[Samba] How to Migrate Samba AD from one server to another
Paul R. Ganci
ganci at nurdog.com
Mon Oct 3 00:15:45 UTC 2016
On 09/11/2016 10:38 AM, Paul R. Ganci via samba wrote:
> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
> Rowland, thanks for your reply. What you describe is pretty simple in
> principle. It is the details about which I am confused. There are 3
> aspects of a Samba 4 AD that have to be properly set up for the AD to
> function correctly. Namely the Samba configuration, Kerberos and DNS.
> If any of these are incorrectly configured the AD will not function.
> So here are my questions regarding the details of what you describe.
> <snip>
> 6.) Transfer FSMO roles
>
> 7.) Demote old DC
>
So I successfully moved the DC to another server. However when I try to
demote the old DC I get this error.
nikita> samba-tool domain demote -Uadministrator
Using nureyev.myhome.example.com as partner server for the demotion
Password for [MYHOME\administrator]:
Deactivating inbound replication
Asking partner server nureyev.myhome.example.com to synchronize from us
Changing userControl and container
Error while demoting, re-enabling inbound replication
ERROR(<type 'exceptions.RuntimeError'>): Error while sending a removeDsServer of CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com: - (31, 'WERR_GENERAL_FAILURE')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 921, in run
    drsuapiBind.DsRemoveDSServer(drsuapi_handle, 1, req1)
Does anyone have a clue as to why I cannot demote the old DC? I am at a
loss as to what is wrong. All the FSMO transferred properly to the new
server. I did sync the sysvol so I am not sure what happened here
because everything was good at one point. What I am finding now is that
on what I want to be the PDC I have this:
> samba-tool drs showrepl
Default-First-Site-Name\NUREYEV
DSA Options: 0x00000001
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
DSA invocationId: 0fcda6bb-9435-4852-ac8d-660af8443d34
==== INBOUND NEIGHBORS ====
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
But on the old DC that I want to demote I have this:
> samba-tool drs showrepl
Default-First-Site-Name\NIKITA
DSA Options: 0x00000001
DSA object GUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
DSA invocationId: c47710e7-8649-4c2f-bf82-f26c8d23effc
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 2b332225-20d4-486f-8b38-87c56c64f707
Enabled : TRUE
Server DNS name : nureyev.myhome.example.com
Server DN name : CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Any suggestions as to how to debug/fix this problem so I can demote the old DC?
--
Paul (ganci at example.com)
Cell: (303)257-5208
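
Added example, not part of the original message and not Samba project code: a small parser for the `samba-tool drs showrepl` text quoted above that lists every neighbor link with consecutive failures, usable as a replication health check before running `samba-tool domain demote`. The function names `parse_showrepl` and `failing_links` are hypothetical, and the sample input is constructed from the output in the post.

```python
import re

SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=myhome,DC=example,DC=com
Default-First-Site-Name\\NUREYEV via RPC
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
CN=Configuration,DC=myhome,DC=example,DC=com
Default-First-Site-Name\\NUREYEV via RPC
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
"""  # constructed sample, abbreviated from the post (mail line wrapping kept)

NC = re.compile(r"^(?:DC|CN)=\S+$")            # naming-context line
PARTNER = re.compile(r"^(\S+\\\S+) via RPC$")  # site\server of the neighbor
WERR = re.compile(r"\((WERR_\w+)\)")           # may sit on a wrapped line
FAILS = re.compile(r"^(\d+) consecutive failure")

def parse_showrepl(text):
    """Return one dict per neighbor link in `samba-tool drs showrepl` text."""
    links, direction, nc, cur = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("===="):
            # Only the two NEIGHBORS sections carry replication links.
            direction = next((d for d in ("INBOUND", "OUTBOUND") if d in line), None)
            cur = None
        elif direction and NC.match(line):
            nc = line
        elif direction and (m := PARTNER.match(line)):
            cur = {"dir": direction, "nc": nc, "partner": m.group(1),
                   "werr": None, "failures": 0, "ever_ok": True}
            links.append(cur)
        elif cur is not None:
            if m := WERR.search(line):
                cur["werr"] = m.group(1)
            if m := FAILS.match(line):
                cur["failures"] = int(m.group(1))
            if line.startswith("Last success @ NTTIME(0)"):
                cur["ever_ok"] = False  # this link has never replicated
    return links

def failing_links(text):
    return [link for link in parse_showrepl(text) if link["failures"] > 0]
```

Feeding it the full output from each DC and comparing the two results makes an asymmetry like the one in the post (no neighbors on one side, only failing links on the other) visible at a glance.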