[Samba] Samba fsmo/demote/unjoin trouble after crash

Giedrius giedrius+samba at su.lt
Tue May 21 00:43:08 MDT 2013

Hi Andrew,
2013.05.21 00:46, Andrew Bartlett rašė:
> On Wed, 2013-05-15 at 10:09 +0300, Giedrius wrote:
>> 2013.05.14 18:48, Denis Cardon rašė:
>>> Hi Giedrius,
>>>>      i've got initial setup on DC1 (4.0.1)... all working good and
>>>> flawless
>>>>      Added additional geographically distributed controllers (DC2, DC3,
>>>> DC4,DC5) with 4.0.5 - no problem.
>>>>      All PC's can connect to their own site/DC
>>>>      Transferred all FSMO's to DC2  - transferred successfully (with
>>>> seize "error" bug)
>>>>      DC1 crashed badly....  during maintenance, SAMBA was updated to
>>>> 4.0.5, data restored from backup.
>>>>      Now, the problem is:
>>>>          1) DC1 sees itself as owner of all FSMO's, although DC[2,3,4,5]
>>>> sees DC2 as owner of FSMO's
>>>>          3) DC1 is missing some users (created between backup and crash),
>>>> wbinfo for these users return E_DOMAIN_NOT_FOUND
>>>>          4) Got "decrypt integrity check failed"  errors, fixed with
>>>> chtdcpass, witch not results to "Failed to find HOST$#DOMAIN(kvno)"
>>>> (client reboot seems to fix this)
>>>>          4) any attempt to replicate missing information from DC2/DC3 to
>>>> DC1  (samba-tool drs replicate) results in errors after it (cannot find
>>>> own NTDS)
>>>>          5) impossible to demote / unjoin server and provision from
>>>> scratch - some DRS errors
>>>>      Question is:
>>>>          how can i change FSMO owner (ldbedit ?) on DC1 to be DC2 and
>>>> then:
>>>>               a) replicate missing users (and computer trust accounts)
>>>> to DC1
>>>>               b) force removing DC1 from domain for good ( reinstall from
>>>> scratch )
>>>>      Domain as a whole recreation from scratch is sadly *not* an
>>>> option :(
>>> On https://wiki.samba.org/index.php/Backup_and_Recovery#General it is
>>> clearly stated that you shouldn't restore a DC from backup in a multi DC
>>> environment.
>> Ok, my bad.
>>> Others DC have evolved since you backed up your data, and you cannot
>>> have synchronisation with the other DCs. It is not a Samba problem, but
>>> it is by design because the multi master replication between DCs.
>>> You should just re-install samba4 4.0.5 on your DC1 server, and then
>>> join it to the domain as a DC, it will synchronise and all will be back
>>> to normal.
>> But how do i force remove the old server from domain ? (Windows tools
>> and samba's net unjoin failed)
> Just re-join it with the same name, that does as much as we can do.  It
> isn't perfectly ideal, but it should be good enough. 
Ok, but something is still wrong: drs kcc gives this:
Wrong username or password: kinit for <DC_NAME>$@<REALM> failed
(Preauthentication failed)

Consistency check on <hostname> successful.

Some computers lost trust relationship - rejoin was necessary.
To be exact, somehow I have 2 DC's on the same site, but there never
were 2 of them. Some workstations try to use the other DC as a logon
server, although it is clearly offline and not announced on the lan.
Helps, if i set netbios aliases in smb.conf

What should be done next? Launch another samba instance and join with
the other name ?

> Andrew Bartlett

More information about the samba mailing list