[Samba] Recurrent DNS issues after DC loss
ole.traupe at tu-berlin.de
Wed Jun 6 13:40:48 UTC 2018
On 06.06.2018 14:44, lingpanda101 wrote:
>> ** SNIP **
>> Actually, the DCs (resolv.conf) were pointing to each other
>> initially, and I think that was at least one root of the evil. I
>> think this advice in the Samba wiki actually is rather bad (and
>> unnecessary with Samba, as has been pointed out, before?).
> Using Bind I find it's necessary to point the DC to itself. I had no
> issues pointing to another DC with the internal DNS. The Wiki actually
> mentions best practice for a multi DC environment as it relates to a
> Windows setup. I do think it's unnecessary with Samba however.
I fear it is counterproductive in case you lose the other DC the one
DC is pointing to.
>> Regarding demoting the dead DC: My Samba version is rather old
>> (4.2.5). The problem is that I chose the uid/gid scopes unwisely. And
>> I read on some patch notes that I can't update anymore, because newer
>> versions of Samba actually require those scopes to be set in a very
>> specific way. So perhaps demoting via the newly available method is
>> not an option here.
> Can you repair or replace the dead DC with a current Samba version?
> Join then transfer the FSMO roles? I would advise not using the same
I plan on replacing the dead DC very soon; the hardware is in shipping.
I seem to remember having read here on the list that it is not a good idea
to mix Samba versions in a domain. If there is sound advice to do it
anyway, I would be up for trying it. However, as I have written above,
I messed up the uid/gid ranges. To my understanding, later versions of
Samba (like 4.5) _require_ the ranges to comply with the defaults as
denoted by the wiki.
>> What I can think of is:
>> - removing the dead DC from the clients DNS config, of course
>> - removing it from AD DNS
>> - removing it from AD Sites and Services
>> - and removing it from AD Users and Computers
> Yes to all the above. The key is to remove all service records in DNS
> that reference the bad DC. It's easier to use RSAT for this. Make sure
> you remove all NTDS connections as well that reference the dead DC.
> Reference the Wiki as it does a good job displaying an example of
> running '# samba-tool domain demote --remove-other-dead-server=DC2'.
> It shows all that seems necessary.
I will do that. I am using RSAT. Would I eradicate the complete site
associated with the dead DC? Or which containers/objects in particular?
>> What else does the Samba script for demoting a DC do? Can I do that
>> manually, too? I repeat: it was not the FSMO role holder.
> I don't know.
Thank you very much, James!
>> Thanks again for any advice!
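The step James singles out above, removing every service record in DNS that still references the dead DC, is tedious to do by hand in RSAT and easy to get wrong. The script below is an added example (not from this thread, the Samba wiki, or the Samba project): it lists the SRV owner names a Samba AD DC registers for itself, queries them against the surviving DC with dig, and turns every answer whose target is the dead DC into a ready-to-run `samba-tool dns delete` command. The domain `samdom.example.com`, the site `Default-First-Site-Name`, the dead DC `dc2` and the surviving DC `dc1` are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not the poster's or Samba's own code. Builds `samba-tool dns delete`
# commands for SRV records that still point at a dead DC. All host, zone and site
# names are hypothetical placeholders.

# Owner names (relative to the zone) of the SRV records a DC registers for itself.
# GUID-based entries (the CNAME under _msdcs and _ldap._tcp.<guid>.domains._msdcs)
# are not listed here and must be checked separately.
# Usage: srv_names <site>
srv_names() {
    site=$1
    # Domain-wide records
    printf '%s\n' _ldap._tcp _ldap._tcp.dc._msdcs _ldap._tcp.gc._msdcs \
        _kerberos._tcp _kerberos._udp _kerberos._tcp.dc._msdcs \
        _kpasswd._tcp _kpasswd._udp _gc._tcp \
        _ldap._tcp.DomainDnsZones _ldap._tcp.ForestDnsZones
    # Site-specific records
    printf '%s\n' "_ldap._tcp.$site._sites" "_ldap._tcp.$site._sites.dc._msdcs" \
        "_ldap._tcp.$site._sites.gc._msdcs" "_kerberos._tcp.$site._sites" \
        "_kerberos._tcp.$site._sites.dc._msdcs" "_gc._tcp.$site._sites" \
        "_ldap._tcp.$site._sites.DomainDnsZones" \
        "_ldap._tcp.$site._sites.ForestDnsZones"
}

# Read dig-style SRV answer lines on stdin
# ("<owner>. <ttl> IN SRV <prio> <weight> <port> <target>.") and print one
# `samba-tool dns delete` command per record whose target is the dead DC.
# Usage: dead_refs <zone> <dead-dc-fqdn> <dns-server-to-run-against>
dead_refs() {
    zone=$1; dead=$2; server=$3
    awk -v zone="$zone" -v dead="$dead" -v srv="$server" '
        $4 == "SRV" {
            target = $8; sub(/\.$/, "", target)          # strip trailing dot
            if (tolower(target) != tolower(dead)) next   # case-insensitive match
            name = $1; sub("\\." zone "\\.$", "", name)  # zone-relative owner name
            # samba-tool SRV record data is: target port priority weight
            printf "samba-tool dns delete %s %s %s SRV \"%s %s %s %s\" -U administrator\n",
                   srv, zone, name, target, $7, $5, $6
        }'
}

# Live run against a real domain. Nothing is queried unless ZONE, DEAD_DC and
# DNS_SERVER are set, e.g.
#   ZONE=samdom.example.com DEAD_DC=dc2.samdom.example.com DNS_SERVER=dc1 \
#   SITE=Default-First-Site-Name sh dead-dc-srv.sh
if [ -n "${ZONE:-}" ] && [ -n "${DEAD_DC:-}" ] && [ -n "${DNS_SERVER:-}" ]; then
    srv_names "${SITE:-Default-First-Site-Name}" | while read -r name; do
        dig +noall +answer "$name.$ZONE" SRV @"$DNS_SERVER"
    done | dead_refs "$ZONE" "$DEAD_DC" "$DNS_SERVER"
fi
```

Review the printed commands before running them; the script only proposes deletions. It covers SRV records only, so the dead DC's A/AAAA and NS records in the zone, its GUID CNAME under _msdcs, and the NTDS Settings and server objects in Sites and Services still have to be removed separately, which is what `samba-tool domain demote --remove-other-dead-server` does in one go on versions that have it. Re-run the script after cleanup; an empty result is the check that no stale SRV record remains.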