[Samba] Samba 4 DC backups

mathias dufresne infractory at gmail.com
Tue Sep 1 13:12:13 UTC 2015


Two little things:
I am almost sure I had some tdbdump stopping because of changes in the ldb file
being dumped. So stopping the DC is a good idea to me.

When a DC goes wrong and there are others in our AD, don't bother trying to
remove the broken DC. When you join your broken DC to AD, the join
command will first remove that DC from AD, then add it again. A cleanup of
previous LDB/TDB files seems like a nice idea to me too, before rejoining that
broken DC.

Cheers,

mathias

2015-09-01 10:00 GMT+02:00 Brady, Mike <mike.brady at devnull.net.nz>:

> On 2015-09-01 18:48, L.P.H. van Belle wrote:
>
>> and most important...
>>
>> If you have 2 DC's ...
>> ! NEVER USE THE BACKUP SCRIPT TO RESTORE ONE OF THE DC's  !
>>
>> This will corrupt your AD databases.
>> Just remove the old DC from the domain and add a new one if needed.
>>
>> .. Rowland.
>> This is also a nice to have in your backup script.
>> Auto detect multiple DC's, we have that already in other scripts.
>> In case of multiple DC's, backup yes, restore no, display warning.. etc.
>> something like that..
>>
>> You can add it to the backup script "wishlist"  ;-)
>>
>> Greetz,
>>
>> Louis
>>
>>
>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Brady, Mike
>>> Sent: Tuesday 1 September 2015 04:59
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Samba 4 DC backups
>>>
>>> I have a few Samba 4.2 DCs in production now and figured that I should do
>>> something about backups.
>>>
>>> I have read
>>> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC and
>>> had a look through the samba_backup script and have a few questions.
>>>
>>> Firstly I am using the Sernet packages on CentOS 7.
>>>
>>> I am assuming the following mappings from the script for my set up
>>> /usr/local/samba/etc is /etc/samba
>>> /usr/local/samba/private is /var/lib/samba/private
>>> /usr/local/samba/sysvol is /var/lib/samba/sysvol
>>>
>>> Does this look correct?
>>>
>>> The samba_backup script does a tdbbackup of ldb files.  In my case that
>>> would be the following:
>>> [root@dc02 ~]# cd /var/lib/samba/
>>> [root@dc02 samba]# find . -name "*.ldb"
>>> ./private/sam.ldb
>>> ./private/privilege.ldb
>>> ./private/share.ldb
>>> ./private/idmap.ldb
>>> ./private/sam.ldb.d/DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>>> ./private/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>>> ./private/sam.ldb.d/DC=FORESTDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>>> ./private/sam.ldb.d/CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>>> ./private/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>>> ./private/dns/sam.ldb
>>> ./private/dns/sam.ldb.d/DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>>> ./private/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>>> ./private/dns/sam.ldb.d/DC=FORESTDNSZONES,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>>> ./private/dns/sam.ldb.d/CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>>> ./private/dns/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=CO,DC=NZ.ldb
>>> ./private/hklm.ldb
>>> ./private/secrets.ldb
>>>
>>> The script then does a tar of the /usr/local/samba (/var/lib/samba in my
>>> case) excluding the *.ldb files, but including the *.ldb.bak files,
>>> which all makes sense.
>>>
>>> But there are also the following tdb files in the /var/lib/samba
>>> directory.
>>> [root@dc02 ~]# cd /var/lib/samba/
>>> [root@dc02 samba]# find . -name "*.tdb"
>>> ./share_info.tdb
>>> ./private/randseed.tdb
>>> ./private/sam.ldb.d/metadata.tdb
>>> ./private/dns/sam.ldb.d/metadata.tdb
>>> ./private/secrets.tdb
>>> ./private/smbd.tmp/msg/names.tdb
>>> ./private/netlogon_creds_cli.tdb
>>> ./private/schannel_store.tdb
>>> ./registry.tdb
>>> ./winbindd_cache.tdb
>>> ./account_policy.tdb
>>>
>>> The script will include these in the backup without doing a tdbbackup,
>>> which I would not have thought was safe?  Should these files be excluded
>>> or have a tdbbackup done like the ldb files, or am I totally missing
>>> something?
>>>
>>> Regards
>>>
>>> Mike
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
> Hi Louis
>
> Yes I am aware of that.  As I said I have read the wiki page
> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC which
> makes this quite clear.  Not that I needed to be told the consequences of
> copying a running database file :-)
>
> But unless I am completely misreading the samba_backup script, that is
> exactly what it is doing for the *.tdb files that I have listed above.
>
> So either the *.tdb files should be excluded or they need to be backed up using
> tdbbackup.  Either way the samba_backup script looks wrong to me.
>
>
> Regards
>
> Mike
>
>

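The handling Mike asks for above, as an added example that is not part of the thread and is not the samba_backup script: take a `tdbbackup` copy of every `*.ldb` and `*.tdb` file, then tar the tree with the live databases excluded so that only the `.bak` copies are archived. The function names and the `TDBBACKUP` override are assumptions of this sketch; the paths in the usage comment are the ones Mike lists for the Sernet packages.

```shell
#!/bin/sh
# Added example, not the samba_backup script itself.
# TDBBACKUP can be overridden (assumption of this sketch); the default is the real tool.
TDBBACKUP="${TDBBACKUP:-tdbbackup}"

# Take a copy (<file>.bak) of every *.ldb and *.tdb under $1 with tdbbackup.
# Returns 1 if any database could not be copied.
snapshot_databases() {
    failed=0
    while IFS= read -r db; do
        [ -n "$db" ] || continue
        "$TDBBACKUP" -s .bak "$db" || { echo "tdbbackup failed: $db" >&2; failed=1; }
    done <<EOF
$(find "$1" -type f \( -name '*.ldb' -o -name '*.tdb' \))
EOF
    return "$failed"
}

# Archive tree $1 into tarball $2 without the live databases; the .bak copies go in.
archive_tree() {
    tar -czf "$2" --exclude='*.ldb' --exclude='*.tdb' -C "$1" .
}

# List any live database that still ended up in tarball $1 (expected: nothing).
live_dbs_in_archive() {
    tar -tzf "$1" | grep -E '\.(ldb|tdb)$' || true
}

# Snapshot first, archive only if every snapshot succeeded.
backup_dc() {
    snapshot_databases "$1" || { echo "not archiving a partial snapshot" >&2; return 1; }
    archive_tree "$1" "$2"
}

# Example: sh backup.sh /var/lib/samba /backup/samba-private.tar.gz
if [ $# -eq 2 ]; then
    backup_dc "$1" "$2"
fi
```
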