samba - Apr 2017 - NT_STATUS_NO_LOGON_SERVERS after removing a DC and WERR_BADFILE when trying to remove broken DC

On 2017-04-07 13:44, Sven Schwedas via samba wrote:
> In the end I just upgraded all DCs to 4.5 and remote-deleted the broken
> ones. Seemed to work without a hitch, manual removal was only necessary
> to remove the IPs from DNS\_msdcs.ourdomain\gc\.
Apparently not, adding new DCs failed with "WERR_DS_DATABASE_ERROR".
`samba-tool dbcheck --fix` solved that.

With that out of the way, the join seemed to work.

• DNS records as per
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
were missing, after adding them, the replication is working as well.

• File server verified to work, including authentication.

• However, the server is still missing from the following DNS records:

 – Domain [host -t A ad.tao.at.]
 – LDAP SRV records [host -t SRV _ldap._tcp.ad.tao.at.]
 – KRB5 SRV records [host -t SRV _kerberos._tcp.ad.tao.at.]
 – …and all the others I can find in the MMC DNS snap-in (_gc, _kpasswd,
etc. pp.)

• Kerberos works, but I'm not sure it's actually using the new server,
given the DNS issues.


Can I just add the SRV records manually? Should this be documented in
the wiki?
> I'll try adding new DCs on a date that's not "Friday two hours
before I
> disappear for vacation".
> 
> On 2017-03-29 16:51, Sven Schwedas via samba wrote:
>> Situation: Trying to upgrade Samba from 4.1 to 4.5 without disruption
>> too much by adding new DCs and demoting old ones.
>>
>> After bringing online the first 4.5 DC, I ran `demote
>> --remove-other-dead-server=` on that DC to remove one of the old 4.1
DCs
>> (held no FSMO roles). That seemed to run fine (the DC had been offline
>> for a few weeks at that point and I didn't want to restore it just
for
>> demotion.)
>>
>> At that point, some (but not all) of our file servers started throwing
>> NT_STATUS_NO_LOGON_SERVERS (smbd) and
>> NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (winbind -P). Windows' RSAT
tools
>> also completely fail to connect to the domain.
>>
>> Some of the old DCs started throwing "Failed to bind to uuid
>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 at
ncacn_ip_tcp:7e4973ba-4093-4523-a70f-7caa4845e34d._msdcs.ad.tao.at[1024,seal,krb5]
>> NT_STATUS_UNSUCCESSFUL" errors
>>
>> Attempts to remove the new ADDC fail with "(2,
'WERR_BADFILE')".
>>
>>
>> So… How the fuck do I recover from this? What's even wrong?
>>
>>
>>
> 
> 
> 
-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
https://pave.software – PAVE Password Manager

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20170420/71e8d046/signature.sig>

On Thu, 20 Apr 2017 18:00:24 +0200
Sven Schwedas via samba <samba at lists.samba.org> wrote:
> On 2017-04-07 13:44, Sven Schwedas via samba wrote:
> > In the end I just upgraded all DCs to 4.5 and remote-deleted the
> > broken ones. Seemed to work without a hitch, manual removal was
> > only necessary to remove the IPs from DNS\_msdcs.ourdomain\gc\.
> 
> Apparently not, adding new DCs failed with
"WERR_DS_DATABASE_ERROR".
> `samba-tool dbcheck --fix` solved that.
> 
> With that out of the way, the join seemed to work.
> 
> • DNS records as per
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
> were missing, after adding them, the replication is working as well.
> 
> • File server verified to work, including authentication.
> 
> • However, the server is still missing from the following DNS records:
> 
>  – Domain [host -t A ad.tao.at.]
>  – LDAP SRV records [host -t SRV _ldap._tcp.ad.tao.at.]
>  – KRB5 SRV records [host -t SRV _kerberos._tcp.ad.tao.at.]
>  – …and all the others I can find in the MMC DNS snap-in (_gc,
> _kpasswd, etc. pp.)
> 
> • Kerberos works, but I'm not sure it's actually using the new
server,
> given the DNS issues.
> 
> 
> Can I just add the SRV records manually? Should this be documented in
> the wiki?
Try running 'samba_dnsupdate --use-samba-tool' on the new DC

Rowland

On 2017-04-20 18:38, Rowland Penny wrote:
> On Thu, 20 Apr 2017 18:00:24 +0200
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
> 
>> On 2017-04-07 13:44, Sven Schwedas via samba wrote:
>>> In the end I just upgraded all DCs to 4.5 and remote-deleted the
>>> broken ones. Seemed to work without a hitch, manual removal was
>>> only necessary to remove the IPs from DNS\_msdcs.ourdomain\gc\.
>>
>> Apparently not, adding new DCs failed with
"WERR_DS_DATABASE_ERROR".
>> `samba-tool dbcheck --fix` solved that.
>>
>> With that out of the way, the join seemed to work.
>>
>> • DNS records as per
>> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
>> were missing, after adding them, the replication is working as well.
>>
>> • File server verified to work, including authentication.
>>
>> • However, the server is still missing from the following DNS records:
>>
>>  – Domain [host -t A ad.tao.at.]
>>  – LDAP SRV records [host -t SRV _ldap._tcp.ad.tao.at.]
>>  – KRB5 SRV records [host -t SRV _kerberos._tcp.ad.tao.at.]
>>  – …and all the others I can find in the MMC DNS snap-in (_gc,
>> _kpasswd, etc. pp.)
>>
>> • Kerberos works, but I'm not sure it's actually using the new
server,
>> given the DNS issues.
>>
>>
>> Can I just add the SRV records manually? Should this be documented in
>> the wiki?
> 
> Try running 'samba_dnsupdate --use-samba-tool' on the new DC
That did the trick.
> Rowland
> 
-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
https://pave.software – PAVE Password Manager

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20170421/41c51780/signature.sig>