Paul R. Ganci
2016-Sep-11 16:38 UTC
[Samba] How to Migrate Samba AD from one server to another
On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
> On Sun, 11 Sep 2016 00:48:09 -0600
> "Paul R. Ganci via samba" <samba at lists.samba.org> wrote:
>> essentially do what I want? Basically clone the AD on another server.
>> Then is it as easy as joining the new server to the domain and then
>> demoting the old server? How do others do this task?
> If you just want to replace a DC with another DC, then you only need to
> add the new DC to the domain, let replication do its thing, transfer
> any FSMO roles from the old DC to the new DC, demote old DC and then
> turn off the old DC.

Rowland, thanks for your reply. What you describe is pretty simple in principle. It is the details about which I am confused. There are 3 aspects of a Samba 4 AD that have to be properly set up for the AD to function correctly. Namely the Samba configuration, Kerberos and DNS. If any of these are incorrectly configured the AD will not function. So here are my questions regarding the details of what you describe.

0.) Back up the old DC.

1.) I assume two of the preparation steps would be to point the new DC DNS (/etc/resolv.conf) to the old DC server DNS and then take the smb.conf configuration from the old DC and move to the new DC. Is that correct?

2.) After the preparation step in 1, is it sufficient to just issue

    > samba-tool domain join mydom.example.com DC -Uadministrator --realm=MYDOM.EXAMPLE.COM --dns-backend=BIND9_DLZ

to get the AD added to the domain and replication to occur?

3.) What will actually get replicated? From what I could sketch together from the web the DNS will be moved. I know how to handle that but are there any entries that have to be manually added as indicated from some web sites I have found?

4.) What about the Kerberos configuration? Do I configure Kerberos on the new DC as it was on the old DC? Does that happen at step 1 and then do the samba-tool join, or does replication take care of the keytab files and config?

5.) Do I have to manually set the sysvol ACLs via:

    > samba-tool ntacl sysvolreset

as suggested by some sites?

6.) Transfer FSMO roles

7.) Demote old DC

8.) Anything else I am missing?

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
Rowland Penny
2016-Sep-11 17:20 UTC
[Samba] How to Migrate Samba AD from one server to another
See inline comments:

On Sun, 11 Sep 2016 10:38:22 -0600
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
> > On Sun, 11 Sep 2016 00:48:09 -0600
> > "Paul R. Ganci via samba" <samba at lists.samba.org> wrote:
> >> essentially do what I want? Basically clone the AD on another
> >> server. Then is it as easy as joining the new server to the domain
> >> and then demoting the old server? How do others do this task?
> > If you just want to replace a DC with another DC, then you only
> > need to add the new DC to the domain, let replication do its thing,
> > transfer any FSMO roles from the old DC to the new DC, demote old
> > DC and then turn off the old DC.
> Rowland, thanks for your reply. What you describe is pretty simple in
> principle. It is the details about which I am confused. There are 3
> aspects of a Samba 4 AD that have to be properly set up for the AD to
> function correctly. Namely the Samba configuration, Kerberos and DNS.
> If any of these are incorrectly configured the AD will not function.
> So here are my questions regarding the details of what you describe.
>
> 0.) Back up the old DC.

Well, yes, just in case.

> 1.) I assume two of the preparation steps would be to point the new
> DC DNS (/etc/resolv.conf) to the old DC server DNS

Possibly, it just needs to point to a DC in the domain, and if you only have one.....

> and then take the
> smb.conf configuration from the old DC and move to the new DC.

No, definitely NO. The join will create a new one.

> 2.) After the preparation step in 1, is it sufficient to just issue
>
>     > samba-tool domain join mydom.example.com DC -Uadministrator
>     --realm=MYDOM.EXAMPLE.COM --dns-backend=BIND9_DLZ
>
> to get the AD added to the domain and replication to occur?

Yes, it will become just another DC.

> 3.) What will actually get replicated? From what I could sketch
> together from the web the DNS will be moved. I know how to handle
> that but are there any entries that have to be manually added as
> indicated from some web sites I have found?

Everything should get created except for a few DNS objects, and these will get created the first time samba is started, but there is a gotcha: it needs to use the computer's Kerberos ticket to do this, so you need to change /etc/resolv.conf to point to itself before you start samba. Once everything is correct and all DNS objects exist, you can reset /etc/resolv.conf.

> 4.) What about the Kerberos configuration? Do I configure Kerberos on
> the new DC as it was on the old DC? Does that happen at step 1 and
> then do the samba-tool join, or does replication take care of the
> keytab files and config?

You will need to create /etc/krb5.conf before running the join command, it needs to look just like this:

    [libdefaults]
        default_realm = <PUT YOUR REALM HERE>
        dns_lookup_realm = false
        dns_lookup_kdc = true

> 5.) Do I have to manually set the sysvol ACLs via:
>
>     > samba-tool ntacl sysvolreset
>
> as suggested by some sites?

Good point and something I missed, you will need to sync sysvol from the old DC to the new one and then run 'samba-tool ntacl sysvolreset', or you could use 'osync', see here for info:

https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround

> 6.) Transfer FSMO roles
>
> 7.) Demote old DC
>
> 8.) Anything else I am missing?
>

Not that I can think of, but if I have missed anything, somebody is bound to point it out ;-)

Rowland
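The two files the reply above says must be right before and after the join are easy to get subtly wrong, so here is an added pre-flight check (example code written for this page, not from the thread or from the Samba project). It parses a minimal /etc/krb5.conf and compares it against the three [libdefaults] settings Rowland gives, and it checks which DC /etc/resolv.conf points at for each phase of the procedure: an existing DC for the `samba-tool domain join`, the new DC itself for the first `samba` start so the remaining DNS objects can be created with its own Kerberos ticket. The realm, the IP addresses and the sample file contents are constructed for the example.

```python
# Added example (not from the thread or the Samba project): pre-flight checks
# for /etc/krb5.conf and /etc/resolv.conf on a DC about to be joined.
# The realm, IP addresses and sample file contents below are constructed.
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Flat krb5.conf text -> {section: {key: value}} (enough for the minimal file)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def check_krb5_conf(text, realm):
    """Problems relative to the three-line [libdefaults] file needed for the join."""
    lib = parse_krb5_conf(text).get("libdefaults", {})
    problems = []
    got = lib.get("default_realm", "")
    if got != realm:
        problems.append(f"default_realm is {got!r}, expected {realm!r}")
    if got and got != got.upper():
        problems.append("default_realm must be upper case")
    if lib.get("dns_lookup_realm", "").lower() != "false":
        problems.append("dns_lookup_realm must be false")
    if lib.get("dns_lookup_kdc", "").lower() != "true":
        problems.append("dns_lookup_kdc must be true")
    return problems


def nameservers(text):
    """nameserver entries from resolv.conf text, in the order the resolver tries them."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def check_resolv_conf(text, phase, self_ip, existing_dc_ips):
    """Where the new DC's resolver must point in each phase of the procedure.

    'join':        before 'samba-tool domain join', at a DC that already exists.
    'first-start': for the first 'samba' start, at the new DC itself so the
                   missing DNS objects get created with its own Kerberos ticket.
    """
    if phase not in ("join", "first-start"):
        raise ValueError(f"unknown phase {phase!r}")
    ns = nameservers(text)
    if not ns:
        return ["no nameserver entry"]
    first = ns[0]
    if phase == "join" and first not in existing_dc_ips:
        return [f"first nameserver {first} is not an existing DC"]
    if phase == "first-start" and first != self_ip:
        return [f"first nameserver {first} must be the new DC itself ({self_ip})"]
    return []


# Constructed inputs: a realm like the one in the thread and hypothetical addresses.
REALM = "MYDOM.EXAMPLE.COM"
OLD_DC_IP, NEW_DC_IP = "192.0.2.10", "192.0.2.11"
KRB5_OK = (f"[libdefaults]\n    default_realm = {REALM}\n"
           "    dns_lookup_realm = false\n    dns_lookup_kdc = true\n")
KRB5_BAD = "[libdefaults]\n    default_realm = mydom.example.com\n    dns_lookup_realm = true\n"
RESOLV_OLD_DC = f"search mydom.example.com\nnameserver {OLD_DC_IP}\n"
RESOLV_SELF = f"search mydom.example.com\nnameserver {NEW_DC_IP}\n"

if __name__ == "__main__":
    print("krb5 ok :", check_krb5_conf(KRB5_OK, REALM))
    print("krb5 bad:", check_krb5_conf(KRB5_BAD, REALM))
    print("join    :", check_resolv_conf(RESOLV_OLD_DC, "join", NEW_DC_IP, {OLD_DC_IP}))
    print("start   :", check_resolv_conf(RESOLV_OLD_DC, "first-start", NEW_DC_IP, {OLD_DC_IP}))
```

Run the 'join' check before `samba-tool domain join` and the 'first-start' check before the first `samba` start; once `samba-tool drs showrepl` is clean and the DNS objects exist, resolv.conf can be pointed back at whichever DC you prefer.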
Paul R. Ganci
2016-Oct-03 00:15 UTC
[Samba] How to Migrate Samba AD from one server to another
On 09/11/2016 10:38 AM, Paul R. Ganci via samba wrote:
> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
> Rowland, thanks for your reply. What you describe is pretty simple in
> principle. It is the details about which I am confused. There are 3
> aspects of a Samba 4 AD that have to be properly set up for the AD to
> function correctly. Namely the Samba configuration, Kerberos and DNS.
> If any of these are incorrectly configured the AD will not function.
> So here are my questions regarding the details of what you describe.
> <snip>
> 6.) Transfer FSMO roles
>
> 7.) Demote old DC
>

So I successfully moved the DC to another server. However, when I try to demote the old DC I get this error.

nikita> samba-tool domain demote -Uadministrator
Using nureyev.myhome.example.com as partner server for the demotion
Password for [MYHOME\administrator]:
Deactivating inbound replication
Asking partner server nureyev.myhome.example.com to synchronize from us
Changing userControl and container
Error while demoting, re-enabling inbound replication
ERROR(<type 'exceptions.RuntimeError'>): Error while sending a removeDsServer of CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com: - (31, 'WERR_GENERAL_FAILURE')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 921, in run
    drsuapiBind.DsRemoveDSServer(drsuapi_handle, 1, req1)

Does anyone have a clue as to why I cannot demote the old DC? I am at a loss as to what is wrong. All the FSMO roles transferred properly to the new server. I did sync the sysvol so I am not sure what happened here because everything was good at one point.

What I am finding now is that on what I want to be the PDC I have this:

> samba-tool drs showrepl
Default-First-Site-Name\NUREYEV
DSA Options: 0x00000001
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
DSA invocationId: 0fcda6bb-9435-4852-ac8d-660af8443d34

==== INBOUND NEIGHBORS ===

==== OUTBOUND NEIGHBORS ===

==== KCC CONNECTION OBJECTS ===

But on the old DC that I want to demote I have this:

> samba-tool drs showrepl
Default-First-Site-Name\NIKITA
DSA Options: 0x00000001
DSA object GUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
DSA invocationId: c47710e7-8649-4c2f-bf82-f26c8d23effc

==== INBOUND NEIGHBORS ===

DC=DomainDnsZones,DC=myhome,DC=example,DC=com
    Default-First-Site-Name\NUREYEV via RPC
        DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
        Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2 (WERR_BADFILE)
        301 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=myhome,DC=example,DC=com
    Default-First-Site-Name\NUREYEV via RPC
        DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
        Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2 (WERR_BADFILE)
        301 consecutive failure(s).
        Last success @ NTTIME(0)

DC=myhome,DC=example,DC=com
    Default-First-Site-Name\NUREYEV via RPC
        DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
        Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2 (WERR_BADFILE)
        301 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=myhome,DC=example,DC=com
    Default-First-Site-Name\NUREYEV via RPC
        DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
        Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2 (WERR_BADFILE)
        301 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=myhome,DC=example,DC=com
    Default-First-Site-Name\NUREYEV via RPC
        DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
        Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2 (WERR_BADFILE)
        301 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ===

DC=DomainDnsZones,DC=myhome,DC=example,DC=com
    Default-First-Site-Name\NUREYEV via RPC
        DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
        Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2 (WERR_BADFILE)
        90 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=myhome,DC=example,DC=com
    Default-First-Site-Name\NUREYEV via RPC
        DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
        Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2 (WERR_BADFILE)
        90 consecutive failure(s).
        Last success @ NTTIME(0)

DC=myhome,DC=example,DC=com
    Default-First-Site-Name\NUREYEV via RPC
        DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
        Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2 (WERR_BADFILE)
        90 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=myhome,DC=example,DC=com
    Default-First-Site-Name\NUREYEV via RPC
        DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
        Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2 (WERR_BADFILE)
        90 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=myhome,DC=example,DC=com
    Default-First-Site-Name\NUREYEV via RPC
        DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
        Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2 (WERR_BADFILE)
        90 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 2b332225-20d4-486f-8b38-87c56c64f707
    Enabled        : TRUE
    Server DNS name : nureyev.myhome.example.com
    Server DN name  : CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
    TransportType: RPC
    options: 0x00000001
    Warning: No NC replicated for Connection!

Any suggestions as to how to debug/fix this problem so I can demote the old DC?

-- 
Paul (ganci at example.com)
Cell: (303)257-5208
Paul R. Ganci
2016-Oct-03 01:57 UTC
[Samba] How to Migrate Samba AD from one server to another
On 10/02/2016 06:15 PM, Paul R. Ganci via samba wrote:
> On 09/11/2016 10:38 AM, Paul R. Ganci via samba wrote:
>
>> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
>> Rowland, thanks for your reply. What you describe is pretty simple in
>> principle. It is the details about which I am confused. There are 3
>> aspects of a Samba 4 AD that have to be properly set up for the AD to
>> function correctly. Namely the Samba configuration, Kerberos and DNS.
>> If any of these are incorrectly configured the AD will not function.
>> So here are my questions regarding the details of what you describe.
>> <snip>
>> 6.) Transfer FSMO roles
>>
>> 7.) Demote old DC
>>
> So I successfully moved the DC to another server. However, when I try
> to demote the old DC I get this error.
>
> nikita> samba-tool domain demote -Uadministrator
> Using nureyev.myhome.example.com as partner server for the demotion
> Password for [MYHOME\administrator]:
> Deactivating inbound replication
> Asking partner server nureyev.myhome.example.com to synchronize from us
> Changing userControl and container
> Error while demoting, re-enabling inbound replication
> ERROR(<type 'exceptions.RuntimeError'>): Error while sending a
> removeDsServer of
> CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com:
> - (31, 'WERR_GENERAL_FAILURE')
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 921, in run
>     drsuapiBind.DsRemoveDSServer(drsuapi_handle, 1, req1)
>
> Does anyone have a clue as to why I cannot demote the old DC? I am at
> a loss as to what is wrong. All the FSMO roles transferred properly to the
> new server. I did sync the sysvol so I am not sure what happened here
> because everything was good at one point.
>
> What I am finding now is that on what I want to be the PDC I have this:
>
> > samba-tool drs showrepl
> Default-First-Site-Name\NUREYEV
> DSA Options: 0x00000001
> DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
> DSA invocationId: 0fcda6bb-9435-4852-ac8d-660af8443d34
>
> ==== INBOUND NEIGHBORS ===
>
> ==== OUTBOUND NEIGHBORS ===
>
> ==== KCC CONNECTION OBJECTS ===
>
> But on the old DC that I want to demote I have this:
>
> > samba-tool drs showrepl
> Default-First-Site-Name\NIKITA
> DSA Options: 0x00000001
> DSA object GUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
> DSA invocationId: c47710e7-8649-4c2f-bf82-f26c8d23effc
>
> ==== INBOUND NEIGHBORS ===
>
> DC=DomainDnsZones,DC=myhome,DC=example,DC=com
>     Default-First-Site-Name\NUREYEV via RPC
>         DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
>         Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2 (WERR_BADFILE)
>         301 consecutive failure(s).
>         Last success @ NTTIME(0)
> <snip>
>
> Any suggestions as to how to debug/fix this problem so I can demote the
> old DC?
>

So I discovered that on the new DC it appears an NTDS record is missing.

On DC nikita.myhome.example.com:

> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# record 2
dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a

# returned 2 records
# 2 entries
# 0 referrals

but on the new DC nureyev.myhome.example.com:

> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# returned 1 records
# 1 entries
# 0 referrals

How is it that one of the entries is now missing? Is there some way to fix this problem? It appears that the new DC server object is there and known by both DCs, but the old DC object is missing from the new DC server?

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
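The two outputs quoted in the last two messages, `samba-tool drs showrepl` and the `ldbsearch '(invocationid=*)'` listing from each DC, are exactly what a practitioner compares when a demote fails with WERR_GENERAL_FAILURE on removeDsServer. Here is an added triage script for them (example code written for this page, not from the thread or from the Samba project). It assumes the line layout of `samba-tool drs showrepl` of that era (section banners in `====`, a naming-context header followed by an indented `... via RPC` partner line and its attempt/failure/success lines) and the LDIF-style `dn:` / `objectGUID:` pairs ldbsearch prints. The sample texts are constructed, trimmed from the ones quoted above, with one healthy neighbor added for contrast; the real checks would be fed the live output of those two commands on each DC.

```python
# Added example (not from the thread or the Samba project): triage of
# 'samba-tool drs showrepl' and ldbsearch '(invocationid=*)' output from
# two DCs. Sample texts below are constructed, trimmed from this thread.
import re

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
ATTEMPT_RE = re.compile(r"Last attempt @ .+? (was successful|failed, result (\d+) \((\w+)\))")
FAILS_RE = re.compile(r"(\d+) consecutive failure\(s\)")


def parse_showrepl(text):
    """Return (neighbors, kcc_warnings); one neighbor dict per (direction, partition, partner)."""
    neighbors, warnings = [], []
    section = partition = current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1), None
            continue
        if section in ("INBOUND NEIGHBORS", "OUTBOUND NEIGHBORS"):
            if line.startswith(("DC=", "CN=")):
                partition = line                     # naming context header
            elif " via " in line:
                current = {"direction": section.split()[0].lower(),
                           "partition": partition,
                           "partner": line.split(" via ")[0],
                           "failures": 0, "last_error": None, "never_succeeded": False}
                neighbors.append(current)
            elif current is not None:
                a = ATTEMPT_RE.search(line)
                if a and a.group(2):                 # "failed, result N (WERR_...)"
                    current["last_error"] = a.group(3)
                f = FAILS_RE.search(line)
                if f:
                    current["failures"] = int(f.group(1))
                if line.startswith("Last success @") and "NTTIME(0)" in line:
                    current["never_succeeded"] = True   # never replicated this NC at all
        elif section == "KCC CONNECTION OBJECTS" and line.startswith("Warning:"):
            warnings.append(line)
    return neighbors, warnings


def unhealthy(neighbors):
    """Pairs that are failing now or have never completed a single replication."""
    return [n for n in neighbors if n["failures"] or n["never_succeeded"]]


def parse_invocation_ids(ldif):
    """dn -> objectGUID from ldbsearch '(invocationid=*)' --cross-ncs objectguid."""
    out, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("objectGUID: ") and dn:
            out[dn] = line.split(": ", 1)[1].strip()
    return out


def ntds_mismatch(a, b):
    """NTDS Settings DNs that one DC returns and the other does not."""
    return {"only_in_a": sorted(set(a) - set(b)), "only_in_b": sorted(set(b) - set(a))}


NTDS = ("CN=NTDS Settings,CN={},CN=Servers,CN=Default-First-Site-Name,"
        "CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com")
SHOWREPL_NIKITA = """\
Default-First-Site-Name\\NIKITA
DSA object GUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a

==== INBOUND NEIGHBORS ====

DC=myhome,DC=example,DC=com
\tDefault-First-Site-Name\\NUREYEV via RPC
\t\tDSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
\t\tLast attempt @ Sun Oct  2 18:10:24 2016 MDT failed, result 2 (WERR_BADFILE)
\t\t301 consecutive failure(s).
\t\tLast success @ NTTIME(0)

CN=Configuration,DC=myhome,DC=example,DC=com
\tDefault-First-Site-Name\\NUREYEV via RPC
\t\tLast attempt @ Sun Oct  2 18:10:24 2016 MDT was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Sun Oct  2 18:10:24 2016 MDT

==== OUTBOUND NEIGHBORS ====

DC=myhome,DC=example,DC=com
\tDefault-First-Site-Name\\NUREYEV via RPC
\t\tLast attempt @ Sun Oct  2 18:11:50 2016 MDT failed, result 2 (WERR_BADFILE)
\t\t90 consecutive failure(s).
\t\tLast success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
\tServer DNS name : nureyev.myhome.example.com
\tWarning: No NC replicated for Connection!
"""
LDB_NIKITA = (f"dn: {NTDS.format('NUREYEV')}\nobjectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b\n\n"
              f"dn: {NTDS.format('NIKITA')}\nobjectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a\n")
LDB_NUREYEV = f"dn: {NTDS.format('NUREYEV')}\nobjectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b\n"

if __name__ == "__main__":
    nb, warns = parse_showrepl(SHOWREPL_NIKITA)
    for n in unhealthy(nb):
        print(n["direction"], n["partition"], n["partner"], n["last_error"], n["failures"])
    print(warns)
    print(ntds_mismatch(parse_invocation_ids(LDB_NIKITA), parse_invocation_ids(LDB_NUREYEV)))
```

A partition whose `Last success` is `NTTIME(0)` on both the inbound and the outbound side has never replicated with that partner at all, which is a different situation from a link that worked and then broke; and an NTDS Settings DN that the new DC cannot see is consistent with the removeDsServer call failing, since the partner is asked to remove a server object it does not hold.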