Peter Grotz - Obel und Partner GbR
2014-Aug-26 15:47 UTC
[Samba] Samba 4 fsmo-handling on crashed dc-server
Hello,

we have two dcs in one domain which are located in separate subnets. These subnets are connected by a routed vpn.

How must I handle fsmo roles when one of these dcs fails and will maybe be repaired and reconnected?

A transfer of the fsmo roles is not possible until the dc is repaired, so should the fsmos be seized from the other dc? Can anybody give me a hint how to handle this situation?

Thanks,
-Peter
Hello Peter,

On 26.08.2014 17:47, Peter Grotz - Obel und Partner GbR wrote:
> we have two dcs in one domain which are located in separate subnets. These
> subnets are connected by a routed vpn.
>
> How must I handle fsmo roles when one of these dcs fails and will maybe be
> repaired and reconnected?
>
> A transfer of the fsmo roles is not possible until the dc is
> repaired, so should the fsmos be seized from the other dc? Can
> anybody give me a hint how to handle this situation?

There are different situations:

1.) The crashed DC owns none of the FSMO roles: You have nothing to do if the repaired DC comes back.

2.) The crashed DC has at least one of the FSMO roles:

2.a.) the DC can be repaired: You have nothing to do. You _must not_ seize the roles in the meantime!

2.b.) the DC can't be repaired: You seize the roles on one of the remaining DCs. But you must ensure that the DC really never comes back! Otherwise two DCs own the same roles, which could have serious consequences. You have to remove the DC from the domain. But demoting is currently only possible for DCs that are still working. Demoting foreign DCs is broken: https://bugzilla.samba.org/show_bug.cgi?id=10595

Regards,
Marc

PS: I have put the extension of the FSMO documentation on my to-do list. We often get questions about FSMO these days.
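Which case from the reply applies depends on which roles the failed DC holds. As an added example (not part of the original thread), this POSIX shell script reads `samba-tool fsmo show` output and reports the case; it assumes each output line has the form `<Role> owner: CN=NTDS Settings,CN=<server>,...`, and the DC names, domain and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: `samba-tool fsmo show`
# prints one line per role: "<Role> owner: CN=NTDS Settings,CN=<server>,..."

# Constructed sample output (hypothetical DC1/DC2 in samdom.example.com).
sample_fsmo_show() {
cat <<'EOF'
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
EOF
}

# roles_owned_by DC: stdin is fsmo show output; prints the roles held by DC
# on one line, space separated (prints nothing if DC holds no role).
roles_owned_by() {
    awk -v dc="$1" '
        / owner: / {
            split($0, parts, ",")          # parts[2] is "CN=<server>"
            name = parts[2]
            sub(/^CN=/, "", name)
            if (toupper(name) == toupper(dc))
                out = out (out ? " " : "") $1
        }
        END { if (out) print out }'
}

# fsmo_action DC REPAIRABLE: stdin is fsmo show output; REPAIRABLE is yes|no.
# Maps the result onto cases 1, 2.a and 2.b from the reply above.
fsmo_action() {
    roles=$(roles_owned_by "$1")
    if [ -z "$roles" ]; then
        echo "none: $1 owns no FSMO role, nothing to do"
    elif [ "$2" = yes ]; then
        echo "wait: do not seize, $1 still owns: $roles"
    else
        echo "seize: once $1 can never come back, seize: $roles"
    fi
}
```

On a surviving DC the live output can be piped in, for example `samba-tool fsmo show | fsmo_action DC1 no`.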