[Samba] Unable to join DC to domain

mathias dufresne infractory at gmail.com
Tue Mar 29 09:04:24 UTC 2016


Hi JS,

Rowland was right about restoring, which I didn't spot: you must always
have only one DC running when you restore: the DC you are restoring. All
others must obviously be stopped as they run the old DB, the broken one, and
you don't want the restored DB to collide with the broken ones hosted on the
old DCs.

Regarding deleted objects: if you want to get rid of deleted objects you
can modify tombstoneLifeTime which is a configuration item.
Here is some information about changing that parameter:
https://www.petri.com/changing_the_tombstone_lifetime_windows_ad

Why change that parameter? You have deleted objects, they could be what
blocks you (I'm arriving at work and I haven't fully read all your mails, not
carefully enough at least). After changing that parameter to 1 (days) and
waiting for 1 day, your deleted objects will be really deleted, or I missed
something about that parameter.

Regarding missing FSMO: I would try to seize them (with --force at least)
on each FSMO, one by one.
If that does not work you can try to force them manually.

Here are my own FSMO:
 ldbsearch --cross-ncs -H $sam fsmoroleowner=* dn fSMORoleOwner
# record 1
dn: CN=Schema,CN=Configuration,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
 iguration,DC=samba,DC=domain,DC=tld

# record 2
dn: CN=Partitions,CN=Configuration,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
 iguration,DC=samba,DC=domain,DC=tld

# record 3
dn: CN=Infrastructure,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
 iguration,DC=samba,DC=domain,DC=tld

# record 4
dn: CN=Infrastructure,DC=ForestDnsZones,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
 iguration,DC=samba,DC=domain,DC=tld

# record 5
dn: CN=Infrastructure,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
 iguration,DC=samba,DC=domain,DC=tld

# record 6
dn: DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
 iguration,DC=samba,DC=domain,DC=tld

# record 7
dn: CN=RID Manager$,CN=System,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
 iguration,DC=samba,DC=domain,DC=tld

You could try to use some LDIF files to add the fSMORoleOwner attribute to
FSMO roles:
---------------------
dn: DC=samba,DC=domain,DC=tld
changetype: modify
add: fSMORoleOwner
fSMORoleOwner: CN=NTDS Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
 iguration,DC=samba,DC=domain,DC=tld
---------------------------------

Before using that LDIF:
- you must verify that the object declared as the new fSMORoleOwner exists.
- you must choose CN=NTDS Settings,CN=<YOUR_WORKING_DC>,...............
- you should try to add only one role and verify the role is set correctly
before trying to add other roles
- you MUST take note of what you do, to roll back these attempts in case they
don't work (which I have no idea about).




2016-03-28 19:50 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 28/03/16 18:46, IT Admin wrote:
>
>>
>> Hi Rowland,
>>
>> I had run those queries during troubleshooting last night as well,
>> apologies if I get ahead of myself, here are all of my missing roles, they
>> only have dn entries, the second line containing fsmoowner is blank:
>>
>> itwerks at cbadc01:~$ sudo /usr/local/samba/bin/ldbsearch -H
>> /usr/local/samba/private/sam.ldb -b 'CN=System,DC=cb,DC=cliffbells,DC=com'
>> -s sub '(&(objectclass=rIDManager)(cn=RID Manager$))' fSMORoleOwner
>> # record 1
>> dn: CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>> itwerks at cbadc01:~$ !284
>> sudo /usr/local/samba/bin/ldbsearch --cross-ncs -H
>> /usr/local/samba/private/sam.ldb -b
>> "CN=Infrastructure,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com" -s base
>> fsmoroleowner
>> # record 1
>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>> itwerks at cbadc01:~$ !285 sudo /usr/local/samba/bin/ldbsearch --cross-ncs
>> -H /usr/local/samba/private/sam.ldb -b
>> "CN=Infrastructure,DC=ForestDnsZones,DC=cb,DC=cliffbells,DC=com" -s base
>> fsmoroleowner
>> # record 1
>> dn: CN=Infrastructure,DC=ForestDnsZones,DC=cb,DC=cliffbells,DC=com
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>> itwerks at cbadc01:~$ !286 sudo /usr/local/samba/bin/ldbsearch --cross-ncs
>> -H /usr/local/samba/private/sam.ldb -b
>> "CN=Infrastructure,DC=cb,DC=cliffbells,DC=com" -s base fsmoroleowner
>> # record 1
>> dn: CN=Infrastructure,DC=cb,DC=cliffbells,DC=com
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>> itwerks at cbadc01:~$
>>
>> JS
>>
>>
> OK, there appears to be a bug in the fsmo.py code, can you bear with me
> whilst I try to sort it and also come up with something to possibly fix
> your problem.
>
> The bug has nothing to do with your main problem, it has to do with the
> error i.e. it shouldn't.
>
> Rowland


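Added example (not part of the original mail and not Samba project code): a Python check for the verification steps listed before the LDIF. It unfolds ldbsearch output and marks each FSMO role object as having no fSMORoleOwner, an owner that is a known NTDS Settings object, or an owner that is not. The sample output, the CN=DC9 owner and the list of known NTDS Settings DNs are constructed for illustration.

```python
import re

# Constructed sample in the shape ldbsearch prints: records separated by blank
# lines, long values folded onto a continuation line starting with one space.
# Record 2 has no fSMORoleOwner, as in the quoted output in this thread.
SAMPLE = """\
# record 1
dn: CN=Schema,CN=Configuration,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
 iguration,DC=samba,DC=domain,DC=tld

# record 2
dn: CN=RID Manager$,CN=System,DC=samba,DC=domain,DC=tld

# record 3
dn: DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS Settings,CN=DC9,CN=Servers,CN=Autres,CN=Sites,CN=Config
 uration,DC=samba,DC=domain,DC=tld

# returned 3 records
"""
# Assumption: DNs of NTDS Settings objects that really exist, supplied by the caller.
KNOWN_NTDS = ["CN=NTDS Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,"
              "CN=Configuration,DC=samba,DC=domain,DC=tld"]

def parse_ldif(text):
    """Return {dn: {lowercased attribute: value}}; base64 ('::') values are skipped."""
    unfolded = re.sub(r"\n ", "", text)  # LDIF folding: newline followed by one space
    records = {}
    for block in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            attrs[key.lower()] = value
        if "dn" in attrs:
            records[attrs.pop("dn")] = attrs
    return records

def audit_fsmo(text, known_ntds):
    """Map each role object DN to 'missing', 'ok' or 'unknown' (owner not in known_ntds)."""
    known = {dn.lower() for dn in known_ntds}
    result = {}
    for dn, attrs in parse_ldif(text).items():
        owner = attrs.get("fsmoroleowner")
        result[dn] = "missing" if owner is None else (
            "ok" if owner.lower() in known else "unknown")
    return result

if __name__ == "__main__":
    for dn, state in audit_fsmo(SAMPLE, KNOWN_NTDS).items():
        print(f"{state:8} {dn}")
```

Running the same check before and after each single-role change gives the written record the rollback advice above asks for.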