[Samba] [SOLVED] replace Windows 2003 dc

Peter Beck peter at datentraeger.li
Fri Feb 22 21:04:43 MST 2013


Dustin C. Hatch <admiralnemo at gmail.com> wrote on Fri, Feb 22, 2013 at 05:58:51PM -0600:
> On 2/22/2013 15:22, Peter Beck wrote:
> >Dustin C. Hatch <admiralnemo at gmail.com> wrote on Fri, Feb 22, 2013 at 12:31:05PM -0600:
> My samba server works perfectly fine for all AD DC roles (including
> Kerberos) except DNS. In my real and test environments, the forest
> and domain functional levels are 2008 R2.

I've just tried again, still with 2003 functional levels, and it was
working again: after removing the Windows domain I was able to add new
users, change password policies, and remove and change DNS records.

This time I installed Exchange 2003 on the Windows DC first (just to
check whether there are issues if Exchange is running on the DC. Exchange did
not start after demoting the DC, btw). In production environments we do
not install Exchange; it was just to test whether there are issues with
replicating the schema or whether dcpromo fails while demoting.

After removing the Windows DC I also rebooted the Samba server and tried
to get a Kerberos ticket, which was working as expected.

> Same as mine, as defined in the wiki article.

Did you change your resolv.conf to the Samba DC after removing the
Windows domain controller? Silly question, but sometimes little things
like that are the solution...

> I don't see a list of values for this property in smb.conf(5); where
> did you find this setting?
> >server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
> According to smb.conf(5), this is the default value for `server
> services`, less s3fs and plus smb. I don't think either of these
> would matter in this case.

The only value I changed was adding dns to the server services.
The provision command was "samba-tool domain join adlab.local DC
-Uadministrator%password --realm=$hostname.$realm --use-ntvfs".

--use-ntvfs because I am running Debian wheezy.

> >         dns forwarder = 8.8.8.8
> Again, this only affects queries outside the AD domain, so it
> shouldn't matter. I do have it set, though.

I know, I just posted the complete config.

> Yes, that adds the NS records to the domain, and I've tried that.
> Since the Samba server is a DNS server, this should be done
> automatically anyway. In any case, it doesn't help.

Nameserver records for the Samba DC are not automatically created in my
test environments; I always have to add them manually.

> >After adding these records / checking other DNS records (_ldap._tcp,
> >_kerberos etc.) I just did
> >
> These also should be added automatically if the Samba server is to
> be a DNS server, but adding them manually doesn't help either.

Yes, they are automatically added, but for me it's safer to check
before removing the Windows domain controller ;-)

> >samba-tool drs replicate <samba-dc> <win-dc> dc=adlab,dc=local --local
> This works fine
> 
> >samba-tool drs replicate <samba-dc> <win-dc> dc=forestdnszones,dc=adlab,dc=local --local
> >samba-tool drs replicate <samba-dc> <win-dc> dc=domaindnszones,dc=adlab,dc=local --local
> These both fail because there is no outbound connection from the
> Samba server to the Windows server for these directory partitions.
> Adding them manually with repadmin works temporarily, but the KCC
> eventually removes them.

I never had issues like yours (at least, not that I can remember). On the
Windows DC in "Active Directory Sites and Services" it takes about 15
minutes until the replication is visible, but replicating from Samba was
never an issue on my machine.

> >If everything is well (which was the case each time I've tested it), I
> >moved the FSMO roles with samba-tool fsmo transfer --role=....
> >
> Since Samba 4.0.3, which has a fix for the timeout problem, I have
> had no trouble moving the FSMO roles around. Regardless, until the
> DomainDnsZones and ForestDnsZones are replicated correctly, I cannot
> demote the Windows DC.

When demoting the Windows DC I get the message that this DC holds the
last replica of DomainDnsZones and ForestDnsZones; I just checked
"remove them" (otherwise dcpromo will cancel). So far everything still
seems to work. I think this is because Windows still has the DNS server
installed (?).

I use the Debian package from wheezy, which is an older version,
4.0.0~beta2+dfsg1-3.1. Transferring seems to be a "cosmetic issue",
because even if there is a timeout message, if you check 15 minutes later
all roles are transferred correctly.

Peter
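As an added pre-demotion check (not code from the thread, from Peter or Dustin, or from the Samba project), the script below derives the three partition DNs used in the samba-tool drs replicate commands quoted above, resolves the SRV records mentioned above directly at the Samba DC, and then pulls each partition from the Windows DC. It assumes the `host` utility and samba-tool are on PATH and that the domain, Samba DC and Windows DC names are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): pre-demotion checks for a Samba AD DC
# that is replacing a Windows DC. Assumes `host` and samba-tool on PATH.

# Turn a DNS domain into the three partition DNs that must replicate before
# the Windows DC is demoted (the domain partition plus the two DNS partitions
# that failed to replicate in the thread), printed one per line.
partition_dns() {   # $1 = domain, e.g. adlab.local
    base=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g; s/^/dc=/')
    printf '%s\n' "$base" "dc=domaindnszones,$base" "dc=forestdnszones,$base"
}

# SRV names every DC must publish; _msdcs entries are how clients locate DCs.
srv_names() {   # $1 = domain
    printf '%s\n' "_ldap._tcp.$1" "_kerberos._tcp.$1" "_kerberos._udp.$1" \
        "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.dc._msdcs.$1"
}

# Resolve each SRV name directly at the Samba DC (the server clients will use
# once resolv.conf points at it). Returns non-zero if any record is missing.
check_srv() {   # $1 = domain, $2 = Samba DC address
    rc=0
    for name in $(srv_names "$1"); do
        if host -t SRV "$name" "$2" >/dev/null 2>&1; then
            echo "ok      SRV $name"
        else
            echo "MISSING SRV $name"; rc=1
        fi
    done
    return $rc
}

# Pull every partition from the Windows DC, as in the thread's commands.
# A failure here means the DNS partitions are not safe to abandon yet.
replicate_all() {   # $1 = domain, $2 = Samba DC name, $3 = Windows DC name
    rc=0
    for dn in $(partition_dns "$1"); do
        samba-tool drs replicate "$2" "$3" "$dn" --local || rc=1
    done
    return $rc
}

# Only run the checks when invoked with arguments (functions stay sourceable).
if [ "$#" -gt 0 ]; then
    [ "$#" -eq 3 ] || { echo "usage: $0 <domain> <samba-dc> <win-dc>" >&2; exit 2; }
    check_srv "$1" "$2" && replicate_all "$1" "$2" "$3"
fi
```

Run it as `sh predemote.sh adlab.local samba-dc win-dc` after the NS records are in place; a non-zero exit means a record or partition is still missing and the Windows DC should not be demoted yet.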

