Krutskikh Ivan
2015-Oct-19 13:07 UTC
[Samba] unique index violation on objectSid on samba ad
ok =( Guess I should repeat all the work from scratch. So just to check if I got it right:

1) Create a new container. Provision an ad dc on it. Can I join some machine to apply some gpo's and to create users at this point? I'll delete it afterwards
2) Power down the container from 1) and use it as a template for every other dc I need just by changing ip/dns
3) Create another template for the second domain. Clone it and attach for each new dc from 2)

Will this work? The dc's would work in different lan's.

2015-10-19 15:39 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
> Hello Ivan,
>
> On 19.10.2015 at 12:42, Krutskikh Ivan wrote:
> > I think, I've done something stupid here. At first I've created 2 lxc
> > containers and provisioned one as dc.office.mtt and joined second one to
> > the first ad bdc.tsnr.mtt.
>
> You should not name your DC something like "backup" (bdc). If the first
> one (dc) gets lost, you only have one. There's no primary, secondary,
> etc. in an AD.
>
> But this isn't your problem :-)
>
> > Then I've cloned those containers several times
> > and changed ip addresses and dns names of new containers to different
> > subnets.
>
> This was the mistake you made. Don't join and then clone! DCs have GUIDs
> inside the AD. If you change the name/IP after the join, you have two
> hosts with the same GUID in AD and you will of course get replication
> problems.
>
> Is this already in production or just with a large number of
> user/computers? If not, start from scratch. I think it's much less work
> and risk to prevent upcoming trouble in future.
>
> 1. Install first DC
> 2. Provision a domain on it
> 3. Install second DC as template (just install OS + Samba, but don't join!)
> 4. Clone your machine
> 5. Give the clone a new hostname and IP
> 6. Join the cloned machine to the domain
> 7. Repeat 4-6 for all DCs you want to create.
>
> Regards,
> Marc
Rowland Penny
2015-Oct-19 13:33 UTC
[Samba] unique index violation on objectSid on samba ad
On 19/10/15 14:07, Krutskikh Ivan wrote:
> ok =( Guess I should repeat all the work from scratch. So just to check if
> I got it right:
>
> 1) Create a new container. Provision an ad dc on it. Can I join some machine
> to apply some gpo's and to create users at this point? I'll delete it
> afterwards

Well NO, there is no point.

> 2) Power down the container from 1) and use it as a template for every
> other dc I need just by changing ip/dns

NO, clone the container BEFORE you provision Samba, at this point you can use it as a template.

> 3) Create another template for the second domain. Clone it and attach for
> each new dc from 2)

Why do you need different DCs? If they are all going to be in the same realm, you can use 'sites', if they aren't, then they need to be totally different DNS domains and realms. Speaking of which, all machines in a realm need to be using the same DNS domain, you seem to be using different domains on your original DCs (dc.office.mtt & bdc.tsnr.mtt)

> Will this work? The dc's would work in different lan's.

Don't recommend it.

Rowland

> 2015-10-19 15:39 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>
>> Hello Ivan,
>>
>> On 19.10.2015 at 12:42, Krutskikh Ivan wrote:
>>> I think, I've done something stupid here. At first I've created 2 lxc
>>> containers and provisioned one as dc.office.mtt and joined second one to
>>> the first ad bdc.tsnr.mtt.
>> You should not name your DC something like "backup" (bdc). If the first
>> one (dc) gets lost, you only have one. There's no primary, secondary,
>> etc. in an AD.
>>
>> But this isn't your problem :-)
>>
>>> Then I've cloned those containers several times
>>> and changed ip addresses and dns names of new containers to different
>>> subnets.
>> This was the mistake you made. Don't join and then clone! DCs have GUIDs
>> inside the AD. If you change the name/IP after the join, you have two
>> hosts with the same GUID in AD and you will of course get replication
>> problems.
>>
>> Is this already in production or just with a large number of
>> user/computers? If not, start from scratch. I think it's much less work
>> and risk to prevent upcoming trouble in future.
>>
>> 1. Install first DC
>> 2. Provision a domain on it
>> 3. Install second DC as template (just install OS + Samba, but don't join!)
>> 4. Clone your machine
>> 5. Give the clone a new hostname and IP
>> 6. Join the cloned machine to the domain
>> 7. Repeat 4-6 for all DCs you want to create.
>>
>> Regards,
>> Marc
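The clone-and-join procedure quoted above (Marc's steps 5 and 6) together with a check for the failure mode he describes, two DCs carrying the same AD identity after a post-join clone, as an added example that is not from this thread or from the Samba project. It assumes the clone was made from an unjoined template as Rowland says, that its IP is already set in the container config, that systemd's hostnamectl exists on the clone, that REALM and FIRST_DC_IP are placeholders, and that `samba-tool drs showrepl` starts with the `DSA object GUID:` / `DSA invocationId:` header lines for the local DC; the sample showrepl headers are constructed, not captured from real DCs.

```shell
#!/bin/sh
# Added example, not from the thread. Implements steps 5 and 6 of the
# quoted procedure (rename the clone, point its DNS at the first DC, join
# it) and adds a check for the failure mode described there: after a
# post-join clone, two DCs report the same AD identity.
# Assumptions (none of these come from the thread): the clone was made
# from an UNJOINED template, its IP is already set in the container
# config, systemd's hostnamectl is available, REALM and FIRST_DC_IP are
# placeholders. DRY_RUN=1 prints the privileged commands instead of
# running them.

REALM="${REALM:-EXAMPLE.LAN}"                # placeholder realm
FIRST_DC_IP="${FIRST_DC_IP:-192.0.2.10}"     # placeholder, RFC 5737 range

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Finish one clone and join it as an additional DC. Never provision here:
# provisioning a clone would create a second, unrelated domain.
join_clone() {
    newname="$1"
    dnsdomain=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    run hostnamectl set-hostname "$newname"
    # The clone must resolve the realm through an existing DC before joining.
    run sh -c "printf 'nameserver %s\n' '$FIRST_DC_IP' > /etc/resolv.conf"
    run samba-tool domain join "$dnsdomain" DC -U administrator \
        --realm="$REALM" --dns-backend=SAMBA_INTERNAL
}

# Check after joining: run `samba-tool drs showrepl > <dcname>.txt` on each
# DC and pass the files here. The header of that output names the local
# DSA's object GUID and invocationId; every DC must report distinct values.
# Only the first occurrence per file is used, so the neighbour entries
# further down (which list the partners' GUIDs) are ignored. Prints each
# shared value with the files reporting it; exit status 1 if any were found.
find_duplicate_dc_ids() {
    awk '
        /^DSA (object GUID|invocationId): / {
            attr = $0; sub(/: .*/, "", attr)
            if ((FILENAME, attr) in got) next
            got[FILENAME, attr] = 1
            seen[$0] = seen[$0] FILENAME " "
            count[$0]++
        }
        END {
            bad = 0
            for (k in count) if (count[k] > 1) { print k " <- " seen[k]; bad = 1 }
            exit bad
        }' "$@"
}

# Constructed sample showrepl headers (NOT captured from real DCs): dc3 is
# what a clone of an already-joined dc2 looks like.
write_sample_showrepl() {
    dir=$(mktemp -d)
    printf '%s\n' 'Default-First-Site-Name\DC1' 'DSA Options: 0x00000001' \
        'DSA object GUID: 11111111-1111-4111-8111-111111111111' \
        'DSA invocationId: aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa' \
        '' '==== INBOUND NEIGHBORS ====' \
        '    DSA object GUID: 22222222-2222-4222-8222-222222222222' > "$dir/dc1.txt"
    printf '%s\n' 'Default-First-Site-Name\DC2' 'DSA Options: 0x00000001' \
        'DSA object GUID: 22222222-2222-4222-8222-222222222222' \
        'DSA invocationId: bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb' > "$dir/dc2.txt"
    printf '%s\n' 'Default-First-Site-Name\DC3' 'DSA Options: 0x00000001' \
        'DSA object GUID: 22222222-2222-4222-8222-222222222222' \
        'DSA invocationId: bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb' > "$dir/dc3.txt"
    printf '%s\n' "$dir"
}

# Usage on a fresh clone: JOIN_AS=dc2 REALM=... FIRST_DC_IP=... sh clone-dc.sh
# Without JOIN_AS the script only runs the identity check on the sample data.
if [ -n "${JOIN_AS:-}" ]; then
    join_clone "$JOIN_AS"
else
    sample=$(write_sample_showrepl)
    find_duplicate_dc_ids "$sample"/dc1.txt "$sample"/dc2.txt "$sample"/dc3.txt \
        || echo "duplicate DC identity found (expected for the sample: dc3 is a clone of dc2)"
fi
```

The identity check is the quick way to confirm the rebuild worked: a correctly joined clone gets its own DSA object GUID and invocationId during `samba-tool domain join`, whereas a clone taken after the join keeps the original's, which is what produces the replication and unique-index errors discussed in this thread.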
Krutskikh Ivan
2015-Oct-19 14:02 UTC
[Samba] unique index violation on objectSid on samba ad
Let me explain myself here. We ship video surveillance systems with built-in ad domain controllers on 2 servers. Right now we have 4 active projects and 3 more this year. Provisioning dc's by hand each time is a pain I would like to avoid. There's not much I want from a domain: groups 'video' and 'video admins' to exist, gpo's to auto redirect user profiles to network share and to prevent users from video and video admins group from windows login and some specific password age settings. But if I would have to do this manually for every new system... So please advise me how to make a template domain for this setup.

2015-10-19 16:33 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 19/10/15 14:07, Krutskikh Ivan wrote:
>
>> ok =( Guess I should repeat all the work from scratch. So just to check if
>> I got it right:
>>
>> 1) Create a new container. Provision an ad dc on it. Can I join some
>> machine
>> to apply some gpo's and to create users at this point? I'll delete it
>> afterwards
>
> Well NO, there is no point.
>
>> 2) Power down the container from 1) and use it as a template for every
>> other dc I need just by changing ip/dns
>
> NO, clone the container BEFORE you provision Samba, at this point you can
> use it as a template.
>
>> 3) Create another template for the second domain. Clone it and attach for
>> each new dc from 2)
>
> Why do you need different DCs? If they are all going to be in the same
> realm, you can use 'sites', if they aren't, then they need to be totally
> different DNS domains and realms. Speaking of which, all machines in a
> realm need to be using the same DNS domain, you seem to be using different
> domains on your original DCs (dc.office.mtt & bdc.tsnr.mtt)
>
>> Will this work? The dc's would work in different lan's.
>
> Don't recommend it.
>
> Rowland
>
>> 2015-10-19 15:39 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>
>>> Hello Ivan,
>>>
>>> On 19.10.2015 at 12:42, Krutskikh Ivan wrote:
>>>
>>>> I think, I've done something stupid here. At first I've created 2 lxc
>>>> containers and provisioned one as dc.office.mtt and joined second one to
>>>> the first ad bdc.tsnr.mtt.
>>>
>>> You should not name your DC something like "backup" (bdc). If the first
>>> one (dc) gets lost, you only have one. There's no primary, secondary,
>>> etc. in an AD.
>>>
>>> But this isn't your problem :-)
>>>
>>>> Then I've cloned those containers several times
>>>> and changed ip addresses and dns names of new containers to different
>>>> subnets.
>>>
>>> This was the mistake you made. Don't join and then clone! DCs have GUIDs
>>> inside the AD. If you change the name/IP after the join, you have two
>>> hosts with the same GUID in AD and you will of course get replication
>>> problems.
>>>
>>> Is this already in production or just with a large number of
>>> user/computers? If not, start from scratch. I think it's much less work
>>> and risk to prevent upcoming trouble in future.
>>>
>>> 1. Install first DC
>>> 2. Provision a domain on it
>>> 3. Install second DC as template (just install OS + Samba, but don't
>>> join!)
>>> 4. Clone your machine
>>> 5. Give the clone a new hostname and IP
>>> 6. Join the cloned machine to the domain
>>> 7. Repeat 4-6 for all DCs you want to create.
>>>
>>> Regards,
>>> Marc
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
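A scripted baseline for the "template domain" asked for above, as an added example that is not from this thread or from the Samba project. It follows Rowland's advice by giving each shipped system a freshly provisioned domain and re-applying the wanted settings by script instead of cloning a provisioned DC. It assumes the GPO holding the profile redirection and the logon-denial settings was authored once with GPMC in a reference domain and exported with `samba-tool gpo backup` (available in Samba 4.9 and later), that the realm and the password-age day values are placeholders, that the script runs as root on the new DC, and that `samba-tool gpo listall` prints `GPO : {guid}` / `display name : ...` blocks; the sample listall output is constructed, not taken from a real domain.

```shell
#!/bin/sh
# Added example, not from the thread. Turns a freshly provisioned domain
# into the baseline described above: groups, password ageing, and a GPO
# restored from a backup taken once in a reference domain, then linked.
# Assumptions (not from the thread): the GPO backup came from
# `samba-tool gpo backup` (Samba 4.9+); day values are placeholders; the
# script runs as root on the new DC. DRY_RUN=1 prints commands instead of
# running them.

REALM="${REALM:-EXAMPLE.LAN}"             # placeholder realm
GPO_NAME="${GPO_NAME:-Video profiles}"
MIN_PWD_AGE="${MIN_PWD_AGE:-1}"           # days, placeholder
MAX_PWD_AGE="${MAX_PWD_AGE:-90}"          # days, placeholder
PWD_HISTORY="${PWD_HISTORY:-12}"          # placeholder

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# EXAMPLE.LAN -> DC=example,DC=lan
base_dn_from_realm() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,DC=/g; s/^/DC=/'
}

# Reads `samba-tool gpo listall` output on stdin and prints the GUID of the
# GPO whose display name equals $1; exit status 1 if no such GPO exists.
gpo_guid_by_name() {
    awk -v want="$1" '
        /^GPO[ \t]*:/ { guid = $NF }
        /^display name[ \t]*:/ {
            name = $0; sub(/^display name[ \t]*:[ \t]*/, "", name)
            if (name == want) { print guid; found = 1; exit }
        }
        END { exit !found }'
}

# Everything the domain needs beyond `samba-tool domain provision`.
baseline_domain() {
    backup_dir="$1"    # directory written by `samba-tool gpo backup`
    base_dn=$(base_dn_from_realm "$REALM")
    run samba-tool group add video
    run samba-tool group add "video admins"
    run samba-tool domain passwordsettings set \
        --min-pwd-age="$MIN_PWD_AGE" --max-pwd-age="$MAX_PWD_AGE" \
        --history-length="$PWD_HISTORY"
    # The GPO content (profile redirection, logon denial) lives in the backup.
    run samba-tool gpo restore "$GPO_NAME" "$backup_dir" -U administrator
    if [ "${DRY_RUN:-0}" = "1" ]; then
        guid='{GUID-PRINTED-BY-GPO-RESTORE}'   # placeholder in dry runs
    else
        guid=$(samba-tool gpo listall -U administrator | gpo_guid_by_name "$GPO_NAME") \
            || { echo "GPO '$GPO_NAME' not found after restore" >&2; return 1; }
    fi
    run samba-tool gpo setlink "$base_dn" "$guid" -U administrator
}

# Constructed `samba-tool gpo listall` output (NOT from a real domain) to
# exercise the parser offline. The first GUID is the well-known Default
# Domain Policy; the second is made up.
sample_gpo_listall() {
    cat <<'EOF'
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\example.lan\sysvol\example.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=lan
version      : 0
flags        : NONE

GPO          : {12345678-ABCD-4321-8765-123456789ABC}
display name : Video profiles
path         : \\example.lan\sysvol\example.lan\Policies\{12345678-ABCD-4321-8765-123456789ABC}
dn           : CN={12345678-ABCD-4321-8765-123456789ABC},CN=Policies,CN=System,DC=example,DC=lan
version      : 3
flags        : NONE
EOF
}

# Usage on a new DC: GPO_BACKUP_DIR=/path/to/backup sh baseline.sh
# Without GPO_BACKUP_DIR the script only runs the parser on the sample.
if [ -n "${GPO_BACKUP_DIR:-}" ]; then
    baseline_domain "$GPO_BACKUP_DIR"
else
    sample_gpo_listall | gpo_guid_by_name "$GPO_NAME"
fi
```

Run it once per shipped system right after `samba-tool domain provision` on the first DC of that system; additional DCs for the same system are then joined, not provisioned, and pick the groups and GPO up through replication.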