[Samba] How to Migrate Samba AD from one server to another

Rowland Penny rpenny at samba.org
Mon Oct 3 07:49:19 UTC 2016


On Sun, 2 Oct 2016 22:01:32 -0600
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> 
> 
> On 10/02/2016 07:57 PM, Paul R. Ganci via samba wrote:
> >
> >
> > On 10/02/2016 06:15 PM, Paul R. Ganci via samba wrote:
> >> On 09/11/2016 10:38 AM, Paul R. Ganci via samba wrote:
> >>
> >>> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
> >>> Rowland, thanks for your reply. What you describe is pretty
> >>> simple in principle. It is the details about which I am confused.
> >>> There are 3 aspects of a Samba 4 AD that have to be properly
> >>> setup for the AD to function correctly. Namely the Samba
> >>> configuration, Kerberos and DNS. If any of these are incorrectly
> >>> configured the AD will not function. So here are my questions
> >>> regarding the details of what you describe.
> >>> <snip>
> >>> 6.) Transfer FSMO roles
> >>>
> >>> 7.) Demote old DC
> >>>
> >> So I successfully moved the DC to another server. However when I
> >> try to demote the old DC I get this error.
> >>
> >> nikita> samba-tool domain demote -Uadministrator
> >> Using nureyev.myhome.example.com as partner server for the demotion
> >> Password for [MYHOME\administrator]:
> >> Deactivating inbound replication
> >> Asking partner server nureyev.myhome.example.com to synchronize from us
> >> Changing userControl and container
> >> Error while demoting, re-enabling inbound replication
> >> ERROR(<type 'exceptions.RuntimeError'>): Error while sending a removeDsServer of CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com: - (31, 'WERR_GENERAL_FAILURE')
> >>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 921, in run
> >>     drsuapiBind.DsRemoveDSServer(drsuapi_handle, 1, req1)
> >>
> >> Does anyone have a clue as to why I cannot demote the old DC? I am
> >> at a loss as to what is wrong. All the FSMO transferred properly to
> >> the new server. I did sync the sysvol so I am not sure what
> >> happened here because everything was good at one point. What I am
> >> finding now is that on what I want to be the PDC I have this:
> >>
> >> > samba-tool drs showrepl
> >> Default-First-Site-Name\NUREYEV
> >> DSA Options: 0x00000001
> >> DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
> >> DSA invocationId: 0fcda6bb-9435-4852-ac8d-660af8443d34
> >>
> >> ==== INBOUND NEIGHBORS ====
> >>
> >> ==== OUTBOUND NEIGHBORS ====
> >>
> >> ==== KCC CONNECTION OBJECTS ====
> >>
> >>
> >> But on the old DC that I want to demote I have this:
> >> > samba-tool drs showrepl
> >> Default-First-Site-Name\NIKITA
> >> DSA Options: 0x00000001
> >> DSA object GUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
> >> DSA invocationId: c47710e7-8649-4c2f-bf82-f26c8d23effc
> >>
> >> ==== INBOUND NEIGHBORS ====
> >>
> >> DC=DomainDnsZones,DC=myhome,DC=example,DC=com
> >>     Default-First-Site-Name\NUREYEV via RPC
> >>         DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
> >>         Last attempt @ Sun Oct  2 18:10:24 2016 MDT failed, result
> >> 2 (WERR_BADFILE)
> >>         301 consecutive failure(s).
> >>         Last success @ NTTIME(0)
> >> <snip>
> >>
> >> Any suggestions as how to debug/fix this problem so I can demote
> >> the old DC?
> >>
> > So I discovered that on the new DC it appears a NTDS record is 
> > missing. On DC nikita.myhome.example.com
> >
> > > ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
> > # record 1
> > dn: CN=NTDS 
> > Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
> > objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
> >
> > # record 2
> > dn: CN=NTDS 
> > Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
> > objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
> >
> > # returned 2 records
> > # 2 entries
> > # 0 referrals
> >
> > but on the new DC nureyev.myhome.example.com:
> >
> > > ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
> > # record 1
> > dn: CN=NTDS 
> > Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
> > objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
> >
> > # returned 1 records
> > # 1 entries
> > # 0 referrals
> >
> > How is it that one of the entries is now missing? Is there some way
> > to fix this problem? It appears that the new DC server object
> > is there and known by both DCs but the old DC object is missing
> > from the new DC server?
> I am seeing this error in the old DC log file
> 
>    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
> ncacn_ip_tcp:192.168.1.11[1024,seal,krb5,target_hostname=275c02e7-7077-4b10-ab71-77efeb93bb6b._msdcs.myhome.example.com,target_principal=GC/nureyev.myhome.example.com/myhome.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.11] 
> NT_STATUS_UNSUCCESSFUL
> 
> I just don't know how to fix it. Can I edit 
> /var/lib/samba/private/sam.ldb and add the missing entry for
> 
> # record 2
> dn: CN=NTDS 
> Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
> objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
> 
> or can I just take the old DC offline and simply
> 
>  > samba-tool domain demote --remove-other-dead-server=NIKITA
> 

Known problem, see here:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

Rowland
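The wiki page linked above covers the record the old DC's log is actually complaining about: a DC locates its replication partner through a CNAME in the _msdcs.<domain> zone named after the partner's NTDS Settings objectGUID (the target_hostname=275c02e7-..._msdcs.myhome.example.com in the bind failure quoted earlier). The script below is an added example, not part of this thread and not Samba's own code: it parses a constructed copy of the ldbsearch output quoted above (LDIF line folding included), derives the CNAME each DC should have, and compares that with what DNS answers. It assumes POSIX sh with awk, and dig for the live lookup; the <dc> placeholder in the suggested samba-tool dns add command is whichever DC you run it against.

```sh
#!/bin/sh
# Added example, not from the thread or from Samba: check that every DC's
# NTDS Settings objectGUID has its CNAME in _msdcs.<domain>.
# Assumes POSIX sh + awk; `dig` is only needed for the live check.

# Constructed sample mirroring the thread's ldbsearch output. ldbsearch folds
# long attribute values LDIF-style: the 'dn: CN=NTDS ' line ends in a space and
# the continuation line starts with one, which is why printf is used here.
SAMPLE_LDB=$(printf '%s\n' \
  '# record 1' \
  'dn: CN=NTDS ' \
  ' Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com' \
  'objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b' \
  '' \
  '# record 2' \
  'dn: CN=NTDS ' \
  ' Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com' \
  'objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a' \
  '' \
  '# returned 2 records')

# expected_cnames: read ldbsearch output on stdin, print one line per DC:
#   <objectGUID>._msdcs.<domain> <dc-fqdn>
expected_cnames() {
  awk '
    function flush(   n, parts, i, server) {
      if (buf ~ /^dn: CN=NTDS Settings,CN=/) {
        server = buf
        sub(/^dn: CN=NTDS Settings,CN=/, "", server)   # keep the server RDN
        sub(/,.*$/, "", server)
        domain = ""                                     # DC=a,DC=b -> a.b
        n = split(buf, parts, ",")
        for (i = 1; i <= n; i++)
          if (parts[i] ~ /^DC=/)
            domain = domain (domain == "" ? "" : ".") substr(parts[i], 4)
        host = tolower(server) "." domain
      } else if (buf ~ /^objectGUID: /) {
        print substr(buf, 13) "._msdcs." domain " " host
      }
      buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }   # LDIF continuation line
    { flush(); buf = $0 }
    END { flush() }
  '
}

# resolve_cname NAME: print the CNAME target (no trailing dot), nothing if absent.
resolve_cname() {
  dig +short CNAME "$1" | sed 's/\.$//'
}

# check_cnames [RESOLVER] < expected-list
# Prints OK / MISSING / WRONG per record; for a missing one, also prints the
# samba-tool command that would create it (<dc> = the DC to run it against).
# Returns 0 only when every record is present and points at the right host.
check_cnames() {
  resolver=${1:-resolve_cname}
  rc=0
  while read -r name target; do
    answer=$("$resolver" "$name")
    guid=${name%%.*}          # first label
    zone=${name#*.}           # _msdcs.<domain>
    if [ -z "$answer" ]; then
      echo "MISSING $name"
      echo "  samba-tool dns add <dc> $zone $guid CNAME $target -U administrator"
      rc=1
    elif [ "$answer" != "$target" ]; then
      echo "WRONG   $name -> $answer (expected $target)"
      rc=1
    else
      echo "OK      $name -> $target"
    fi
  done
  return $rc
}

# Live use on a DC (the sample above stands in for the ldbsearch call):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid \
#     | expected_cnames | check_cnames
```

Run it on the DC that still knows about both NTDS Settings objects, since that is where the full list of expected records comes from; a MISSING line for the demoting DC's GUID is the symptom the wiki page describes, and the printed samba-tool dns add line is the record to create before retrying the demotion.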