[Samba] unique index violation on objectSid on samba ad

Krutskikh Ivan stein.hak at gmail.com
Mon Oct 19 14:02:02 UTC 2015


Let me explain myself here. We ship video surveillance systems with
built-in AD domain controllers on 2 servers. Right now we have 4 active
projects and 3 more this year. Provisioning DCs by hand each time is a
pain I would like to avoid.

There's not much I want from a domain: groups 'video' and 'video admins' to
exist, GPOs to auto-redirect user profiles to a network share and to prevent
users from the video and video admins groups from Windows login, and some
specific password age settings.

But if I would have to do this manually for every new system...

So please advise me how to make a template domain for this setup.

2015-10-19 16:33 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 19/10/15 14:07, Krutskikh Ivan wrote:
>
>> ok =( Guess I should repeat all the work from scratch. So just to check if
>> I got it right:
>>
>> 1) Create a new container. Provision an AD DC on it. Can I join some
>> machine to apply some GPOs and to create users at this point? I'll delete it
>> afterwards
>>
>
> Well NO, there is no point.
>
>
>> 2) Power down the container from 1) and use it as a template for every
>> other dc I need just by changing ip/dns
>>
>
> NO, clone the container BEFORE you provision Samba, at this point you can
> use it as a template.
>
>
>> 3) Create another template for the second domain. Clone it and attach for
>> each new dc from 2)
>>
>
> Why do you need different DCs? If they are all going to be in the same
> realm, you can use 'sites'; if they aren't, then they need to be totally
> different DNS domains and realms. Speaking of which, all machines in a
> realm need to be using the same DNS domain; you seem to be using different
> domains on your original DCs (dc.office.mtt & bdc.tsnr.mtt)
>
>> Will this work? The DCs would work in different LANs.
>>
>
> Don't recommend it.
>
> Rowland
>
>
>
>> 2015-10-19 15:39 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>
>>> Hello Ivan,
>>>
>>> On 19.10.2015 at 12:42, Krutskikh Ivan wrote:
>>>
>>>> I think I've done something stupid here. At first I created 2 LXC
>>>> containers and provisioned one as dc.office.mtt and joined the second one to
>>>> the first as bdc.tsnr.mtt.
>>>>
>>> You should not name your DC something like "backup" (bdc). If the first
>>> one (dc) gets lost, you only have one. There's no primary, secondary,
>>> etc. in an AD.
>>>
>>> But this isn't your problem :-)
>>>
>>>
>>>
>>>> Then I cloned those containers several times
>>>> and changed IP addresses and DNS names of the new containers to different
>>>> subnets.
>>>>
>>> This was the mistake you made. Don't join and then clone! DCs have GUIDs
>>> inside the AD. If you change the name/IP after the join, you have two
>>> hosts with the same GUID in AD and you will of course get replication
>>> problems.
>>>
>>> Is this already in production or just with a large number of
>>> users/computers? If not, start from scratch. I think it's much less work
>>> and risk to prevent upcoming trouble in future.
>>>
>>> 1. Install first DC
>>> 2. Provision a domain on it
>>> 3. Install second DC as template (just install OS + Samba, but don't
>>> join!)
>>> 4. Clone your machine
>>> 5. Give the clone a new hostname and IP
>>> 6. Join the cloned machine to the domain
>>> 7. Repeat 4-6 for all DCs you want to create.
>>>
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
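The provision-then-clone sequence Marc lays out above (provision the first DC, clone a template that was never joined, rename the clone, then join it) as an added shell example; this is not code from the thread or from the Samba project. REALM, DOMAIN, ROOT and the private directory are assumed placeholders, and samba-tool must of course be present on a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: Marc's provision-then-clone-before-join
# sequence as shell functions, plus a guard that refuses to join a clone that
# already carries a sam.ldb (i.e. one that was cloned AFTER provision/join).
# REALM, DOMAIN, ROOT and SAMBA_PRIVATE_DIR are assumed placeholders.
set -eu

: "${REALM:=EXAMPLE.LAN}"
: "${DOMAIN:=EXAMPLE}"
: "${ROOT:=}"                                      # filesystem prefix, "" on a real host
: "${SAMBA_PRIVATE_DIR:=/var/lib/samba/private}"   # where sam.ldb lives

# Step 2: run ONCE, on the first DC only.
provision_first_dc() {                  # $1 = Administrator password
    samba-tool domain provision --realm="$REALM" --domain="$DOMAIN" \
        --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass="$1"
}

# A template may be cloned only while Samba has never been provisioned or
# joined on it: sam.ldb carries the DC's own directory identity, and two hosts
# sharing it is exactly the replication trouble described in the thread.
template_is_clean() {                   # $1 = Samba private directory
    [ ! -e "$1/sam.ldb" ]
}

# Step 5: give the clone its own identity before Samba is started on it.
rename_clone() {                        # $1 = new short hostname, $2 = new IP
    host=$1; ip=$2
    fqdn=$(printf '%s.%s' "$host" "$REALM" | tr 'A-Z' 'a-z')
    mkdir -p "$ROOT/etc"
    printf '%s\n' "$host" > "$ROOT/etc/hostname"
    printf '%s\t%s %s\n' "$ip" "$fqdn" "$host" >> "$ROOT/etc/hosts"
}

# Step 6: join the renamed clone as an additional DC, refusing if it is not clean.
join_clone() {
    if ! template_is_clean "$SAMBA_PRIVATE_DIR"; then
        echo "refusing to join: $SAMBA_PRIVATE_DIR/sam.ldb already exists;" \
             "re-clone from a template that was never provisioned or joined" >&2
        return 1
    fi
    samba-tool domain join "$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')" DC \
        -U"$DOMAIN\\Administrator" --dns-backend=SAMBA_INTERNAL
}
```

After each join, `samba-tool drs showrepl` on every DC should list the others with successful inbound and outbound replication; a clone made after a join shows up there as replication errors rather than as a new DC.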