Need urgent help with samba4 DC re-join

Andrew Bartlett abartlet at samba.org
Mon Jul 16 19:17:55 MDT 2012


On Sat, 2012-07-14 at 08:07 +0200, Andreas Oster wrote:
> On 14.07.2012 04:29, Andrew Bartlett wrote:
> > On Fri, 2012-07-13 at 08:09 +0200, Andreas Oster wrote:
> >> On 03.07.2012 00:32, Andrew Bartlett wrote:
> >>> On Mon, 2012-07-02 at 20:00 +0200, Andreas Oster wrote:
> >>>
> >>>> Hello Andrew,
> >>>>
> >>>> as I have written, I have managed to restore the system to the state
> >>>> before my disastrous attempt to demote my BDC (novadc02). Currently both
> >>>> servers operate normally but still the problems with objectClass and
> >>>> objectCategory of the DomainDnsZones and ForestDnsZones exist.
> >>>>
> >>>> Would it make sense to, after taking a proper backup, demote the second
> >>>> DC again or should the faulty DB entries be fixed first?
> >>>
> >>> I've been thinking over this, and the reason for the slow replies is
> >>> that the situation isn't easy to fix.  Somehow (and I would like to
> >>> understand how), the instanceType in your DNS partition on the master is
> >>> set not to include the WRITE bit.  This causes the repl_meta_data
> >>> message you see.
> >>>
> >>> However, I'm pretty sure 'fixing' the instanceType bit would be
> >>> prohibited by the objectclass module, enforcing the broken schema.  
> >>>
> >>> Given all that, it seems the 'safe' way to fix it is to correct the
> >>> instanceType based on the msDS-hasMasterNCs attribute in a dbcheck
> >>> routine, setting various flags to bypass checking for this specific
> >>> change, but I've not written that yet. 
> >>>
> >>> Sorry,
> >>>
> >>> Andrew Bartlett
> >>>
> >> Hello Andrew,
> >>
> >> did you have a chance to do something regarding the dbcheck enhancement
> >> to fix the broken schema of my samba4 installation?
> >>
> >> Thank you for your kind help
> > 
> > Not yet, sorry.  Please keep reminding me.  If someone else wants to
> > take on the task, the dbcheck.py changes needed are:
> >  - for every haveMasterNCs in an ntDsa object
> >  - confirm that the instanceType attribute on the pointed-at schema has
> > the writable flag set.  If not, set it. 
> > 
> > While doing that, an additional task will be to fill out the
> > msDS-HasInstantiatedNCs attributes so the 'binary' part of the BINARY+DN
> > matches the (perhaps newly revised) instanceType. 
> > 
> > eg
> > msDS-HasInstantiatedNCs: B:8:0000000D:${CONFIGDN}
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> > 
> Hello Andrew,
> 
> thank you for the update.

Attached is a patch for the first part of this.  KEEP GOOD BACKUPS (and
run this on a backup).  

I'll get to the second part of this soon, but if you can let me know if
this lets you fix things, it would be most helpful. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s4-dbcheck-Check-for-and-correct-incorrect-instanceT.patch
Type: text/x-patch
Size: 5284 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120717/44b09636/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-dsdb-Allow-dbcheck-to-correct-an-incorrect-instan.patch
Type: text/x-patch
Size: 1267 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120717/44b09636/attachment-0001.bin>
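
The two dbcheck steps described in the message above, as an added example (this is not the attached patch and not Samba's dbcheck.py). It works on plain dictionaries rather than a live sam.ldb; the function names and the example.com DNs are assumptions made for illustration, and the bit values are the standard Active Directory instanceType flags.

```python
import re

# instanceType bit values as defined for Active Directory (MS-ADTS).
IT_NC_HEAD, IT_WRITE, IT_NC_ABOVE = 0x1, 0x4, 0x8
BINARY_DN = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.+)$")

def parse_binary_dn(value):
    """Split a BINARY+DN string such as B:8:0000000D:<dn> into (int, dn)."""
    m = BINARY_DN.match(value)
    if not m or int(m.group(1)) != len(m.group(2)):
        raise ValueError("malformed BINARY+DN: %r" % value)
    return int(m.group(2), 16), m.group(3)

def format_binary_dn(instance_type, dn):
    """Build the BINARY+DN form whose binary part is the instanceType."""
    return "B:8:%08X:%s" % (instance_type, dn)

def check_ntdsa(ntdsa, instance_types):
    """Hypothetical helper: return (instanceType fixes, msDS-HasInstantiatedNCs
    fixes), both keyed by NC DN, for every NC the ntDSA object masters."""
    recorded = {}
    for value in ntdsa.get("msDS-HasInstantiatedNCs", []):
        it, dn = parse_binary_dn(value)
        recorded[dn.lower()] = it
    it_fixes, inst_fixes = {}, {}
    for nc in ntdsa["msDS-hasMasterNCs"]:
        current = instance_types[nc]
        wanted = current | IT_WRITE          # a mastered NC must be writable
        if wanted != current:
            it_fixes[nc] = wanted
        if recorded.get(nc.lower()) != wanted:
            inst_fixes[nc] = format_binary_dn(wanted, nc)
    return it_fixes, inst_fixes

# Constructed sample data: the DNS partition lacks the WRITE bit (9 instead of 13).
CONFIG = "CN=Configuration,DC=example,DC=com"
DNSZONES = "DC=DomainDnsZones,DC=example,DC=com"
SAMPLE_NTDSA = {
    "msDS-hasMasterNCs": [CONFIG, DNSZONES],
    "msDS-HasInstantiatedNCs": [format_binary_dn(0xD, CONFIG),
                                format_binary_dn(0x9, DNSZONES)],
}
SAMPLE_INSTANCE_TYPES = {CONFIG: 0xD, DNSZONES: 0x9}

if __name__ == "__main__":
    it_fixes, inst_fixes = check_ntdsa(SAMPLE_NTDSA, SAMPLE_INSTANCE_TYPES)
    for nc, it in it_fixes.items():
        print("set instanceType=%d on %s" % (it, nc))
    for value in inst_fixes.values():
        print("msDS-HasInstantiatedNCs: %s" % value)
```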

