[Samba] Joining Second DC error -- NT_STATUS_CONNECTION_RESET

Chan Min Wai dcmwai at gmail.com
Wed Aug 20 16:55:32 MDT 2014


Dear Marc,

> 1. Should I restore DC1 since DC2 is already offline?

What size is your domain? On a small installation it's sometimes worth
starting from scratch instead of trying to fix the databases and
overlooking something that later gets worse.

[dcmwai] Just 25 PCs and about 15~30 users. You are right, that is the issue
I'm worried about.
Just thinking of the future, or the wiki.
If we take a snapshot of the whole VM, should we stop Samba from running?
Or should we exclude that disk from the snapshot?
Just my thought...
If we have two DCs, DC1 and DC2, and I restore DC1 to some earlier point
(running or stopped), would DC2 restore DC1's DB, since the information on
DC1 is older...?



You currently have only DC1 online, but it's broken. And DC2 is also
broken and offline. Right? So if it's already in that bad state, you
can try the following:
Set up a separate test environment. Restore the snapshots of both DCs.
Check if they replicate. Run
[dcmwai] Too late for that unless I restore both DC1 and DC2... as I've
deleted /var/lib/samba (everything).

# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix

on both hosts. And then try to demote DC2.

Which of the two hosts had which FSMO role? If they were all on DC1,
then you should be able to demote DC2. At least bug #10734 seems only to
happen if the host that should be demoted had roles before.
[dcmwai] Will try that; all FSMO roles are on DC1. Ah, better...


> 2. Can we back up the DC in any other way?

What I do in production is run the backup script (a modified version)
on all DCs. Even if you must not restore a single DC while the others are
still working, this may some day be a help if the total disaster
happens :-)
[dcmwai] Too bad that I could not do that before...
Because of the wrong LDFLAGS on my Gentoo build, all the ldbsearch and
edit functions required by samba_backup were segfaulting, and I was
trying to fix that when I discovered DC2 was broken... (due to the restore
or similar...)


> 3. Do we have a way to back up the DC users and groups, or the updated
> computer passwords? :)

The user/group stuff you can export via LDAP (at least most
attributes). And you can write a script that creates the users via
samba-tool again. But you can't restore the SIDs this way. Also you
don't get the passwords out of your DC.

[dcmwai] Why can't we? We do have native access to the database... We don't
access it using LDAP or another protocol; we are accessing it using the DB
control, which I think should give us all the encrypted passwords ;)


> 4. If I join another AD DC and replicate it, and also demote DC1 (can we do
> that, as I see the bug reports?), would DC2 now be better???

I didn't understand that.
[dcmwai] What I meant was: make a new DC and join it in... Do you think that
it would have more issues? :)

Thank You.


On Thu, Aug 21, 2014 at 5:50 AM, mourik jan heupink - merit <
heupink at merit.unu.edu> wrote:

> I know also that ldap-account-manager has functionality to dump all
> users/groups, and restore them (recreate).
>
> (https://www.ldap-account-manager.org)
>
> Of course you still need to be able to connect to your DC over ldap.
>
> This could help you as well.
>
> Good luck..!
>
>
>
>
> On 08/20/2014 11:26 PM, Rowland Penny wrote:
>
>> On 20/08/14 22:05, Marc Muehlfeld wrote:
>>
>>> Am 20.08.2014 21:59, schrieb Rowland Penny:
>>>
>>>>>> 3. Do we have a way to backup Dc user and group or the updated
>>>>>> computer
>>>>>> password :)
>>>>>>
>>>>> The user/group stuff you can export via ldap (at least the most
>>>>> attributes). And you can write a script that creates the users via
>>>>> samba-tool again. But you can't restore the SID on this way.
>>>>>
>>>> Hi, are you sure about the SID ? I have never used it, but 'samba-tool
>>>> domain provision --help' shows this:
>>>>
>>>> --domain-sid=SID      set domainsid (otherwise random)
>>>>
>>> The domain SID you can set during provisioning. But I meant the SID (RID)
>>> of accounts/groups.
>>>
>>> # samba-tool user add ....
>>>
>>> doesn't have anything to create a user/group with a defined RID.
>>>
>>> And I'm not sure if this is possible at all, when I think about
>>> it. Because the RIDs for newly created objects are taken from the RID
>>> pool. Every DC has a pool of 500 RIDs (when empty, the pool is filled
>>> with the next free 500 RIDs from the RID Master). So if, e.g., an account
>>> is created with a defined RID on DC1, but this RID is one that is in the
>>> free RID pool of DC2, this would cause trouble. The same trouble would
>>> happen if you manually edited the objectSID.
>>>
>> I am never going to try this, but I think that if you were to dump the
>> entire AD database and extract from it any users and groups that you have
>> created, then provision the new domain using as much info as you can from
>> the old DC, and then use the user/group LDIFs you extracted, I think
>> that you would be able to recreate the users & groups with the old
>> SID/RID. You would also have to update 'rIDNextRID' in 'cn=RID Set'.
>> This would only ever have a chance of working on a single-DC domain.
>>
>> As I said, I am never ever going to try this, just saying that it might
>> be possible ;-)
>>
>> Rowland
>>
>>>
>>> Regards,
>>> Marc
>>>
>>
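The thread weighs recreating users from an LDAP export with their original RIDs against the per-DC RID pools Marc describes and the 'rIDNextRID' update Rowland mentions. As an added example (not code from the thread or from Samba), this Python script decodes exported objectSid values and a freshly provisioned DC's rIDAllocationPool to flag which old RIDs fall inside that DC's pool and what rIDNextRID would have to become; the sample objects, pool values and the reading of rIDNextRID as the last RID the DC handed out are assumptions.

```python
import struct
from typing import Dict, List, Tuple

# Constructed sample data (not from the thread): the exported users of the
# old domain and the RID Set of the newly provisioned DC.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"

def encode_sid(sid: str) -> bytes:
    """Build the binary objectSid form; used here only to construct sample data."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def decode_sid(blob: bytes) -> str:
    """objectSid layout: revision, sub-authority count, 48-bit big-endian
    identifier authority, then 32-bit little-endian sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-" % (revision, authority) + "-".join(str(s) for s in subs)

def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])

def decode_rid_pool(pool: int) -> Tuple[int, int]:
    """rIDAllocationPool is one 64-bit integer: low 32 bits hold the first
    RID of the pool, high 32 bits the last RID."""
    return pool & 0xFFFFFFFF, pool >> 32

def check_rid_reuse(exported: Dict[str, bytes], rid_pool: int,
                    rid_next: int) -> Tuple[List[str], int]:
    """Return the accounts whose old RID lies inside the new DC's pool (the
    'trouble' case from the thread) and the rIDNextRID the DC would need
    after recreating them. Assumption: rIDNextRID is the last RID handed out."""
    low, high = decode_rid_pool(rid_pool)
    conflicts, needed_next = [], rid_next
    for name, blob in exported.items():
        rid = rid_of(decode_sid(blob))
        if low <= rid <= high:
            conflicts.append(name)
            needed_next = max(needed_next, rid)
    return conflicts, needed_next

EXPORTED = {"alice": encode_sid(DOMAIN_SID + "-1105"),
            "bob": encode_sid(DOMAIN_SID + "-1106"),
            "carol": encode_sid(DOMAIN_SID + "-1602")}
NEW_DC_POOL = (2099 << 32) | 1600   # constructed rIDAllocationPool: RIDs 1600..2099
NEW_DC_NEXT = 1601                  # constructed rIDNextRID

if __name__ == "__main__":
    names, nxt = check_rid_reuse(EXPORTED, NEW_DC_POOL, NEW_DC_NEXT)
    print("old RIDs inside the new DC's pool:", names, "-> rIDNextRID must be >=", nxt)
```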