[Samba] messy replication

Rowland penny rpenny at samba.org
Thu Jul 18 12:19:40 UTC 2019 

On 18/07/2019 12:55, Adam Weremczuk via samba wrote:
> On 18/07/19 12:33, Rowland penny via samba wrote:
>
>> I would clone the DC you want keep, move the clone away from the 
>> domain (easiest way, unplug the ethernet) then remove the old dead DC 
>> from this and ensure it works. If you want to use Bind9 and don't 
>> have the 'dns-*' user, then run samba-upgradedns as I said earlier.
>>
>> Once you are sure just what to do, turn off the DC you don't want and 
>> then carry out the clean up procedure you used on the clone. This 
>> should get you back to just one DC.
>>
>> Rowland
>
> A bit more clarification and background info.
>
> Dc1 is a physical server running tonnes of critical stuff.
> It can't easily be cloned or even disconnected.
> It was set up before my time and for years the company had only one 
> domain controller.
Very bad move and you have been asked to pick up the pieces
> The problem is dc1 server is a single point of failure.
And it appears to have failed.
> I have already deployed a Proxmox stack which will provide much more 
> redundancy.
> It will also allow to decouple numerous various services of dc1 server 
> and run them in separate LXC containers.
I do hope that (if you are going to be running Bind9) that the Samba DC 
and Bind9 will run in the same container.
> Once everything is migrated I'm still planning to have a single domain 
> controller since the hosting environment itself will be very resilient.
>
> My plan is to:
> 1. Demote dc2 and make dc1 forget about it
> 2. Annihilate dc2
> 3. Gradually fix all config problems on dc1
> 4. Deploy brand new dc3 LXC container running newer samba version
> 5. Replicate AD from dc1 to dc3 and test
> 6. Dcpromo dc3 to own all roles
> 7. Annihilate dc1
>
> That's quite a few steps but I'm still badly stuck on no 1 :(

OK, from my understanding DC1 is using the internal dns and DC2 is using 
Bind9. I would ensure your clients only use DC1, turn off Bind9 on DC2 
and then run samba-upgradedns to use the internal dns server, this will 
cure one of your problems. You may have to delete the 'dns-dc2' user 
manually. There is more to it than just renaming 'dns-dc2' to 'dns-dc1'.

If you then want to demote DC2, you will need to get into idmap.ldb and 
make some changes, I would start by trying to change the FSMO role 
holders to DC1, the ultimate aim will be to get replication working, 
speaking of which, have you tried this command:

samba-tool drs replicate ldap://DC2 ldap://DC1 all

Rowland

More information about the samba mailing list