How to backup/restore in multiple DCs domain?
Stefan (metze) Metzmacher
metze at samba.org
Mon Nov 4 00:40:57 MST 2013
On 04.11.2013 07:53, Andrew Bartlett wrote:
> On Sun, 2013-11-03 at 14:40 +0800, hyoscar wu wrote:
>> Hi list,
>> I refer https://wiki.samba.org/index.php/Backup_and_Recovery to do
>> backup/restore and my samba4 ADDC machine works well in single-DC domain.
>> My multiple DCs domain test is as below:
>> machineA : samba-4.0.5 , create domain "abc.test"
>> machineB : samba-4.0.5 , join "abc.test" as additional DC.
>> My scenario is machineA failed , I need to restore it.
>> 1. After machineB joining, do backup in machineA.
>> 2. create some user accounts on machineA and machineB.
>> 3. A few minutes later, check database synchronized, both machine
>> has same user accounts.
>> 4. restore machineA.
>> 5. A few minutes later, check database synchronized, both machine
>> has same user accounts.
>> After these 5 steps, machineA gets user accounts from machineB but
>> machineA can not work well in many situation. For example, machineA can not
>> create user.
>> # /usr/local/samba/bin/samba-tool user add aaaq pass123 at aaaq
>> ERROR(ldb): Failed to add user 'aaaq': -
>> ../lib/ldb/ldb_tdb/ldb_index.c:1199: Failed to re-index objectSid in
>> CN=aaaq,CN=Users,DC=ggg,DC=org - ../lib/ldb/ldb_tdb/ldb_index.c:1131:
>> unique index violation on objectSid in CN=aaaq,CN=Users,DC=ggg,DC=org
>> I know that I can do seize role in machineB then machineA rejoin to
>> domain. I have some questions about samba4 backup/restore.
>> 1. If samba4 backup/restore just for single DC domain?
>> 2. If not , how should I do in multiple DCs domain?
>> 3. If machineA failed, what is the best way to recover machineA? rejoin
>> domain , restore or any other way?
> This is very serious. It should not be possible to create duplicate
> SIDs, and this low-level check is the assertion that we have to ensure
> this really does not happen.
> Are you able to reproduce this at will?
> My best guess is that a RID set allocation was done, and that when
> machineA, the RID master, was restored, the RID pool that was (in the
> future) allocated to machineB, was instead allocated to machineA.
> If you allocated a lot of users, and used an earlier version of Samba
> 4.0 that had a bug around RID pool allocation (it requested them too
> often), then this could be even more likely to happen.
In a multi dc environment you should *NEVER* ever restore from backup!
A backup is for an emergency case, where all dcs are destroyed.
You should just create a new dc.
It's the same reason why you should never restore vm snapshots of
(windows or samba)
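
The following is an added example, not part of the thread and not Samba code: a simplified Python model of the RID pool hypothesis in the quoted reply, in which restoring the RID master rolls back its allocation state so that a pool already given to machineB is handed out a second time. The class names, the block size of 500, the starting RID 1100 and the account names other than aaaq are constructed for illustration, and only machineB creates accounts after the backup so that the one mechanism is isolated.

```python
import copy

POOL_SIZE = 500  # assumed size of one RID block

class RidMaster:
    """Holds the domain-wide pointer to the next unallocated RID block."""
    def __init__(self, first_rid=1100):  # constructed starting value
        self.next_free = first_rid
    def allocate_pool(self):
        lo = self.next_free
        self.next_free += POOL_SIZE
        return lo, lo + POOL_SIZE

class DC:
    def __init__(self, name):
        self.name, self.next_rid, self.pool_end = name, 0, 0
        self.sids = {}  # RID -> account: this DC's copy of the directory
    def add_user(self, user, master):
        if self.next_rid >= self.pool_end:  # local pool used up: ask the master
            self.next_rid, self.pool_end = master.allocate_pool()
        rid = self.next_rid
        if rid in self.sids:  # models the unique index on objectSid
            raise ValueError(f"unique index violation on objectSid: "
                             f"RID {rid} already used by {self.sids[rid]}")
        self.next_rid += 1
        self.sids[rid] = user
        return rid

def replicate(a, b):
    merged = {**a.sids, **b.sids}
    a.sids, b.sids = dict(merged), dict(merged)

def simulate():
    master, a, b = RidMaster(), DC("machineA"), DC("machineB")
    a.add_user("alice", master)            # machineA takes 1100-1599
    backup = copy.deepcopy((master, a))    # backup of machineA, the RID master
    bob_rid = b.add_user("bob", master)    # after backup: machineB gets 1600-2099
    replicate(a, b)
    master, a = copy.deepcopy(backup)      # restore: allocation state rolls back
    replicate(a, b)                        # machineA learns bob from machineB
    for i in range(POOL_SIZE - 1):         # machineA uses up the rest of its pool
        a.add_user(f"user{i}", master)
    try:
        a.add_user("aaaq", master)         # master hands out 1600-2099 again
    except ValueError as err:
        return bob_rid, str(err)
    return bob_rid, None

if __name__ == "__main__":
    print(simulate())
```

In this model the restored master has no record of the block it gave to machineB, which is why a freshly joined DC that requests a new pool avoids the collision and a restored one does not.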