Re: [Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown
- Date: Tue, 5 Sep 2017 17:12:40 +0200
- From: Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown
On 2017-09-05 16:52, L.P.H. van Belle wrote:
> Yes, if you flexible with reinstalling, you could..
I don't want another quick and dirty solution that turns out to break
half a year down the line, I'm fine with nuking half my DCs if that
means getting to a clean state.
Besides, recreating containers is faster than manually messing around in
/var/lib on each one of them.
> I suggest the following, move fsmo roles to villach-dc and check database replications.
DB replication is already spewing errors, what am I to look out for?
> Remove the most faulty one first, graz-dc-1b, from the domain. ( check and cleanup DNS and AD! Very important )
What to check for? What to clean up?
> You dont have to reinstall the complete os, just cleanup as told, and reprovisioning that server again.
Adding a new DC with the same hostname as the old DC is what got me into
trouble last time. I'll pass up on that offer.
>>> Then remove a failty server and re-add it as a new installed DC.
>>> ( the good DS with FSMO)
>>> First backup: /var/lib/samba/private/secrets.keytab
>>> Remove the incorrect entries from keytab file with ktutil rkt
>>> list -e -t
>> Might as well just nuke graz-dc-sem and add a complete new DC
>> from scratch, no?
> No, and yes, but i preffer no, not needed (yet).
> Start with the keytab cleanup
> Check the dns record if the uuid A PTR and hostnames resolve to the correct server.
> If thats the case, then no, cleanup of keytab is, i think, sufficient.
Just to confirm the order: Clean up the keytab, if that doesn't work,
start removing servers?
> Yes, if its really a mess. ;-)
> Then, first a an new DC, then remove, just make sure you always have 2 dc's up and running (correctly)
Servers in Villach seem to run fine, thank $DEITY, so I'll leave them
alone for now.
>>> Now re-provision and you should have correct working DC's again.
>>> ! Before re-provisioning, make sure all OLD records dns and
>> AD are gone.
>> I still have undeleteable replication records from the last
>> time I had to nuke a DC, nobody replied to my emails on that issue.
> Ok, now, im out of office in about 10 min, but mail that subject for me again> I'll have a look.
First message on that topic:
Last message, where I mentioned the replication bug:
> Own and if you dont use it, ApacheDirectoryStudio can help a lot with cleanup of these kind of things.
Currently I'm using the ADSI MMC snap-in, any downsides compared to ADS?
> But just make sure you know what you delete, for you mess up the AD even more.
That why I'm not touching anything without a full list.
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas@xxxxxx | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
To unsubscribe from this list go to the following URL and read the