[Samba] DC disaster recovery

Gregory Sloop gregs at sloop.net
Tue Jul 14 18:06:54 UTC 2020 


Rpvs> On 14/07/2020 17:25, Gregory Sloop via samba wrote:

>> Rpvs> On 14/07/2020 16:51, Gregory Sloop via samba wrote:
>>>> Yeah, I could setup an extra XCP box - but at smaller setups, it really seems like overkill.
>>>> So, it sounds like restores of the VM work "fine."
>>>> How often do machine accounts reset their passwords?
>> Rpvs> Every 30 days, though this is adjustable, but not recommended
>>>> [This is the one that is most likely to be problematic. Rejoining the domain means a new profile. And that's a big PITA on the client side.]
>>>> User password changes can simply be handled by the admin resetting them, or the like. Machine accounts? Not so straight-forward, at least not that I'm aware of - unless there's some way to "reset" the computer account password and sync with the workstation.
>> Rpvs> You do know that a computer is a user with an extra objectclass ?

>> Rpvs> Rowland


>> Yeah, I do know that.
>> But that seems like a *completely pointless* observation if there's not some way to re-sync the "machine" account password on the station with a new password on the AD-DC. If there's a way, I'm all ears. If there's not, then who cares - what's the point in even bringing it up?

>> It feels like
>> Bystander: "Hey drowning man, there's a way you don't have to drown, you know!"
>> Drowning man: "Yeah?! Crikey! How about telling me about that, instead of just telling me I don't have to drown!"
>> Bystander "I just wanted you to know 'bout my technical superiority!"
>> Drowning man: "Can I drown now?"
>> :)

>> -Greg

Rpvs> Hey 'Drowning man':

Rpvs> samba-tool user setpassword computer_name$ --random-password

So, you're telling me that if I restore an AD (VM) to a prior point (lets say from a backup from a week ago), *after* the computer account has changed it's password, I can simply do "samba-tool user setpassword computer_name$ --random-password" and then that Windows station will be able to connect again, without needing to rejoin the domain? [And thus, keep the same user profile as before, etc.]

If true, that's pretty cool.

Rpvs> This will work, but I don't recommend doing it, Samba will change the 
Rpvs> password every 30 days.

Yes, but I wouldn't be needing to do this, except in the case of my hypothetical disaster where I need to restore the AD domain from a backup from before - and now the computer account on the PC doesn't match the computer account in AD.

Rpvs> Rowland



-Greg

More information about the samba mailing list