[Samba] Samba fsmo/demote/unjoin trouble after crash

Denis Cardon denis.cardon at tranquil-it-systems.fr
Tue May 14 09:48:21 MDT 2013

Hi Giedrius,

>      i've got initial setup on DC1 (4.0.1)... all working good and flawless
>      Added additional geographically distributed controllers (DC2, DC3,
> DC4,DC5) with 4.0.5 - no problem.
>      All PC's can connect to their own site/DC
>      Transferred all FSMO's to DC2  - transferred successfully (with
> seize "error" bug)
>      DC1 crashed badly....  during maintenance, SAMBA was updated to
> 4.0.5, data restored from backup.
>      Now, the problem is:
>          1) DC1 sees itself as owner of all FSMO's, although DC[2,3,4,5]
> sees DC2 as owner of FSMO's
>          3) DC1 is missing some users (created between backup and crash),
> wbinfo for these users return E_DOMAIN_NOT_FOUND
>          4) Got "decrypt integrity check failed"  errors, fixed with
> chtdcpass, which not results to "Failed to find HOST$#DOMAIN(kvno)"
> (client reboot seems to fix this)
>          4) any attempt to replicate missing information from DC2/DC3 to
> DC1  (samba-tool drs replicate) results in errors after it (cannot find
> own NTDS)
>          5) impossible to demote / unjoin server and provision from
> scratch - some DRS errors
>      Question is:
>          how can i change FSMO owner (ldbedit ?) on DC1 to be DC2 and then:
>               a) replicate missing users (and computer trust accounts) to DC1
>               b) force removing DC1 from domain for good ( reinstall from
> scratch )
>      Domain as a whole recreation from scratch is sadly *not* an option :(

On https://wiki.samba.org/index.php/Backup_and_Recovery#General it is 
clearly stated that you shouldn't restore a DC from backup in a multi DC 

Other DCs have evolved since you backed up your data, and you cannot 
have synchronisation with the other DCs. It is not a Samba problem, but 
it is by design because of the multi-master replication between DCs.

You should just re-install samba4 4.0.5 on your DC1 server, and then 
join it to the domain as a DC, it will synchronise and all will be back 
to normal.




Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)
