[Samba] Joining new AD controller to *old* Samba AD controller

Peter Smode psmode at kitsnet.us
Tue Apr 27 13:08:11 UTC 2021


Adding the user to the domain from the command line on the new DC did the
trick right away. With that, I was able to get the backup completed.

I had looked earlier into getting the ldb-tools installed on the old DC, but
with me having built that with a specialized repo and RPM set for Samba
binaries (which went away), I cannot install the tools because of cross
impacts on the underlying libraries. Basically, yum cannot sort out the
broken dependencies, and I am reluctant to force the issue on the old server
lest I break the running Samba instance. I just want to get off the old server
as quickly and safely as possible. More reasons against using somebody
else's repo for getting Samba binaries and updates. Nice and simple in
theory, but you run a great risk of being left high and dry if the group
behind that build and repo end up abandoning it. 

In building up my new AD DCs, I have aimed to put together my own repeatable
process. So I have put together a build server feeding to multiple AD DCs.
While my servers are based on CentOS 8, I am planning on moving to Rocky
Linux 8 as it comes online later this year. I have put together very
specific documentation on my process for putting together the servers, as
well as the build and distribution sequence for each Samba version that
comes out. This should make each Samba version update relatively painless.
Even the move to Rocky Linux should be straightforward (knock wood), since
I'll just build new AD DC servers with minor adjustments to the existing
CentOS 8 build sequence. 

My plans for my new process are probably a bit of overkill for my little
deployment, but it should give me a bit more peace of mind.

Thanks again for your help

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via
Sent: Monday, April 26, 2021 2:52 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Joining new AD controller to *old* Samba AD controller

On 25/04/2021 20:49, Peter Smode via samba wrote:
> Rowland,
> Thank you for the advice on the failed to commit message. This is a big 
> step forward for me!
> But it does bring me to my next issue on trying to execute a backup on 
> my new DC. I get a complaint about the RID pool not being initialized 
> and I am not sure about how best to proceed.
> Unfortunately, this is not possible on the existing DC since the 
> ldbsearch command is not available to me there.
> I do not get what exactly I am supposed to do at this point since the 
> message that talks about creating a user on this DC (and only this 
> DC?) is not making sense to me.
> Could you suggest the safest way to move forward? Is there a trivial 
> sequence I can execute to get this backup moving along without 
> bifurcating the AD database on the two DCs?

Just do what the error message says, create a new user on the new DC. 
Every DC has a different RID pool (it is one of the ways you can identify on
which DC an object was created). Once the user is created on that DC, it
will be replicated to all others. Creating the user will also initialise the
DC's RID pool.

If you do not have ldbsearch on a particular DC, just install ldb-tools.

