[Samba] Joining Second DC error -- NT_STATUS_CONNECTION_RESET

Chan Min Wai dcmwai at gmail.com
Mon Aug 25 08:56:13 MDT 2014

Thank you all for the help.

I'm able to recover the DB to the last working version.
It seems that my DC will be corrupted by DC2 when I restore from snapshot...

As I was restoring both DC1 and DC2 from snapshot...
I think they both killed each other and left me a corrupted LDIF...

So I exported the LDIF from this version (I had made some group/user changes
before it became unwritable).
And I would like to keep the UID and GID; the password I can change...

Snapshot this VM with Samba shut down.

Restore back to the old working Samba, make a Samba backup (important: the
private folder),
copy it to another server/location.

Restore back to the latest snapshot...
Rebuild the same Samba version as before (as stated on the Samba AD DC
backup and restore page, backup and restore have to be done on the
same Samba version, not a different or upgraded version).

Restore the Samba private dir.

Start Samba...
The Samba AD DC is now working...

But because the Samba backup was about 2 months old, most computer passwords
were different and I had to rejoin them to the domain...
including the Samba file member server.

I've also joined DC2 back to this AD DC without problem (new 4.1.11).

And later updated DC1 to the new AD DC 4.1.11.

Everything is running fine now :)

But I think we should have some note on the wiki about
multiple DCs and also VM snapshots....

We should at least keep one DC_new online when we restore the DC_old
snapshot, so that DC_old will be overwritten by this new information.

I'm not too sure if I'm getting it right.

Please advise.

Thank You.

On Thu, Aug 21, 2014 at 6:55 AM, Chan Min Wai <dcmwai at gmail.com> wrote:

> Dear Marc,
> > 1. Should I restore DC1 since DC2 is already offline.
> What size is your domain? On a small installation it's sometimes worth
> starting from scratch instead of trying to fix the databases and
> overlook something that gets later worse.
> [dcmwai] Just 25 PCs and about 15~30 users. You are right, that is the issue
> I'm worried about.
> Just thinking about the future or the wiki.
> If we take a snapshot of the whole VM, should we stop Samba from running?
> Or should we exclude that disk from the snapshot?
> Just my thought...
> If we have 2 DCs, DC1 and DC2, and I restore DC1 to some earlier point
> (running or stopped),
> would DC2 restore the DC1 DB? Since the information on DC1 is older...
> You have currently only DC1 online, but it's broken. And DC2 is also
> broken and offline. Right? So if it's already in that worse state, you
> can try the following:
> Setup a separated test environment. Restore the snapshots of both DCs.
> Check if they replicate. Run
> [dcmwai] too late for that unless I restore both DC1 and DC2... As I've
> deleted /var/lib/samba (everything)
> # samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
> on both hosts. And then try to demote DC2.
> Which of the two hosts had which FSMO role? If they were all on DC1,
> then you should be able to demote DC2. At least bug #10734 seems only to
> happen if the host, that should be demoted, had roles before.
> [dcmwai] will try that, all FSMO are on DC1. ah better...
> > 2. Can we do any backup the DC in any other way?
> What I do in production is to run the backup script (a modified version)
> on all DCs. Even if you must not restore a single DC while others are
> still working, this may some day be a help if the total disaster
> happens :-)
> [dcmwai] too bad that I could not do that before...
> Because of the wrong LDFLAGS on the Gentoo build, all the ldbsearch and
> edit functions required by samba_backup were having segmentation faults, and I
> was trying to fix that when I discovered that DC2 was broken... (due to the
> restore or etc...)
> > 3. Do we have a way to backup Dc user and group or the updated computer
> > password :)
> The user/group stuff you can export via LDAP (at least most
> attributes). And you can write a script that creates the users via
> samba-tool again. But you can't restore the SID this way. Also you
> don't get the passwords out of your DC.
> [dcmwai] Why can't we? We do have native access to the database... we
> don't access it using LDAP or another protocol; we are accessing it using the
> DB control, which I think should have all the encrypted passwords ;)
> > 4. If I join another AD DC and replicate it and also demote DC1 (can we do
> > that, as I see the bug report), would DC2 now be better???
> I didn't understand that.
> [dcmwai] What I meant was: make a new DC and join it in... Do you think that
> it would have more issues :)
> Thank You.
> On Thu, Aug 21, 2014 at 5:50 AM, mourik jan heupink - merit <
> heupink at merit.unu.edu> wrote:
>> I know also that ldap-account-manager has functionality to dump all
>> users/groups, and restore them (recreate).
>> (https://www.ldap-account-manager.org)
>> Of course you still need to be able to connect to your DC over ldap.
>> This could help you as well.
>> Good luck..!
>> On 08/20/2014 11:26 PM, Rowland Penny wrote:
>>> On 20/08/14 22:05, Marc Muehlfeld wrote:
>>>> On 20.08.2014 21:59, Rowland Penny wrote:
>>>>>>> 3. Do we have a way to backup DC user and group or the updated
>>>>>>> computer
>>>>>>> password :)
>>>>>> The user/group stuff you can export via LDAP (at least most
>>>>>> attributes). And you can write a script that creates the users via
>>>>>> samba-tool again. But you can't restore the SID this way.
>>>>> Hi, are you sure about the SID ? I have never used it, but 'samba-tool
>>>>> domain provision --help' shows this:
>>>>> --domain-sid=SID      set domainsid (otherwise random)
>>>> The domain SID you can set during provisioning. But I meant the SID (RID)
>>>> of accounts/groups.
>>>> # samba-tool user add ....
>>>> doesn't have anything to create a user/group with a defined RID.
>>>> And I'm not sure if this is possible at all, when I think about
>>>> it. Because the RIDs for newly created objects are taken from the RID
>>>> pool. Every DC has a pool of 500 RIDs (when empty, the pool is filled
>>>> with the next free 500 RIDs from the RID Master). So if e.g. an account
>>>> is created with a defined RID on DC1, but this RID is one that is in the
>>>> free RID pool of DC2, this would cause trouble. The same trouble would
>>>> happen if you would manually edit the objectSID.
>>> I am never going to try this, but I think that if you were to dump the
>>> entire AD database and extract from this any users and groups that you have
>>> created, then provision the new domain using as much info as you can from
>>> the old DC, and then use the user/group LDIFs you extracted, I think
>>> that you would be able to recreate the users & groups with the old
>>> SID-RID. You would also have to update 'rIDNextRID' from 'cn=RID Set'.
>>> This would only ever have a chance of working on a single-DC domain.
>>> As I said, I am never ever going to try this, just saying that it might
>>> be possible ;-)
>>> Rowland
>>>> Regards,
>>>> Marc
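The RID-pool collision Marc warns about (an account recreated with a fixed RID that falls inside another DC's unused pool) can be checked offline against an LDIF dump before attempting Rowland's recreate-with-old-SID idea. This is an added example, not code from the thread or from Samba; the LDIF is constructed, and the rIDAllocationPool packing (low 32 bits = first RID, high 32 bits = last RID) is the AD convention for that attribute.

```python
import re

# Constructed sample LDIF in the shape ldbsearch prints on a Samba AD DC.
# rIDAllocationPool packs two 32-bit values (low half = first RID, high half =
# last RID); here 1500-1999, with rIDNextRID = 1599 meaning 1500-1599 are used.
SAMPLE_LDIF = """\
dn: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=example,DC=com
rIDAllocationPool: 8585639626204
rIDNextRID: 1599

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
objectSid: S-1-5-21-1111-2222-3333-1104

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
objectSid: S-1-5-21-1111-2222-3333-1650
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per blank-line block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def decode_pool(value):
    # Split the 64-bit rIDAllocationPool into (first_rid, last_rid).
    packed = int(value)
    return packed & 0xFFFFFFFF, packed >> 32

def find_rid_conflicts(ldif_text):
    """Return (account, rid, rid_set_dn) for each RID inside a DC's unused pool."""
    free_ranges, accounts = [], []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        if "rIDAllocationPool" in entry:
            first, last = decode_pool(entry["rIDAllocationPool"][0])
            # rIDNextRID is the last RID handed out; absent means pool untouched.
            next_rid = int(entry.get("rIDNextRID", [str(first - 1)])[0])
            free_ranges.append((dn, max(first, next_rid + 1), last))
        elif "objectSid" in entry:
            rid = int(entry["objectSid"][0].rsplit("-", 1)[1])  # last SID part
            accounts.append((entry["sAMAccountName"][0], rid))
    return [(name, rid, dn) for name, rid in accounts
            for dn, lo, hi in free_ranges if lo <= rid <= hi]
```

Run it over `ldbsearch -H sam.ldb` output of every DC's `CN=RID Set` plus the user/group entries you intend to recreate; any hit means that RID must be avoided or the pool advanced first.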
