Multi DC domain issues

Chris Alavoine chrisa at acs-info.co.uk
Tue Sep 23 06:58:56 MDT 2014


Some extra info.

When I try a join (via a working DC) I get this:

Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com] objects[63919/322492] linked_values[0/0]
Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com] objects[64321/322492] linked_values[0/0]
Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com] objects[64723/322492] linked_values[0/0]
Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com] objects[65125/322492] linked_values[0/0]

As you can see there are 322492 objects in DomainDnsZones which takes a
long time to complete. Have checked here:

/usr/local/samba/private/sam.ldb.d/

And this is the contents:

/usr/local/samba/private/sam.ldb.d# ls -ltrh
total 4.1G
-rw-r----- 1 root root 812K Sep 23 08:38 metadata.tdb
-rw------- 1 root root  10M Sep 23 08:44 CN=CONFIGURATION,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
-rw------- 1 root root 4.1M Sep 23 08:48 DC=FORESTDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
-rw------- 1 root root 4.0G Sep 23 08:50 DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
-rw------- 1 root root  10M Sep 23 08:50 CN=SCHEMA,CN=CONFIGURATION,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
-rw------- 1 root root  38M Sep 23 08:51 DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb

On my broken FSMO DC this is the same folder:

/usr/local/samba/private/sam.ldb.d# ls -ltrh
total 3.1G
-rw-r----- 1 root root 412K Sep 23 13:00 metadata.tdb
-rw------- 1 root root  16M Sep 23 13:03 CN=CONFIGURATION,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
-rw------- 1 root root 4.1M Sep 23 13:48 DC=FORESTDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
-rw------- 1 root root  10M Sep 23 13:50 CN=SCHEMA,CN=CONFIGURATION,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
-rw------- 1 root root  86M Sep 23 13:50 DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
-rw------- 1 root root 3.0G Sep 23 13:50 DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb

Also, when I try and join another DC via the FSMO DC there are only 88,000
objects in DomainDnsZones.

I know that I don't have that many entries in my DNS, is there any way I
can reduce the overhead on this? Safely?

So far all my attempts at joining a new DC have failed with a python error
after the DomainDnsZones objects have finished syncing.

Thanks,
Chris.


On 23 September 2014 12:18, Chris Alavoine <chrisa at acs-info.co.uk> wrote:

> Hi all,
>
> I am running 4.1.5 with 5 DCs connected globally.
>
> I am using Ubuntu 12.04.
>
> My main FSMO roles DC appears to be corrupt and I'm worried that the
> meta-data is somehow out of sync.
>
> Can someone suggest a good plan of action to replace this DC? My other 4 DCs
> appear to be in good shape although one of them refuses to update any DNS
> changes. All other replication appears to be ok. The main FSMO DC is
> currently working although DNS fails from time to time. The whole domain
> feels very unstable and I'm unable to add any new DNS entries (error: "The
> local security authority database contains an internal inconsistency").
>
> I am currently building a replacement in the same Site as I've found that
> trying to join a new DC I need to specify another DC in the same
> subnet/Site for the join to work, i.e:
>
> /usr/local/samba/bin/samba-tool domain join example.com DC -UAdministrator --realm=example.com --server=DC1 --site=LON
>
> Once I've created this replacement in the same site I will try and
> transfer (or seize) the FSMO roles.
>
> If that works then I will remove and then recreate the main DC on the same
> IP (lots of stuff points to this IP so I need to retain it).
>
> Once that is done I shall transfer the FSMO roles back to the original DC.
>
> Does this sound like a reasonable approach?
>
>
> Thanks,
> Chris.
>
> --
> ACS (Alavoine Computer Services Ltd)
> Chris Alavoine
> mob +44 (0)7724 710 730
> www.alavoinecs.co.uk
> http://twitter.com/#!/alavoinecs
> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>



-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192

