the srv2 DC (default localhost), and this is the
srv1 hosts file:
192.168.0.251    srv1.domain.com srv1


resolv.conf srv1:
domain domain
search domain.com
nameserver 192.168.0.251
nameserver 8.8.8.8


resolv.conf srv2:
nameserver 192.168.0.254
nameserver 8.8.8.8



smb.conf srv1 (just the one created by samba-tool, with a dns forwarder):
[global]
netbios name = SRV1
realm = DOMAIN.COM
workgroup = DOMAIN
server role = active directory domain controller
dns forwarder = 8.8.8.8

[netlogon]
path = /server/samba/data/var/locks/sysvol/domain.com/scripts
read only = No

[sysvol]
path = /server/samba/data/var/locks/sysvol
read only = No




smb.conf srv2 (same as above plus idmap_ldb:use rfc2307 = yes and bound
interfaces):
# Global parameters
[global]
netbios name = SRV2
realm = DOMAIN.COM
workgroup = DOMAIN
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 8.8.8.8

# Only users interfaces
bind interfaces only = yes
interfaces = eth0 eth0:0


[netlogon]
path = /server/samba/data/var/locks/sysvol/domain.com/scripts
read only = No

[sysvol]
path = /server/samba/data/var/locks/sysvol
read only = No


Greetings!!






--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________

Re: Multiple DC haven't HA on Windows

Samba - General mailing list
On Wed, 27 Sep 2017 17:05:31 +0200
Daniel Carrasco via samba <[hidden email]> wrote:

> Hello, thanks for your response.
>
> I'm using samba_internal as DNS because I don't want to add bind to
> only relay the internal DNS.

Can you expand on that ?

Your DC should be authoritative for the AD dns domain and your Domain
clients should use the DC for their DNS, anything outside the domain
should be forwarded to a DNS server outside the AD domain. This
should happen whether you use the 'internal' or 'Bind9' dns server.  

>
>
> The hosts file is clean on srv2 DC (default localhost), and this is
> the srv1 hosts:
> 192.168.0.251    srv1.domain.com srv1
>

This seems to be wrong, you should have the DC's IP, FQDN and
short hostname in it, and '127.0.0.1 localhost'.
From what you have posted, your /etc/hosts should be:

DC1:

127.0.0.1 localhost
192.168.0.251 srv1.domain.com srv1

DC2:

127.0.0.1 localhost
192.168.0.254 srv2.domain.com srv2

>
> resolv.conf srv1:
> domain domain
> search domain.com
> nameserver 192.168.0.251
> nameserver 8.8.8.8
>

You should remove the 'domain' line; it is ignored when followed by
the 'search' line.
You should replace the second nameserver with the IP of the second DC.

> resolv.conf srv2:
> nameserver 192.168.0.254
> nameserver 8.8.8.8
>

This should be similar to the other DC, just swap the nameserver lines.

Rowland

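The /etc/hosts and resolv.conf rules in Rowland's reply, turned into a small lint you can run on each DC. This is an added example, not code from the thread or from the Samba project; the sample file bodies are constructed from the values Daniel posted (srv1/srv2, 192.168.0.251 and .254, domain.com) and from Rowland's corrected version, and the function names and the "first nameserver is the DC itself" rule (implied by "just swap the nameserver lines") are my own reading of the advice.

```python
"""Lint a Samba DC's /etc/hosts and /etc/resolv.conf against the advice above.

Added example, not from the thread or the Samba project.  Rules encoded:
hosts maps 127.0.0.1 to localhost and the DC's own IP to its FQDN and short
name; resolv.conf searches the AD domain, lists the DC itself first and only
DCs as nameservers, and carries no 'domain' line next to 'search' (the later
keyword wins, so 'domain' is ignored).  DC names/IPs below are the anonymised
ones from the thread; the sample file bodies are constructed, not captured.
"""

DCS = {"srv1.domain.com": "192.168.0.251", "srv2.domain.com": "192.168.0.254"}

# Constructed from what Daniel posted for srv1, and from Rowland's corrected version.
SRV1_HOSTS_POSTED = "192.168.0.251    srv1.domain.com srv1\n"
SRV1_RESOLV_POSTED = ("domain domain\nsearch domain.com\n"
                      "nameserver 192.168.0.251\nnameserver 8.8.8.8\n")
SRV1_HOSTS_FIXED = "127.0.0.1 localhost\n192.168.0.251 srv1.domain.com srv1\n"
SRV1_RESOLV_FIXED = ("search domain.com\n"
                     "nameserver 192.168.0.251\nnameserver 192.168.0.254\n")


def _lines(text):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields


def parse_hosts(text):
    """Return {hostname: ip} for every name in an /etc/hosts body."""
    names = {}
    for ip, *hostnames in _lines(text):
        for h in hostnames:
            names[h] = ip
    return names


def parse_resolv(text):
    """Return nameserver list, search list and domain value of a resolv.conf body."""
    conf = {"nameserver": [], "search": [], "domain": None}
    for key, *vals in _lines(text):
        if key == "nameserver" and vals:
            conf["nameserver"].append(vals[0])
        elif key == "search":
            conf["search"] = vals
        elif key == "domain" and vals:
            conf["domain"] = vals[0]          # last of domain/search wins in glibc
    return conf


def lint_dc(fqdn, hosts_text, resolv_text, dcs=DCS):
    """Return a list of findings; an empty list means the DC matches the advice."""
    findings = []
    short, realm = fqdn.split(".", 1)
    own_ip = dcs[fqdn]

    hosts = parse_hosts(hosts_text)
    if hosts.get("localhost") != "127.0.0.1":
        findings.append("hosts: missing '127.0.0.1 localhost'")
    for name in (fqdn, short):
        if hosts.get(name) != own_ip:
            findings.append(f"hosts: {name} should map to {own_ip}, found {hosts.get(name)}")

    conf = parse_resolv(resolv_text)
    if conf["domain"] is not None and conf["search"]:
        findings.append("resolv.conf: 'domain' line is ignored when a 'search' line "
                        "is present; remove it")
    if realm not in conf["search"]:
        findings.append(f"resolv.conf: search list should include {realm}")
    if not conf["nameserver"]:
        findings.append("resolv.conf: no nameserver lines")
    elif conf["nameserver"][0] != own_ip:
        findings.append(f"resolv.conf: first nameserver should be this DC ({own_ip})")
    for ns in conf["nameserver"]:
        if ns not in dcs.values():
            findings.append(f"resolv.conf: nameserver {ns} is not a DC; "
                            "use the other DC's IP instead")
    return findings


if __name__ == "__main__":
    for label, h, r in (("posted", SRV1_HOSTS_POSTED, SRV1_RESOLV_POSTED),
                        ("fixed", SRV1_HOSTS_FIXED, SRV1_RESOLV_FIXED)):
        print(label, lint_dc("srv1.domain.com", h, r) or ["ok"])
```

Run it on a real DC by passing `open("/etc/hosts").read()` and `open("/etc/resolv.conf").read()` to `lint_dc` with that DC's FQDN; the posted srv1 files produce three findings (no localhost line, a redundant `domain` line, and 8.8.8.8 as a nameserver) and Rowland's corrected files produce none.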

Re: Multiple DC haven't HA on Windows

Samba - General mailing list
Thanks Rowland.

2017-09-27 17:49 GMT+02:00 Rowland Penny via samba <[hidden email]>:

> On Wed, 27 Sep 2017 17:05:31 +0200
> Daniel Carrasco via samba <[hidden email]> wrote:
>
> > Hello, thanks for your response.
> >
> > I'm using samba_internal as DNS because I don't want to add bind to
> > only relay the internal DNS.
>
> Can you expand on that ?
>

If samba_internal can manage the DNS names and send unknown requests
outside, I don't want to add more daemons to the server like, for example,
Bind9, so I'm just using the internal DNS alone.


>
> Your DC should be authoritative for the AD dns domain and your Domain
> clients should use the DC for their DNS, anything outside the domain
> should be forwarded to a DNS server outside the AD domain. This
> should happen whether you use the 'internal' or 'Bind9' dns server.
>

I'm a bit new to Windows domains. How can I check if the DC is
authoritative?
I know that both servers answer DNS requests and both are synchronized
(if I edit a DNS entry on srv1, srv2 receives the change), and both send
outside requests to Google DNS (dns forwarder = 8.8.8.8).
If I ask for the DNS entry of the domain name I get both servers' addresses
(dig domain.com).

Clients have both servers as DNS servers. SRV2 is the main DNS server and
SRV1 is the secondary server. When the main DNS server is down, the
secondary starts to work (at least internet works).


>
> >
> >
> > The hosts file is clean on srv2 DC (default localhost), and this is
> > the srv1 hosts:
> > 192.168.0.251    srv1.domain.com srv1
> >
>
> This seems to be wrong, you should have the DCs IP and FQDN
> shorthostname in it and '127.0.0.1 localhost'
> From what you have posted, your /etc/hosts should be:
>
> DC1:
>
> 127.0.0.1 localhost
> 192.168.0.251   srv1.domain.com srv1
>
> DC2:
>
> 127.0.0.1 localhost
> 192.168.0.254   srv2.domain.com srv2
>
> >
> > resolv.conf srv1:
> > domain domain
> > search domain.com
> > nameserver 192.168.0.251
> > nameserver 8.8.8.8
> >
>
> You should remove the 'domain' line, this is ignored when followed by
> the 'search' line
> You should replace the second nameserver with the IP of the second DC
>
> > resolv.conf srv2:
> > nameserver 192.168.0.254
> > nameserver 8.8.8.8
> >
>
> This should be similar to the other DC, just swap the nameserver lines.
>
> Rowland

I take note. I'll make the changes to see how it works.

Thanks again and greetings!!

--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________

Re: Multiple DC haven't HA on Windows

Samba - General mailing list
On Wed, 27 Sep 2017 18:18:19 +0200
Daniel Carrasco via samba <[hidden email]> wrote:

> Thanks Rowland.
>
> 2017-09-27 17:49 GMT+02:00 Rowland Penny via samba
> <[hidden email]>:
>
> > On Wed, 27 Sep 2017 17:05:31 +0200
> > Daniel Carrasco via samba <[hidden email]> wrote:
> >
> > > Hello, thanks for your response.
> > >
> > > I'm using samba_internal as DNS because I don't want to add bind
> > > to only relay the internal DNS.
> >
> > Can you expand on that ?
> >
>
> If samba_internal can manage the dns names and send the unknown
> requests to outside I don't want to add more damons to the server
> like for example Bind9, then I'm just using the internal dns alone.

OK, I thought you may have been using the other DNS server rather than
the AD DC.

>
>
> >
> > Your DC should be authoritative for the AD dns domain and your
> > Domain clients should use the DC for their DNS, anything outside
> > the domain should be forwarded to a DNS server outside the AD
> > domain. This should happen whether you use the 'internal' or
> > 'Bind9' dns server.
> >
>
> I'm a bit new on Windows Domains. How I can check if the DC is
> authoritative?.
> I know that both servers answers to dns requests and both are
> synchronized (if I edit a DNS entrie on srv1, srv2 receives the
> change), and both sends the outside requests to google dns (dns
> forwarder = 8.8.8.8). If I ask the dns entry for the domain name I
> got both servers addresses (dig domain.com).
>
> Clients have both servers as DNS servers. SRV2 is the main dns server
> and SRV1 is the secondary server. When main DNS server is down then
> the secondary starts to work (at least internet works).

Don't worry, if your domain clients are using a Samba DC as their dns
server, then the DC is authoritative.
 
