[Samba] How to Migrate Samba AD from one server to another

Paul R. Ganci ganci at nurdog.com
Mon Oct 3 01:57:20 UTC 2016



On 10/02/2016 06:15 PM, Paul R. Ganci via samba wrote:
> On 09/11/2016 10:38 AM, Paul R. Ganci via samba wrote:
>
>> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
>> Rowland, thanks for your reply. What you describe is pretty simple in 
>> principle. It is the details about which I am confused. There are 3 
>> aspects of a Samba 4 AD that have to be properly setup for the AD to 
>> function correctly. Namely the Samba configuration, Kerberos and DNS. 
>> If any of these are incorrectly configured the AD will not function. 
>> So here are my questions regarding the details of what you describe.
>> <snip>
>> 6.) Transfer FSMO roles
>>
>> 7.) Demote old DC
>>
> So I successfully moved the DC to another server. However when I try 
> to demote the old DC I get this error.
>
> nikita> samba-tool domain demote -Uadministrator
> Using nureyev.myhome.example.com as partner server for the demotion
> Password for [MYHOME\administrator]:
> Deactivating inbound replication
> Asking partner server nureyev.myhome.example.com to synchronize from us
> Changing userControl and container
> Error while demoting, re-enabling inbound replication
> ERROR(<type 'exceptions.RuntimeError'>): Error while sending a 
> removeDsServer of 
> CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com: 
> - (31, 'WERR_GENERAL_FAILURE')
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", 
> line 921, in run
>     drsuapiBind.DsRemoveDSServer(drsuapi_handle, 1, req1)
>
> Does anyone have a clue as to why I cannot demote the old DC? I am at 
> a loss as to what is wrong. All the FSMO transferred properly to the 
> new server. I did sync the sysvol so I am not sure what happened here 
> because everything was good at one point. What I am finding now is 
> that on what I want to be the PDC I have this:
>
> > samba-tool drs showrepl
> Default-First-Site-Name\NUREYEV
> DSA Options: 0x00000001
> DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
> DSA invocationId: 0fcda6bb-9435-4852-ac8d-660af8443d34
>
> ==== INBOUND NEIGHBORS ====
>
> ==== OUTBOUND NEIGHBORS ====
>
> ==== KCC CONNECTION OBJECTS ====
>
>
> But on the old DC that I want to demote I have this:
> > samba-tool drs showrepl
> Default-First-Site-Name\NIKITA
> DSA Options: 0x00000001
> DSA object GUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
> DSA invocationId: c47710e7-8649-4c2f-bf82-f26c8d23effc
>
> ==== INBOUND NEIGHBORS ====
>
> DC=DomainDnsZones,DC=myhome,DC=example,DC=com
>     Default-First-Site-Name\NUREYEV via RPC
>         DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
>         Last attempt @ Sun Oct  2 18:10:24 2016 MDT failed, result 2 
> (WERR_BADFILE)
>         301 consecutive failure(s).
>         Last success @ NTTIME(0)
> <snip>
>
> Any suggestions as how to debug/fix this problem so I can demote the 
> old DC?
>
So I discovered that on the new DC it appears an NTDS record is missing. 
On DC nikita.myhome.example.com

 > ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# record 2
dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a

# returned 2 records
# 2 entries
# 0 referrals

but on the new DC nureyev.myhome.example.com:

 > ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# returned 1 records
# 1 entries
# 0 referrals

How is it that one of the entries is now missing? Is there some way to 
fix this problem? It appears that the new DC server object is there 
and known by both DCs but the old DC object is missing from the new DC 
server?
-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
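The comparison Paul does by eye above (run the same ldbsearch on every DC and see which NTDS Settings objects each one knows about) is worth scripting before any demote, because samba-tool's removeDsServer can only succeed on a partner that actually holds the old DC's DSA object. The following is an added example, not code from the post or from the Samba project: it parses captured ldbsearch output (LDIF, including folded continuation lines) and reports every DSA that at least one DC lists but another lacks. The two sample outputs are constructed from the listings in the post; the function names and the `SAMPLES` dictionary are this example's own.

```python
"""Cross-check the NTDS Settings (DSA) inventory of several Samba AD DCs.

Added example, not code from the samba list post or the Samba project.
Capture on each DC (command taken from the post):

    ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' \
        --cross-ncs objectguid > <dcname>.ldif

then feed the captured texts to find_missing().
"""
import re

# Constructed sample input: the two listings from the post, written as
# ldbsearch really emits them (LDIF, long lines folded with a leading space).
NIKITA_LDIF = """\
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# record 2
dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a

# returned 2 records
# 2 entries
# 0 referrals
"""

NUREYEV_LDIF = """\
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# returned 1 records
# 1 entries
# 0 referrals
"""

# Hypothetical mapping "DC that answered" -> its ldbsearch output.
SAMPLES = {"nikita": NIKITA_LDIF, "nureyev": NUREYEV_LDIF}

# DN of an NTDS Settings object: captures the server name and the site name.
DSA_DN_RE = re.compile(
    r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,", re.IGNORECASE
)


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {dn: {attribute: value}} for every record in ldbsearch output.

    '#' comment lines (record counters etc.) are skipped; a blank line ends
    a record. Only the single-valued, plain-text attributes this check needs
    are handled (no base64 '::' values).
    """
    entries, record = {}, {}
    for line in unfold(text) + [""]:  # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in record:
                entries[record["dn"]] = record
            record = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        record[attr.strip()] = value.strip()
    return entries


def dsa_inventory(text):
    """{objectGUID: (server, site)} for each NTDS Settings object in one DC's output."""
    inventory = {}
    for dn, attrs in parse_ldif(text).items():
        match = DSA_DN_RE.match(dn)
        if match and "objectGUID" in attrs:
            inventory[attrs["objectGUID"].lower()] = (match.group(1), match.group(2))
    return inventory


def find_missing(outputs):
    """outputs: {dc_name: ldbsearch text}.

    Returns a sorted list of (dc_that_lacks_it, server_name, objectGUID) for
    every DSA object known to at least one DC but absent from another. An
    empty list means all DCs agree on the set of DSAs.
    """
    inventories = {dc: dsa_inventory(text) for dc, text in outputs.items()}
    union = {}
    for inventory in inventories.values():
        union.update(inventory)
    missing = []
    for dc, inventory in inventories.items():
        for guid, (server, _site) in union.items():
            if guid not in inventory:
                missing.append((dc, server, guid))
    return sorted(missing)


if __name__ == "__main__":
    for dc, server, guid in find_missing(SAMPLES):
        print("%s has no NTDS Settings object for %s (%s)" % (dc, server, guid))
```

Run against the two captures from the post it reports that nureyev holds no NTDS Settings object for NIKITA, which is exactly the condition under which `DsRemoveDSServer` on the partner has nothing to remove. A DC that does not even list its own DSA, or one showing a GUID nobody else knows, would show up the same way and is worth resolving (or re-joining the DC) before retrying the demote.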


