[Samba] messy replication

[Rowland penny]

On 18/07/2019 15:35, Adam Weremczuk via samba wrote:
> On 18/07/19 13:19, Rowland penny via samba wrote:
>
>> OK, from my understanding DC1 is using the internal dns and DC2 is 
>> using Bind9.
>
> It's the other way round.
> On dc1 port 53 is mapped to /usr/sbin/named -u bind.
> On dc2 it's /usr/sbin/samba.
> I wasn't sure what to do when I deployed dc2.
> I remember installing bind9 on dc2 but then purging it.
Then you do not need the user 'dns-DC2'
>
> BTW - does it matter for replication which backend is being used?
All DC's are supposed to replicate to all other DC's
> Or is everything expected to fully populate regardless of the DNS 
> backend choice?
Just as long as a DC can find the other DC's, replication should occur.
>
>> I would ensure your clients only use DC1
>
> What's the best way to achieve it?
> Through a local firewall?
>
>> turn off Bind9 on DC2 and then run samba-upgradedns to use the 
>> internal dns server, this will cure one of your problems. You may 
>> have to delete the 'dns-dc2' user manually. There is more to it than 
>> just renaming 'dns-dc2' to 'dns-dc1'.
>>
>> If you then want to demote DC2, you will need to get into idmap.ldb 
>> and make some changes, I would start by trying to change the FSMO 
>> role holders to DC1, the ultimate aim will be to get replication working
>>
> I thought the plan was to forcefully demote dc2 and dc1 suffers from 
> too many config issues to rely on replication.

I thought that was the plan as well, but you then seemed to want to try 
and fix DC2 so you could demote it, my plan would be to:

TURN OFF DC2

Remove any trace of DC2 from DC1

Run 'samba-tool dbcheck --fix --yes --cross-ncs'

Hopefully this will fix DC1, but your Samba is that old, I cannot 
remember if that will run on your DC.

Your main problem is that your DC is in production, that is why I said 
to back everything up before you start. I would also do all of this when 
your network is down, at the weekend maybe ??

Rowland