[Samba] [samba] DC validity test needed?

[mathias dufresne]

Hi all,

Context: Samba 4.3.3 as AD domain.

These days main work is to work on backup / restore. Both worked well after
spotting hard links into $samba/private/dns/sam.ldb.d (thanks to the wiki :)

All the following is how I see things related to restore a domain from
backup, that's not The Truth. All comments would be welcomed.

a- prerequisites
For me when restoring a database we must shutdown all others DC, at least
shutdown Samba services on them, then we can restore data and start one DC.

b- restore (status after)
This one DC started is using a database which contains all others DC, all
DC declared at backup time, but we still have only one working DC, the one
we restored.

c- rebuild a working domain
Next step is to re-join all others DC. Here a join is needed and not only a
restart of Samba service to force our DCs to use the same DB, the one from
the DC we restored.

First if you disagree with that, please tell me (and tell me why :p)

This process is almost working: some DC still refuse to synchronize after
join, sometimes refuse to join... little issues which seem to be
auto-solvable: mostly restarting the broken command (sometimes after a
reboot) is solving the issue.

So why do I post?

I've got one DC which refuse to join correctly even after reboot, even
using a brand new VM.
I finally tried to demote that DC before re-join it.

And here is the strange thing: Samba tries to connect on non-working DC to
demote itself, which means there is no test of how is working remote DC
before trying to deal with.

Process to chose a DC from Windows client side is to use some _ldap SRV
record, potentially redo that search including AD site to get answer
related to our AD Site only, then using the received list of DC Windows
client send LDAP reaquest (some simple one) to every DC to find one which
replies to that LDAP request.

It seems this process of finding a working DC is missing at least when
trying a demote...

Best regards,

mathias