[Samba] Problem creating new DC's

lp101 lingpanda101 at gmail.com
Mon Jun 9 09:19:12 MDT 2014


Chris,

     Sounds like you have a few issues. I would try and clean up your 
demoted DC first and work to resolve the new site DC. In my experience 
the demote tool has never succeeded. I've always had to go into ADUC, 
Sites and Services, DNS and ADSI edit to clean up demoted DC's that did 
not remove gracefully. I followed Microsoft suggestions for removing a 
dead or offline server. It was almost immediate for me that the dead 
server no longer displayed when running "/samba-tool drs showrepl". I 
did the following from this blog 
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

 1. Open Active Directory Sites and Services and expand the appropriate
    site. Delete the dead server.
 2. http://www.petri.co.il/images/cleanup1.gif
 3. Open Active Directory Users and Computers. Expand the Domain
    Controllers container.
 4. http://www.petri.co.il/images/cleanup2.gif
 5. Delete the server object associated with the failed domain controller.
 6. Windows Server 2003 AD might display a new type of question window,
    asking you if you want to delete the server object without
    performing a DCPROMO operation (which, of course, you cannot
    perform, otherwise you wouldn't be reading this article, would
    you...) Select "This DC is permanently offline..." and click on the
    Delete button.
 7. http://www.petri.co.il/images/cleanup3.gif
21. AD will display another confirmation window. If you're sure that you
    want to delete the failed object, click Yes.
21. http://www.petri.co.il/images/cleanup4.gif
21. Next Remove the server from DNS.
22. In the DNS snap-in, expand the zone that is related to the domain
    from where the server has been removed.
23. Remove the CNAME record in the _msdcs.root domain of forest zone in
    DNS. You should also delete the HOSTNAME and other DNS records.
21. http://www.petri.co.il/images/cleanup5.gif
21. If you have reverse lookup zones, also remove the server from these
    zones.
21. Use "ADSIEdit" to remove old computer records from the Active
    Directory: Default Naming Context

    a. OU=Domain Controllers,DC=domain,DC=local

    b.
    CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local

    c. CN=Domain System Volume (SYSVOL share),CN=File Replication
    Service,CN=System,DC=domain,DC=local
21. Use ADSI edit to remove NTDS settings: Configuration
21. CN=Sites
21. CN=Default-First-Site-Name (Your Site Name May Be different)
21. CN=Servers
21. CN=SAMBADC1 (Go through each server that has a connection to the
    offline DC)
21. CN=NTDS Settings

Remove all NTDS settings that reference the offline or dead DC. If you 
accidentally delete the wrong NTDS setting. Run samba-tool drs kcc to 
try and recreate. Be careful. Make sure you connect to the DC that holds 
all the FSMO roles. In my case the first DC I provisioned. It make take 
a few minutes for the changes to replicate across the forest. I made 
sure to log into each DC with all these tools to verify the changes 
replicated correctly. Use caution when using ADSI.  Good luck and 
remember to take a backup.

On 6/9/2014 9:34 AM, Chris Alavoine wrote:
> Hi James/all,
>
> Understood.
>
> The consistency check appears to run ok on both the new DC and the 
> FSMO DC. That is, up to the point where replication stops working and 
> samba dies.
>
> I see the occasional WERR_SEM_TIMEOUT errors on the more far-flung 
> DC's but this was happening before the replication problem.
>
> I can still see the old DC that I removed appearing in the samba-tool 
> drs showrepl output on some of my other DC's, I guess they need time 
> to update but with my cronjob restarting samba every 30 minutes to 
> keep things working that's not going to happen I guesss.
>
> I wonder if I need to remove the new Sites DC as my problems began 
> when this appeared in the Forest.
>
> Thanks,
> Chris.
>
>
>
> On 9 June 2014 14:06, lp101 <lingpanda101 at gmail.com 
> <mailto:lingpanda101 at gmail.com>> wrote:
>
>     Chris,
>
>         I may not be able to offer much more help. Maybe someone on
>     the list can chime in. After restarting samba can you run
>     "/samba-tool drs kcc" on your DC that holds all the FSMO roles as
>     well as your new one? Also after restart does "/samba-tool drs
>     showrepl" show no errors on any DC in your forest?
>
>     On 6/9/2014 8:06 AM, Chris Alavoine wrote:
>>     Hi James,
>>
>>     I may have spoken too soon. Replication to my other DC's
>>     (including the new one in the new Site) keeps failing. After a
>>     samba restart replication work for around 30 minutes and then
>>     this happens:
>>
>>     /usr/local/samba/bin/samba-tool drs showrepl | more
>>     ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
>>     REMOTEDC.example.com <http://REMOTEDC.example.com> failed -
>>     drsException: DRS connection to REMOTEDC.example.com
>>     <http://REMOTEDC.example.com> failed: (-1073741643,
>>     'NT_STATUS_IO_TIMEOUT')
>>       File
>>     "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
>>     line 39, in drsuapi_connect
>>         (ctx.drsuapi, ctx.drsuapi_handle,
>>     ctx.bind_supported_extensions) =
>>     drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
>>       File
>>     "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line
>>     54, in drsuapi_connect
>>         raise drsException("DRS connection to %s failed: %s" %
>>     (server, e))
>>
>>     This has the added side-effect that Samba no longer functions
>>     (i.e. no longer processes logins) until I do another restart.
>>
>>     The only DC impervious to this behaviour the main FSMO DC.
>>
>>     As a workaround I have a cronjob on my other DC's that restarts
>>     samba every 30 minutes but clearly this is no solution.
>>
>>     Last Friday evening after adding my new DC in it's correct Site I
>>     attempt to demote the old one in this location. The samba-tool
>>     domain demote command failed for me so I removed the DC manually
>>     and removed all traces of it from DNS. Could this have caused
>>     problems?
>>
>>     Any help much appreciated.
>>
>>     Thanks,
>>     Chris.
>>
>>
>>
>>     On 4 June 2014 14:08, Chris Alavoine <chrisa at acs-info.co.uk
>>     <mailto:chrisa at acs-info.co.uk>> wrote:
>>
>>         Yep, new DC shows up under ADSS.
>>
>>         c:)
>>
>>
>>         On 4 June 2014 14:04, lp101 <lingpanda101 at gmail.com
>>         <mailto:lingpanda101 at gmail.com>> wrote:
>>
>>             Hi Chris,
>>
>>                 Great news! Confirm Site and Services does in fact
>>             show your New DC in its appropriate location.
>>
>>
>>             On 6/4/2014 8:58 AM, Chris Alavoine wrote:
>>>             Hi James,
>>>
>>>             Just thought I'd report my success!
>>>
>>>             I'd forgotten to specify the local DC (same Site) in my
>>>             domain provision command:
>>>
>>>             /usr/local/samba/bin/samba-tool domain join example.com
>>>             <http://example.com> DC -UAdministrator
>>>             --realm=example.com <http://example.com> --server=blahdc
>>>             --site=blah
>>>
>>>             This still took over an hour but didn't produce the
>>>             above TIMEOUT error.
>>>
>>>             Thanks for your help on this!
>>>
>>>             c:)
>>>
>>>
>>>
>>>             On 3 June 2014 16:40, Chris Alavoine
>>>             <chrisa at acs-info.co.uk <mailto:chrisa at acs-info.co.uk>>
>>>             wrote:
>>>
>>>                 Hi James,
>>>
>>>                 I have upped the RAM to 20GB and given it 8 cores,
>>>                 but unfortunately am getting the same result. The
>>>                 time taken to process all the objects is well over
>>>                 an hour which I'm guessing is where my problem lies.
>>>
>>>                 Not sure what else to try expect maybe attempting to
>>>                 reduce the number of DC's (over a weekend) and try
>>>                 again.
>>>
>>>                 Thanks,
>>>                 Chris.
>>>
>>>
>>>                 On 3 June 2014 13:56, lp101 <lingpanda101 at gmail.com
>>>                 <mailto:lingpanda101 at gmail.com>> wrote:
>>>
>>>                         I believe I needed at least 8GB to complete
>>>                     the join process. I know it was more then 4GB.
>>>                     Here is a link to my discussion I had on this
>>>                     list in Jan.
>>>
>>>                     http://samba.2283325.n4.nabble.com/DomainDnsZone-Replication-Shows-200-000-Objects-td4658437i20.html
>>>
>>>                         I strongly discourage using the tombstone
>>>                     attribute to fix this issue within this
>>>                     discussion. It created more issues then it was
>>>                     worth. I'm not sure if this bug was fixed or
>>>                     not. Increase the memory and attempt to join the
>>>                     new DC to the existing DC at that site. It
>>>                     should help with the timeout error. Good luck!
>>>
>>>
>>>
>>>                     On 6/3/2014 8:44 AM, Chris Alavoine wrote:
>>>>                     Hi James,
>>>>
>>>>                     Thanks for the reply.
>>>>
>>>>                     My last attempt had 4GB RAM and 4 cores (VM).
>>>>                     Do you think I should give it some more?
>>>>
>>>>                     Thanks,
>>>>                     Chris.
>>>>
>>>>
>>>>                     On 3 June 2014 13:42, lp101
>>>>                     <lingpanda101 at gmail.com
>>>>                     <mailto:lingpanda101 at gmail.com>> wrote:
>>>>
>>>>                             Hi Chris,
>>>>
>>>>                             How much memory does your server have
>>>>                         and are you attempting to join it to the
>>>>                         local DC at the site? I've had an issue
>>>>                         similar to this and increasing the server
>>>>                         memory and attempting to join to a local DC
>>>>                         helped.
>>>>
>>>>
>>>>                         On 6/3/2014 8:04 AM, Chris Alavoine wrote:
>>>>
>>>>                             Hi there,
>>>>
>>>>                             I currently have 6 Samba4 (4.1.5) DC's
>>>>                             spread over a global network. This
>>>>                             is working ok but they were created
>>>>                             before any Sites were made and as the
>>>>                             ability to move DC's to new Sites is
>>>>                             not working, I am attempting to create
>>>>                             new DC's in each location and then
>>>>                             demote the old ones.
>>>>
>>>>                             The problem I am facing is the domain
>>>>                             join process keeps timing out for any
>>>>                             new DC. I think this is due the amount
>>>>                             of objects that now need to be
>>>>                             synced:
>>>>
>>>>                             Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>>>>                             objects[142711/162691] linked_values[0/0]
>>>>                             Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>>>>                             objects[143113/162691] linked_values[0/0]
>>>>                             Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>>>>                             objects[143515/162691] linked_values[0/0]
>>>>
>>>>                             (this is a snippet from attempting to
>>>>                             join, as you can see there are 162691
>>>>                             objects which takes a fair amount of
>>>>                             time to get through - I have tried
>>>>                             this from various different locations).
>>>>
>>>>                             This is the final error I get:
>>>>
>>>>                             Replicating
>>>>                             DC=ForestDnsZones,DC=essence,DC=internal,DC=com
>>>>                             Partition[DC=ForestDnsZones,DC=essence,DC=internal,DC=com]
>>>>                             objects[24/24]
>>>>                             linked_values[0/0]
>>>>                             Partition[DC=ForestDnsZones,DC=essence,DC=internal,DC=com]
>>>>                             objects[48/24]
>>>>                             linked_values[0/0]
>>>>                             Committing SAM database
>>>>                             Sending DsReplicateUpdateRefs for all
>>>>                             the replicated partitions
>>>>                             Join failed - cleaning up
>>>>                             checking sAMAccountName
>>>>                             ERROR(runtime): uncaught exception -
>>>>                             (-1073741643, 'NT_STATUS_IO_TIMEOUT')
>>>>                                File
>>>>                             "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>>                             line 175, in _run
>>>>                                  return self.run(*args, **kwargs)
>>>>                                File
>>>>                             "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>>>>                             line
>>>>                             552, in run
>>>>                              machinepass=machinepass,
>>>>                             use_ntvfs=use_ntvfs,
>>>>                             dns_backend=dns_backend)
>>>>                                File
>>>>                             "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>                             line
>>>>                             1172, in join_DC
>>>>                              ctx.do_join()
>>>>                                File
>>>>                             "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>                             line
>>>>                             1082, in do_join
>>>>                              ctx.join_finalise()
>>>>                                File
>>>>                             "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>                             line
>>>>                             881, in join_finalise
>>>>                              ctx.send_DsReplicaUpdateRefs(nc)
>>>>                                File
>>>>                             "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>                             line
>>>>                             866, in send_DsReplicaUpdateRefs
>>>>                              ctx.drsuapi.DsReplicaUpdateRefs(ctx.drsuapi_handle,
>>>>                             1, r)
>>>>
>>>>
>>>>                             Which seem to suggest that the join
>>>>                             fails, it tries to clean up and gets a
>>>>                             NT_STATUS_IO_TIMEOUT error.
>>>>
>>>>                             This leaves me with a non-functioning
>>>>                             DC appearing in the Domain Controller
>>>>                             list on ADUC and ADSS which need to be
>>>>                             cleaned out.
>>>>
>>>>                             Any advice on how I can get around this
>>>>                             problem?
>>>>
>>>>                             Thanks
>>>>                             Chris.
>>>>
>>>>
>>>>                         -- 
>>>>                         -James
>>>>
>>>>
>>>>
>>>>
>>>>                     -- 
>>>>                     ACS (Alavoine Computer Services Ltd)
>>>>                     Chris Alavoine
>>>>                     mob +44 (0)7724 710 730
>>>>                     <tel:%2B44%20%280%297724%20710%20730>
>>>>                     www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
>>>>                     http://twitter.com/#!/alavoinecs
>>>>                     <http://twitter.com/#%21/alavoinecs>
>>>>                     http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>>>
>>>
>>>                     -- 
>>>                     -James
>>>
>>>
>>>
>>>
>>>                 -- 
>>>                 ACS (Alavoine Computer Services Ltd)
>>>                 Chris Alavoine
>>>                 mob +44 (0)7724 710 730
>>>                 <tel:%2B44%20%280%297724%20710%20730>
>>>                 www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
>>>                 http://twitter.com/#!/alavoinecs
>>>                 <http://twitter.com/#%21/alavoinecs>
>>>                 http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>>
>>>
>>>
>>>
>>>             -- 
>>>             ACS (Alavoine Computer Services Ltd)
>>>             Chris Alavoine
>>>             mob +44 (0)7724 710 730
>>>             <tel:%2B44%20%280%297724%20710%20730>
>>>             www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
>>>             http://twitter.com/#!/alavoinecs
>>>             <http://twitter.com/#%21/alavoinecs>
>>>             http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>
>>             -- 
>>             -James
>>
>>
>>
>>
>>         -- 
>>         ACS (Alavoine Computer Services Ltd)
>>         Chris Alavoine
>>         mob +44 (0)7724 710 730 <tel:%2B44%20%280%297724%20710%20730>
>>         www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
>>         http://twitter.com/#!/alavoinecs
>>         <http://twitter.com/#%21/alavoinecs>
>>         http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>
>>
>>
>>
>>     -- 
>>     ACS (Alavoine Computer Services Ltd)
>>     Chris Alavoine
>>     mob +44 (0)7724 710 730 <tel:%2B44%20%280%297724%20710%20730>
>>     www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
>>     http://twitter.com/#!/alavoinecs
>>     <http://twitter.com/#%21/alavoinecs>
>>     http://www.linkedin.com/pub/chris-alavoine/39/606/192
>
>     -- 
>     -James
>
>
>
>
> -- 
> ACS (Alavoine Computer Services Ltd)
> Chris Alavoine
> mob +44 (0)7724 710 730
> www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
> http://twitter.com/#!/alavoinecs <http://twitter.com/#%21/alavoinecs>
> http://www.linkedin.com/pub/chris-alavoine/39/606/192

-- 
-James



More information about the samba mailing list