[Samba] Samba 4 fsmo-handling on crashed dc-server

Peter Grotz - Obel und Partner GbR grotz at obel-architekten.de
Wed Aug 27 02:00:43 MDT 2014

Hello Marc,

thanks for your answer.

But I've further questions:
- What happens with fsmo in the meantime when the crashed server doesn't
- Do the remaining dc and the other member-fileservers and the win-clients
at the domain work as usual?
- Are there any things we can't do until the fsmo containing server works
again? Doing changes in AD for example...

- While demoting foreign dcs is still broken what must I do with the AD- and
DNS-entries of the crashed server? Delete all entries with RSAT or
- For the crashed server it may be the best to scrap the whole
samba-installation and reinstall or better delete the samba-databases?!

Putting the extension of the FSMO documentation on your to-do list is a
great idea. FSMO is a deep hole of unknowingness...

Thanks again,


-----Original Message-----
From: Marc Muehlfeld [mailto:mmuehlfeld at samba.org]
Sent: Tuesday, 26 August 2014 20:15
To: Peter Grotz - Obel und Partner GbR; samba at lists.samba.org
Subject: Re: [Samba] Samba 4 fsmo-handling on crashed dc-server

Hello Peter,

On 26.08.2014 17:47, Peter Grotz - Obel und Partner GbR wrote:
> we have two dcs in one domain which are located in separate subnets.
> These subnets are connected by a routed vpn.
> How must I handle fsmo roles when one of these dcs fails and will 
> maybe be repaired and reconnected?
> A transfer of the fsmo roles is not possible until the dc is repaired, 
> so should the fsmos be seized from the other dc? Can anybody give me a 
> hint how to handle this situation?

There are different situations:

1.) The crashed DC owns none of the FSMO roles: You have nothing to do if
the repaired DC comes back.

2.) The crashed DC has at least one of the FSMO roles:

2.a.) the DC can be repaired: You have nothing to do. You _must not_ seize
the roles in the meantime!

2.b.) the DC can't be repaired: You seize the roles on one of the remaining
DCs. But you must ensure that the DC really never comes back!
Otherwise two DCs own the same roles, which could have serious
consequences. You have to remove the DC from the domain. But demoting is
currently only possible for DCs that are still working. Demoting foreign
DCs is broken: https://bugzilla.samba.org/show_bug.cgi?id=10595


PS: I have put the extension of the FSMO documentation on my to-do list.
We're often having questions about FSMO meanwhile.
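
The case distinction in the quoted reply above (1, 2.a, 2.b), as an added example that is not part of the original thread or of Samba itself: a shell helper that reads `samba-tool fsmo show` output and reports which case applies to a crashed DC. The output line format, the DC names DC1/DC2 and the domain samdom.example.com are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Constructed sample of `samba-tool fsmo show` output, as it would be taken on
# a surviving DC. DC1/DC2 and samdom.example.com are hypothetical names.
sample_fsmo_show() {
cat <<'EOF'
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
EOF
}

# roles_owned_by DC_NAME
# Reads fsmo-show style lines on stdin and prints, one per line, the roles
# whose owner DN names DC_NAME as the server (case-insensitive match).
roles_owned_by() {
    dc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    # Assumed line format: "<Role> owner: CN=NTDS Settings,CN=<server>,..."
    sed -n 's/^\([A-Za-z]*Role\) owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1 \2/p' |
    while read -r role server; do
        server=$(printf '%s' "$server" | tr '[:lower:]' '[:upper:]')
        if [ "$server" = "$dc" ]; then
            printf '%s\n' "$role"
        fi
    done
}

# fsmo_case DC_NAME REPAIRABLE   (REPAIRABLE is "yes" or "no")
# Maps the crashed DC onto the cases from the reply; fsmo-show output on stdin.
fsmo_case() {
    owned=$(roles_owned_by "$1")
    if [ -z "$owned" ]; then
        echo "1 $1 owns no FSMO role: nothing to do when it comes back"
    elif [ "$2" = yes ]; then
        echo "2.a $1 owns roles and can be repaired: do not seize, wait for it"
    else
        echo "2.b $1 owns roles and cannot be repaired: seize on a remaining DC"
        echo "    and make sure $1 never rejoins; roles affected:"
        printf '%s\n' "$owned" | sed 's/^/      /'
    fi
}

# Demo on the constructed sample: DC2 crashed and is not coming back.
sample_fsmo_show | fsmo_case DC2 no
```

On a real domain, pipe the output of `samba-tool fsmo show` from a working DC into `fsmo_case` instead of the sample function.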
