samba - Feb 2016 - DC validity test needed?

Hi all,

Context: Samba 4.3.3 as AD domain.

These days main work is to work on backup / restore. Both worked well after
spotting hard links into $samba/private/dns/sam.ldb.d (thanks to the wiki :)

All the following is how I see things related to restore a domain from
backup, that's not The Truth. All comments would be welcomed.

a- prerequisites
For me when restoring a database we must shutdown all others DC, at least
shutdown Samba services on them, then we can restore data and start one DC.

b- restore (status after)
This one DC started is using a database which contains all others DC, all
DC declared at backup time, but we still have only one working DC, the one
we restored.

c- rebuild a working domain
Next step is to re-join all others DC. Here a join is needed and not only a
restart of Samba service to force our DCs to use the same DB, the one from
the DC we restored.

First if you disagree with that, please tell me (and tell me why :p)

This process is almost working: some DC still refuse to synchronize after
join, sometimes refuse to join... little issues which seem to be
auto-solvable: mostly restarting the broken command (sometimes after a
reboot) is solving the issue.

So why do I post?

I've got one DC which refuse to join correctly even after reboot, even
using a brand new VM.
I finally tried to demote that DC before re-join it.

And here is the strange thing: Samba tries to connect on non-working DC to
demote itself, which means there is no test of how is working remote DC
before trying to deal with.

Process to chose a DC from Windows client side is to use some _ldap SRV
record, potentially redo that search including AD site to get answer
related to our AD Site only, then using the received list of DC Windows
client send LDAP reaquest (some simple one) to every DC to find one which
replies to that LDAP request.

It seems this process of finding a working DC is missing at least when
trying a demote...

Best regards,

mathias

There is an optino --server=<some DC> to force usage of <some DC>
for
synchronize with during demote, replacing auto-find of a working DC.

This option is also available for samba-tool domain join, to force usage of
specific DC at join time. This one is very useful during join following
restoration (at least in my own case)

2016-02-09 15:11 GMT+01:00 mathias dufresne <infractory at gmail.com>:
> Hi all,
>
> Context: Samba 4.3.3 as AD domain.
>
> These days main work is to work on backup / restore. Both worked well
> after spotting hard links into $samba/private/dns/sam.ldb.d (thanks to the
> wiki :)
>
> All the following is how I see things related to restore a domain from
> backup, that's not The Truth. All comments would be welcomed.
>
> a- prerequisites
> For me when restoring a database we must shutdown all others DC, at least
> shutdown Samba services on them, then we can restore data and start one DC.
>
> b- restore (status after)
> This one DC started is using a database which contains all others DC, all
> DC declared at backup time, but we still have only one working DC, the one
> we restored.
>
> c- rebuild a working domain
> Next step is to re-join all others DC. Here a join is needed and not only
> a restart of Samba service to force our DCs to use the same DB, the one
> from the DC we restored.
>
> First if you disagree with that, please tell me (and tell me why :p)
>
> This process is almost working: some DC still refuse to synchronize after
> join, sometimes refuse to join... little issues which seem to be
> auto-solvable: mostly restarting the broken command (sometimes after a
> reboot) is solving the issue.
>
> So why do I post?
>
> I've got one DC which refuse to join correctly even after reboot, even
> using a brand new VM.
> I finally tried to demote that DC before re-join it.
>
> And here is the strange thing: Samba tries to connect on non-working DC to
> demote itself, which means there is no test of how is working remote DC
> before trying to deal with.
>
> Process to chose a DC from Windows client side is to use some _ldap SRV
> record, potentially redo that search including AD site to get answer
> related to our AD Site only, then using the received list of DC Windows
> client send LDAP reaquest (some simple one) to every DC to find one which
> replies to that LDAP request.
>
> It seems this process of finding a working DC is missing at least when
> trying a demote...
>
> Best regards,
>
> mathias
>