"Resetting" a DC (and other stories)

Andrew Bartlett abartlet at samba.org
Wed Apr 25 06:17:01 MDT 2012

On Wed, 2012-04-25 at 11:56 +0100, Kev Latimer wrote:
> On 24/04/2012 17:57, Matthieu Patou wrote:
> > On 04/24/2012 01:15 AM, Kev Latimer wrote:
> >> Morning all,
> >>
> >> To cut a long story short, (I'm doing another post in a minute with 
> >> my actual problem), is there a way to get a DC to "forget" everything 
> >> it knows about AD and force it replicate from a nominated "known 
> >> good" DC?  In a sense, resetting it but without trying to 
> >> unjoin/rejoin the domain?  Delete sam.ldb or the contents of 
> >> sam.ldb.d/ for example?  I've a situation where replication has gone 
> >> a little awry I'd like to see if there's a quick way of just getting 
> >> a DC to start again...
> >>
> >> I've tried samba-tool drs replicate but that is throwing the error 
> >> I'm trying to clear...
> >
> >   --sync-forced         use SYNC_FORCED to force inbound replication
> >   --sync-all            use SYNC_ALL to replicate from all DCs
> >   --full-sync           resync all objects
> >
> >
> > Try --full-sync; also, maybe the best option is to rejoin?
> >
> > Matthieu.
> >
> >
> (Forgot to send to list - my bad...)
> Thanks Matthieu, that's pretty much what I was after.  Unfortunately, it 
> seems when I do either of those, the same error I'm trying to clear is 
> still causing problems.

What is that error?  Does 'samba-tool dbcheck --cross-ncs' help? 

> What is the correct procedure for rejoining?  I've tried to do a 
> "samba-tool domain demote" to relieve it of DC duties with the intention 
> of deleting the resultant computer account in the normal fashion but 
> that command just results in:
> root at olddc:/usr/local/samba# bin/samba-tool domain demote
> Using firstdc.tolent.local as partner server for the demotion
> Desactivating inbound replication
> Asking partner server firstdc.tolent.local to synchronize from us
> Changing userControl and container
> Error while demoting, re-enabling inbound replication
> ERROR(ldb): Error while changing account control - LDAP error 1 
> LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without 
> authentication> <>

You must specify -Uadministrator so it doesn't connect as anonymous.

> My next thought is to stop samba on olddc, remove /usr/local/samba, 
> reinstall and do a clean join - reading some earlier posts seem to 
> suggest this rejoin might just "take over" the role of olddc, as long as 
> it has the same name?

It should, but there will still be some references to the old DC.  I
would like to understand what your issue is, if you are able to help us
with that.


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org