[Samba] NT_STATUS_NO_LOGON_SERVERS after removing a DC and WERR_BADFILE when trying to remove broken DC

Sven Schwedas sven.schwedas at tao.at
Thu Apr 20 16:00:24 UTC 2017


On 2017-04-07 13:44, Sven Schwedas via samba wrote:
> In the end I just upgraded all DCs to 4.5 and remote-deleted the broken
> ones. Seemed to work without a hitch, manual removal was only necessary
> to remove the IPs from DNS\_msdcs.ourdomain\gc\.

Apparently not, adding new DCs failed with "WERR_DS_DATABASE_ERROR".
`samba-tool dbcheck --fix` solved that.

With that out of the way, the join seemed to work.

• DNS records as per
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
were missing, after adding them, the replication is working as well.

• File server verified to work, including authentication.

• However, the server is still missing from the following DNS records:

 – Domain [host -t A ad.tao.at.]
 – LDAP SRV records [host -t SRV _ldap._tcp.ad.tao.at.]
 – KRB5 SRV records [host -t SRV _kerberos._tcp.ad.tao.at.]
 – …and all the others I can find in the MMC DNS snap-in (_gc, _kpasswd,
etc. pp.)

• Kerberos works, but I'm not sure it's actually using the new server,
given the DNS issues.


Can I just add the SRV records manually? Should this be documented in
the wiki?

> I'll try adding new DCs on a date that's not "Friday two hours before I
> disappear for vacation".
> 
> On 2017-03-29 16:51, Sven Schwedas via samba wrote:
>> Situation: Trying to upgrade Samba from 4.1 to 4.5 without too much
>> disruption by adding new DCs and demoting old ones.
>>
>> After bringing online the first 4.5 DC, I ran `demote
>> --remove-other-dead-server=` on that DC to remove one of the old 4.1 DCs
>> (held no FSMO roles). That seemed to run fine (the DC had been offline
>> for a few weeks at that point and I didn't want to restore it just for
>> demotion.)
>>
>> At that point, some (but not all) of our file servers started throwing
>> NT_STATUS_NO_LOGON_SERVERS (smbd) and
>> NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (winbind -P). Windows' RSAT tools
>> also completely fail to connect to the domain.
>>
>> Some of the old DCs started throwing "Failed to bind to uuid
>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:7e4973ba-4093-4523-a70f-7caa4845e34d._msdcs.ad.tao.at[1024,seal,krb5]
>> NT_STATUS_UNSUCCESSFUL" errors
>>
>> Attempts to remove the new ADDC fail with "(2, 'WERR_BADFILE')".
>>
>>
>> So… How the fuck do I recover from this? What's even wrong?
>>
>>
>>
> 
> 
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
https://pave.software – PAVE Password Manager
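
The per-record check listed in the message above can be scripted; this is an added example, not part of the original post, that parses `host -t SRV` output and reports which locator records do not list a given DC. The DC hostnames `dc-old` and `dc-new`, the sample output, and the `_tcp` suffix on `_gc` and `_kpasswd` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. DOMAIN is the one in the post;
# the DC hostnames and the sample `host` output are constructed.
DOMAIN="ad.tao.at"
# Records named in the post; the _tcp suffix on _gc and _kpasswd is assumed.
SRV_NAMES="_ldap._tcp _kerberos._tcp _gc._tcp _kpasswd._tcp"

# Live lookup, using the same command as the post.
live_lookup() { host -t SRV "$1."; }

# Constructed stand-in for `host -t SRV` so the example runs offline.
sample_lookup() {
    case "$1" in
        _ldap._tcp.*)
            echo "$1 has SRV record 0 100 389 dc-old.$DOMAIN."
            echo "$1 has SRV record 0 100 389 dc-new.$DOMAIN." ;;
        _kerberos._tcp.*)
            echo "$1 has SRV record 0 100 88 dc-old.$DOMAIN."
            echo "$1 has SRV record 0 100 88 dc-new.$DOMAIN." ;;
        _gc._tcp.*)
            echo "$1 has SRV record 0 100 3268 dc-old.$DOMAIN." ;;
        *)  echo "Host $1 not found: 3(NXDOMAIN)" ;;
    esac
}

# Read `host -t SRV` output on stdin, print each target lowercased, no final dot.
srv_targets() {
    awk '/ has SRV record / { t = tolower($NF); sub(/\.$/, "", t); print t }'
}

# missing_records DC_FQDN [LOOKUP_FN]: print every record that lacks the DC.
missing_records() {
    dc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dc=${dc%.}
    lookup=${2:-live_lookup}
    for name in $SRV_NAMES; do
        fqdn="$name.$DOMAIN"
        if ! "$lookup" "$fqdn" 2>/dev/null | srv_targets | grep -Fxq "$dc"; then
            printf '%s\n' "$fqdn"
        fi
    done
}

# Demo on the constructed data: dc-new is absent from _gc and _kpasswd.
missing_records "dc-new.$DOMAIN" sample_lookup
```

Calling `missing_records` with only the DC name uses the live `host` lookup against the configured resolver instead of the sample data.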
