There is an option --server=<some DC> to force usage of <some DC> to
synchronize with during demote, replacing the auto-find of a working DC.
This option is also available for samba-tool domain join, to force usage of a
specific DC at join time. This one is very useful during a join following a
restoration (at least in my own case).
2016-02-09 15:11 GMT+01:00 mathias dufresne <infractory at gmail.com>:
> Hi all,
>
> Context: Samba 4.3.3 as AD domain.
>
> These days my main work is on backup / restore. Both worked well
> after spotting hard links into $samba/private/dns/sam.ldb.d (thanks to the
> wiki :)
>
> All the following is how I see things related to restoring a domain from
> backup, that's not The Truth. All comments would be welcomed.
>
> a- prerequisites
> For me when restoring a database we must shut down all other DCs, or at least
> shut down the Samba services on them, then we can restore data and start one DC.
>
> b- restore (status after)
> This one DC started is using a database which contains all other DCs, all
> DCs declared at backup time, but we still have only one working DC, the one
> we restored.
>
> c- rebuild a working domain
> Next step is to re-join all other DCs. Here a join is needed and not only
> a restart of the Samba service to force our DCs to use the same DB, the one
> from the DC we restored.
>
> First if you disagree with that, please tell me (and tell me why :p)
>
> This process is almost working: some DCs still refuse to synchronize after
> join, sometimes refuse to join... little issues which seem to be
> auto-solvable: mostly restarting the broken command (sometimes after a
> reboot) solves the issue.
>
> So why do I post?
>
> I've got one DC which refuses to join correctly even after reboot, even
> using a brand new VM.
> I finally tried to demote that DC before re-joining it.
>
> And here is the strange thing: Samba tries to connect to a non-working DC to
> demote itself, which means there is no test of whether the remote DC is
> working before trying to deal with it.
>
> The process to choose a DC from the Windows client side is to use some _ldap
> SRV record, potentially redo that search including the AD site to get an
> answer related to our AD site only, then, using the received list of DCs, the
> Windows client sends an LDAP request (some simple one) to every DC to find one
> which replies to that LDAP request.
>
> It seems this process of finding a working DC is missing at least when
> trying a demote...
>
> Best regards,
>
> mathias
>
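As an added example (not code from Samba or from anyone in this thread), here is the locator logic the post describes, written in Python: order the _ldap SRV records the way RFC 2782 says, send a minimal anonymous rootDSE search to each DC, and hand the first one that really answers to samba-tool's --server option. The SRV answers and hostnames are constructed, and the DNS lookup itself is left to you (the record to query is `_ldap._tcp.dc._msdcs.<domain>`, or the site-scoped `_ldap._tcp.<site>._sites.dc._msdcs.<domain>`); the probe timeout is an assumption.

```python
import random
import socket
# Constructed SRV answers for _ldap._tcp.dc._msdcs.<domain>: (priority, weight, port, target)
SAMPLE_SRV = [(0, 100, 389, "dc1.example.lan"), (0, 100, 389, "dc2.example.lan"), (10, 50, 389, "dc3.example.lan")]
# Anonymous LDAP SearchRequest (hand-encoded BER): rootDSE, base scope, attribute currentTime
ROOTDSE_PROBE = (b"\x30\x32\x02\x01\x01\x63\x2d\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00"
                 b"\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass\x30\x0d\x04\x0bcurrentTime")

def order_srv(records, rng=random.random):
    """RFC 2782 order: lowest priority first, weighted random within one priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            pick, acc, chosen = rng() * sum(r[1] for r in group), 0, None
            for r in group:
                acc += r[1]
                if pick < acc:
                    chosen = r
                    break
            chosen = chosen or group[0]  # all weights zero: any order is fine
            ordered.append((chosen[3], chosen[2]))
            group.remove(chosen)
    return ordered

def _ldap_op_tag(reply):
    """Tag of the protocolOp inside an LDAPMessage, or None if reply is not one."""
    if len(reply) < 2 or reply[0] != 0x30:
        return None
    i = 2 + ((reply[1] & 0x7F) if reply[1] & 0x80 else 0)  # skip the outer length
    i += 2 + reply[i + 1] if reply[i:i + 1] == b"\x02" else len(reply)  # skip messageID
    return reply[i] if i < len(reply) else None

def ldap_rootdse_alive(host, port, timeout=3.0):
    """True only if the DC answers the rootDSE search (SearchResultEntry/Done)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(ROOTDSE_PROBE)
            return _ldap_op_tag(s.recv(4096)) in (0x64, 0x65)
    except OSError:
        return False

def find_working_dc(records, probe=ldap_rootdse_alive, rng=random.random):
    """First DC in SRV order that really answers LDAP, or None if none does."""
    for host, port in order_srv(records, rng):
        if probe(host, port):
            return host

def demote_command(records, **kw):  # None when nothing answered: do not guess a DC
    return None if (dc := find_working_dc(records, **kw)) is None else ["samba-tool", "domain", "demote", "--server=" + dc]
```

The same host can be passed as --server to samba-tool domain join; a DC that merely accepts the TCP connection but never answers the search is skipped, which is the check the post says demote is missing.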