[Samba] samba4 replication issues | sam.ldb inconsistency

Wed Jul 9 06:54:54 MDT 2014

FSMO Roles are not "just" a setting.. 

This is a most importent part..  
You can set different FSMO Roles on different DC's ist not just for 1 server. 

You have 5 FSMO roles.

Schema master  FSMO role holder is the DC responsible for performing updates to the directory schema

Domain naming master role holder is the DC responsible for making changes to the forest-wide domain name space of the directory 

RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

PDC emulator is necessary to synchronize time in an enterprise. Windows includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. 
it also handles : Password changes, Account lockouts are processed by PDC
and the PDC performas the functions that a MS NT4.0 Bases PDC did. 

Infrastructure master should be held by a domain controller that is not a Global Catalog server(GC). 
( which is almost never the case ) 

above is mostly a copy of : 
http://support.microsoft.com/kb/197132 

Louis

>-----Oorspronkelijk bericht-----
>Van: achim at ag-web.biz [mailto:samba-bounces at lists.samba.org] 
>Namens Achim Gottinger
>Verzonden: woensdag 9 juli 2014 14:47
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] samba4 replication issues | sam.ldb 
>inconsistency
>
>Am 09.07.2014 14:31, schrieb mourik jan heupink - merit:
>> Hi achim, list
>>
>>> If one of your two DC's is still working flawless you can 
>try to move
>>> all fsmo roles to that server and rejoin the other one.
>> But I'm not *sure* that one of my dc's is in perfect shape. I *know* 
>> that the DC=DOMAINDNSZONES on dc1 is corrupt.
>>
>> DC2 seems to be fine, however, samba-tool dbcheck cross-ncs never 
>> stops checking, and has been running for 18 hours now. So 
>perhaps dc2 
>> is not healthy too?
>>
>> samba-tool fsmo show tells me that all roles are currently 
>on the DC1.
>>
>> I'm a bit hesitant to start messing with my AD (transferring roles, 
>> etc), because of the uncertain state it seems to be in. I'm not sure 
>> if I'll be able to reverse it, if this goes terribly wrong.
>>
>> If I *knew* that DC2 is healthy, I could transfer all roles there, 
>> etc. But as Daniel said: he had to reinstall a DC because of 
>> "samba-tool dbcheck cross-ncs" that never ended. (like the situation 
>> on my DC2)
>>
>>> Seems tdbbackup works on dc1 for
>>> DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=COM.ldb maybe 
>using the backup
>>> fixes your issues.
>> So, is it possible to use take the 
>> DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=COM.ldb from the 
>working dc, 
>> and copy it to the problem dc? Can I overwrite the corrupt file with 
>> another dc's file?
>>
>> Or is my best bet now to install a DC3, and see what gets replicated 
>> to that new dc?
>>
>> MJ
>>
>>>
>>> achim~
>>>
>>>
>>>
>It sounded like tdbbackup 
>DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=COM.ldb works on your dc1. So 
>i'd try the result of that backup operation first.
>
>As far as i unterstand fsmo roles from following that list there is 
>nothing to transfer it's just an setting so it can be changed 
>even after 
>the server holding all the roles was removed from the network. Someone 
>please correct me if i'm wron on this one.
>
>Id expect you need an server with working fsmo roles to join an new dc 
>to your domain, be it dc3 as an new one or dc1 denotet and rejoined.
>
>Best is to do an backup like it's mentioned in the wiki from your 
>working server dc2 before proceding.
>
>achim~
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>