"Resetting" a DC (and other stories)

Kev Latimer klatimer at tolent.co.uk
Wed Apr 25 06:24:53 MDT 2012

On 25/04/2012 13:17, Andrew Bartlett wrote:
> On Wed, 2012-04-25 at 11:56 +0100, Kev Latimer wrote:
>> On 24/04/2012 17:57, Matthieu Patou wrote:
>>> On 04/24/2012 01:15 AM, Kev Latimer wrote:
>>>> Morning all,
>>>> To cut a long story short, (I'm doing another post in a minute with
>>>> my actual problem), is there a way to get a DC to "forget" everything
>>>> it knows about AD and force it replicate from a nominated "known
>>>> good" DC?  In a sense, resetting it but without trying to
>>>> unjoin/rejoin the domain?  Delete sam.ldb or the contents of
>>>> sam.ldb.d/ for example?  I've a situation where replication has gone
>>>> a little awry I'd like to see if there's a quick way of just getting
>>>> a DC to start again...
>>>> I've tried samba-tool drs replicate but that is throwing the error
>>>> I'm trying to clear...
>>>    --sync-forced         use SYNC_FORCED to force inbound replication
>>>    --sync-all            use SYNC_ALL to replicate from all DCs
>>>    --full-sync           resync all objects
>>> Try --full-sync, also maybe the best is to rejoin ?
>>> Matthieu.
>> (Forgot to send to list - my bad...)
>> Thanks Matthieu, that's pretty much what I was after.  Unfortunately, it
>> seems when I do either of those, the same error I'm trying to clear is
>> still causing problems.
> What is that error?  Does 'samba-tool dbcheck --cross-ncs' help?
Sorry, I'd skipped to the end and rather than trying to unravel what I'd
done, I was just asking for the reset button :-)  As it happens, that
line you've given me may well help, I'll add them to a new thread to
keep topic sanity.
>> What is the correct procedure for rejoining?  I've tried to do a
>> "samba-tool domain demote" to relieve it of DC duties with the intention
>> of deleting the resultant computer account in the normal fashion but
>> that command just results in:
>> root at olddc:/usr/local/samba# bin/samba-tool domain demote
>> Using firstdc.tolent.local as partner server for the demotion
>> Desactivating inbound replication
>> Asking partner server firstdc.tolent.local to synchronize from us
>> Changing userControl and container
>> Error while demoting, re-enabling inbound replication
>> ERROR(ldb): Error while changing account control - LDAP error 1
>> LDAP_OPERATIONS_ERROR -<00002020: Operation unavailable without
>> authentication>  <>
> You must specify -Uadministrator so it doesn't connect as anonymous.
Ah, I already had a kerberos ticket and made an assumption it was using 
that - oops...
>> My next thought is to stop samba on olddc, remove /usr/local/samba,
>> reinstall and do a clean join - reading some earlier posts seem to
>> suggest this rejoin might just "take over" the role of olddc, as long as
>> it has the same name?
> It should, but there will still be some references to the old DC.  I
> would like to understand what your issue is, if you are able to help us
> with that.
> Thanks,
> Andrew Bartlett
No probs, I was going to create a fresh thread for that.  I was really 
looking for a quick fix but think the scenario might be interesting.
