hi mathias

let me confirm your statement
so.. you think if we demote those 2 DC server that already offline, the DNS will be running well
well if this is one of option we have, i will consider to upgrade our FSMO DC from samba 4.1.X to 4.4.x , by the way, are there any consideration if we update samba directly from 4.1 to 4.4 ?

let me answer some of your question
*1 - what command are you launching to update your DNS? What are error messages?*
*2 - what are the DNS names of new entry which refuse to be added? Same question for the two DC your colleague removed from AD?*

    # samba-tool dns add pdc domain.co.id milis A 172.16.99.49
    Password for [administrator at domain.CO.ID]:
    ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 1067, in run
        0, server, zone, name, add_rec_buf, None)

*3 - what version of Samba are you running?* 4.1 >> New versions include a command switch to remove DC from AD database from another DC. In others words you could cleanup database from old DC entries.
yes i will try this,

*4 - what gives the following commands? And what are DNS name and IP of your FSMO owner?*

    DNS : pdc.domain.co.id
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
    SchemaMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id

TIA
Zhia

On 14/06/2016 15:36, mathias dufresne wrote:
> Oki Doki. First the fact you can't add new DNS entry in your DNS zones
> is not a blocking point to remove a DC. It's a blocking point to add
> new entries. Now you are the one deciding if you would remove it or
> not, but seriously, for me that's not a reason to keep up it running:
> you can replace it by another DC which will do exactly the same job
> and if you are lucky enough you would be able to add new DNS entries
> again.
>
> Anyway, several questions now:
> 1 - what command are you launching to update your DNS? What are error
> messages?
> 2 - what are the DNS names of new entry which refuse to be added? Same
> question for the two DC your colleague removed from AD?
> 3 - what version of Samba are you running? New versions include a
> command switch to remove DC from AD database from another DC. In
> others words you could cleanup database from old DC entries.
> 4 - what gives the following commands? And what are DNS name and IP
> of your FSMO owner?
> samba-tool dns query dc200 AD.DOMAIN.TLD AD.DOMAIN.TLD SOA
> samba-tool dns query dc200 _msdcs.AD.DOMAIN.TLD _msdcs.AD.DOMAIN.TLD SOA
>
> 2016-06-14 3:47 GMT+02:00 bentunx <bentunx at gmail.com>:
>
> Thx mathias for your reply
>
> First, yes I'm using internal DNS, i just try to add new dns from
> other dc but it doesn't work, i think the (maybe) corrupted dns
> data already sync to other dc
>
> And i still run my samba4 installation, because so far the only
> problem is, i can't add new dns record
>
> In other case i found up one of my team just re install 2 samba4
> server in site office with different AD domain without demote
> first .. i dont know if this issue related to my dns problem ..
>
> Is this the only DC involved in that issue? If yes I would stop
> the service on that DC to avoid contamination of others (I don't
> know if this issue can propagate but I'm sure I would learn if it
> is in prod ;)
>
> In prod, what you really want is your AD works. No matter which DC
> is FSMO nor if some DC get reinstalled. Remove the DC from your AD
> to limit risks, investigate later if you want to, repair first but
> repair AD, not the DC.
>
> Then I must admit you have AD as you speak DNS.
> Perhaps you are running internal DNS, in that case you can only
> push DNS modification on DC declared as SOA in LDAP DB. If broken
> DC is SOA, it is also certainly FSMO, move FSMO and SOA on some
> other host (you can stop broken DC first, no matter).
>
> If you are running BIND9_DLZ DNS back end you can simply change
> your clients DNS resolver to use another DC, as Bind + DLZ knows
> it can modify its DB (its zones) every DC using Bind + DLZ as DNS
> back end would reply they are SOA and so they all will accept DNS
> modification requests.
>
> Cheers,
>
> mathias
>
> 2016-06-13 9:29 GMT+02:00 bentunx <bentunx at gmail.com>:
>
> dear all
>
> i have problem with my samba4 installation
> currently we still using samba 4.1.11
> we have many about 30 site office who is connected to the head
> office by Vpn with 1 mbps
> i have 2 DC in head office and have one DC in every Site office
>
> since yesterday i found out in my one of my DC in head office, the
> Main DC (the DC that we make as first DNS in other DC in head office
> of site office) , we can't add new DNS entry, then i try to dbcheck
> --cross-ncs --fix --yes , and dbcheck --reindex
> and still i can't add new DNS Entry
>
>     Password for [administrator at Domain.CO.ID]:
>     ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>       File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>         return self.run(*args, **kwargs)
>       File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 1067, in run
>         0, server, zone, name, add_rec_buf, None)
>
> and today i found up samba process take 100% of my CPU usage ..
> can anyone here help me to give me some hint ?
>
> Zhia
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 15/06/16 10:14, bentunx wrote:
> hi mathias
>
> let me confirm your statement
> so.. you think if we demote those 2 DC server that already offline,
> the DNS will be running well
> well if this is one of option we have, i will consider to upgrade our
> FSMO DC from samba 4.1.X to 4.4.x , by the way, are there any
> consideration if we update samba directly from 4.1 to 4.4 ?
>
> let me answer some of your question
> *1 - what command are you launching to update your DNS? What are error
> messages?*
> *2 - what are the DNS names of new entry which refuse to be added?
> Same question for the two DC your colleague removed from AD?*
>
>     # samba-tool dns add pdc domain.co.id milis A 172.16.99.49
>     Password for [administrator at domain.CO.ID]:
>     ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>       File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>         return self.run(*args, **kwargs)
>       File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 1067, in run
>         0, server, zone, name, add_rec_buf, None)
>
> *3 - what version of Samba are you running?* 4.1 >> New versions
> include a command switch to remove DC from AD database from another
> DC. In others words you could cleanup database from old DC entries.
> yes i will try this,
>
> *4 - what gives the following commands? And what are DNS name and IP
> of your FSMO owner?*
>
>     DNS : pdc.domain.co.id
>     InfrastructureMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>     RidAllocationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>     PdcEmulationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>     DomainNamingMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>     SchemaMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>
> TIA
> Zhia

There should be no problem with upgrading to 4.4.4, in fact there could be several benefits including a much improved samba-tool fsmo code, this will show you all the fsmo role owners:

    SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
    ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

But, you should always backup Samba before upgrading.

Rowland

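An added example, not part of the thread and not Samba's own code: a small parser for role-owner listings in the format quoted above, which reports roles absent from the listing and roles still held by a DC that is about to be removed. The function names, the sample text and the DC25 owner in it are constructed for illustration.

```python
import re

# Role names as they appear in the seven-role 4.4.4 listing quoted in this thread.
EXPECTED_ROLES = {
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
}

# "<Role> owner: CN=NTDS Settings,CN=<server>,CN=Servers,..."
OWNER_RE = re.compile(
    r"^\s*(\w+Role) owner:\s*CN=NTDS Settings,CN=([^,]+),CN=Servers,")

def parse_fsmo_show(text):
    """Map each role name to the upper-cased server CN that owns it."""
    owners = {}
    for line in text.splitlines():
        match = OWNER_RE.match(line)
        if match:
            owners[match.group(1)] = match.group(2).upper()
    return owners

def audit(text, dcs_to_remove):
    """Summarise a role listing before dead DCs are removed from the directory."""
    owners = parse_fsmo_show(text)
    doomed = {name.upper() for name in dcs_to_remove}
    return {
        # Not printed in this listing (the 4.1 listing above shows only five roles).
        "missing": sorted(EXPECTED_ROLES - owners.keys()),
        # Roles that must be moved first: their owner is on the removal list.
        "blocked": sorted(r for r, o in owners.items() if o in doomed),
        "owners": sorted(set(owners.values())),
    }

# Constructed sample in the five-role layout; the DC25 owner is invented.
_DN = ("CN=NTDS Settings,CN={},CN=Servers,CN=Default-First-Site-Name,"
       "CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com")
SAMPLE = "\n".join([
    "SchemaMasterRole owner: " + _DN.format("DC25"),
    "InfrastructureMasterRole owner: " + _DN.format("PDC"),
    "RidAllocationMasterRole owner: " + _DN.format("PDC"),
    "PdcEmulationMasterRole owner: " + _DN.format("PDC"),
    "DomainNamingMasterRole owner: " + _DN.format("PDC"),
])

if __name__ == "__main__":
    for key, value in audit(SAMPLE, ["dc25"]).items():
        print(key, value)
```
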
Thx for your advice

> There should be no problem with upgrading to 4.4.4, in fact there
> could be several benefits including a much improved samba-tool fsmo
> code, this will show you all the fsmo role owners:
>
>     SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> But, you should always backup Samba before upgrading.
>
> Rowland

dear Rowland and mathias

i already upgrade samba server version to 4.4.4
i have demote 3 of 4 offline dc successfully
one dc that i can't demote shown this error message

    [root at pdc ~]# samba-tool domain demote --remove-other-dead-server=dc25
    ERROR: Demote failed: DemoteException: dc25 is not an AD DC in domain.co.id
    A transaction is still active in ldb context [0x1c11b00] on tdb:///usr/local/samba/private/sam.ldb

i still can't change my DNS
i have another suspect, maybe it caused by authority problem ? because error message while deleting DNS by RSAT

    "the record cannot be deleted, The Local Security Authority Database Contains an internal inconsistency"

On 15/06/2016 18:02, Rowland penny wrote:
> On 15/06/16 10:14, bentunx wrote:
>> hi mathias
>>
>> let me confirm your statement
>> so.. you think if we demote those 2 DC server that already offline,
>> the DNS will be running well
>> well if this is one of option we have, i will consider to upgrade our
>> FSMO DC from samba 4.1.X to 4.4.x , by the way, are there any
>> consideration if we update samba directly from 4.1 to 4.4 ?
>>
>> let me answer some of your question
>> *1 - what command are you launching to update your DNS? What are
>> error messages?*
>> *2 - what are the DNS names of new entry which refuse to be added?
>> Same question for the two DC your colleague removed from AD?*
>>
>>     # samba-tool dns add pdc domain.co.id milis A 172.16.99.49
>>     Password for [administrator at domain.CO.ID]:
>>     ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>>       File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>         return self.run(*args, **kwargs)
>>       File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 1067, in run
>>         0, server, zone, name, add_rec_buf, None)
>>
>> *3 - what version of Samba are you running?* 4.1 >> New versions
>> include a command switch to remove DC from AD database from another
>> DC. In others words you could cleanup database from old DC entries.
>> yes i will try this,
>>
>> *4 - what gives the following commands? And what are DNS name and IP
>> of your FSMO owner?*
>>
>>     DNS : pdc.domain.co.id
>>     InfrastructureMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>>     RidAllocationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>>     PdcEmulationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>>     DomainNamingMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>>     SchemaMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
>>
>> TIA
>> Zhia
>
> There should be no problem with upgrading to 4.4.4, in fact there
> could be several benefits including a much improved samba-tool fsmo
> code, this will show you all the fsmo role owners:
>
>     SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>     ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> But, you should always backup Samba before upgrading.
>
> Rowland