[Samba] Broken domain

mourik jan heupink - merit heupink at merit.unu.edu
Mon Sep 29 06:07:20 MDT 2014


Hi Chris,

We have seen this, and with us the problems were so serious that we 
called in the guys from SerNet to help us solve it.

Why can you not add a new dc to the domain? Does it fail when trying to 
replicate the DomainDnsZones partition? Or some other problem?

What helped us is:

- reduce the size of DomainDnsZones with many lines like
  ldbdel -d 0 -H sam.ldb "<GUID=66fd6cd4-a9dc-4d05-ab0c-dc915fce6adb>" --show-recycled --relax

- you should then (normally) be able to add a new DC.

But perhaps your problems are bigger..?

MJ


On 09/29/2014 01:51 PM, Chris Alavoine wrote:
> Hi all,
>
> Hoping someone can help me out here.
>
> My 5 DC production domain (4.1.7 Ubuntu 12.04) is in a bit of a state.
>
> I attempted an upgrade from 4.1.5 to 4.1.7 which appeared to work, but now
> we have replication errors and I am unable to add any new DNS entries. I am
> now certain that we've fallen foul of the DomainDnsZones DeletedObjects
> problem that I've been reading about in various posts on the lists.
>
> My DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb files are now
> between 3 and 4GB on each of the DCs. Doing an ldapsearch (ldbsearch -H
> DC=DOMAINDNSZONES,DC=ESSENCE,DC=INTERNAL,DC=COM.ldb 'isDeleted=TRUE' dn) on
> each DC returns a different number of objects ranging from 387000 down to
> 88000 on the FSMO DC. Almost all of these are stale isDeleted entries.
>
> I am currently attempting a Bind migration on a test DC as this is touted as
> a possible fix (any successes out there with this?).
>
> A matter of note for the lists: When I originally provisioned my domain
> (classic upgrade from Samba3) I created a new OU for Groups and moved all
> groups into it. This is a mistake if you want to migrate to Bind, as the
> migration script needs CN=DnsAdmins to be in the Users OU; if it isn't, the
> script errors. I moved DnsAdmins back to Users to get the script to
> complete.
>
> At present I'm holding the domain together with bits of string and sticky
> tape - having to reboot one of my DCs every 30 mins just to keep things
> ticking over.
>
> I have tried many variations of joining a new DC to the domain but that has
> failed, so my current plan is to create a test version of my FSMO DC using
> BIND_DLZ (using a current snapshot of the FSMO DC) and get things to a
> working state there, and then replace this on the production site and
> re-join new DCs to rebuild things. Obviously, not best practice but I
> can't think of any other way of getting things stable again.
>
> I have tried manually editing the .ldb files but they are so inflated now
> that any vim edits just time out and error.
>
> Thanks,
> Chris.
>
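The clean-up MJ describes above (one ldbdel per tombstoned object in DomainDnsZones) is tedious by hand when there are hundreds of thousands of them, as in Chris's case. The script below is an added example and not code from the thread or from the Samba project: it pulls the objectGUID of every isDeleted=TRUE record out of ldbsearch's LDIF output and turns each one into the exact ldbdel invocation MJ quoted. It assumes the ldb tools print and accept objectGUID as a GUID string, that the sam.ldb path and the DomainDnsZones base DN are the placeholders set at the top (adjust them to your install), and it defaults to DRY_RUN=1 so it only prints the commands until you deliberately set DRY_RUN=0. The embedded LDIF is a constructed sample with made-up GUIDs, used so the parsing can be exercised without a DC at hand; take a backup of the private directory before running it for real.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate tombstoned (isDeleted=TRUE)
# objects in the DomainDnsZones partition and emit one ldbdel call per
# objectGUID. DRY_RUN=1 (default) prints the commands instead of running them.
set -eu

SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"    # assumed path
BASE_DN="${BASE_DN:-DC=DomainDnsZones,DC=example,DC=com}" # placeholder domain
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of what 'ldbsearch --show-recycled' prints (LDIF records
# separated by blank lines; GUIDs are made up). Real output has many more.
SAMPLE_LDIF='dn: DC=oldhost\0ADEL:11111111-2222-3333-4444-555555555555,CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com
objectGUID: 11111111-2222-3333-4444-555555555555
isDeleted: TRUE

dn: DC=otherhost\0ADEL:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com
isDeleted: TRUE
objectGUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

dn: DC=livehost,DC=DomainDnsZones,DC=example,DC=com
objectGUID: 99999999-8888-7777-6666-555555555555

# returned 3 records
'

# list_deleted: query the partition for tombstones, asking only for the two
# attributes the parser needs. --show-recycled makes ldb return deleted objects.
list_deleted() {
    ldbsearch -H "$SAM_LDB" -b "$BASE_DN" --show-recycled \
        '(isDeleted=TRUE)' objectGUID isDeleted
}

# extract_guids: read LDIF on stdin, print the objectGUID of every record that
# carries isDeleted: TRUE. Attribute order within a record does not matter,
# because the decision is made when the record ends (blank line or EOF).
extract_guids() {
    awk '
        /^objectGUID: /    { guid = $2 }
        /^isDeleted: TRUE/ { deleted = 1 }
        /^$/               { if (deleted && guid != "") print guid
                             guid = ""; deleted = 0 }
        END                { if (deleted && guid != "") print guid }
    '
}

# purge_guids: for each GUID on stdin, run (or in dry-run mode print) the
# ldbdel command from the thread. Anything that is not a well-formed GUID is
# skipped with a warning so a stray line can never reach ldbdel.
purge_guids() {
    while IFS= read -r guid; do
        if ! printf '%s\n' "$guid" | \
             grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
            printf 'skipping non-GUID line: %s\n' "$guid" >&2
            continue
        fi
        if [ "$DRY_RUN" = "1" ]; then
            printf 'ldbdel -d 0 -H %s "<GUID=%s>" --show-recycled --relax\n' \
                "$SAM_LDB" "$guid"
        else
            ldbdel -d 0 -H "$SAM_LDB" "<GUID=$guid>" --show-recycled --relax
        fi
    done
}

# Demonstration on the constructed sample (prints two ldbdel lines).
# Against a real DC: DRY_RUN=1 first, then  list_deleted | purge_guids
printf '%s' "$SAMPLE_LDIF" | extract_guids | purge_guids
```

Run it once per DC with DRY_RUN=1 and count the lines it prints; that count is the same per-DC tombstone number Chris measured with his ldbsearch, and it should shrink to zero after a DRY_RUN=0 pass. The third sample record (a live host, no isDeleted) is there to show that the parser ignores objects that are not tombstoned.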

