[Samba] Samba fsmo/demote/unjoin trouble after crash

Andrew Bartlett abartlet at samba.org
Mon May 20 15:46:28 MDT 2013 

On Wed, 2013-05-15 at 10:09 +0300, Giedrius wrote:
> 2013.05.14 18:48, Denis Cardon rašė:
> > Hi Giedrius,
> > 
> >>      i've got initial setup on DC1 (4.0.1)... all working good and
> >> flawless
> >>      Added additional geographically distributed controllers (DC2, DC3,
> >> DC4,DC5) with 4.0.5 - no problem.
> >>      All PC's can connect to their own site/DC
> >>
> >>      Transferred all FSMO's to DC2  - transferred successfully (with
> >> seize "error" bug)
> >>      DC1 crashed badly....  during maintenance, SAMBA was updated to
> >> 4.0.5, data restored from backup.
> >>
> >>      Now, the problem is:
> >>          1) DC1 sees itself as owner of all FSMO's, although DC[2,3,4,5]
> >> sees DC2 as owner of FSMO's
> >>          3) DC1 is missing some users (created between backup and crash),
> >> wbinfo for these users return E_DOMAIN_NOT_FOUND
> >>          4) Got "decrypt integrity check failed"  errors, fixed with
> >> chtdcpass, witch not results to "Failed to find HOST$#DOMAIN(kvno)"
> >> (client reboot seems to fix this)
> >>          4) any attempt to replicate missing information from DC2/DC3 to
> >> DC1  (samba-tool drs replicate) results in errors after it (cannot find
> >> own NTDS)
> >>          5) impossible to demote / unjoin server and provision from
> >> scratch - some DRS errors
> >>
> >>      Question is:
> >>          how can i change FSMO owner (ldbedit ?) on DC1 to be DC2 and
> >> then:
> >>               a) replicate missing users (and computer trust accounts)
> >> to DC1
> >>               b) force removing DC1 from domain for good ( reinstall from
> >> scratch )
> >>
> >>      Domain as a whole recreation from scratch is sadly *not* an
> >> option :(
> > 
> > On https://wiki.samba.org/index.php/Backup_and_Recovery#General it is
> > clearly stated that you shouldn't restore a DC from backup in a multi DC
> > environment.
> Ok, my bad.
> 
> > 
> > Others DC have evolved since you backed up your data, and you cannot
> > have synchronisation with the other DCs. It is not a Samba problem, but
> > it is by design because the multi master replication between DCs.
> > 
> > You should just re-install samba4 4.0.5 on your DC1 server, and then
> > join it to the domain as a DC, it will synchronise and all will be back
> > to normal.
> > 
> But how do i force remove the old server from domain ? (Windows tools
> and samba's net unjoin failed)

Just re-join it with the same name, that does as much as we can do.  It
isn't perfectly ideal, but it should be good enough. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list