Krutskikh Ivan
2015-Oct-19 14:02 UTC
[Samba] unique index violation on objectSid on samba ad
Let me explain myself here. We ship video surveillance systems with built-in AD domain controllers on 2 servers. Right now we have 4 active projects and 3 more this year. Provisioning DCs by hand each time is a pain I would like to avoid.

There's not much I want from a domain: groups 'video' and 'video admins' to exist, GPOs to auto-redirect user profiles to a network share and to prevent users from the video and video admins groups from Windows login, and some specific password age settings.

But if I would have to do this manually for every new system...

So please advise me how to make a template domain for this setup.

2015-10-19 16:33 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 19/10/15 14:07, Krutskikh Ivan wrote:
>> ok =( Guess I should repeat all the work from scratch. So just to check if I got it right:
>>
>> 1) Create a new container. Provision an AD DC on it. Can I join some machine to apply some GPOs and to create users at this point? I'll delete it afterwards
>
> Well NO, there is no point.
>
>> 2) Power down the container from 1) and use it as a template for every other DC I need just by changing IP/DNS
>
> NO, clone the container BEFORE you provision Samba, at this point you can use it as a template.
>
>> 3) Create another template for the second domain. Clone it and attach for each new DC from 2)
>
> Why do you need different DCs? If they are all going to be in the same realm, you can use 'sites', if they aren't, then they need to be totally different DNS domains and realms. Speaking of which, all machines in a realm need to be using the same DNS domain, you seem to be using different domains on your original DCs (dc.office.mtt & bdc.tsnr.mtt)
>
>> Will this work? The DCs would work in different LANs.
>
> Don't recommend it.
>
> Rowland
>
>> 2015-10-19 15:39 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>
>>> Hello Ivan,
>>>
>>> On 19.10.2015 at 12:42, Krutskikh Ivan wrote:
>>>> I think, I've done something stupid here. At first I've created 2 lxc containers and provisioned one as dc.office.mtt and joined second one to the first AD as bdc.tsnr.mtt.
>>>
>>> You should not name your DC something like "backup" (bdc). If the first one (dc) gets lost, you only have one. There's no primary, secondary, etc. in an AD.
>>>
>>> But this isn't your problem :-)
>>>
>>>> Then I've cloned those containers several times and changed IP addresses and DNS names of new containers to different subnets.
>>>
>>> This was the mistake you made. Don't join and then clone! DCs have GUIDs inside the AD. If you change the name/IP after the join, you have two hosts with the same GUID in AD and you will of course get replication problems.
>>>
>>> Is this already in production or just with a large number of users/computers? If not, start from scratch. I think it's much less work and risk to prevent upcoming trouble in future.
>>>
>>> 1. Install first DC
>>> 2. Provision a domain on it
>>> 3. Install second DC as template (just install OS + Samba, but don't join!)
>>> 4. Clone your machine
>>> 5. Give the clone a new hostname and IP
>>> 6. Join the cloned machine to the domain
>>> 7. Repeat 4-6 for all DCs you want to create.
>>>
>>> Regards,
>>> Marc
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2015-Oct-19 14:50 UTC
[Samba] unique index violation on objectSid on samba ad
Do you know scripts? Did you read a little bit about Samba? Kerberos? Keytab?

Yes, samba-tool domain provision takes time. On my VMs (almost the same concept as your containers (I feel like that had to be mentioned)) it takes something like 12 seconds. Almost the same for joining a DC to the domain.

I install my Samba domains using scripts. These scripts provision the first DC then join the others. Of course I wrote these scripts myself and that is time, or work, or both. So to achieve that you will have to work too. But be reassured: it is possible :)
Marc Muehlfeld
2015-Oct-19 15:13 UTC
[Samba] unique index violation on objectSid on samba ad
On 19.10.2015 at 16:02, Krutskikh Ivan wrote:
> Let me explain myself here. We ship video surveillance systems with built-in AD domain controllers on 2 servers. Right now we have 4 active projects and 3 more this year. Provisioning DCs by hand each time is a pain I would like to avoid.
>
> There's not much I want from a domain: groups 'video' and 'video admins' to exist, GPOs to auto-redirect user profiles to a network share and to prevent users from the video and video admins groups from Windows login, and some specific password age settings.

What is the reason to ship that system with a DC? I don't know your system, but usually this kind of equipment is something I want to _integrate_ into my network and not run it as a part that manages my network.

Why not make it a domain member or standalone system with local users?

> But if I would have to do this manually for every new system...

You can script very easily around samba-tool the provisioning, the join of the second DC, user/group creation, etc.

And if you really want to work with cloning, then provision the first, join the second, do all your changes, take a snapshot of both. Then you have the same setup again for the next customer. As long as the customers will never meet and two of your systems never come into the same network, it is no problem, because the domain would have the same name, SID, etc.

Regards,
Marc
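A scripted form of the sequence recommended in this thread (provision the first DC, customise it, then join clones that were taken before any provision or join), as an added example that is not code from the thread or from the Samba project. The realm, NetBIOS domain, the password-age value and the check on the Samba private directory are assumptions; the samba-tool invocations are the standard ones.

```shell
#!/bin/sh
# Added example (not from the thread): provision the first DC, customise it,
# and join clones. A clone is only accepted if it was taken BEFORE any
# provision/join, i.e. it carries no AD database yet.
# Assumed values (placeholders): realm, NetBIOS domain, Samba private dir.
REALM="${REALM:-EXAMPLE.LAN}"
DOMAIN="${DOMAIN:-EXAMPLE}"
SAMBA_PRIVATE="${SAMBA_PRIVATE:-/var/lib/samba/private}"

# Once sam.ldb or secrets.ldb exists the host already carries its DC GUID and
# SIDs; every clone taken after that point would share them and collide in AD
# (the objectSid unique-index violation in the subject).
template_is_clean() {
    [ ! -e "$1/sam.ldb" ] && [ ! -e "$1/secrets.ldb" ]
}

# samba-tool command line for the first DC ($1 = Administrator password).
provision_cmd() {
    printf 'samba-tool domain provision --use-rfc2307 --realm=%s --domain=%s' "$REALM" "$DOMAIN"
    printf ' --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=%s\n' "$1"
}

# samba-tool command line for a clone that already has its own hostname/IP.
# The password is visible in process listings this way; interactively, drop
# the %password part and let samba-tool prompt instead.
join_cmd() {
    printf 'samba-tool domain join %s DC -U administrator%%%s --dns-backend=SAMBA_INTERNAL\n' "$REALM" "$1"
}

# The customisation asked for in the thread: two groups and a maximum
# password age ($1 = days). Profile-redirect GPOs are left to GPO tooling.
customise_cmds() {
    printf 'samba-tool group add video\n'
    printf 'samba-tool group add "video admins"\n'
    printf 'samba-tool domain passwordsettings set --max-pwd-age=%s\n' "$1"
}

# Usage: ./dc-setup.sh first <adminpass>   (on the first DC)
#        ./dc-setup.sh clone <adminpass>   (on each renamed clone)
run_role() {
    case "$1" in
        first) template_is_clean "$SAMBA_PRIVATE" || { echo "already provisioned" >&2; return 1; }
               provision_cmd "$2" | sh && customise_cmds 90 | sh ;;
        clone) template_is_clean "$SAMBA_PRIVATE" || { echo "clone was taken after join, refusing" >&2; return 1; }
               join_cmd "$2" | sh ;;
        *)     echo "usage: $0 first|clone <adminpass>" >&2; return 2 ;;
    esac
}
if [ -n "${1:-}" ]; then run_role "$@"; fi
```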
Krutskikh Ivan
2015-Oct-19 15:23 UTC
[Samba] unique index violation on objectSid on samba ad
> And if you really want to work with cloning, then provision the first, join the second, do all your changes, take a snapshot of both. Then you have the same setup again for the next customer. As long as the customers will never meet and two of your systems never come into the same network, it is no problem, because the domain would have the same name, SID, etc.

I did more or less so and it resulted in the subj problem. I guess some experiments are needed.