Thx mathias for your reply

First, yes I'm using internal DNS. I just tried to add new DNS from another DC but it doesn't work; I think the (maybe) corrupted DNS data already synced to the other DC.

And I still run my samba4 installation, because so far the only problem is that I can't add a new DNS record.

In other case I found out one of my team just reinstalled 2 samba4 servers in site offices with a different AD domain without demoting first .. I don't know if this issue is related to my DNS problem ..

Is this the only DC involved in that issue? If yes I would stop the service on that DC to avoid contamination of others (I don't know if this issue can propagate but I'm sure I would learn if it is in prod ;)

In prod, what you really want is your AD works. No matter which DC is FSMO nor if some DC get reinstalled. Remove the DC from your AD to limit risks, investigate later if you want to, repair first but repair AD, not the DC.

Then I must admit you have AD as you speak DNS.
Perhaps you are running internal DNS, in that case you can only push DNS modification on DC declared as SOA in LDAP DB. If broken DC is SOA, it is also certainly FSMO, move FSMO and SOA on some other host (you can stop broken DC first, no matter).

If you are running BIND9_DLZ DNS back end you can simply change your clients DNS resolver to use another DC, as Bind + DLZ knows it can modify its DB (its zones) every DC using Bind + DLZ as DNS back end would reply they are SOA and so they all will accept DNS modification requests.

Cheers,

mathias

2016-06-13 9:29 GMT+02:00 bentunx <bentunx at gmail.com>:

dear all

I have a problem with my samba4 installation.
Currently we are still using samba 4.1.11.
We have about 30 site offices which are connected to the head office by VPN with 1 mbps.
I have 2 DC in head office and have one DC in every site office.

Since yesterday I found out that on one of my DC in head office, the Main DC (the DC that we make as first DNS in other DC in head office of site office), we can't add a new DNS entry. Then I tried dbcheck --cross-ncs --fix --yes, and dbcheck --reindex, and still I can't add a new DNS entry.

    Password for [administrator at Domain.CO.ID]:
    ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 1067, in run
        0, server, zone, name, add_rec_buf, None)

And today I found out the samba process takes 100% of my CPU usage ..
Can anyone here help me and give me some hint?

Zhia

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Oki Doki. First the fact you can't add new DNS entry in your DNS zones is not a blocking point to remove a DC. It's a blocking point to add new entries. Now you are the one deciding if you would remove it or not, but seriously, for me that's not a reason to keep it up and running: you can replace it by another DC which will do exactly the same job and if you are lucky enough you would be able to add new DNS entries again.

Anyway, several questions now:
1 - what command are you launching to update your DNS? What are error messages?
2 - what are the DNS names of new entry which refuse to be added? Same question for the two DC your colleague removed from AD?
3 - what version of Samba are you running? New versions include a command switch to remove DC from AD database from another DC. In other words you could clean up the database from old DC entries.
4 - what gives the following commands? And what are DNS name and IP of your FSMO owner?

    samba-tool dns query dc200 AD.DOMAIN.TLD AD.DOMAIN.TLD SOA
    samba-tool dns query dc200 _msdcs.AD.DOMAIN.TLD _msdcs.AD.DOMAIN.TLD SOA

2016-06-14 3:47 GMT+02:00 bentunx <bentunx at gmail.com>:
> Thx mathias for your reply

hi mathias

let me confirm your statement
so.. you think if we demote those 2 DC servers that are already offline, the DNS will be running well?

well, if this is one of the options we have, I will consider upgrading our FSMO DC from samba 4.1.X to 4.4.x. By the way, are there any considerations if we update samba directly from 4.1 to 4.4?

let me answer some of your questions

*1 - what command are you launching to update your DNS? What are error messages?*
*2 - what are the DNS names of new entry which refuse to be added? Same question for the two DC your colleague removed from AD?*

    # samba-tool dns add pdc domain.co.id milis A 172.16.99.49
    Password for [administrator at domain.CO.ID]:
    ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 1067, in run
        0, server, zone, name, add_rec_buf, None)

*3 - what version of Samba are you running?*
4.1

>> New versions include a command switch to remove DC from AD database from another DC. In others words you could cleanup database from old DC entries.
yes I will try this,

*4 - what gives the following commands? And what are DNS name and IP of your FSMO owner?*

    DNS : pdc.domain.co.id
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
    SchemaMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id

TIA
Zhia

On 14/06/2016 15:36, mathias dufresne wrote:
> Oki Doki. First the fact you can't add new DNS entry in your DNS zones
> is not a blocking point to remove a DC.
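
Added example, not part of the thread and not Samba project code: a small parser for the role-owner listing quoted in the last message (the format `samba-tool fsmo show` prints), reporting which FSMO roles sit on a given DC and so have to move before that DC is removed from the AD. The sample input is constructed; host `DC2` and site `Site-A` are hypothetical.

```python
import re

# Constructed sample in the role-owner format quoted in the thread.
# Host DC2 and site Site-A are hypothetical; the first two lines carry the
# "/" italic debris a mail client leaves around pasted output.
_DN = "CN=NTDS Settings,CN={srv},CN=Servers,CN={site},CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id"
_PDC = _DN.format(srv="PDC", site="Default-First-Site-Name")
SAMPLE = "\n".join([
    "/DNS : pdc.domain.co.id //",
    "//InfrastructureMasterRole owner: " + _PDC + "//",
    "RidAllocationMasterRole owner: " + _PDC,
    "PdcEmulationMasterRole owner: " + _PDC,
    "DomainNamingMasterRole owner: " + _DN.format(srv="DC2", site="Site-A"),
    "SchemaMasterRole owner: " + _PDC,
])

ROLE_LINE = re.compile(r"^(\w+Role) owner:\s*(.+)$")

def split_dn(dn):
    """Split a DN on unescaped commas into (ATTR, value) pairs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def parse_fsmo(text):
    """Map each FSMO role to the (server, site) named in its NTDS Settings DN."""
    owners = {}
    for raw in text.splitlines():
        m = ROLE_LINE.match(raw.strip(" /"))  # drop mail-client "/" markers
        if not m:
            continue  # not a role line, e.g. the "DNS :" line
        rdns = split_dn(m.group(2))
        # Expected: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        values = [v.lower() for _, v in rdns[:5]]
        if len(values) < 5 or (values[0], values[2], values[4]) != ("ntds settings", "servers", "sites"):
            raise ValueError("unexpected owner DN for %s: %s" % (m.group(1), m.group(2)))
        owners[m.group(1)] = (rdns[1][1], rdns[3][1])
    return owners

def roles_held_by(owners, dc):
    """Roles that must move to another DC before `dc` is removed from the AD."""
    return sorted(role for role, (srv, _) in owners.items() if srv.lower() == dc.lower())

if __name__ == "__main__":
    owners = parse_fsmo(SAMPLE)
    for dc in sorted({srv for srv, _ in owners.values()}):
        print(dc, roles_held_by(owners, dc))
```

An owner DN that does not have the `NTDS Settings` / `Servers` / `Sites` shape raises `ValueError` instead of being silently attributed to a server.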