[Samba] Recurrent DNS issues after DC loss

Ole Traupe ole.traupe at tu-berlin.de
Wed Jun 6 13:40:48 UTC 2018

On 06.06.2018 14:44, lingpanda101 wrote:
>> ** SNIP **
>> Actually, the DCs (resolv.conf) were pointing to each other 
>> initially, and I think that was at least one root of the evil. I 
>> think this advice in the Samba wiki actually is rather bad (and 
>> unnecessary with Samba, as has been pointed out, before?).
> Using Bind I find it's necessary to point the DC to itself. I had no 
> issues pointing to another DC with the internal DNS. The Wiki actually 
> mentions best practice for a multi DC environment as it relates to a 
> Windows setup. I do think it's unnecessary with Samba however.

I fear it is counterproductive in case you lose the other DC, the one 
this DC is pointing to.

>> Regarding demoting the dead DC: My Samba version is rather old 
>> (4.2.5). The problem is that I chose the uid/gid scopes unwisely. And 
>> I read on some patch notes that I can't update anymore, because newer 
>> versions of Samba actually require those scopes to be set in a very 
>> specific way. So perhaps demoting via the newly available method is 
>> not an option here.
> Can you repair or replace the dead DC with a current Samba version? 
> Join then transfer the FSMO roles? I would advise not using the same 
> hostname.

I plan on replacing the dead DC very soon, the hardware is in shipping.

I seem to remember having read here on the list that it is not a good idea 
to mix Samba versions in a domain. If there is sound advice to do it 
anyway, I would be up for trying it. However, as I have written above, 
I messed up the uid/gid ranges. To my understanding, later versions of 
Samba (like 4.5) _require_ the ranges to comply with the defaults as 
denoted by the wiki.

>> What I can think of is:
>> - removing the dead DC from the clients' DNS config, of course
>> - removing it from AD DNS
>> - removing it from AD Sites and Services
>> - and removing it from AD Users and Computers
> Yes to all the above. The key is to remove all service records in DNS 
> that reference the bad DC. It's easier to use RSAT for this. Make sure 
> you remove all NTDS connections as well that reference the dead DC. 
> Reference the Wiki as it does a good job displaying an example of 
> running '# samba-tool domain demote --remove-other-dead-server=DC2'. 
> It shows all that seems necessary.

I will do that. I am using RSAT. Would I eradicate the complete site 
associated with the dead DC? Or which containers/objects in particular?

>> What else does the Samba script for demoting a DC do? Can I do that 
>> manually, too? I repeat: it was not the FSMO role holder.
> I don't know.

Thank you very much, James!

>> Thanks again for any advice!
>> Ole
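The cleanup James describes (remove every DNS record that still references the dead DC) is easy to do incompletely by hand. The script below is an added example, not code from this thread or from Samba: it lists the SRV/NS/A names an AD DC registers for a realm and site and reports the rdata that still names the dead DC. The realm, site, domain GUID, host names and addresses are constructed placeholders; the resolver is injected (here a constructed in-memory zone in dig's presentation form, "prio weight port target" for SRV) so it runs offline, and in production you would back it with dns.resolver or the output of samba-tool dns query. The per-DC CNAME under _msdcs, named after the dead DC's NTDS Settings objectGUID, is not in the list because that GUID has to be read from AD Sites and Services.

```python
# Added example, not from the list post or the Samba project. All names are constructed.
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]   # (name, rtype) -> rdata strings


def ad_dns_names(realm: str, site: str, domain_guid: str) -> List[Tuple[str, str]]:
    """Names every AD DC registers; each may still carry the dead DC's rdata."""
    msdcs = f"_msdcs.{realm}"
    srv = [f"_ldap._tcp.{realm}", f"_kerberos._tcp.{realm}", f"_kerberos._udp.{realm}",
           f"_kpasswd._tcp.{realm}", f"_kpasswd._udp.{realm}", f"_gc._tcp.{realm}",
           f"_ldap._tcp.dc.{msdcs}", f"_kerberos._tcp.dc.{msdcs}",
           f"_ldap._tcp.pdc.{msdcs}", f"_ldap._tcp.gc.{msdcs}",
           f"_ldap._tcp.{domain_guid}.domains.{msdcs}"]
    for prefix in ("_ldap._tcp", "_kerberos._tcp", "_gc._tcp"):   # site-scoped copies
        srv.append(f"{prefix}.{site}._sites.{realm}")
    srv += [f"_ldap._tcp.{site}._sites.dc.{msdcs}", f"_kerberos._tcp.{site}._sites.dc.{msdcs}",
            f"_ldap._tcp.{site}._sites.gc.{msdcs}"]
    # NS at the zone apexes, plus the "domain A record" each DC adds for itself and the GC alias.
    return [(n, "SRV") for n in srv] + [(realm, "NS"), (msdcs, "NS"), (realm, "A"), (f"gc.{msdcs}", "A")]


def _norm(host: str) -> str:
    return host.rstrip(".").lower()


def find_stale_records(resolve: Resolver, names: List[Tuple[str, str]],
                       dead_fqdn: str, dead_ip: str) -> List[Tuple[str, str, str]]:
    """Return (name, rtype, rdata) for every record whose target is the dead DC."""
    stale = []
    for name, rtype in names:
        for rdata in resolve(name, rtype):
            target = _norm(rdata.split()[-1])   # last field is the host for SRV and NS
            if target == _norm(dead_fqdn) or (rtype == "A" and rdata.strip() == dead_ip):
                stale.append((name, rtype, rdata))
    return stale


# Constructed zone snapshot: dc2 is the dead DC and is still referenced in three places.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_ldap._tcp.samdom.example.com", "SRV"): ["0 100 389 dc1.samdom.example.com.",
                                               "0 100 389 dc2.samdom.example.com."],
    ("_kerberos._tcp.dc._msdcs.samdom.example.com", "SRV"): ["0 100 88 DC2.samdom.example.com."],
    ("samdom.example.com", "NS"): ["dc1.samdom.example.com."],
    ("samdom.example.com", "A"): ["10.99.0.1", "10.99.0.2"],
}


def sample_resolve(name: str, rtype: str) -> List[str]:
    return SAMPLE_ZONE.get((name, rtype), [])


if __name__ == "__main__":
    names = ad_dns_names("samdom.example.com", "Default-First-Site-Name", "DOMAIN-GUID-PLACEHOLDER")
    for rec in find_stale_records(sample_resolve, names, "dc2.samdom.example.com", "10.99.0.2"):
        print("stale:", rec)
```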
