samba - Sep 2014 - Broken domain

Hi all,

Hoping someone can help me out here.

My 5 DC production domain (4.1.7 Ubuntu 12.04) is in a bit of a state.

I attempted an upgrade from 4.1.5 to 4.1.7 which appeared to work, but now
we have replication errors and am unable to add any new DNS entries. I am
now certain that we've fallen foul of the DomainDnsZones DeletedObjects
problem that I've been reading about in various posts on the lists.

My DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb files are now
between 3 and 4GB on each of the DC's. Doing an ldapsearch ( ldbsearch -H
DC=DOMAINDNSZONES,DC=ESSENCE,DC=INTERNAL,DC=COM.ldb 'isDeleted=TRUE' dn
)on
each DC returns a different number of objects ranging from 387000 down to
88000 on the FSMO DC. Almost all of these are stale isDeleted entries.

I am currently attempting a Bind migration on a test DC as this is toted as
a possible fix (any successes out there with this?).

A matter of note for the lists: When I originally provisioned my domain
(classic upgrade from Samba3) I created a new OU for Groups and moved all
groups into it, this is a mistake if you want to migrate to Bind as the
migration script needs CN=DnsAdmins to be in Users OU, if it isn't the
script errors. I moved DnsAdmins back to Users to get the script to
complete.

At present I'm holding the domain together with bits of string and sticky
tape - having to reboot one of my DC's every 30 mins just to keep things
ticking over.

I have tried many variations of joining a new DC to the domain but that has
failed, so my current plan is to create a test version of my FSMO DC using
BIND_DLZ (using a current snapshot of the FSMO DC) and get things to a
working state there, and then replace this on the production site and
re-join new DC's to rebuild things. Obviously, not best practice but I
can't think of any other way of getting things stable again.

I have tried manually editing the .ldb files but they are so inflated now
that any vim edits just time out and error.

Thanks,
Chris.

-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192

Hi Chris,

We have seen this, and with us the problems were that serious that we 
called in the guys from sernet help us solve it.

Why can you not add a new dc to the domain? Does it fail when trying to 
replicate the DomainDnsZones partition? Or some other problem?

What helped us is:

-reduce the size of DomainDnsZones with many lines like "ldbdel -d 0 -H 
sam.ldb "<GUID=66fd6cd4-a9dc-4d05-ab0c-dc915fce6adb>"
--show-recycled
--relax"

- you should then (normally) be able to add a new DC.

But perhaps your problems are bigger..?

MJ


On 09/29/2014 01:51 PM, Chris Alavoine wrote:
> Hi all,
>
> Hoping someone can help me out here.
>
> My 5 DC production domain (4.1.7 Ubuntu 12.04) is in a bit of a state.
>
> I attempted an upgrade from 4.1.5 to 4.1.7 which appeared to work, but now
> we have replication errors and am unable to add any new DNS entries. I am
> now certain that we've fallen foul of the DomainDnsZones DeletedObjects
> problem that I've been reading about in various posts on the lists.
>
> My DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb files are now
> between 3 and 4GB on each of the DC's. Doing an ldapsearch ( ldbsearch
-H
> DC=DOMAINDNSZONES,DC=ESSENCE,DC=INTERNAL,DC=COM.ldb
'isDeleted=TRUE' dn )on
> each DC returns a different number of objects ranging from 387000 down to
> 88000 on the FSMO DC. Almost all of these are stale isDeleted entries.
>
> I am currently attempting a Bind migration on a test DC as this is toted as
> a possible fix (any successes out there with this?).
>
> A matter of note for the lists: When I originally provisioned my domain
> (classic upgrade from Samba3) I created a new OU for Groups and moved all
> groups into it, this is a mistake if you want to migrate to Bind as the
> migration script needs CN=DnsAdmins to be in Users OU, if it isn't the
> script errors. I moved DnsAdmins back to Users to get the script to
> complete.
>
> At present I'm holding the domain together with bits of string and
sticky
> tape - having to reboot one of my DC's every 30 mins just to keep
things
> ticking over.
>
> I have tried many variations of joining a new DC to the domain but that has
> failed, so my current plan is to create a test version of my FSMO DC using
> BIND_DLZ (using a current snapshot of the FSMO DC) and get things to a
> working state there, and then replace this on the production site and
> re-join new DC's to rebuild things. Obviously, not best practice but I
> can't think of any other way of getting things stable again.
>
> I have tried manually editing the .ldb files but they are so inflated now
> that any vim edits just time out and error.
>
> Thanks,
> Chris.
>