Re: [Samba] Recurrent DNS issues after DC loss
- Date: Wed, 6 Jun 2018 15:40:48 +0200
- From: Ole Traupe via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Recurrent DNS issues after DC loss
On 06.06.2018 14:44, lingpanda101 wrote:
Using Bind I find it's necessary to point the DC to itself. I had no
issues pointing to another DC with the internal DNS. The Wiki actually
mentions best practice for a multi DC environment as it relates to a
Windows setup. I do think it's unnecessary with Samba however.
** SNIP **
Actually, the DCs (resolv.conf) were pointing to each other
initially, and I think that was at least one root of the evil. I
think this advice in the Samba wiki actually is rather bad (and
unnecessary with Samba, as has been pointed out, before?).
I fear it is counterproductive in case you lose the other DC the one
DC is pointing to.
Can you repair or replace the dead DC with a current Samba version?
Join then transfer the FSMO roles? I would advise not using the same
Regarding demoting the dead DC: My Samba version is rather old
(4.2.5). The problem is that I chose the uid/gid scopes unwisely. And
I read on some patch notes that I can't update anymore, because newer
versions of Samba actually require those scopes to be set in a very
specific way. So perhaps demoting via the newly available method is
not an option here.
I plan on replacing the dead DC very soon, the hardware is in shipping.
I seem to remember having read here on the list that it is not a good idea
to mix Samba versions in a domain. If there is sound advice to do it
anyway, I would be up for trying it. However, as I have written above,
I messed up the uid/gid ranges. To my understanding, later versions of
Samba (like 4.5) _require_ the ranges to comply with the defaults as
denoted by the wiki.
Yes to all the above. The key is to remove all service records in DNS
that reference the bad DC. It's easier to use RSAT for this. Make sure
you remove all NTDS connections as well that reference the dead DC.
Reference the Wiki as it does a good job displaying an example of
running '# samba-tool domain demote --remove-other-dead-server=DC2'.
It shows all that seems necessary.
What I can think of is:
- removing the dead DC from the clients' DNS config, of course
- removing it from AD DNS
- removing it from AD Sites and Services
- and removing it from AD Users and Computers
I will do that. I am using RSAT. Would I eradicate the complete site
associated with the dead DC? Or which containers/objects in particular?
What else does the Samba script for demoting a DC do? Can I do that
manually, too? I repeat: it was not the FSMO role holder.
I don't know.
Thank you very much, James!
Thanks again for any advice!
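As an added example, not part of this thread and not Samba's own tooling: a small Python script that takes the text printed by `samba-tool dns query SERVER ZONE @ ALL` and lists every record in the zone that still names the dead DC (NS, CNAME and SRV targets, the SOA primary, and A records matched by address or by the dead DC's own host node), then prints the matching `samba-tool dns delete` commands so that the "remove all service records that reference the bad DC" step can be checked record by record rather than by eye in RSAT. The sample query output, the `samdom.example.com` zone, the `dc1`/`dc2` hostnames and the `10.99.0.x` addresses are constructed; the `samba-tool dns delete` argument layout (`@` for the zone apex, SRV data as `target port priority weight`) is my assumption and should be checked against `samba-tool dns delete --help` before anything is run.

```python
#!/usr/bin/env python3
"""Find DNS records in a Samba AD zone that still reference a dead DC.

Added example, not code from the mailing-list thread or from Samba.
Parses the text that `samba-tool dns query SERVER ZONE @ ALL` prints and
lists every record whose target or address is the dead DC, then builds
the corresponding `samba-tool dns delete` command lines.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of samba-tool dns query output (zone samdom.example.com,
# live DC dc1 = 10.99.0.1, dead DC dc2 = 10.99.0.2). Layout assumed from the
# usual "Name=..., Records=..., Children=..." / "TYPE: data (flags=...)" form.
SAMPLE_QUERY_OUTPUT = """\
  Name=, Records=5, Children=0
    SOA: serial=123, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc2.samdom.example.com., email=hostmaster.samdom.example.com. (flags=600000f0, serial=123, ttl=3600)
    NS: dc1.samdom.example.com. (flags=600000f0, serial=110, ttl=900)
    NS: dc2.samdom.example.com. (flags=600000f0, serial=110, ttl=900)
    A: 10.99.0.1 (flags=600000f0, serial=110, ttl=900)
    A: 10.99.0.2 (flags=600000f0, serial=110, ttl=900)
  Name=_ldap._tcp, Records=2, Children=0
    SRV: dc1.samdom.example.com. (389, 0, 100) (flags=600000f0, serial=110, ttl=900)
    SRV: dc2.samdom.example.com. (389, 0, 100) (flags=600000f0, serial=110, ttl=900)
  Name=_kerberos._tcp, Records=2, Children=0
    SRV: dc1.samdom.example.com. (88, 0, 100) (flags=600000f0, serial=110, ttl=900)
    SRV: dc2.samdom.example.com. (88, 0, 100) (flags=600000f0, serial=110, ttl=900)
  Name=dc1, Records=1, Children=0
    A: 10.99.0.1 (flags=600000f0, serial=110, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 10.99.0.2 (flags=600000f0, serial=110, ttl=900)
"""


@dataclass
class Record:
    name: str    # node name inside the zone ("" for the zone apex)
    rtype: str   # A, NS, SRV, SOA, ...
    data: str    # record data as printed, without the trailing "(flags=...)"


NODE_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=\d+, Children=\d+")
REC_RE = re.compile(r"^\s*(?P<rtype>[A-Z]+): (?P<data>.*?) \(flags=")
SRV_RE = re.compile(r"^(?P<target>\S+) \((?P<port>\d+), (?P<prio>\d+), (?P<weight>\d+)\)$")


def parse_query_output(text: str) -> List[Record]:
    """Turn samba-tool dns query output into Record objects."""
    records, node = [], None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            node = m.group("name")
            continue
        m = REC_RE.match(line)
        if m and node is not None:
            records.append(Record(node, m.group("rtype"), m.group("data")))
    return records


def _host(label: str) -> str:
    """Normalise a DNS name: drop the trailing dot, lower-case."""
    return label.rstrip(".").lower()


def stale_records(text: str, zone: str, dead_host: str, dead_ip: str) -> List[Record]:
    """Records that still point at the dead DC: by name (NS/CNAME/SRV target,
    SOA primary), by address (A) or because they sit on the DC's own host node."""
    dead, zone = _host(dead_host), _host(zone)
    short = dead[: -len(zone) - 1] if dead.endswith("." + zone) else dead
    hits = []
    for r in parse_query_output(text):
        if r.rtype in ("NS", "CNAME") and _host(r.data) == dead:
            hits.append(r)
        elif r.rtype == "SRV":
            m = SRV_RE.match(r.data)
            if m and _host(m.group("target")) == dead:
                hits.append(r)
        elif r.rtype == "A" and (r.data == dead_ip or _host(r.name) == short):
            hits.append(r)
        elif r.rtype == "SOA":
            m = re.search(r"\bns=(?P<ns>\S+?),", r.data)
            if m and _host(m.group("ns")) == dead:
                hits.append(r)
    return hits


def delete_commands(hits: List[Record], server: str, zone: str,
                    admin: str = "Administrator") -> List[str]:
    """Build one `samba-tool dns delete` line per stale record.
    Assumed argument layout (check `samba-tool dns delete --help`): "@" for the
    zone apex, SRV data as "target port priority weight". The SOA is not
    deletable; its ns= field has to be repointed at a live DC instead, so only a
    reminder line is produced for it."""
    cmds = []
    for r in hits:
        name = r.name or "@"
        if r.rtype == "SOA":
            cmds.append(f"# SOA of {zone} names the dead DC as primary; repoint ns= to a live DC")
            continue
        if r.rtype == "SRV":
            m = SRV_RE.match(r.data)
            data = f"{m['target']} {m['port']} {m['prio']} {m['weight']}"
        else:
            data = r.data
        cmds.append(f"samba-tool dns delete {server} {zone} {name} {r.rtype} '{data}' -U {admin}")
    return cmds


if __name__ == "__main__":
    found = stale_records(SAMPLE_QUERY_OUTPUT, "samdom.example.com",
                          "dc2.samdom.example.com", "10.99.0.2")
    for line in delete_commands(found, "dc1.samdom.example.com", "samdom.example.com"):
        print(line)
```

In practice you would replace `SAMPLE_QUERY_OUTPUT` with the real query output captured from a live DC (and run it once more for the `_msdcs` zone, which holds its own copies of the SRV and CNAME records), read the generated lines, and only then execute them. Records that match only because the address is shared (an A record at the apex) are listed too, which is deliberate: the domain name itself must stop resolving to the dead host.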