Oh, and I forgot to state that in my case, during the IP update step, 5
records showed up needing manual post-processing:
Failed to find matching DNS entry A dc1.my.domain.tld [IP]
Failed to find matching DNS entry A my.domain.tld [IP]
Failed to find matching DNS entry A gc._msdcs.my.domain.tld [IP]
Failed to find matching DNS entry A DomainDnsZones.my.domain.tld [IP]
Failed to find matching DNS entry A ForestDnsZones.my.domain.tld [IP]
And a sixth one wasn't even mentioned:
"dc1._msdcs.bpn.tu-berlin.de"
wasn't updated either.
Ole
On 24.06.2016 12:49, Ole Traupe wrote:
> Hi all,
>
> thanks for all your replies!
>
> It finally went down very smoothly (once I discovered that a
> pre-installed fiber optics cable wasn't crossed properly, preventing
> some new switches in different rooms of our new lab building from
> stacking - like after 5 hours, you know ;).
>
> I followed James' advice and the two links he provided (at the bottom
> of this message). And mind that I am using Samba's internal DNS solution.
>
> 1. I physically moved the server (1st DC, FSMO role holder) to the new
> building (another class C sub-net) - a virtual machine on top of a
> Samba member (file) server.
>
> 2. After dealing with the physical file server's network settings, I
> altered the IP of the DC according to this link (I had read in some
> Microsoft links that it is advised to update the IP prior to moving
> over the DC; for whatever reason):
> https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC
> This link mentions some places where in the last step the IP actually
> has to be changed on the server (ifcfg-eth0, /etc/hosts) but does not
> explicitly name /etc/resolv.conf - might be added to the wiki.
>
> 3. I created the new site (the old one still is
> Default-First-Site-Name; I left it untouched - did not rename it or
> provide an explicit subnet) and moved over the DC (with RSAT,
> following this link):
> http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx
>
> As James advised (if I understood him correctly), I did NOT apply any
> changes to DNS structure reflecting this new site.
>
> 4. I updated the first DNS server entry on some machines manually, and
> on many clients via a GPO calling a script as suggested here (as I am
> using static IP settings):
> http://www.wincert.net/windows-server/set-dns-servers-via-gpo-server-2012-r2/
>
> Seems to work well.
>
> 5. I had to update the A record for the moved DC in the other DC's DNS
> database in order to get AD replication back online, as the other DC
> wasn't able to find the 1st DC, of course.
>
> 6. I had to adjust the IP settings for the rsync-based sysvol
> replication workaround.
>
> 7. I had to restart some of the clients on which I tested network
> shares on the moved file server to make them forget obsolete DNS
> knowledge.
>
> That's it, basically. Pretty straightforward. Of course, I had to
> temporarily recreate a small part of the old subnet on the new site to
> be able to use the RSAT tools (DNS, AD Sites and Services) on the 1st
> DC to perform some of the above steps.
>
> Ole
>
>
> On 24.06.2016 11:16, Rowland penny wrote:
>> On 23/06/16 16:21, Ole Traupe wrote:
>>> James, it took me a while, but now I am doing this. I created the
>>> new site with RSAT (want to move over my 1st DC), but this new site
>>> isn't showing in the DNS console. Do I have to create the new site
>>> there, as well?
>>>
>>> Ole
>>>
>>>
>>>
>>> On 25.04.2016 14:27, ***@gmail.com wrote:
>>>> On 4/22/2016 3:43 PM, Ole Traupe wrote:
>>>>> Hi Mathias, lingpanda101, thank you for the quick reply! Comments
>>>>> inline.
>>>>>
>>>>>
>>>>> On 22.04.2016 15:14, mathias dufresne wrote:
>>>>>> Hi Ole,
>>>>>>
>>>>>> A - If I read correctly you have only one DC and you want to move
>>>>>> from one network to another.
>>>>>>
>>>>>> To achieve that change you will have to change all A/AAAA records
>>>>>> in both your AD zones (root zone and _msdcs zone).
>>>>>> Once that is done you will have to change resolver configuration
>>>>>> on your clients so they can send DNS requests to the new IP.
>>>>>>
>>>>>> Can't see anything else. Nothing about AD site: AD sites are
>>>>>> linked to clients networks and clients networks do not change,
>>>>>> only DC network is changing.
>>>>>>
>>>>>> B - If I don't read correctly, you have several DCs. Move one DC to
>>>>>> the new network, change A and AAAA records related to that DC to
>>>>>> reflect the network change.
>>>>>> If you move one DC not used by clients as DNS server, no change
>>>>>> on client side.
>>>>>
>>>>> I have two DCs. The one with the FSMO roles is on the physical
>>>>> server to move. Unfortunately I don't have another host for this
>>>>> VM staying at the old place.
>>>>>
>>>>> Also, I will have a few clients at the new place soon, so I think
>>>>> a second site is the way to go? Sorry, I mentioned this only
>>>>> implicitly in "moving our lab". Is it possible to just transfer an
>>>>> existing DC to another site? By manually recreating all the records?
>>>>>
>>>>> The moving DC will definitely be used as first DNS server, as the
>>>>> second DC is on very old, potentially unreliable hardware. But
>>>>> changing the DNS server config on the clients is no big deal.
>>>>>
>>>>>
>>>>> In response to the message from lingpanda101:
>>>>>
>>>>> I was not talking about transferring the FSMO roles. Sorry if I
>>>>> had been unclear about that.
>>>>>
>>>>> In theory, I will have access to both networks from both places.
>>>>> In practice, the firewall settings initially are very restrictive.
>>>>> So I try not to forget anything in preparation. I have thought of...
>>>>> - all the ports samba regularly uses (including DNS requests)
>>>>> - rsync ports for sysvol replication
>>>>> - ...
>>>>>
>>>>> I would be very happy about the steps to create a new site and to
>>>>> transfer DC and some client records to it!
>>>>>
>>>>>
>>>>> Probably I will see for the file server integration first, while
>>>>> using the 2nd DC as fallback for DNS and logon. Once that works I
>>>>> deal with bringing the 1st DC back into the game.
>>>>>
>>>>>>
>>>>>> C - You are lazy and you have enough physical computers to play with.
>>>>>
>>>>> Yes and no. ;)
>>>>>
>>>>>> Just create a new DC on the new site, join it to the domain.
>>>>>> If then you want to remove old DC you will have to seize (or
>>>>>> transfer if it works) FSMO roles, change DNS configuration on
>>>>>> client side, but as that's a new DC you don't have to modify
>>>>>> A/AAAA records.
>>>>>>
>>>>>> IMPORTANT NOTE: with internal DNS you have only one SOA. SOA is
>>>>>> where DNS update goes. If you remove old SOA you must change SOA
>>>>>> record to assign it to a working DC. Without that no change in
>>>>>> your DNS zones will be possible for later use (DC moving from
>>>>>> site to site is the main point, auto-update pushed by DHCP or
>>>>>> clients won't work either).
>>>>>
>>>>> I followed the recent/ongoing discussion on that. With "DNS
>>>>> updates" you mean the clients automatically updating their
>>>>> records, right? Because I am pretty sure that with internal DNS I
>>>>> can make changes to DNS structure with RSAT on 2nd DC and it gets
>>>>> replicated to the 1st DC (SOA). Maybe the only issue with internal
>>>>> DNS is that the 2nd, 3rd etc. DC won't advertise themselves as
>>>>> SOA, and so automatic updates fail when the 1st DC is offline.
>>>>>
>>>>>>
>>>>>> 2016-04-22 13:44 GMT+02:00 Ole Traupe <***@tu-berlin.de
>>>>>> <mailto:***@tu-berlin.de>>:
>>>>>>
>>>>>> Hi List,
>>>>>>
>>>>>> I'll probably have to move my FSMO role owner to another site.
>>>>>> Like at the end of next week (depends on tight transportation
>>>>>> schedules). So there is no actual time for testing anything, I am
>>>>>> afraid.
>>>>>>
>>>>>> We are in the process of moving our lab, with our offices staying
>>>>>> in the old building for now (different class C subnets). The
>>>>>> physical machine is basically a file server (hosting DC1 as a VM)
>>>>>> which is particularly needed at the new site. Plus: Summer is
>>>>>> coming and the new site has cooling. Unfortunately, our university
>>>>>> techsup can't span a VLAN to merge these two sites. So I am trying
>>>>>> to figure out how to do it. In earlier discussions on DC failover
>>>>>> strategies I was suggested to have my DCs on different sites (with
>>>>>> different subnets), so I figure it being possible in general.
>>>>>>
>>>>>> The necessary steps likely include:
>>>>>> - modifying my current DNS config: create another site, move DC1
>>>>>> over, also the file server (AD member)
>>>>>> - update all the clients' 1st DNS server entries to reflect the
>>>>>> new IP of DC1 (and network share mappings)
>>>>>> - set some firewall rules allowing for logon and smb communication
>>>>>> etc.
>>>>>>
>>>>>> Samba is version 4.2.5 with internal DNS.
>>>>>>
>>>>>> Any advice, instructions, heads-up, warnings are very welcome!
>>>>>>
>>>>>> Best regards,
>>>>>> Ole
>>>>>>
>>>>>>
>>>>>>
>>>>>> -- To unsubscribe from this list go to the following URL
>>>>>> and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>>>>
>>>> Ole,
>>>>
>>>> Will you be using Microsoft RSAT to create the sites? If so do
>>>> follow this guide
>>>>
>>>> http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx
>>>>
>>>>
>>>> Will you be changing your IP of the domain controller? If so follow
>>>> this guide.
>>>>
>>>> https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC
>>>>
>>>> If using DHCP, give your clients the DNS IP of your new site DC.
>>>> That should be it.
>>>>
>>>>
>>>
>>>
>> Hi Ole, I don't know of any Samba howto, but there is a Microsoft one:
>>
>> https://technet.microsoft.com/en-us/library/cc794722%28v=ws.10%29.aspx
>>
>> Rowland
>>
>>
>
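A small post-move checker, added here and not part of the thread, for the situation Ole describes: it parses the "Failed to find matching DNS entry" lines from the IP update step into the record names that need manual attention, adds the extra _msdcs name the tool never listed, and reports every name whose A record still does not answer the new IP (or is missing). The resolver is an offline stand-in over constructed placeholder zone data; the domain, IPs and zone contents are assumptions, and a real deployment would swap in a query against the other DC.

```python
import re

# Lines of this shape came out of the thread's IP update step (domain/IP are the
# poster's redaction placeholders): "Failed to find matching DNS entry A dc1.my.domain.tld [IP]"
FAILED_RE = re.compile(r"Failed to find matching DNS entry (\S+) (\S+)")

def parse_failed_entries(output):
    """Return (record type, fqdn) for every 'Failed to find matching DNS entry' line."""
    return [(m.group(1), m.group(2).rstrip(".").lower())
            for m in map(FAILED_RE.search, output.splitlines()) if m]

def stale_a_records(names, new_ip, lookup):
    """Resolve each name via lookup() (None = no record); report those not answering new_ip.
    A missing record after a DC move breaks replication and logon just like a stale one."""
    stale = {}
    for name in names:
        answer = lookup(name) or "NXDOMAIN"
        if answer != new_ip:
            stale[name] = answer
    return stale

# Constructed sample data: placeholder addresses, not the poster's real ones.
OLD_IP, NEW_IP = "198.51.100.10", "192.0.2.10"
SAMPLE_OUTPUT = """\
Failed to find matching DNS entry A dc1.my.domain.tld [IP]
Failed to find matching DNS entry A my.domain.tld [IP]
Failed to find matching DNS entry A gc._msdcs.my.domain.tld [IP]
Failed to find matching DNS entry A DomainDnsZones.my.domain.tld [IP]
Failed to find matching DNS entry A ForestDnsZones.my.domain.tld [IP]
"""
# Assumed view of what the other DC's zone still answers after only the host record was fixed.
SAMPLE_ZONE = {"dc1.my.domain.tld": NEW_IP, "my.domain.tld": OLD_IP,
               "gc._msdcs.my.domain.tld": OLD_IP,
               "domaindnszones.my.domain.tld": NEW_IP,
               "forestdnszones.my.domain.tld": NEW_IP}
# The sixth name the poster found untouched; the update step never listed it.
EXTRA_NAMES = ("dc1._msdcs.my.domain.tld",)

def lookup_in(zone):
    """Offline stand-in for an A query against the other DC (swap in a real resolver)."""
    return lambda name: zone.get(name.lower())

def check_after_move(output=SAMPLE_OUTPUT, zone=SAMPLE_ZONE, new_ip=NEW_IP, extra=EXTRA_NAMES):
    """Collect A names from the failure lines plus extras; return those still missing new_ip."""
    names = [n for t, n in parse_failed_entries(output) if t == "A"] + [e.lower() for e in extra]
    return stale_a_records(names, new_ip, lookup_in(zone))
```

Run it after each manual fix until it returns an empty dict; the NXDOMAIN entry is the one the update tool's own output would never have shown you.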