Re: [Samba] Recurrent DNS issues after DC loss
- Date: Wed, 6 Jun 2018 08:44:50 -0400
- From: lingpanda101 via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Recurrent DNS issues after DC loss
On 6/6/2018 4:54 AM, Ole Traupe via samba wrote:
Using Bind I find it's necessary to point the DC to itself. I had no
issues pointing to another DC with the internal DNS. The Wiki actually
mentions best practice for a multi DC environment as it relates to a
Windows setup. I do think it's unnecessary with Samba however.
On 05.06.2018 20:39, lingpanda101 wrote:
On 6/5/2018 2:11 PM, Ole Traupe via samba wrote:
I have a domain in production on two sites (subnets, via "Sites and
Services") with originally two DCs. One went down due to HDD (-> old
hardware) error. Now, occasionally, clients can't access/find the
file server (domain member). This does not occur on all clients at
the same time, however, so I am rather sure it is not the file
server itself, but a DNS problem.
I couldn't find anything diagnostic in the logs. Default log level
was not informative, I think, while log level 10 I just could not
Can someone recommend a log level? Should I look on the DC or on the
Do I have to remove the offline DC completely from DNS and Sites and
Services for this mess to stop?
I appreciate any advice.
If you haven't already removed the dead DC from your network you
should do that first.
Your clients' DNS may still be pointing to the offline DC causing
lookup delays. Also, did you have your DCs pointing to themselves for DNS
or each other?
** SNIP **
Actually, the DCs (resolv.conf) were pointing to each other initially,
and I think that was at least one root of the evil. I think this
advice in the Samba wiki actually is rather bad (and unnecessary with
Samba, as has been pointed out, before?).
Can you repair or replace the dead DC with a current Samba version? Join
then transfer the FSMO roles? I would advise not using the same hostname.
Regarding demoting the dead DC: My Samba version is rather old
(4.2.5). The problem is that I chose the uid/gid scopes unwisely. And
I read on some patch notes that I can't update anymore, because newer
versions of Samba actually require those scopes to be set in a very
specific way. So perhaps demoting via the newly available method is
not an option here.
Yes to all the above. The key is to remove all service records in DNS
that reference the bad DC. It's easier to use RSAT for this. Make sure
you remove all NTDS connections as well that reference the dead DC.
Reference the Wiki as it does a good job displaying an example of
running '# samba-tool domain demote --remove-other-dead-server=DC2'. It
shows all that seems necessary.
What I can think of is:
- removing the dead DC from the clients' DNS config, of course
- removing it from AD DNS
- removing it from AD Sites and Services
- and removing it from AD Users and Computers
What else does the Samba script for demoting a DC do? Can I do that
manually, too? I repeat: it was not the FSMO role holder.
I don't know.
Thanks again for any advice!
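The thread's advice is to remove every DNS record that still references the dead DC (NS, SRV and host records), preferably via the wiki's `samba-tool domain demote --remove-other-dead-server` route. The script below is an added example, not code from this thread or from the Samba project: it audits a zone dump for leftovers so you can verify nothing points at the dead DC after the demote. It assumes a dump in the shape of `samba-tool dns query <server> <zone> @ ALL` output (the sample is constructed, and the exact layout is an assumption), and it assumes the `samba-tool dns delete <server> <zone> <name> <type> "<data>"` argument form with SRV data written as `target port priority weight`.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `samba-tool dns query DC1 samdom.example.com @ ALL`
# output (layout is an assumption). dc2 plays the dead DC from the thread.
SAMPLE_ZONE_DUMP = """\
  Name=, Records=3, Children=0
    SOA: serial=1234 (flags=600000f0, serial=1234, ttl=3600)
    NS: dc1.samdom.example.com. (flags=600000f0, serial=1234, ttl=900)
    NS: dc2.samdom.example.com. (flags=600000f0, serial=1234, ttl=900)
  Name=dc1, Records=1, Children=0
    A: 192.0.2.10 (flags=f0, serial=1234, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 192.0.2.20 (flags=f0, serial=1234, ttl=900)
  Name=_ldap._tcp, Records=2, Children=0
    SRV: dc1.samdom.example.com. (389, 0, 100) (flags=f0, serial=1234, ttl=900)
    SRV: dc2.samdom.example.com. (389, 0, 100) (flags=f0, serial=1234, ttl=900)
  Name=_kerberos._tcp, Records=2, Children=0
    SRV: dc1.samdom.example.com. (88, 0, 100) (flags=f0, serial=1234, ttl=900)
    SRV: dc2.samdom.example.com. (88, 0, 100) (flags=f0, serial=1234, ttl=900)
"""

NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*),")
# "<TYPE>: <data> (flags=...": data is everything before the trailing flags block
RECORD_RE = re.compile(r"^\s*(?P<type>[A-Z]+):\s+(?P<data>.*?)\s+\(flags=")


@dataclass(frozen=True)
class Record:
    name: str    # owner name relative to the zone; '' is the zone apex
    rtype: str   # A, AAAA, NS, SRV, SOA, ...
    data: str    # record data exactly as printed in the dump


def parse_zone_dump(text):
    """Turn the dump text into a flat list of Record objects."""
    records, current = [], None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = RECORD_RE.match(line)
        if m and current is not None:
            records.append(Record(current, m.group("type"), m.group("data")))
    return records


def references_dead_dc(rec, dead_fqdn, dead_ips):
    """True if this record names the dead DC by host name or by address."""
    fqdn = dead_fqdn.rstrip(".").lower()
    short = fqdn.split(".")[0]
    if rec.rtype in ("A", "AAAA"):
        # the dead DC's own host record, or any record carrying its address
        return rec.name.lower() == short or rec.data in dead_ips
    # NS, SRV, CNAME and PTR carry a target host name as the first token
    target = rec.data.lower().split()[0].rstrip(".")
    return target == fqdn


def find_stale_records(records, dead_fqdn, dead_ips=frozenset()):
    return [r for r in records if references_dead_dc(r, dead_fqdn, dead_ips)]


def delete_command(rec, server, zone):
    """Build the samba-tool command that would remove this record (form assumed)."""
    data = rec.data
    if rec.rtype == "SRV":
        # dump prints "target (port, priority, weight)"; samba-tool wants them space separated
        m = re.match(r"(\S+)\s+\((\d+),\s*(\d+),\s*(\d+)\)", data)
        target, port, prio, weight = m.groups()
        data = f"{target.rstrip('.')} {port} {prio} {weight}"
    elif rec.rtype in ("NS", "CNAME", "PTR"):
        data = data.rstrip(".")
    name = rec.name or "@"
    return f'samba-tool dns delete {server} {zone} {name} {rec.rtype} "{data}"'


def audit(dump_text, server, zone, dead_fqdn, dead_ips=frozenset()):
    """Return (record, delete command) pairs for every leftover reference."""
    stale = find_stale_records(parse_zone_dump(dump_text), dead_fqdn, dead_ips)
    return [(r, delete_command(r, server, zone)) for r in stale]


if __name__ == "__main__":
    for rec, cmd in audit(SAMPLE_ZONE_DUMP, "DC1", "samdom.example.com",
                          "dc2.samdom.example.com", {"192.0.2.20"}):
        print(f"stale {rec.rtype:4} {rec.name or '@':15} -> {cmd}")
```

Run it once against the domain zone and once against the separate `_msdcs.<domain>` zone, since Samba keeps the `_msdcs` SRV and CNAME records there; review the printed commands before executing any of them, and keep the wiki's demote procedure as the primary cleanup, using this only to confirm nothing was missed.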