[Samba] after a couple of year of success is not possible to add workstations to domain

Denis Cardon dcardon at tranquil.it
Wed Feb 7 17:40:52 UTC 2018


Hi Massimo,

>>>
>>>> On 05/02/2018 16:41, Rowland Penny wrote:
>>>>> On Mon, 5 Feb 2018 16:01:27 +0100
>>>>> "Massimo Donato - Adcom.it via samba" <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>      after a couple of years of successfully working samba AD DC it is
>>>>>> not possible to add workstations to domain
>>>>>> since a few days ago in windows i get a message complaining that the
>>>>>> account previously exists. and that to try access with a different
>>>>>> account. after some investigation i found that the backupDC was in
>>>>>> hardware fault. the primary seems to work great, but still unable to
>>>>>> add workstation to domain.
>>>>>> seems like something is missing,
>>>>>> samba version is 4.7.4(upgraded during investigation)
>>>>>>
>>>>>> any advice ? where to look ?
>>>>>>
>>>>> One of the problems here is that you are thinking in terms of 'primary'
>>>>> and 'backup' DCs. You haven't got a 'primary' DC or a 'backup' DC, you
>>>>> just have two DCs and they should both contain exactly the same data in
>>>>> AD. Problem is, when your second DC became faulty, it may have
>>>>> corrupted AD on the DC and then replicated this corruption to the
>>>>> first DC.
>>>>>
>>>>> I would turn off the faulty DC (if it is still running), demote the
>>>>> dead DC and then run 'samba-tool dbcheck'
>>>>>
>>>>> But, before I tried to do anything, I would ensure that the first DC
>>>>> was fully backed up.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> thank you Rowland for your answer,
>>>> i understand what you mean regarding DC, there was just two dc.
>>>> the faulty DC is no more in our datacenter(disk dead)
>>>> so i have one DC that is corrupted, i have a backup, but only after
>>>> corruption.
>>>> dbcheck is good, even with ncs option, 0 errors
>>>> any other advice to check ?
>>>
>>> which server is/was the RID FSMO role owner?
>>>
>>> Denis
>> I think the one still lives, was the first one i configured.
>>
>> i tried something just not to bother all the list, may this help ?
>>
>> [root at zeus log]# samba-tool dbcheck --fix
>> WARNING: The "profile acls" option is deprecated
>> Checking 309 objects
>> Checked 309 objects (0 errors)
>> [root at zeus log]# samba-tool dbcheck --cross-nc --fix
>> WARNING: The "profile acls" option is deprecated
>> Checking 3578 objects
>> Checked 3578 objects (0 errors)
>> [root at zeus log]# samba-tool drs showrepl
>> WARNING: The "profile acls" option is deprecated
>> Default-First-Site-Name\ZEUS
>> DSA Options: 0x00000001
>> DSA object GUID: e0a28581-6f38-4a9e-b593-43b65cafb872
>> DSA invocationId: adb5b609-20d2-4b4c-a8da-1bdb74dc444e
>>
>> ==== INBOUND NEIGHBORS ====
>>
>> ==== OUTBOUND NEIGHBORS ====
>>
>> ==== KCC CONNECTION OBJECTS ====
> also tried this and no errors:
> any idea on how to remove the dead server from dns entries ?
>
> [root at zeus /]# host -t SRV _kerberos._udp.somdomain.com.
> _kerberos._udp.somdomain.com has SRV record 0 100 88 zeus.somdomain.com.
> _kerberos._udp.somdomain.com has SRV record 0 100 88 backupdc.somdomain.com.
> [root at zeus /]# host -t SRV _ldap._tcp.somdomain.com
> _ldap._tcp.somdomain.com has SRV record 0 100 389 zeus.somdomain.com.
> _ldap._tcp.somdomain.com has SRV record 0 100 389 backupdc.somdomain.com.

if you are in 4.7, then

samba-tool domain demote --remove-other-dead-server=backupdc

it should remove both the computer/ntdsa entries and the dns entries.

Cheers,

Denis



-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
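
A follow-up check for the demote suggested above, added here as an example and not part of the original message or of Samba: it reads `host -t SRV` output and lists any SRV target that is not a live DC, so the lookups from the thread can be re-run to confirm the dead server is gone from DNS. The function names `stale_srv_targets` and `sample_host_output` are hypothetical, the live-DC list is supplied by the operator, and the sample input is constructed from the records quoted in the thread.

```shell
#!/bin/sh
# Added example: list DNS SRV targets that are not live domain controllers.
# Input is `host -t SRV <name>` output on stdin; $1 is a space-separated
# list of live DC FQDNs (an assumption supplied by the operator).
stale_srv_targets() {
    awk -v live="$1" '
        function check(name, target) {
            target = tolower(target)
            sub(/\.$/, "", target)              # drop the trailing root dot
            if (!(target in ok)) print name, target
        }
        BEGIN {
            n = split(tolower(live), dc, " ")
            for (i = 1; i <= n; i++) { sub(/\.$/, "", dc[i]); ok[dc[i]] = 1 }
        }
        # "<name> has SRV record <priority> <weight> <port> <target>"
        / has SRV record / {
            if (NF >= 8) { check($1, $8); pending = "" }
            else pending = $1                   # target wrapped to next line
            next
        }
        # A lone hostname right after a wrapped record is its target.
        pending != "" && NF == 1 { check(pending, $1) }
        { pending = "" }
    '
}

# Constructed sample, modelled on the records quoted in the thread; one
# record is wrapped across two lines, as happens when output is pasted
# into mail.
sample_host_output() {
    cat <<'EOF'
_kerberos._udp.somdomain.com has SRV record 0 100 88 zeus.somdomain.com.
_kerberos._udp.somdomain.com has SRV record 0 100 88
backupdc.somdomain.com.
_ldap._tcp.somdomain.com has SRV record 0 100 389 zeus.somdomain.com.
_ldap._tcp.somdomain.com has SRV record 0 100 389 backupdc.somdomain.com.
EOF
}

# Live use (not run here):
#   { host -t SRV _ldap._tcp.somdomain.com
#     host -t SRV _kerberos._udp.somdomain.com; } | stale_srv_targets "zeus.somdomain.com"
sample_host_output | stale_srv_targets "zeus.somdomain.com"
```

Empty output means every SRV target is in the live list; each printed line is a record name followed by a target that still needs removing.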



