[Samba] Samba AD/DC crashed again, third time in as many months

Rowland Penny rpenny at samba.org
Mon Mar 7 15:27:55 UTC 2016


On 07/03/16 15:07, mathias dufresne wrote:
> Answering to previous mail:
> AD is the heart of the infrastructure. That's where all accounts are stored. That
> last affirmation implies that, a few times after you start deploying AD, most of
> your IT infrastructure depends on AD (all applications need accounts, they
> are in AD; no AD, no accounts, nothing works) and that you take security into
> consideration and that you do that seriously: an attacker with an
> administrator account can do almost everything everywhere on machines
> joined to AD.
>
> So redundancy, every time.

Totally agree

>
> You could also think about your own issue: is it the whole DB which is
> broken or is it the DB on the broken DC? With one DC, the whole DB is the
> one DC, so you always break the whole DB.
> With several you get a chance to break only one DC and to have others with
> a coherent DB. That does not mean you will never break the whole DB (a backup
> and a working process to restore are still needed).

Again agree

>
> Second mail:
> You want to remove your FSMO owner. The FSMO owner is SOA.

Not necessarily, there are no FSMO roles on my second DC, but it has a SOA.

> These two are really important notions in AD:
> - FSMO is kind of the PDC in an NT4 domain,

Well, to a certain extent and only when you are describing the PDC 
emulator FSMO role

>   these roles must belong to one DC.

Totally wrong, you can, and probably should, share these about if you 
have more than one DC.

> Seize role before demoting the old one.

Again wrong, you should try to transfer the role first, only seize it if 
you have to, i.e. the FSMO role owner DC is dead.

> - SOA is about DNS, it refers to the one server where some clients can push DNS
> modifications. Change the SOA before you try to add a replacement server for the
> one you demoted. If you don't, the DC you would join to replace the demoted DC
> won't be able to send DNS updates!

It would seem that something has changed and I need to do some more 
testing, must add it to my todo list.

Rowland
>
> And yes, it is possible to get redundancy with dns-backend=SAMBA_INTERNAL.
>
> How to test your DNS servers are well configured: samba_dnsupdate gives no
> error on all DCs (this is a test related to the DNS service only).
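A pre-demotion check covering the two points made in the thread (FSMO roles transferred rather than seized before the old DC goes, and samba_dnsupdate reporting no error on every DC), written as an added shell example that is not from the thread. It assumes samba-tool and samba_dnsupdate are on PATH on the DC being checked and that the DC's short name appears as CN=<name> in "samba-tool fsmo show" output; the sample output below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: DC names appear as
# CN=<name> right after "CN=NTDS Settings" in "samba-tool fsmo show".

# Print the distinct DC names that own at least one FSMO role, reading
# "samba-tool fsmo show" text from stdin.
fsmo_owners() {
    sed -n 's/^[A-Za-z]*Role owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' | sort -u
}

# Exit 0 if the named DC holds any FSMO role, 1 otherwise (stdin as above).
holds_fsmo() {
    fsmo_owners | grep -qx "$1"
}

# Number of distinct role owners; 1 means every role sits on a single DC,
# which is the setup the thread argues against when more than one DC exists.
fsmo_owner_count() {
    fsmo_owners | wc -l | tr -d ' '
}

# Constructed sample in the format samba-tool fsmo show prints: DC1 holds
# four roles, DC2 holds one.
SAMPLE='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'

# Live check, run on the DC you intend to demote: refuse if it still owns
# a role (transfer it first with "samba-tool fsmo transfer --role=...")
# or if the DNS self-test samba_dnsupdate reports errors on this DC.
predemote_check() {
    dc="$1"
    if samba-tool fsmo show | holds_fsmo "$dc"; then
        echo "$dc still holds FSMO roles; transfer them before demoting" >&2
        return 1
    fi
    if ! samba_dnsupdate >/dev/null 2>&1; then
        echo "samba_dnsupdate reported errors on this DC" >&2
        return 1
    fi
    echo "$dc is clear to demote"
}
```

Run `predemote_check DC1` on each DC in turn; a non-zero exit means the thread's precondition for demoting that DC is not met yet.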