[Samba] How to Migrate Samba AD from one server to another

Paul R. Ganci ganci at nurdog.com
Mon Oct 3 04:01:32 UTC 2016



On 10/02/2016 07:57 PM, Paul R. Ganci via samba wrote:
>
>
> On 10/02/2016 06:15 PM, Paul R. Ganci via samba wrote:
>> On 09/11/2016 10:38 AM, Paul R. Ganci via samba wrote:
>>
>>> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
>>> Rowland, thanks for your reply. What you describe is pretty simple 
>>> in principle. It is the details about which I am confused. There are 
>>> 3 aspects of a Samba 4 AD that have to be properly setup for the AD 
>>> to function correctly. Namely the Samba configuration, Kerberos and 
>>> DNS. If any of these are incorrectly configured the AD will not 
>>> function. So here are my questions regarding the details of what you 
>>> describe.
>>> <snip>
>>> 6.) Transfer FSMO roles
>>>
>>> 7.) Demote old DC
>>>
>> So I successfully moved the DC to another server. However when I try 
>> to demote the old DC I get this error.
>>
>> nikita> samba-tool domain demote -Uadministrator
>> Using nureyev.myhome.example.com as partner server for the demotion
>> Password for [MYHOME\administrator]:
>> Deactivating inbound replication
>> Asking partner server nureyev.myhome.example.com to synchronize from us
>> Changing userControl and container
>> Error while demoting, re-enabling inbound replication
>> ERROR(<type 'exceptions.RuntimeError'>): Error while sending a 
>> removeDsServer of 
>> CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com: 
>> - (31, 'WERR_GENERAL_FAILURE')
>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", 
>> line 921, in run
>>     drsuapiBind.DsRemoveDSServer(drsuapi_handle, 1, req1)
>>
>> Does anyone have a clue as to why I cannot demote the old DC? I am at 
>> a loss as to what is wrong. All the FSMO transferred properly to the 
>> new server. I did sync the sysvol so I am not sure what happened here 
>> because everything was good at one point. What I am finding now is 
>> that on what I want to be the PDC I have this:
>>
>> > samba-tool drs showrepl
>> Default-First-Site-Name\NUREYEV
>> DSA Options: 0x00000001
>> DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
>> DSA invocationId: 0fcda6bb-9435-4852-ac8d-660af8443d34
>>
>> ==== INBOUND NEIGHBORS ====
>>
>> ==== OUTBOUND NEIGHBORS ====
>>
>> ==== KCC CONNECTION OBJECTS ====
>>
>>
>> But on the old DC that I want to demote I have this:
>> > samba-tool drs showrepl
>> Default-First-Site-Name\NIKITA
>> DSA Options: 0x00000001
>> DSA object GUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
>> DSA invocationId: c47710e7-8649-4c2f-bf82-f26c8d23effc
>>
>> ==== INBOUND NEIGHBORS ====
>>
>> DC=DomainDnsZones,DC=myhome,DC=example,DC=com
>>     Default-First-Site-Name\NUREYEV via RPC
>>         DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
>>         Last attempt @ Sun Oct  2 18:10:24 2016 MDT failed, result 2 
>> (WERR_BADFILE)
>>         301 consecutive failure(s).
>>         Last success @ NTTIME(0)
>> <snip>
>>
>> Any suggestions as how to debug/fix this problem so I can demote the 
>> old DC?
>>
> So I discovered that on the new DC it appears a NTDS record is 
> missing. On DC nikita.myhome.example.com
>
> > ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' 
> --cross-ncs objectguid
> # record 1
> dn: CN=NTDS 
> Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
> objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
>
> # record 2
> dn: CN=NTDS 
> Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
> objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
> but on the new DC nureyev.myhome.example.com:
>
> > ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' 
> --cross-ncs objectguid
> # record 1
> dn: CN=NTDS 
> Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
> objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> How is it that one of the entries is now missing? Is there some way to 
> fix this problem? It appears that the new DC server object is 
> there and known by both DCs but the old DC object is missing from the 
> new DC server?
I am seeing this error in the old DC log file

   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
ncacn_ip_tcp:192.168.1.11[1024,seal,krb5,target_hostname=275c02e7-7077-4b10-ab71-77efeb93bb6b._msdcs.myhome.example.com,target_principal=GC/nureyev.myhome.example.com/myhome.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.11] 
NT_STATUS_UNSUCCESSFUL

I just don't know how to fix it. Can I edit 
/var/lib/samba/private/sam.ldb and add the missing entry for

# record 2
dn: CN=NTDS 
Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a

or can I just take the old DC offline and simply

 > samba-tool domain demote --remove-other-dead-server=NIKITA

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
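The check that the message above carries out by hand (running ldbsearch for `(invocationid=*)` on each DC and eyeballing which NTDS Settings objects are listed) is the kind of comparison worth scripting before every demotion attempt, because a DC that cannot see its partner's DSA object will fail a DsRemoveDSServer or replication the way the errors quoted above show. The following script is an added example by the editor, not code from this thread or from the Samba project. It assumes the quoted ldbsearch command has been run on each DC and its output saved to a file; the two sample files it writes are constructed to mirror the two outputs in the mail (old DC lists both DSAs, new DC lists only itself), and the file names, function names and GUID/server pairing logic are the editor's own.

```shell
#!/bin/sh
# Added example, not code from the thread or the Samba project.  It compares
# the NTDS Settings objects two DCs report, parsing the output format of the
# query quoted in the mail:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# Run that on each DC, save each output to a file, then:
#   compare_ntds old-dc.ldif new-dc.ldif
# The two sample files below are constructed to mirror the thread's outputs.

# Print "GUID<TAB>SERVER" for every "CN=NTDS Settings,CN=<server>,..." record.
# LDIF folds long values onto continuation lines that start with one space,
# so records are unfolded before they are parsed.
ntds_guids() {
    awk '
        function flush() {
            if (line ~ /^dn: /) {
                dn = substr(line, 5)
            } else if (line ~ /^objectGUID: / && dn ~ /^CN=NTDS Settings,CN=/) {
                split(dn, rdn, ",")
                print substr(line, 13) "\t" substr(rdn[2], 4)
            }
            line = ""
        }
        /^ / { line = line substr($0, 2); next }   # LDIF continuation line
        { flush(); line = $0 }
        END { flush() }
    ' "$1" | sort
}

# Print the DSAs listed in file $1 that file $2 does not know about.
missing_dsas() {
    known=$(mktemp)
    ntds_guids "$2" | cut -f1 > "$known"
    ntds_guids "$1" | while IFS="$(printf '\t')" read -r guid server; do
        grep -qxF -- "$guid" "$known" || printf '%s\t%s\n' "$guid" "$server"
    done
    rm -f "$known"
}

# Report what each side is missing; return 0 only when both views agree.
compare_ntds() {
    a=$1; b=$2; rc=0
    a_not_b=$(missing_dsas "$a" "$b")
    b_not_a=$(missing_dsas "$b" "$a")
    if [ -n "$a_not_b" ]; then
        echo "NTDS Settings known to $a but missing from $b:"
        printf '%s\n' "$a_not_b" | sed 's/^/  /'
        rc=1
    fi
    if [ -n "$b_not_a" ]; then
        echo "NTDS Settings known to $b but missing from $a:"
        printf '%s\n' "$b_not_a" | sed 's/^/  /'
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "Both files list the same NTDS Settings objects."
    fi
    return "$rc"
}

# Constructed sample output (not captured from real DCs): the old DC lists
# both DSAs, the new DC lists only itself, as in the thread.
write_samples() {
    [ -n "${NIKITA_VIEW:-}" ] && return 0
    NIKITA_VIEW=$(mktemp); NUREYEV_VIEW=$(mktemp)
    trap 'rm -f "$NIKITA_VIEW" "$NUREYEV_VIEW"' EXIT
    cat > "$NIKITA_VIEW" <<'EOF'
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# record 2
dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a

# returned 2 records
EOF
    cat > "$NUREYEV_VIEW" <<'EOF'
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# returned 1 records
EOF
}

write_samples
compare_ntds "$NIKITA_VIEW" "$NUREYEV_VIEW" || echo "(exit status 1: the two DCs disagree)"
```

Against the constructed samples the report names the NIKITA DSA GUID as known to the old DC but absent from the new one, which is exactly the asymmetry the mail describes. With real captures, run the ldbsearch command on every DC in the domain and compare each pair; a non-zero exit from `compare_ntds` is the signal to sort out the Configuration partition before retrying `samba-tool domain demote`.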