[Samba] How to Migrate Samba AD from one server to another

Paul R. Ganci ganci at nurdog.com
Tue Oct 4 05:10:17 UTC 2016


On 10/03/2016 01:49 AM, Rowland Penny via samba wrote:
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
>>> # record 1
>>> dn: CN=NTDS Settings,CN=exampleEYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
>>> objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
>>>
>>> # record 2
>>> dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
>>> objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
>>>
>>> # returned 2 records
>>> # 2 entries
>>> # 0 referrals
>>>
>>> but on the new DC exampleeyev.myhome.example.com:
>>>
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
>>> # record 1
>>> dn: CN=NTDS Settings,CN=exampleEYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
>>> objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
>>>
>>> # returned 1 records
>>> # 1 entries
>>> # 0 referrals
>>>
>>> How is it that one of the entries is now missing? Is there some way
>>> to fix this problem? It appears that the new DC server object
>>> is there and known by both DCs, but the old DC object is missing
>>> from the new DC server?
>> I am seeing this error in the old DC log file
>>
>>     Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>> ncacn_ip_tcp:192.168.1.11[1024,seal,krb5,target_hostname=275c02e7-7077-4b10-ab71-77efeb93bb6b._msdcs.myhome.example.com,target_principal=GC/exampleeyev.myhome.example.com/myhome.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.11]
>> NT_STATUS_UNSUCCESSFUL
>>
>> I just don't know how to fix it. Can I edit
>> /var/lib/samba/private/sam.ldb and add the missing entry for
>>
>> # record 2
>> dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
>> objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
>>
>> or can I just take the old DC offline and simply
>>
>>   > samba-tool domain demote --remove-other-dead-server=NIKITA
>>
> Known problem, see here:
>
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

Well, I did what was indicated on the wiki and discovered that 
replication worked at first. However, the replication killed DC1 
(nikita.myhome.example.com) such that it no longer worked. I think the 
problem is that there was a record on DC1 that looked like this:

# record 206
dn: CN=NIKITA,OU=Domain Controllers,DC=myhome,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: NIKITA
instanceType: 4
whenCreated: 20130804214231.0Z
uSNCreated: 3583
name: NIKITA
objectGUID: 4f3beaa6-1111-46b8-b435-2ae15861ee14
userAccountControl: 532480
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
localPolicyFlags: 0
pwdLastSet: 130201261510000000
primaryGroupID: 516
objectSid: S-1-5-21-729452656-3029571206-2736118167-1000
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: NIKITA$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.0.7-SerNet-RedHat-4.el6
dNSHostName: nikita.myhome.example.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=myhome,DC=example,DC=com
isCriticalSystemObject: TRUE
rIDSetReferences: CN=RID Set,CN=NIKITA,OU=Domain Controllers,DC=myhome,DC=example,DC=com
serverReferenceBL: CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: HOST/nikita.myhome.example.com
servicePrincipalName: HOST/nikita.myhome.example.com/MYHOME
servicePrincipalName: ldap/nikita.myhome.example.com/MYHOME
servicePrincipalName: GC/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com
servicePrincipalName: HOST/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: HOST/NIKITA
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/ba98d422-c8a7-4ac3-9196-8eec84e4445a/myhome.example.com
servicePrincipalName: ldap/ba98d422-c8a7-4ac3-9196-8eec84e4445a._msdcs.myhome.example.com
servicePrincipalName: ldap/NIKITA
servicePrincipalName: RestrictedKrbHost/NIKITA
servicePrincipalName: RestrictedKrbHost/nikita.myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/DomainDnsZones.myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/ForestDnsZones.myhome.example.com
servicePrincipalName: nfs/nikita
servicePrincipalName: nfs/nikita.myhome.example.com
lastLogonTimestamp: 131198490436935340
whenChanged: 20161002023043.0Z
uSNChanged: 5716
lastLogon: 131199325446020720
distinguishedName: CN=NIKITA,OU=Domain Controllers,DC=myhome,DC=example,DC=com

But on DC2 (nureyev.myhome.example.com) there was only this:

# record 1
dn: CN=NIKITA,CN=Computers,DC=myhome,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20130804214231.0Z
uSNCreated: 3237
objectGUID: 4f3beaa6-1111-46b8-b435-2ae15861ee14
codePage: 0
countryCode: 0
localPolicyFlags: 0
pwdLastSet: 130201261510000000
objectSid: S-1-5-21-729452656-3029571206-2736118167-1000
accountExpires: 9223372036854775807
sAMAccountName: NIKITA$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.0.7-SerNet-RedHat-4.el6
dNSHostName: nikita.myhome.example.com
rIDSetReferences: CN=RID Set,CN=NIKITA,CN=Computers,DC=myhome,DC=example,DC=com
servicePrincipalName: HOST/nikita.myhome.example.com
servicePrincipalName: HOST/nikita.myhome.example.com/MYHOME
servicePrincipalName: ldap/nikita.myhome.example.com/MYHOME
servicePrincipalName: GC/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com
servicePrincipalName: HOST/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: HOST/NIKITA
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/ba98d422-c8a7-4ac3-9196-8eec84e4445a/myhome.example.com
servicePrincipalName: ldap/ba98d422-c8a7-4ac3-9196-8eec84e4445a._msdcs.myhome.example.com
servicePrincipalName: ldap/NIKITA
servicePrincipalName: RestrictedKrbHost/NIKITA
servicePrincipalName: RestrictedKrbHost/nikita.myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/DomainDnsZones.myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/ForestDnsZones.myhome.example.com
servicePrincipalName: nfs/nikita
servicePrincipalName: nfs/nikita.myhome.example.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=myhome,DC=example,DC=com
msDS-SupportedEncryptionTypes: 31
serverReferenceBL: CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
lastLogonTimestamp: 131198490436935340
userAccountControl: 4096
isCriticalSystemObject: FALSE
primaryGroupID: 515
whenChanged: 20161002235437.0Z
cn: NIKITA
name: NIKITA
uSNChanged: 3827
distinguishedName: CN=NIKITA,CN=Computers,DC=myhome,DC=example,DC=com

I think that trying to demote DC1 before replication was working 
caused DC1 to change the Domain Controller record

dn: CN=NIKITA,OU=Domain Controllers,DC=myhome,DC=example,DC=com

to simply a computer record

dn: CN=NIKITA,CN=Computers,DC=myhome,DC=example,DC=com

completely screwing up DC1.

Thankfully I made a backup and could put things back the way they were. 
I will try again next weekend, but this time I will make sure replication 
is working first. That means doing the wiki DNS fix to get replication to 
work first.

I think I was so close to having this all work.
-- 
Paul (ganci at example.com)
Cell: (303)257-5208
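As an added example (not code from the thread, the Samba wiki or Samba itself), the script below shows how to catch the divergence Paul describes before attempting a demote: it compares a DC's computer object as two replicas report it. The LDIF strings are constructed from the attribute values quoted above, trimmed to the attributes that distinguish a domain-controller account from a plain computer account; for real use, paste the output of ldbsearch against each DC's sam.ldb into the two strings. The userAccountControl bit and the 515/516 RIDs are the well-known AD values.

```python
# Compare a DC's computer object as two replicas report it (added example,
# not from the thread or Samba). Input LDIF is constructed from the values
# quoted above, trimmed to the attributes that mark a DC account.
UAC_SERVER_TRUST_ACCOUNT = 0x2000  # 8192 (MS-ADTS); DC1's 532480 = 0x82000 = this | TRUSTED_FOR_DELEGATION
RID_DOMAIN_CONTROLLERS = 516       # primaryGroupID of a DC; 515 = Domain Computers; 4096 = workstation UAC
DC1_LDIF = """dn: CN=NIKITA,OU=Domain Controllers,DC=myhome,DC=example,DC=com
objectGUID: 4f3beaa6-1111-46b8-b435-2ae15861ee14
userAccountControl: 532480
primaryGroupID: 516
isCriticalSystemObject: TRUE
serverReferenceBL: CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN
 =Configuration,DC=myhome,DC=example,DC=com
"""
DC2_LDIF = """dn: CN=NIKITA,CN=Computers,DC=myhome,DC=example,DC=com
objectGUID: 4f3beaa6-1111-46b8-b435-2ae15861ee14
userAccountControl: 4096
primaryGroupID: 515
isCriticalSystemObject: FALSE
"""

def parse_ldif_record(text):
    """Parse one LDIF record into {attr: [values]}, unfolding lines that start
    with a single space (LDIF folding, as ldbsearch emits for long values)."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        elif line.strip():
            logical.append(line)
    attrs = {}
    for entry in logical:
        key, _, value = entry.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def is_dc_account(attrs):
    """True only if every marker agrees the account is a domain controller."""
    uac = int(attrs["userAccountControl"][0])
    parent = attrs["dn"][0].split(",", 1)[1]
    return (bool(uac & UAC_SERVER_TRUST_ACCOUNT)
            and int(attrs["primaryGroupID"][0]) == RID_DOMAIN_CONTROLLERS
            and parent.startswith("OU=Domain Controllers,")
            and attrs.get("isCriticalSystemObject", ["FALSE"])[0] == "TRUE")

def compare_dc_object(ldif_a, ldif_b):
    """Attributes that differ between two replicas' copies of one objectGUID."""
    a, b = parse_ldif_record(ldif_a), parse_ldif_record(ldif_b)
    if a["objectGUID"] != b["objectGUID"]:
        raise ValueError("records describe different objects")
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if a.get(k) != b.get(k)}
```

If compare_dc_object() reports dn, userAccountControl or primaryGroupID as differing for a DC's account, replication is not healthy and the demote should wait.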