Paul R. Ganci
2016-Oct-03 01:57 UTC
[Samba] How to Migrate Samba AD from one server to another
On 10/02/2016 06:15 PM, Paul R. Ganci via samba wrote:
> On 09/11/2016 10:38 AM, Paul R. Ganci via samba wrote:
>
>> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
>> Rowland, thanks for your reply. What you describe is pretty simple in
>> principle. It is the details about which I am confused. There are 3
>> aspects of a Samba 4 AD that have to be properly set up for the AD to
>> function correctly. Namely the Samba configuration, Kerberos and DNS.
>> If any of these are incorrectly configured the AD will not function.
>> So here are my questions regarding the details of what you describe.
>> <snip>
>> 6.) Transfer FSMO roles
>>
>> 7.) Demote old DC
>>
> So I successfully moved the DC to another server. However when I try
> to demote the old DC I get this error.
>
> nikita> samba-tool domain demote -Uadministrator
> Using nureyev.myhome.example.com as partner server for the demotion
> Password for [MYHOME\administrator]:
> Deactivating inbound replication
> Asking partner server nureyev.myhome.example.com to synchronize from us
> Changing userControl and container
> Error while demoting, re-enabling inbound replication
> ERROR(<type 'exceptions.RuntimeError'>): Error while sending a
> removeDsServer of
> CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com:
> - (31, 'WERR_GENERAL_FAILURE')
> File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 921, in run
> drsuapiBind.DsRemoveDSServer(drsuapi_handle, 1, req1)
>
> Does anyone have a clue as to why I cannot demote the old DC? I am at
> a loss as to what is wrong. All the FSMO transferred properly to the
> new server. I did sync the sysvol so I am not sure what happened here
> because everything was good at one point. What I am finding now is
> that on what I want to be the PDC I have this:
>
> > samba-tool drs showrepl
> Default-First-Site-Name\NUREYEV
> DSA Options: 0x00000001
> DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
> DSA invocationId: 0fcda6bb-9435-4852-ac8d-660af8443d34
>
> ==== INBOUND NEIGHBORS ====
>
> ==== OUTBOUND NEIGHBORS ====
>
> ==== KCC CONNECTION OBJECTS ====
>
> But on the old DC that I want to demote I have this:
>
> > samba-tool drs showrepl
> Default-First-Site-Name\NIKITA
> DSA Options: 0x00000001
> DSA object GUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
> DSA invocationId: c47710e7-8649-4c2f-bf82-f26c8d23effc
>
> ==== INBOUND NEIGHBORS ====
>
> DC=DomainDnsZones,DC=myhome,DC=example,DC=com
> Default-First-Site-Name\NUREYEV via RPC
> DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
> Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2 (WERR_BADFILE)
> 301 consecutive failure(s).
> Last success @ NTTIME(0)
> <snip>
>
> Any suggestions as how to debug/fix this problem so I can demote the
> old DC?
>
So I discovered that on the new DC it appears a NTDS record is missing.

On DC nikita.myhome.example.com

> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# record 2
dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a

# returned 2 records
# 2 entries
# 0 referrals

but on the new DC nureyev.myhome.example.com:

> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# returned 1 records
# 1 entries
# 0 referrals

How is it that one of the entries is now missing? Is there some way to
fix this problem? It appears that the new DC server object is there and
known by both DCs but the old DC object is missing from the new DC
server?

--
Paul (ganci at nurdog.com)
Cell: (303)257-5208
Paul R. Ganci
2016-Oct-03 04:01 UTC
[Samba] How to Migrate Samba AD from one server to another
On 10/02/2016 07:57 PM, Paul R. Ganci via samba wrote:
> On 10/02/2016 06:15 PM, Paul R. Ganci via samba wrote:
>> On 09/11/2016 10:38 AM, Paul R. Ganci via samba wrote:
>>> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
>>> <snip>
>> <snip>
> So I discovered that on the new DC it appears a NTDS record is
> missing.
> <snip>
> How is it that one of the entries is now missing? Is there some way to
> fix this problem? It appears that the new DC server object is there
> and known by both DCs but the old DC object is missing from the new
> DC server?
I am seeing this error in the old DC log file

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.1.11[1024,seal,krb5,target_hostname=275c02e7-7077-4b10-ab71-77efeb93bb6b._msdcs.myhome.example.com,target_principal=GC/nureyev.myhome.example.com/myhome.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.11] NT_STATUS_UNSUCCESSFUL

I just don't know how to fix it. Can I edit
/var/lib/samba/private/sam.ldb and add the missing entry for

# record 2
dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a

or can I just take the old DC offline and simply

> samba-tool domain demote --remove-other-dead-server=NIKITA

--
Paul (ganci at nurdog.com)
Cell: (303)257-5208
Rowland Penny
2016-Oct-03 07:49 UTC
[Samba] How to Migrate Samba AD from one server to another
On Sun, 2 Oct 2016 22:01:32 -0600
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:
> On 10/02/2016 07:57 PM, Paul R. Ganci via samba wrote:
> > On 10/02/2016 06:15 PM, Paul R. Ganci via samba wrote:
> >> On 09/11/2016 10:38 AM, Paul R. Ganci via samba wrote:
> >>> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
> >>> <snip>
> <snip>
> I am seeing this error in the old DC log file
>
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.1.11[1024,seal,krb5,target_hostname=275c02e7-7077-4b10-ab71-77efeb93bb6b._msdcs.myhome.example.com,target_principal=GC/nureyev.myhome.example.com/myhome.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.11] NT_STATUS_UNSUCCESSFUL
>
> I just don't know how to fix it. Can I edit
> /var/lib/samba/private/sam.ldb and add the missing entry for
>
> # record 2
> dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
> objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
>
> or can I just take the old DC offline and simply
>
> > samba-tool domain demote --remove-other-dead-server=NIKITA
>
Known problem, see here:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

Rowland
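The two checks this thread turns on, as an added example that is not from the thread or from Samba itself: it parses the ldbsearch listings taken on each DC, reports which DC's sam.ldb is missing which NTDS Settings object, and builds the <objectGUID>._msdcs.<realm> name that the old DC's log line shows it trying to bind to, which is the DC DNS record the linked wiki page covers. The sample listings, the zone map and the resolver callable are constructed assumptions; on a live DC the resolver would wrap a real lookup.

```python
import re

# Constructed input, modelled on the two listings quoted in the thread
# (ldbsearch -H sam.ldb '(invocationid=*)' --cross-ncs objectguid).
LDB_ON_NIKITA = """\
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b

# record 2
dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
"""
LDB_ON_NUREYEV = """\
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
"""
REALM = "myhome.example.com"

def parse_dsas(ldif):
    """DC short name -> objectGUID for each 'CN=NTDS Settings,CN=<DC>' entry."""
    dsas, current = {}, None
    for line in ldif.splitlines():
        m = re.match(r"dn: CN=NTDS Settings,CN=([^,]+),", line)
        if m:
            current = m.group(1)
        elif line.startswith("objectGUID:") and current:
            dsas[current] = line.split(":", 1)[1].strip().lower()
            current = None
    return dsas

def compare_views(views, realm):
    """views: DC name -> parse_dsas() of that DC's sam.ldb. For every DSA known
    anywhere, list the DCs whose database lacks it, plus the
    <objectGUID>._msdcs.<realm> CNAME a replication partner binds to."""
    known = {}
    for seen in views.values():
        known.update(seen)
    return {dc: {"guid": g, "cname": f"{g}._msdcs.{realm}",
                 "missing_on": sorted(v for v, s in views.items() if dc not in s)}
            for dc, g in known.items()}

def unresolved_cnames(report, resolve):
    """DSAs whose _msdcs CNAME 'resolve' cannot answer; 'resolve' is any
    callable name -> target-or-None (assumed: wrap socket.gethostbyname live)."""
    return sorted(dc for dc, r in report.items() if not resolve(r["cname"]))

if __name__ == "__main__":
    rep = compare_views({"NIKITA": parse_dsas(LDB_ON_NIKITA),
                         "NUREYEV": parse_dsas(LDB_ON_NUREYEV)}, REALM)
    zone = {rep["NIKITA"]["cname"]: "nikita.myhome.example.com"}  # constructed zone
    print(rep["NIKITA"]["missing_on"], unresolved_cnames(rep, zone.get))
```

With the constructed zone, which holds only the old DC's GUID record, the report shows NIKITA's NTDS Settings object absent from NUREYEV's database and NUREYEV's _msdcs CNAME unresolved, the two symptoms the thread describes.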