[PATCH: Domain backup samba-tool command]
Stefan Metzmacher
metze at samba.org
Fri Mar 23 06:32:23 UTC 2018
On 23.03.2018 at 05:59, Aaron Haslett via samba-technical wrote:
> The existing shell script for backing up a domain doesn't lock things
> properly while doing the backup and could end up with a corrupt backup
> or cause a lockup. Here's a new python script that actually works,
> along with tests and required fixes.

I haven't looked into this in detail, but I have a few questions/comments:

- Can you write down in words what the new command is supposed to do?

- The most important part of a backup is always the restore!
  I've come across a few sites already, which tried to restore
  DCs from a VM snapshot and corrupted the replication state.

  I think we really need a corresponding restore command
  and make it relatively hard to restore the backup without
  using the restore command.

  The restore command should also do this on the backup databases:
  - reset highestCommittedUSN to 1 and invent a new invocationID
    that will be used for further replPropertyMetaData stamps
  - samba-tool domain demote --remove-other-dead-server for all
    servers
  - create a new machine account and NTDSDsa object (with the new
    invocationID)
  - samba-tool fsmo seize for all roles
  - change the krbtgt passwords twice

  So that the restored domain will never replicate with any existing
  DC, as it's only a last resort if really all DCs are broken.

Can you please read through the C related patches and fix
tab vs. whitespaces or missing whitespaces.

Thanks!
metze