samba-tool domain backup and xattrs

Rowland Penny rpenny at
Sun Apr 8 12:31:37 UTC 2018

On Sun, 08 Apr 2018 20:57:01 +1200
Andrew Bartlett <abartlet at> wrote:

> On Sun, 2018-04-08 at 09:08 +0100, Rowland Penny wrote:
> > Where can I read Metze's restoration steps ?
> Andrew Bartlett

OK, I must have missed that; it also provided me with the answer to
where '-r' came from ;-)

Firstly, I think the tdbbackup changes need to be proposed as a single
patch; if the present tdbbackup isn't safe, it should be made safe.

Now we come to Metze's comments:

> I think we really need a corresponding restore command
> and make it relatively hard to restore the backup without
> using the restore command.

Just how is this supposed to be done, and how is this different from
saying 'the restore must work before doing the backup'?

> The restore command should also do this on the backup databases:
> - reset highestCommittedUSN to 1 and invent a new invocationID
>   that will be used for further replPropertyMetaData stamps

This wouldn't really be a restore, it would nearly be creating a new
domain from existing data as 'classicupgrade' does.

> - samba-tool domain demote --remove-other-dead-server for all
>   servers

Totally agree with this, otherwise you would/could have other dead DCs
in the database.

> - create a new machine account and NTDSDsa object (with the new
>   invocationID)

Why? You could just ensure that you were restoring to a computer with
the same FQDN & IP as the old one.

> - samba-tool fsmo seize for all roles

Good idea, but perhaps check before seizing.

> - change the krbtgt passwords twice

No problem with this happening, but why?

> So that the restored domain will never replicate with any existing
> DC, as it's only a last resort if really all DCs are broken.

Surely the restore should first check if any other DCs are running
before doing anything, and refuse to restore if any are.

Also, there is no mention of 'sysvolreset'

I have been looking into how Windows deals with this situation and
found this:

It talks about two types of recovery without a working DC,
'Non-authoritative' & 'Authoritative'. Metze seems to want something
similar to an 'Authoritative' restore, but, at the bottom of the page,
there is this note:

Because the only case in which you would restore a domain controller
from the backup image is when all domain controllers have been lost,
authoritative restores should not be needed.

So Microsoft doesn't seem to recommend an 'Authoritative' restore.

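A pre-restore check along the lines suggested in the message above (refuse to go ahead if any other DC still answers) combined with the 'check before seizing' point on FSMO roles, as an added example that is not part of this thread and not Samba's own code. It assumes the caller supplies the DC hostnames recorded in the backed-up database and the text of `samba-tool fsmo show`; the sample DC names and the fsmo output below are constructed, the output format is an assumption, and the probe only tests whether TCP ports 389 (LDAP) and 88 (Kerberos) accept a connection.

```python
"""Pre-flight checks before restoring a Samba AD DC from a backup.

Added example, not from the samba-technical thread or the Samba project.
Assumptions: the DC hostnames and the `samba-tool fsmo show` text are
supplied by the caller; every sample value below is constructed.
"""
import re
import socket

# TCP ports a live AD DC answers on: LDAP and Kerberos.
DC_PORTS = (389, 88)

# Constructed sample: the DCs recorded in the backed-up database.
SAMPLE_DCS = ["dc1.example.com", "dc2.example.com", "dc3.example.com"]

# Constructed sample of `samba-tool fsmo show` output (format assumed).
SAMPLE_FSMO_SHOW = """\
SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
"""


def tcp_probe(host, port, timeout=2.0):
    """Return True if `host` accepts a TCP connection on `port`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name did not resolve
        return False


def live_dcs(dcs, this_host, probe=tcp_probe):
    """Return the DCs other than `this_host` that answer on any DC port.

    `probe` is injectable so the check can be exercised without a network.
    """
    alive = []
    for dc in dcs:
        if dc.lower() == this_host.lower():
            continue
        if any(probe(dc, port) for port in DC_PORTS):
            alive.append(dc)
    return alive


def roles_to_seize(fsmo_show_text, this_host):
    """Parse `samba-tool fsmo show` text; return roles not held by `this_host`.

    Only these roles need `samba-tool fsmo seize`; roles already held by the
    restored DC are left alone (the 'check before seizing' point).
    """
    short = this_host.split(".")[0].lower()
    needed = {}
    for line in fsmo_show_text.splitlines():
        m = re.match(r"(\w+) owner: CN=NTDS Settings,CN=([^,]+),", line)
        if not m:
            continue
        role, holder = m.group(1), m.group(2)
        if holder.lower() != short:
            needed[role] = holder
    return needed


def preflight(dcs, this_host, fsmo_show_text, probe=tcp_probe):
    """Refuse if another DC is reachable; otherwise report what to clean up.

    `dead` lists the DCs that would be removed with
    `samba-tool domain demote --remove-other-dead-server`; `seize` lists
    the FSMO roles that actually need seizing.
    """
    alive = live_dcs(dcs, this_host, probe)
    if alive:
        return {"ok": False, "reason": "live DCs found", "live": alive}
    return {
        "ok": True,
        "dead": [d for d in dcs if d.lower() != this_host.lower()],
        "seize": roles_to_seize(fsmo_show_text, this_host),
    }


if __name__ == "__main__":
    # Stand-alone run against the constructed names: the real probe fails
    # to resolve them, so no live DC is reported and the plan is printed.
    print(preflight(SAMPLE_DCS, "dc1.example.com", SAMPLE_FSMO_SHOW))
```

The probe is deliberately a plain TCP connect rather than an LDAP bind, so it can run with no credentials before the restored database is usable; a DC that answers on either port is enough reason to stop, because the backup should never replicate with a surviving DC.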
