Massimo Donato - Adcom.it
2018-Feb-07 13:45 UTC
[Samba] after a couple of year of success is not possible to add workstations to domain
Hi Denis,

On 06/02/2018 20:05, Denis Cardon via samba wrote:
> Hi Massimo,
>
>> On 05/02/2018 16:41, Rowland Penny wrote:
>>> On Mon, 5 Feb 2018 16:01:27 +0100
>>> "Massimo Donato - Adcom.it via samba" <samba at lists.samba.org> wrote:
>>>
>>>> Hi all,
>>>> after a couple of years of a successfully working Samba AD DC it is
>>>> not possible to add workstations to the domain.
>>>> Since a few days ago, in Windows I get a message complaining that the
>>>> account previously exists, and to try to access with a different
>>>> account. After some investigation I found that the backup DC had a
>>>> hardware fault. The primary seems to work great, but I am still unable
>>>> to add workstations to the domain.
>>>> Seems like something is missing.
>>>> Samba version is 4.7.4 (upgraded during investigation).
>>>>
>>>> Any advice? Where to look?
>>>>
>>> One of the problems here is that you are thinking in terms of 'primary'
>>> and 'backup' DCs. You haven't got a 'primary' DC or a 'backup' DC, you
>>> just have two DCs and they should both contain exactly the same data in
>>> AD. Problem is, when your second DC became faulty, it may have
>>> corrupted AD on the DC and then replicated this corruption to the
>>> first DC.
>>>
>>> I would turn off the faulty DC (if it is still running), demote the
>>> dead DC and then run 'samba-tool dbcheck'
>>>
>>> But, before I tried to do anything, I would ensure that the first DC
>>> was fully backed up.
>>>
>>> Rowland
>>>
>> Thank you Rowland for your answer.
>> I understand what you mean regarding DCs, there were just two DCs.
>> The faulty DC is no longer in our datacenter (disk dead),
>> so I have one DC that is corrupted. I have a backup, but only from after
>> the corruption.
>> dbcheck is good, even with the ncs option, 0 errors.
>> Any other advice on what to check?
>
> Which server is/was the RID FSMO role owner?
>
> Denis

I think the one that still lives; it was the first one I configured.

I tried something, just so as not to bother the whole list. May this help?

[root at zeus log]# samba-tool dbcheck --fix
WARNING: The "profile acls" option is deprecated
Checking 309 objects
Checked 309 objects (0 errors)
[root at zeus log]# samba-tool dbcheck --cross-nc --fix
WARNING: The "profile acls" option is deprecated
Checking 3578 objects
Checked 3578 objects (0 errors)
[root at zeus log]# samba-tool drs showrepl
WARNING: The "profile acls" option is deprecated
Default-First-Site-Name\ZEUS
DSA Options: 0x00000001
DSA object GUID: e0a28581-6f38-4a9e-b593-43b65cafb872
DSA invocationId: adb5b609-20d2-4b4c-a8da-1bdb74dc444e

==== INBOUND NEIGHBORS ===

==== OUTBOUND NEIGHBORS ===

==== KCC CONNECTION OBJECTS ===
massimo Donato
2018-Feb-07 16:57 UTC
[Samba] after a couple of year of success is not possible to add workstations to domain
Hi to all,

On 07/02/2018 14:45, Massimo Donato - Adcom.it via samba wrote:
> Hi Denis,
>
> On 06/02/2018 20:05, Denis Cardon via samba wrote:
>> Hi Massimo,
>>
>>> On 05/02/2018 16:41, Rowland Penny wrote:
>>>> On Mon, 5 Feb 2018 16:01:27 +0100
>>>> "Massimo Donato - Adcom.it via samba" <samba at lists.samba.org> wrote:
>>>>
>>>>> Hi all,
>>>>> after a couple of years of a successfully working Samba AD DC it is
>>>>> not possible to add workstations to the domain.
>>>>> Since a few days ago, in Windows I get a message complaining that the
>>>>> account previously exists, and to try to access with a different
>>>>> account. After some investigation I found that the backup DC had a
>>>>> hardware fault. The primary seems to work great, but I am still unable
>>>>> to add workstations to the domain.
>>>>> Seems like something is missing.
>>>>> Samba version is 4.7.4 (upgraded during investigation).
>>>>>
>>>>> Any advice? Where to look?
>>>>>
>>>> One of the problems here is that you are thinking in terms of 'primary'
>>>> and 'backup' DCs. You haven't got a 'primary' DC or a 'backup' DC, you
>>>> just have two DCs and they should both contain exactly the same data in
>>>> AD. Problem is, when your second DC became faulty, it may have
>>>> corrupted AD on the DC and then replicated this corruption to the
>>>> first DC.
>>>>
>>>> I would turn off the faulty DC (if it is still running), demote the
>>>> dead DC and then run 'samba-tool dbcheck'
>>>>
>>>> But, before I tried to do anything, I would ensure that the first DC
>>>> was fully backed up.
>>>>
>>>> Rowland
>>>>
>>> Thank you Rowland for your answer.
>>> I understand what you mean regarding DCs, there were just two DCs.
>>> The faulty DC is no longer in our datacenter (disk dead),
>>> so I have one DC that is corrupted. I have a backup, but only from after
>>> the corruption.
>>> dbcheck is good, even with the ncs option, 0 errors.
>>> Any other advice on what to check?
>>
>> Which server is/was the RID FSMO role owner?
>>
>> Denis
> I think the one that still lives; it was the first one I configured.
>
> I tried something, just so as not to bother the whole list. May this help?
>
> [root at zeus log]# samba-tool dbcheck --fix
> WARNING: The "profile acls" option is deprecated
> Checking 309 objects
> Checked 309 objects (0 errors)
> [root at zeus log]# samba-tool dbcheck --cross-nc --fix
> WARNING: The "profile acls" option is deprecated
> Checking 3578 objects
> Checked 3578 objects (0 errors)
> [root at zeus log]# samba-tool drs showrepl
> WARNING: The "profile acls" option is deprecated
> Default-First-Site-Name\ZEUS
> DSA Options: 0x00000001
> DSA object GUID: e0a28581-6f38-4a9e-b593-43b65cafb872
> DSA invocationId: adb5b609-20d2-4b4c-a8da-1bdb74dc444e
>
> ==== INBOUND NEIGHBORS ===
>
> ==== OUTBOUND NEIGHBORS ===
>
> ==== KCC CONNECTION OBJECTS ===

Also tried this and no errors:
Any idea on how to remove the dead server from the DNS entries?

[root at zeus /]# host -t SRV _kerberos._udp.somdomain.com.
_kerberos._udp.somdomain.com has SRV record 0 100 88 zeus.somdomain.com.
_kerberos._udp.somdomain.com has SRV record 0 100 88 backupdc.somdomain.com.
[root at zeus /]# host -t SRV _ldap._tcp.somdomain.com
_ldap._tcp.somdomain.com has SRV record 0 100 389 zeus.somdomain.com.
_ldap._tcp.somdomain.com has SRV record 0 100 389 backupdc.somdomain.com.
Denis Cardon
2018-Feb-07 17:40 UTC
[Samba] after a couple of year of success is not possible to add workstations to domain
Hi Massimo,

>>>> On 05/02/2018 16:41, Rowland Penny wrote:
>>>>> On Mon, 5 Feb 2018 16:01:27 +0100
>>>>> "Massimo Donato - Adcom.it via samba" <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi all,
>>>>>> after a couple of years of a successfully working Samba AD DC it is
>>>>>> not possible to add workstations to the domain.
>>>>>> Since a few days ago, in Windows I get a message complaining that the
>>>>>> account previously exists, and to try to access with a different
>>>>>> account. After some investigation I found that the backup DC had a
>>>>>> hardware fault. The primary seems to work great, but I am still unable
>>>>>> to add workstations to the domain.
>>>>>> Seems like something is missing.
>>>>>> Samba version is 4.7.4 (upgraded during investigation).
>>>>>>
>>>>>> Any advice? Where to look?
>>>>>>
>>>>> One of the problems here is that you are thinking in terms of 'primary'
>>>>> and 'backup' DCs. You haven't got a 'primary' DC or a 'backup' DC, you
>>>>> just have two DCs and they should both contain exactly the same data in
>>>>> AD. Problem is, when your second DC became faulty, it may have
>>>>> corrupted AD on the DC and then replicated this corruption to the
>>>>> first DC.
>>>>>
>>>>> I would turn off the faulty DC (if it is still running), demote the
>>>>> dead DC and then run 'samba-tool dbcheck'
>>>>>
>>>>> But, before I tried to do anything, I would ensure that the first DC
>>>>> was fully backed up.
>>>>>
>>>>> Rowland
>>>>>
>>>> Thank you Rowland for your answer.
>>>> I understand what you mean regarding DCs, there were just two DCs.
>>>> The faulty DC is no longer in our datacenter (disk dead),
>>>> so I have one DC that is corrupted. I have a backup, but only from after
>>>> the corruption.
>>>> dbcheck is good, even with the ncs option, 0 errors.
>>>> Any other advice on what to check?
>>>
>>> Which server is/was the RID FSMO role owner?
>>>
>>> Denis
>> I think the one that still lives; it was the first one I configured.
>>
>> I tried something, just so as not to bother the whole list. May this help?
>>
>> [root at zeus log]# samba-tool dbcheck --fix
>> WARNING: The "profile acls" option is deprecated
>> Checking 309 objects
>> Checked 309 objects (0 errors)
>> [root at zeus log]# samba-tool dbcheck --cross-nc --fix
>> WARNING: The "profile acls" option is deprecated
>> Checking 3578 objects
>> Checked 3578 objects (0 errors)
>> [root at zeus log]# samba-tool drs showrepl
>> WARNING: The "profile acls" option is deprecated
>> Default-First-Site-Name\ZEUS
>> DSA Options: 0x00000001
>> DSA object GUID: e0a28581-6f38-4a9e-b593-43b65cafb872
>> DSA invocationId: adb5b609-20d2-4b4c-a8da-1bdb74dc444e
>>
>> ==== INBOUND NEIGHBORS ===
>>
>> ==== OUTBOUND NEIGHBORS ===
>>
>> ==== KCC CONNECTION OBJECTS ===
> Also tried this and no errors:
> Any idea on how to remove the dead server from the DNS entries?
>
> [root at zeus /]# host -t SRV _kerberos._udp.somdomain.com.
> _kerberos._udp.somdomain.com has SRV record 0 100 88 zeus.somdomain.com.
> _kerberos._udp.somdomain.com has SRV record 0 100 88
> backupdc.somdomain.com.
> [root at zeus /]# host -t SRV _ldap._tcp.somdomain.com
> _ldap._tcp.somdomain.com has SRV record 0 100 389 zeus.somdomain.com.
> _ldap._tcp.somdomain.com has SRV record 0 100 389 backupdc.somdomain.com.

If you are on 4.7, then

samba-tool domain demote --remove-other-dead-server=backupdc

It should remove both the computer/ntdsa entries and the DNS entries.

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
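
The SRV lookups quoted in the thread can be checked mechanically before and after the demote, to confirm that no locator record still names the dead DC. This is an added example, not part of the original messages; the function names `stale_srv_targets` and `check_domain` and the admin-supplied list of live DCs are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print "record -> target" for every SRV answer on stdin whose target is not
# in $1 (space-separated FQDNs of the DCs that are really alive; assumption:
# the admin supplies this list).
stale_srv_targets() {
    awk -v live="$1" '
        BEGIN {
            n = split(tolower(live), dc, " ")
            for (i = 1; i <= n; i++) { sub(/\.$/, "", dc[i]); ok[dc[i]] = 1 }
        }
        / has SRV record / {
            target = tolower($NF)
            sub(/\.$/, "", target)          # drop the trailing root dot
            if (!(target in ok)) print $1 " -> " target
        }
    ' | sort -u
}

# Query the usual AD locator records for domain $1 and check them against the
# live DC list $2. Needs the `host` utility and a reachable DNS server.
check_domain() {
    for rr in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp \
              _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs; do
        host -t SRV "$rr.$1" 2>/dev/null
    done | stale_srv_targets "$2"
}

# Sample input: the `host` output quoted in the thread.
SAMPLE='_kerberos._udp.somdomain.com has SRV record 0 100 88 zeus.somdomain.com.
_kerberos._udp.somdomain.com has SRV record 0 100 88 backupdc.somdomain.com.
_ldap._tcp.somdomain.com has SRV record 0 100 389 zeus.somdomain.com.
_ldap._tcp.somdomain.com has SRV record 0 100 389 backupdc.somdomain.com.'

# With only zeus alive, both records naming backupdc are reported.
printf '%s\n' "$SAMPLE" | stale_srv_targets "zeus.somdomain.com"
```

On the DC itself, `check_domain somdomain.com zeus.somdomain.com` runs the same check against live DNS; empty output after the demote means the locator records are clean.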