Sven Schwedas
2017-Apr-20 16:00 UTC
[Samba] NT_STATUS_NO_LOGON_SERVERS after removing a DC and WERR_BADFILE when trying to remove broken DC
On 2017-04-07 13:44, Sven Schwedas via samba wrote:
> In the end I just upgraded all DCs to 4.5 and remote-deleted the broken
> ones. Seemed to work without a hitch, manual removal was only necessary
> to remove the IPs from DNS\_msdcs.ourdomain\gc\.

Apparently not, adding new DCs failed with "WERR_DS_DATABASE_ERROR".
`samba-tool dbcheck --fix` solved that.

With that out of the way, the join seemed to work.

• DNS records as per
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
were missing, after adding them, the replication is working as well.

• File server verified to work, including authentication.

• However, the server is still missing from the following DNS records:

  – Domain [host -t A ad.tao.at.]
  – LDAP SRV records [host -t SRV _ldap._tcp.ad.tao.at.]
  – KRB5 SRV records [host -t SRV _kerberos._tcp.ad.tao.at.]
  – …and all the others I can find in the MMC DNS snap-in (_gc,
    _kpasswd, etc. pp.)

• Kerberos works, but I'm not sure it's actually using the new server,
given the DNS issues.

Can I just add the SRV records manually? Should this be documented in
the wiki?

> I'll try adding new DCs on a date that's not "Friday two hours before I
> disappear for vacation".
>
> On 2017-03-29 16:51, Sven Schwedas via samba wrote:
>> Situation: Trying to upgrade Samba from 4.1 to 4.5 without disruption
>> too much by adding new DCs and demoting old ones.
>>
>> After bringing online the first 4.5 DC, I ran `demote
>> --remove-other-dead-server=` on that DC to remove one of the old 4.1 DCs
>> (held no FSMO roles). That seemed to run fine (the DC had been offline
>> for a few weeks at that point and I didn't want to restore it just for
>> demotion.)
>>
>> At that point, some (but not all) of our file servers started throwing
>> NT_STATUS_NO_LOGON_SERVERS (smbd) and
>> NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (winbind -P). Windows' RSAT tools
>> also completely fail to connect to the domain.
>>
>> Some of the old DCs started throwing "Failed to bind to uuid
>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
>> e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:7e4973ba-4093-4523-a70f-7caa4845e34d._msdcs.ad.tao.at[1024,seal,krb5]
>> NT_STATUS_UNSUCCESSFUL" errors
>>
>> Attempts to remove the new ADDC fail with "(2, 'WERR_BADFILE')".
>>
>> So… How the fuck do I recover from this? What's even wrong?

--
Best Regards,
Sven Schwedas, System Administrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
https://pave.software – PAVE Password Manager
Rowland Penny
2017-Apr-20 16:38 UTC
[Samba] NT_STATUS_NO_LOGON_SERVERS after removing a DC and WERR_BADFILE when trying to remove broken DC
On Thu, 20 Apr 2017 18:00:24 +0200 Sven Schwedas via samba <samba at lists.samba.org> wrote:
> On 2017-04-07 13:44, Sven Schwedas via samba wrote:
> > In the end I just upgraded all DCs to 4.5 and remote-deleted the
> > broken ones. Seemed to work without a hitch, manual removal was
> > only necessary to remove the IPs from DNS\_msdcs.ourdomain\gc\.
>
> Apparently not, adding new DCs failed with "WERR_DS_DATABASE_ERROR".
> `samba-tool dbcheck --fix` solved that.
>
> With that out of the way, the join seemed to work.
>
> • DNS records as per
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
> were missing, after adding them, the replication is working as well.
>
> • File server verified to work, including authentication.
>
> • However, the server is still missing from the following DNS records:
>
>   – Domain [host -t A ad.tao.at.]
>   – LDAP SRV records [host -t SRV _ldap._tcp.ad.tao.at.]
>   – KRB5 SRV records [host -t SRV _kerberos._tcp.ad.tao.at.]
>   – …and all the others I can find in the MMC DNS snap-in (_gc,
>     _kpasswd, etc. pp.)
>
> • Kerberos works, but I'm not sure it's actually using the new server,
> given the DNS issues.
>
> Can I just add the SRV records manually? Should this be documented in
> the wiki?

Try running 'samba_dnsupdate --use-samba-tool' on the new DC

Rowland
Sven Schwedas
2017-Apr-21 08:26 UTC
[Samba] NT_STATUS_NO_LOGON_SERVERS after removing a DC and WERR_BADFILE when trying to remove broken DC
On 2017-04-20 18:38, Rowland Penny wrote:
> On Thu, 20 Apr 2017 18:00:24 +0200
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>
>> On 2017-04-07 13:44, Sven Schwedas via samba wrote:
>>> In the end I just upgraded all DCs to 4.5 and remote-deleted the
>>> broken ones. Seemed to work without a hitch, manual removal was
>>> only necessary to remove the IPs from DNS\_msdcs.ourdomain\gc\.
>>
>> Apparently not, adding new DCs failed with "WERR_DS_DATABASE_ERROR".
>> `samba-tool dbcheck --fix` solved that.
>>
>> With that out of the way, the join seemed to work.
>>
>> • DNS records as per
>> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
>> were missing, after adding them, the replication is working as well.
>>
>> • File server verified to work, including authentication.
>>
>> • However, the server is still missing from the following DNS records:
>>
>>   – Domain [host -t A ad.tao.at.]
>>   – LDAP SRV records [host -t SRV _ldap._tcp.ad.tao.at.]
>>   – KRB5 SRV records [host -t SRV _kerberos._tcp.ad.tao.at.]
>>   – …and all the others I can find in the MMC DNS snap-in (_gc,
>>     _kpasswd, etc. pp.)
>>
>> • Kerberos works, but I'm not sure it's actually using the new server,
>> given the DNS issues.
>>
>> Can I just add the SRV records manually? Should this be documented in
>> the wiki?
>
> Try running 'samba_dnsupdate --use-samba-tool' on the new DC

That did the trick.

> Rowland
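Added example, not part of the thread and not Samba project code: a check that a newly joined DC is listed in every SRV record set the thread found it missing from, parsed from `host -t SRV` output. The domain `ad.example.com`, the hosts `dc1`/`dc3`, the function names and the sample output are constructed; the full `_tcp`/`_udp` record names are the standard AD ones, which go beyond the short names given in the thread.

```shell
#!/bin/sh
# Report which AD SRV record sets do not list a given DC.
# Input is the output of `host -t SRV <name>`, one record per line, e.g.
#   _ldap._tcp.ad.example.com has SRV record 0 100 389 dc1.ad.example.com.

# SRV owner-name prefixes to check (assumption: standard AD names).
SRV_PREFIXES="_ldap._tcp _kerberos._tcp _kerberos._udp _gc._tcp _kpasswd._tcp _kpasswd._udp"

# missing_srv DOMAIN DC_FQDN   (reads `host` output on stdin)
# Prints one line per SRV name that has no record targeting DC_FQDN.
missing_srv() {
    awk -v domain="$1" -v dc="$2" -v prefixes="$SRV_PREFIXES" '
        # Compare names case-insensitively and without the trailing dot.
        function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
        BEGIN { dc = norm(dc); domain = norm(domain) }
        # Field 1 is the owner name, the last field is the SRV target.
        $2 == "has" && $3 == "SRV" && norm($NF) == dc { seen[norm($1)] = 1 }
        END {
            n = split(prefixes, p, " ")
            for (i = 1; i <= n; i++) {
                name = p[i] "." domain
                if (!(name in seen)) print name
            }
        }'
}

# Constructed sample: dc3 was joined but is only registered under _ldap._tcp.
sample_host_output() {
    cat <<'EOF'
_ldap._tcp.ad.example.com has SRV record 0 100 389 dc1.ad.example.com.
_ldap._tcp.ad.example.com has SRV record 0 100 389 dc3.ad.example.com.
_kerberos._tcp.ad.example.com has SRV record 0 100 88 dc1.ad.example.com.
_kerberos._udp.ad.example.com has SRV record 0 100 88 dc1.ad.example.com.
_gc._tcp.ad.example.com has SRV record 0 100 3268 dc1.ad.example.com.
_kpasswd._tcp.ad.example.com has SRV record 0 100 464 dc1.ad.example.com.
_kpasswd._udp.ad.example.com has SRV record 0 100 464 dc1.ad.example.com.
EOF
}

# Live variant (needs DNS): live_host_output DOMAIN | missing_srv DOMAIN DC_FQDN
live_host_output() {
    for p in $SRV_PREFIXES; do host -t SRV "$p.$1." 2>/dev/null; done
}

# Offline demo on the constructed sample.
sample_host_output | missing_srv ad.example.com dc3.ad.example.com
```

An empty result means the DC is registered under every checked name; any name printed is a record set that clients resolving that service will never use to reach the new DC.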