[Samba] DCs demote / change IP / re-join mistakes

lperoma at icloud.com
Sat Oct 29 09:44:34 UTC 2022

Hi guys,

Greetings. My first post to the list. I have had a working Samba environment for years with no major problems, 3 DCs + 2 Member servers. Some history:

DC1 was the initial DC, provisioned with --use-rfc2307. (Debian 9 initially) All worked fine.

Second DC, DC2, was joined with:

samba-tool domain join mad.mater.int DC -U"MAD\luis" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes', Debian 9 too, idmap.ldb was backed up from DC1 and copied to DC2, and Rsync SYSVOL replication in place.

Some time later another DC, DC3 was installed in another subnet for resiliency purposes and joined in a similar manner to DC2, including replication and idmap.ldb copied from DC1 (DC1 has always had the FSMO roles)

In the next few years, all DCs were upgraded to Bullseye and Samba 4.16.5 from backports, no problem, everything has been working with zero issues.

In the last few weeks a change of IP was necessary for DC1 and DC2. I proceeded as follows, starting with DC2:

- Demote DC2,
- Change IP
- Remove old files (tdb and ldb)
- rejoin AD with:

samba-tool domain join mad.mater.int DC -U"MAD\Luis"

I completely forgot about a) --option='idmap_ldb:use rfc2307 = yes', b) replacing idmap.ldb from DC1. I tested SYSVOL replication, and the actual DC2 (by turning off DC1 and DC3) and all seems to work fine.

To make things worse, a few days later I changed the IP of DC1:

- Transfer FSMO roles to DC2
- Demote DC1
- Change IP
- Remove old files (tdb and ldb)
- rejoin AD with:

samba-tool domain join mad.mater.int DC -U"MAD\Luis"

Again, without --option='idmap_ldb:use rfc2307 = yes' and without replacing idmap.ldb.

- All FSMO roles were transferred back to DC1.

DC3 has not been reconfigured in any way, except that it is still syncing SYSVOL from DC1. All seems to work fine, but I fear these mistakes will somehow give me grief in the future. What is my best way to sort this AD?

Let me know if you need configuration files, I thought it would not be necessary.

Thank you very much for the help, all the best, LP
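The demote / change IP / re-join sequence from the post, scripted as an added example (it is not code from the post or from the Samba project). It carries the two steps the post says were skipped, re-joining with `--option='idmap_ldb:use rfc2307 = yes'` and restoring idmap.ldb from a reference DC, followed by the checks a practitioner would run afterwards. The domain name and admin account are taken from the post; the reference DC host name, the Debian paths and the `samba-ad-dc` unit name are assumptions. With `DRY_RUN=1` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba itself: a scripted
# demote / change-IP / re-join of one DC that keeps the rfc2307 idmap setting
# and re-installs the reference idmap.ldb, with post-join checks.
# Host name of the reference DC, paths and unit name are assumptions.
# DRY_RUN=1 prints every privileged command instead of executing it.

DOMAIN="${DOMAIN:-mad.mater.int}"               # from the post
ADMIN="${ADMIN:-MAD\\luis}"                     # from the post
SOURCE_DC="${SOURCE_DC:-dc3.mad.mater.int}"     # assumed: DC whose idmap.ldb is the reference
PRIVATE="${PRIVATE:-/var/lib/samba/private}"    # Debian default private dir
SMBCONF="${SMBCONF:-/etc/samba/smb.conf}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: demote cleanly so the remaining DCs drop this server's NTDS objects.
demote_dc() {
    run samba-tool domain demote -U"$ADMIN"
    run systemctl stop samba-ad-dc
}

# Step 2 (after changing the IP): remove the old databases, as in the post.
# Only do this after a successful demote; the join recreates them.
wipe_old_state() {
    run rm -f "$PRIVATE"/*.ldb "$PRIVATE"/*.tdb /var/lib/samba/*.tdb
}

# Step 3: re-join WITH the idmap option, so samba-tool writes
# "idmap_ldb:use rfc2307 = yes" into the generated smb.conf.
join_dc() {
    run samba-tool domain join "$DOMAIN" DC -U"$ADMIN" \
        --dns-backend=SAMBA_INTERNAL \
        --option='idmap_ldb:use rfc2307 = yes'
}

# Step 4: replace the freshly generated idmap.ldb with the reference copy so
# SYSVOL file ownership agrees with the other DCs, then reset SYSVOL ACLs.
restore_idmap() {
    run systemctl stop samba-ad-dc
    run tdbbackup -s .bak "$PRIVATE/idmap.ldb"      # keep the generated one
    run scp "root@$SOURCE_DC:$PRIVATE/idmap.ldb" "$PRIVATE/idmap.ldb"
    run net cache flush
    run samba-tool ntacl sysvolreset
    run systemctl start samba-ad-dc
}

# Check: the option must be present in smb.conf. Returns non-zero if missing.
check_idmap_option() {
    grep -Eq '^[[:space:]]*idmap_ldb:use rfc2307[[:space:]]*=[[:space:]]*yes' "${1:-$SMBCONF}"
}

# Post-join health checks: FSMO owners, DRS replication, DB consistency and
# the SID-to-xid mappings now held by this DC.
verify_dc() {
    run samba-tool fsmo show
    run samba-tool drs showrepl
    run samba-tool dbcheck --cross-ncs
    run ldbsearch -H "$PRIVATE/idmap.ldb" '(objectClass=sidMap)' objectSid xidNumber
}

rejoin_sequence() {
    demote_dc
    wipe_old_state
    join_dc
    restore_idmap
    if [ "$DRY_RUN" != 1 ]; then
        check_idmap_option || { echo "idmap_ldb:use rfc2307 = yes missing from $SMBCONF" >&2; return 1; }
    fi
    verify_dc
}

# Usage: DRY_RUN=1 sh rejoin-dc.sh preview   |   sh rejoin-dc.sh run
case "${1:-}" in
    preview) DRY_RUN=1; rejoin_sequence ;;
    run)     rejoin_sequence ;;
esac
```

Run it on the DC being re-joined after the IP change; `preview` shows the exact command lines first. The idmap.ldb copy is taken from a DC that was never re-joined, because that is the copy whose xidNumber values match the ownership of the files already in SYSVOL on the other DCs.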
