[Samba] messy replication

Rowland penny rpenny at samba.org
Thu Jul 18 12:19:40 UTC 2019

On 18/07/2019 12:55, Adam Weremczuk via samba wrote:
> On 18/07/19 12:33, Rowland penny via samba wrote:
>> I would clone the DC you want keep, move the clone away from the 
>> domain (easiest way, unplug the ethernet) then remove the old dead DC 
>> from this and ensure it works. If you want to use Bind9 and don't 
>> have the 'dns-*' user, then run samba-upgradedns as I said earlier.
>> Once you are sure just what to do, turn off the DC you don't want and 
>> then carry out the clean up procedure you used on the clone. This 
>> should get you back to just one DC.
>> Rowland
> A bit more clarification and background info.
> Dc1 is a physical server running tonnes of critical stuff.
> It can't easily be cloned or even disconnected.
> It was set up before my time and for years the company had only one 
> domain controller.
Very bad move, and you have been asked to pick up the pieces.
> The problem is dc1 server is a single point of failure.
And it appears to have failed.
> I have already deployed a Proxmox stack which will provide much more 
> redundancy.
> It will also allow me to decouple the numerous services on the dc1 server 
> and run them in separate LXC containers.
I do hope that (if you are going to be running Bind9) the Samba DC 
and Bind9 will run in the same container.
> Once everything is migrated I'm still planning to have a single domain 
> controller since the hosting environment itself will be very resilient.
> My plan is to:
> 1. Demote dc2 and make dc1 forget about it
> 2. Annihilate dc2
> 3. Gradually fix all config problems on dc1
> 4. Deploy brand new dc3 LXC container running newer samba version
> 5. Replicate AD from dc1 to dc3 and test
> 6. Dcpromo dc3 to own all roles
> 7. Annihilate dc1
> That's quite a few steps but I'm still badly stuck on no 1 :(

OK, from my understanding DC1 is using the internal DNS and DC2 is using 
Bind9. I would ensure your clients only use DC1, turn off Bind9 on DC2 
and then run samba-upgradedns to use the internal DNS server; this will 
cure one of your problems. You may have to delete the 'dns-dc2' user 
manually. There is more to it than just renaming 'dns-dc2' to 'dns-dc1'.

If you then want to demote DC2, you will need to get into idmap.ldb and 
make some changes. I would start by trying to change the FSMO role 
holders to DC1; the ultimate aim will be to get replication working. 
Speaking of which, have you tried this command:

samba-tool drs replicate ldap://DC2 ldap://DC1 all
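As an added example (not from this thread and not Samba's own tooling): a small POSIX shell script that reads the text printed by `samba-tool drs showrepl` and reports which replication partners are failing, which is the check worth running before and after the replicate command above. The showrepl output embedded in the script is a constructed sample, laid out the way Samba 4.x prints it; the DC1/DC2 names come from the thread, while the domain samdom.example.com, the site name and the GUIDs are placeholders.

```sh
#!/bin/sh
# Added example, not code from the samba mailing-list thread.
# Summarise `samba-tool drs showrepl` output: count partner entries whose
# last replication attempt failed and list where the failures are.

# CONSTRUCTED sample of showrepl output as seen on DC1. DC1/DC2 are the
# names from the thread; domain, site name and GUIDs are placeholders.
SAMPLE_SHOWREPL=$(cat <<'EOF'
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 00000000-0000-0000-0000-000000000001
DSA invocationId: 00000000-0000-0000-0000-000000000002

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ Thu Jul 18 11:50:02 2019 UTC failed, result 58 (WERR_BAD_NET_RESP)
        3 consecutive failure(s).
        Last success @ Mon Jul 15 09:12:40 2019 UTC

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ Thu Jul 18 11:50:02 2019 UTC was successful
        0 consecutive failure(s).
        Last success @ Thu Jul 18 11:50:02 2019 UTC

==== OUTBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ Thu Jul 18 11:52:10 2019 UTC was successful
        0 consecutive failure(s).
        Last success @ Thu Jul 18 11:52:10 2019 UTC

==== KCC CONNECTION OBJECTS ====
EOF
)

# Number of neighbour entries whose last attempt failed.
# ("|| true" keeps a zero count from being treated as an error under set -e.)
count_failed_attempts() {
    printf '%s\n' "$1" | grep -c 'Last attempt @ .* failed' || true
}

# Number of neighbour entries whose last attempt succeeded.
count_successful_attempts() {
    printf '%s\n' "$1" | grep -c 'Last attempt @ .* was successful' || true
}

# One line per failing neighbour: "<direction> <site\partner> <partition>".
# Tracks the current section header, naming context and partner while
# scanning top to bottom, and prints them when a failed attempt is seen.
list_failing_partners() {
    printf '%s\n' "$1" | awk '
        /^==== /                   { direction = $2 }   # INBOUND / OUTBOUND
        /^(DC|CN)=/                { partition = $0 }   # naming context line
        / via RPC$/                { partner = $1 }     # "Site\DC via RPC" line
        /Last attempt @ .* failed/ { print direction, partner, partition }
    '
}

# Succeeds (exit 0) only when no neighbour reports a failed last attempt.
replication_healthy() {
    [ "$(count_failed_attempts "$1")" -eq 0 ]
}

# Human-readable summary. On a real DC feed it the live output instead:
#   report "$(samba-tool drs showrepl)"
report() {
    echo "failed attempts:     $(count_failed_attempts "$1")"
    echo "successful attempts: $(count_successful_attempts "$1")"
    if replication_healthy "$1"; then
        echo "replication: healthy"
    else
        echo "replication: FAILING on:"
        list_failing_partners "$1"
    fi
}

report "$SAMPLE_SHOWREPL"
```

Run it as-is to see the constructed sample flagged (one inbound failure from DC2 on the domain partition); on a DC, replace the sample with `report "$(samba-tool drs showrepl)"` and re-run after the replicate command to confirm the failure count drops to zero.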