Web lists-archives.com

Re: [Samba] Recurrent DNS issues after DC loss

On 06.06.2018 14:44, lingpanda101 wrote:

** SNIP **

Actually, the DCs (resolv.conf) were pointing to each other initially, and I think that was at least one root of the evil. I think this advice in the Samba wiki actually is rather bad (and unnecessary with Samba, as has been pointed out, before?).
Using Bind I find it's necessary to point the DC to itself. I had no issues pointing to another DC with the internal DNS. The Wiki actually mentions best practice for a multi DC environment as it relates to a Windows setup. I do think it's unnecessary with Samba however.

I fear, it is contra-productive in case you loose the other DC the one DC is pointing to.

Regarding demoting the dead DC: My Samba version is rather old (4.2.5). The problem is that I chose the uid/gid scopes unwisely. And I read on some patch notes that I can't update anymore, because newer versions of Samba actually require those scopes to be set in a very specific way. So perhaps demoting via the newly available method is not an option here.
Can you repair or replace the dead DC with a current Samba version? Join then transfer the FSMO roles? I would advise not using the same hostname.

I plan on replacing the dead DC very soon, the hardware is in shipping.

I seem to remember having read here on the list, that it is no good idea to mix samba versions in a domain. If there is sound advice to do it anyways, I would be up for trying it. However, as I have written above, I messed up the uid/gid ranges. To my understanding, later versions of Samba (like 4.5) _require_ the ranges to comply to the defaults as denoted by the wiki.

What I can think of is:
- removing the dead DC from the clients DNS config, of course
- removing it from AD DNS
- removing it from AD Sites and Services
- and removing it from AD Users and Computers
Yes to all the above. The key is to remove all service records in DNS that reference the bad DC. It's easier to use RSAT for this. Make sure you remove all NTDS connections as well that reference the dead DC. Reference the Wiki as it does a good job displaying an example of running '# samba-tool domain demote --remove-other-dead-server=DC2'. It shows all that seems necessary.

I will do that. I am using RSAT. Would I eradicate the complete site associated with the dead DC? Or which containers/objects in particular?

What else does the Samba script for demoting a DC do? Can I do that manually, too? I repeat: it was not the FSMO role holder.
I don't know.

Thank you very much, James!

Thanks again for any advice!


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba