On 18/07/19 11:42, Rowland penny via samba wrote:
> Well, 'dns-dc2' is the user for Bind9 on dc2, so you shouldn't try to
> create it yourself.
>
> Easiest way will be to remove all mention of the dead DC, then use
> 'samba_upgradedns' to upgrade to the internal dns server, then run it
> again to upgrade to Bind9 again, this will create the required user
> for you.
>
> Rowland

I'm not sure if your advice applies.
What I'm trying to achieve is to trick dc2 into forgetting about dc1 so I can demote dc2.
Dc1 is not dead, I want it live and well!
I'm trying to kill dc2 and make dc1 also forget about it.
Makes sense?

The entire record ldbedit (on dc2) complains about:

# record 4032
dn: CN=dns-dc1,CN=Users,DC=example,DC=co,DC=uk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: dns-dc1
description: DNS Service Account for skippy
instanceType: 4
whenCreated: 20130810204304.0Z
whenChanged: 20130810204304.0Z
uSNCreated: 3228
name: dns-dc1
objectGUID: 5daf1211-78c3-45a0-a1c6-ec490451ef71
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130206409840000000
primaryGroupID: 513
objectSid: S-1-5-21-156202952-582183142-927750060-1186
accountExpires: 9223372036854775807
sAMAccountName: dns-dc1
sAMAccountType: 805306368
servicePrincipalName: DNS/dc1.example.co.uk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=co,DC
 ?=uk
isCriticalSystemObject: TRUE
uSNChanged: 3372
distinguishedName: CN=dns-dc1,CN=Users,DC=example,DC=co,DC=uk

All I did was replace dc1 with dc2.

I need to be careful with switching DNS etc.
Both dc1 and dc2 currently own all FSMO roles and I already have some problems because of that.

Adam
On 18/07/2019 12:17, Adam Weremczuk via samba wrote:
> On 18/07/19 11:42, Rowland penny via samba wrote:
>
>> Well, 'dns-dc2' is the user for Bind9 on dc2, so you shouldn't try to
>> create it yourself.
>>
>> Easiest way will be to remove all mention of the dead DC, then use
>> 'samba_upgradedns' to upgrade to the internal dns server, then run it
>> again to upgrade to Bind9 again, this will create the required user
>> for you.
>>
>> Rowland
>
> I'm not sure if your advice applies.
> What I'm trying to achieve is to trick dc2 into forgetting about dc1 so I
> can demote dc2.
> Dc1 is not dead, I want it live and well!
> I'm trying to kill dc2 and make dc1 also forget about it.
> Makes sense?
>
> The entire record ldbedit (on dc2) complains about:
>
> # record 4032
> dn: CN=dns-dc1,CN=Users,DC=example,DC=co,DC=uk
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: dns-dc1
> description: DNS Service Account for skippy
> instanceType: 4
> whenCreated: 20130810204304.0Z
> whenChanged: 20130810204304.0Z
> uSNCreated: 3228
> name: dns-dc1
> objectGUID: 5daf1211-78c3-45a0-a1c6-ec490451ef71
> userAccountControl: 512
> codePage: 0
> countryCode: 0
> pwdLastSet: 130206409840000000
> primaryGroupID: 513
> objectSid: S-1-5-21-156202952-582183142-927750060-1186
> accountExpires: 9223372036854775807
> sAMAccountName: dns-dc1
> sAMAccountType: 805306368
> servicePrincipalName: DNS/dc1.example.co.uk
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=co,DC
>  ?=uk
> isCriticalSystemObject: TRUE
> uSNChanged: 3372
> distinguishedName: CN=dns-dc1,CN=Users,DC=example,DC=co,DC=uk
>
> All I did was replace dc1 with dc2.
>
> I need to be careful with switching DNS etc.
> Both dc1 and dc2 currently own all FSMO roles and I already have some
> problems because of that.
>
> Adam
>

I would clone the DC you want to keep, move the clone away from the domain (easiest way, unplug the ethernet), then remove the old dead DC from this and ensure it works. If you want to use Bind9 and don't have the 'dns-*' user, then run samba_upgradedns as I said earlier.

Once you are sure just what to do, turn off the DC you don't want and then carry out the clean-up procedure you used on the clone. This should get you back to just one DC.

Rowland
On 18/07/19 12:33, Rowland penny via samba wrote:
> I would clone the DC you want to keep, move the clone away from the
> domain (easiest way, unplug the ethernet), then remove the old dead DC
> from this and ensure it works. If you want to use Bind9 and don't have
> the 'dns-*' user, then run samba_upgradedns as I said earlier.
>
> Once you are sure just what to do, turn off the DC you don't want and
> then carry out the clean-up procedure you used on the clone. This
> should get you back to just one DC.
>
> Rowland

A bit more clarification and background info.

Dc1 is a physical server running tonnes of critical stuff. It can't easily be cloned or even disconnected. It was set up before my time and for years the company had only one domain controller.

The problem is that the dc1 server is a single point of failure. I have already deployed a Proxmox stack which will provide much more redundancy. It will also allow me to decouple the numerous services on the dc1 server and run them in separate LXC containers. Once everything is migrated I'm still planning to have a single domain controller, since the hosting environment itself will be very resilient.

My plan is to:

1. Demote dc2 and make dc1 forget about it
2. Annihilate dc2
3. Gradually fix all config problems on dc1
4. Deploy a brand new dc3 LXC container running a newer Samba version
5. Replicate AD from dc1 to dc3 and test
6. Dcpromo dc3 to own all roles
7. Annihilate dc1

That's quite a few steps but I'm still badly stuck on no. 1 :(

Adam
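Adam's remark that both dc1 and dc2 currently claim all FSMO roles is the kind of split that is worth confirming before demoting anything. The script below is an added illustration, not code from the thread or from the Samba project: it takes the `samba-tool fsmo show` output captured on each DC (here two constructed samples in the shape that command prints, reusing the hostnames and domain from the thread), maps each role to the DC named in its NTDS Settings DN, and lists every role on which the two DCs disagree. The role names and output layout are assumed to match what `samba-tool fsmo show` prints; the `fsmo_owner_map` and `fsmo_conflicts` helper names are the example's own.

```shell
#!/bin/sh
# Added example: compare FSMO role ownership as reported by two DCs.
# Both samples below are constructed, not captured from a real domain.

# What dc1 reports (constructed): every role owned by DC1.
DC1_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk'

# What dc2 reports (constructed): the same roles, but all claimed by DC2.
DC2_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk'

# Reduce "fsmo show" lines to "<role> <server>" pairs (stdin -> stdout).
# The server name is the CN directly under "CN=NTDS Settings" in the owner DN.
fsmo_owner_map() {
    sed -n 's/^\([A-Za-z]*Role\) owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1 \2/p'
}

# Print one line per role whose owner differs between report $1 and report $2.
# A role missing from the second report is also treated as a disagreement.
fsmo_conflicts() {
    map_a=$(printf '%s\n' "$1" | fsmo_owner_map)
    map_b=$(printf '%s\n' "$2" | fsmo_owner_map)
    printf '%s\n' "$map_a" | while read -r role owner_a; do
        owner_b=$(printf '%s\n' "$map_b" | awk -v r="$role" '$1 == r { print $2 }')
        if [ "$owner_a" != "$owner_b" ]; then
            printf '%s: first DC says %s, second DC says %s\n' \
                "$role" "$owner_a" "${owner_b:-<none>}"
        fi
    done
}

# Number of disagreeing roles, as a plain integer (0 when the views agree).
fsmo_conflict_count() {
    fsmo_conflicts "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run: show the disagreements between the two constructed reports.
fsmo_conflicts "$DC1_FSMO" "$DC2_FSMO"
echo "conflicting roles: $(fsmo_conflict_count "$DC1_FSMO" "$DC2_FSMO")"
```

In practice you would run `samba-tool fsmo show` on each DC, save each output to a file, and feed the two files' contents to `fsmo_conflicts`; a non-zero count means the DCs hold inconsistent role ownership and should be reconciled (which DC is authoritative is an administrative decision) before one of them is demoted.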