Need urgent help with samba4 DC re-join
Andrew Bartlett
abartlet at samba.org
Fri Jul 13 20:29:15 MDT 2012
On Fri, 2012-07-13 at 08:09 +0200, Andreas Oster wrote:
> On 03.07.2012 00:32, Andrew Bartlett wrote:
> > On Mon, 2012-07-02 at 20:00 +0200, Andreas Oster wrote:
> >
> >> Hello Andrew,
> >>
> >> as I have written, I have managed to restore the system to the state
> >> before my disastrous attempt to demote my BDC (novadc02). Currently both
> >> servers operate normally but still the problems with objectClass and
> >> objectCategory of the DomainDnsZones and ForestDnsZones exist.
> >>
> >> Would it make sense to, after taking a proper backup, demote the second
> >> DC again or should the faulty DB entries be fixed first?
> >
> > I've been thinking over this, and the reason for the slow replies is
> > that the situation isn't easy to fix. Somehow (and I would like to
> > understand how), the instanceType in your DNS partition on the master is
> > set not to include the WRITE bit. This causes the repl_meta_data
> > message you see.
> >
> > However, I'm pretty sure 'fixing' the instanceType bit would be
> > prohibited by the objectclass module, enforcing the broken schema.
> >
> > Given all that, it seems the 'safe' way to fix it is to correct the
> > instanceType based on the msDS-hasMasterNCs attribute in a dbcheck
> > routine, setting various flags to bypass checking for this specific
> > change, but I've not written that yet.
> >
> > Sorry,
> >
> > Andrew Bartlett
> >
> Hello Andrew,
>
> did you have a chance to do something regarding the dbcheck enhancement
> to fix the broken schema of my samba4 installation?
>
> Thank you for your kind help
Not yet, sorry. Please keep reminding me. If someone else wants to
take on the task, the dbcheck.py changes needed are:
- for every haveMasterNCs in an ntDsa object
- confirm that the instanceType attribute on the pointed-at schema has
  the writable flag set. If not, set it.
While doing that, an additional task will be to fill out the
msDS-HasInstantiatedNCs attributes so the 'binary' part of the BINARY+DN
matches the (perhaps newly revised) instanceType.
e.g.
msDS-HasInstantiatedNCs: B:8:0000000D:${CONFIGDN}
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
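
The check outlined in the message above, as an added example that is not part of the original post and is not Samba's dbcheck.py. It assumes plain dicts in place of LDB records, reads the NC list from msDS-hasMasterNCs, and uses constructed sample DNs and instanceType values; the function names are hypothetical.

```python
# Added illustration: plain dicts stand in for LDB records (assumption).
# instanceType bit values as defined for Active Directory.
INSTANCE_TYPE_IS_NC_HEAD = 0x01
INSTANCE_TYPE_WRITE = 0x04
INSTANCE_TYPE_NC_ABOVE = 0x08


def binary_dn(instance_type, dn):
    """Format a BINARY+DN value: B:<hex char count>:<hex>:<DN>."""
    hexval = "%08X" % instance_type
    return "B:%d:%s:%s" % (len(hexval), hexval, dn)


def check_master_ncs(ntdsa, nc_heads, fix=False):
    """Verify the WRITE bit on every NC the ntDSA object claims to master.

    ntdsa    -- dict with 'msDS-hasMasterNCs' (list of NC DNs)
    nc_heads -- dict mapping NC DN -> {'instanceType': int}
    Returns (findings, instantiated): findings lists (DN, reason) pairs,
    instantiated is the recomputed msDS-HasInstantiatedNCs value list.
    """
    findings, instantiated = [], []
    for dn in ntdsa["msDS-hasMasterNCs"]:
        head = nc_heads.get(dn)
        if head is None:
            # Dangling reference: report it, do not invent a record.
            findings.append((dn, "missing NC head"))
            continue
        itype = head["instanceType"]
        if not itype & INSTANCE_TYPE_WRITE:
            findings.append((dn, "instanceType 0x%X lacks WRITE" % itype))
            if fix:
                itype |= INSTANCE_TYPE_WRITE
                head["instanceType"] = itype
        # The binary part must match the (possibly revised) instanceType.
        instantiated.append(binary_dn(itype, dn))
    return findings, instantiated


# Constructed sample data; example.com is a placeholder domain.
CONFIG = "CN=Configuration,DC=example,DC=com"
DNSZONE = "DC=DomainDnsZones,DC=example,DC=com"
SAMPLE_NTDSA = {"msDS-hasMasterNCs": [CONFIG, DNSZONE]}
SAMPLE_HEADS = {
    CONFIG: {"instanceType": 0x0D},   # NC head + WRITE + NC above
    DNSZONE: {"instanceType": 0x09},  # constructed: WRITE bit missing
}

if __name__ == "__main__":
    print(check_master_ncs(SAMPLE_NTDSA, SAMPLE_HEADS, fix=True))
```

Running with fix=False first gives a report-only pass, which is the safer order on a production directory after a backup.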