On 06.06.2018 14:44, lingpanda101 wrote:
>
>> ** SNIP **
>>
>> Actually, the DCs (resolv.conf) were pointing to each other
>> initially, and I think that was at least one root of the evil. I
>> think this advice in the Samba wiki actually is rather bad (and
>> unnecessary with Samba, as has been pointed out, before?).
> Using Bind I find it's necessary to point the DC to itself. I had no
> issues pointing to another DC with the internal DNS. The Wiki actually
> mentions best practice for a multi DC environment as it relates to a
> Windows setup. I do think it's unnecessary with Samba however.

I fear it is counterproductive in case you lose the other DC the one DC is pointing to.

>>
>> Regarding demoting the dead DC: My Samba version is rather old
>> (4.2.5). The problem is that I chose the uid/gid scopes unwisely. And
>> I read on some patch notes that I can't update anymore, because newer
>> versions of Samba actually require those scopes to be set in a very
>> specific way. So perhaps demoting via the newly available method is
>> not an option here.
> Can you repair or replace the dead DC with a current Samba version?
> Join then transfer the FSMO roles? I would advise not using the same
> hostname.

I plan on replacing the dead DC very soon, the hardware is in shipping. I seem to remember having read here on the list that it is not a good idea to mix Samba versions in a domain. If there is sound advice to do it anyway, I would be up for trying it. However, as I have written above, I messed up the uid/gid ranges. To my understanding, later versions of Samba (like 4.5) _require_ the ranges to comply with the defaults as denoted by the wiki.

>>
>> What I can think of is:
>> - removing the dead DC from the clients' DNS config, of course
>> - removing it from AD DNS
>> - removing it from AD Sites and Services
>> - and removing it from AD Users and Computers
> Yes to all the above. The key is to remove all service records in DNS
> that reference the bad DC. It's easier to use RSAT for this. Make sure
> you remove all NTDS connections as well that reference the dead DC.
> Reference the Wiki as it does a good job displaying an example of
> running '# samba-tool domain demote --remove-other-dead-server=DC2'.
> It shows all that seems necessary.

I will do that. I am using RSAT. Would I eradicate the complete site associated with the dead DC? Or which containers/objects in particular?

>>
>> What else does the Samba script for demoting a DC do? Can I do that
>> manually, too? I repeat: it was not the FSMO role holder.
> I don't know.

Thank you very much, James!

>> Thanks again for any advice!
>> Ole
>>
>>
>>
>
> -JAMES
>
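James's advice above is to remove every DNS service record that still references the dead DC. The script below is an added example, not from this thread and not part of Samba: it takes a dig-style zone dump (a constructed sample is embedded; the host names dc1/dc2, the addresses, the site name and the GUID-looking CNAME owner are hypothetical) and lists the A, SRV, NS and CNAME records that still point at the dead DC, so the count can be verified to be zero once the cleanup in RSAT is done.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): find DNS records that
# still reference a dead DC in a dig-style zone dump.
# In practice the input would come from something like
#   dig @dc1.samdom.example.com samdom.example.com AXFR      (assumed usage)
# and the same for the _msdcs subzone; here a constructed sample is embedded.

DEAD_DC_HOST="dc2.samdom.example.com"   # hypothetical dead DC, no trailing dot
DEAD_DC_IP="10.99.0.2"                   # hypothetical address of the dead DC

# Constructed sample zone data: one record per line, presentation format
# "<owner> <ttl> IN <type> <rdata...>" as dig prints it.
SAMPLE_ZONE='dc1.samdom.example.com. 900 IN A 10.99.0.1
dc2.samdom.example.com. 900 IN A 10.99.0.2
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc1.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc2.samdom.example.com.
_kerberos._tcp.samdom.example.com. 900 IN SRV 0 100 88 dc1.samdom.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.samdom.example.com. 900 IN SRV 0 100 88 dc2.samdom.example.com.
gc._msdcs.samdom.example.com. 900 IN A 10.99.0.2
samdom.example.com. 900 IN NS dc2.samdom.example.com.
00000000-0000-0000-0000-000000000002._msdcs.samdom.example.com. 900 IN CNAME dc2.samdom.example.com.'

# Print every record in the zone text given as $1 that refers to the dead DC:
#  - its own A record (owner name is the dead host) or any A record with its IP
#  - SRV, NS and CNAME records whose target is the dead host
stale_records() {
    printf '%s\n' "$1" | awk -v host="$DEAD_DC_HOST." -v ip="$DEAD_DC_IP" '
        NF >= 5 {
            owner = $1; type = $4; data = $NF
            if (type == "A" && (data == ip || owner == host)) print $0
            else if (type == "SRV" && data == host) print $0
            else if ((type == "NS" || type == "CNAME") && data == host) print $0
        }'
}

# Number of stale records; the post-cleanup check is that this prints 0.
stale_count() {
    stale_records "$1" | awk 'END { print NR }'
}

# Stand-alone run: show what would still have to be removed for the sample.
stale_records "$SAMPLE_ZONE"
echo "stale records: $(stale_count "$SAMPLE_ZONE")"
```

Run it against a dump of both the domain zone and the _msdcs zone; once RSAT (or samba-tool dns delete) has removed everything it lists, the count for a fresh dump should be zero and the dead DC's own A record, NS record and _msdcs GUID CNAME should all be gone.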
On Wed, 6 Jun 2018 15:40:48 +0200
Ole Traupe via samba <samba at lists.samba.org> wrote:

>
>
> On 06.06.2018 14:44, lingpanda101 wrote:
> >
> >> ** SNIP **
> >>
> >> Actually, the DCs (resolv.conf) were pointing to each other
> >> initially, and I think that was at least one root of the evil. I
> >> think this advice in the Samba wiki actually is rather bad (and
> >> unnecessary with Samba, as has been pointed out, before?).
> > Using Bind I find it's necessary to point the DC to itself. I had
> > no issues pointing to another DC with the internal DNS. The Wiki
> > actually mentions best practice for a multi DC environment as it
> > relates to a Windows setup. I do think it's unnecessary with Samba
> > however.

Just where does it say this ?
I will fix it

Basically all you need is what is on the DC page:

Configuring the DNS Resolver

Domain members in an AD use DNS to locate services, such as LDAP and Kerberos. For that, they need to use a DNS server that is able to resolve the AD DNS zone.

On your DC, set the AD DNS domain in the domain and the IP of your DC in the nameserver parameter of the /etc/resolv.conf file. For example:

domain samdom.example.com
nameserver 10.99.0.1

> I seem to remember having read here on the list that it is not a good
> idea to mix Samba versions in a domain. If there is sound advice to
> do it anyway, I would be up for trying it. However, as I have
> written above, I messed up the uid/gid ranges. To my understanding,
> later versions of Samba (like 4.5) _require_ the ranges to comply with
> the defaults as denoted by the wiki.

There is nothing to stop you using different versions on DCs and you can do the same with Unix domain members, unless you are using the 'ad' backend and are NOT using Domain Users as the users' Unix primary group. It is, however, best practice to use the same major version, just to get similar capabilities on all machines.

> I will do that. I am using RSAT. Would I eradicate the complete site
> associated with the dead DC? Or which containers/objects in
> particular?

If the DC was the only one at a site and you have no other computers at that site, then yes, you can delete the site.

Rowland
On 6/6/2018 10:02 AM, Rowland Penny via samba wrote:
> On Wed, 6 Jun 2018 15:40:48 +0200
> Ole Traupe via samba <samba at lists.samba.org> wrote:
>
>>
>> On 06.06.2018 14:44, lingpanda101 wrote:
>>>> ** SNIP **
>>>>
>>>> Actually, the DCs (resolv.conf) were pointing to each other
>>>> initially, and I think that was at least one root of the evil. I
>>>> think this advice in the Samba wiki actually is rather bad (and
>>>> unnecessary with Samba, as has been pointed out, before?).
>>> Using Bind I find it's necessary to point the DC to itself. I had
>>> no issues pointing to another DC with the internal DNS. The Wiki
>>> actually mentions best practice for a multi DC environment as it
>>> relates to a Windows setup. I do think it's unnecessary with Samba
>>> however.
> Just where does it say this ?
> I will fix it

Hi Rowland,

I'm referencing here under 'DNS Configuration on Domain Controllers':
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#DNS_Configuration_on_Domain_Controllers

"The following is a best practice for DNS configuration on domain controllers (DC): Set the local IP of a DC as secondary or tertiary nameserver entry in its /etc/resolv.conf file and use a different Active Directory (AD) DNS server IP from the forest as primary name server"

It's saying to point to each other as primary, which is best practice to avoid an island issue. I don't think it's really an issue with Samba though.

> Basically all you need is what is on the DC page:
>
> Configuring the DNS Resolver
>
> Domain members in an AD use DNS to locate services, such as LDAP and Kerberos. For that, they need to use a DNS server that is able to resolve the AD DNS zone.
>
> On your DC, set the AD DNS domain in the domain and the IP of your DC in the nameserver parameter of the /etc/resolv.conf file. For example:
>
> domain samdom.example.com
> nameserver 10.99.0.1
>
> ** SNIP **
> Rowland
>
>

-JAMES
On 06.06.2018 16:02, Rowland Penny via samba wrote:
>
> On your DC, set the AD DNS domain in the domain and the IP of your DC in the nameserver parameter of the /etc/resolv.conf file. For example:
>
> domain samdom.example.com
> nameserver 10.99.0.1

So "domain" and not "search"? I had "search" set due to the result of some discussion on the list.

>
>> I seem to remember having read here on the list that it is not a good
>> idea to mix Samba versions in a domain. If there is sound advice to
>> do it anyway, I would be up for trying it. However, as I have
>> written above, I messed up the uid/gid ranges. To my understanding,
>> later versions of Samba (like 4.5) _require_ the ranges to comply with
>> the defaults as denoted by the wiki.
> There is nothing to stop you using different versions on DCs and you
> can do the same with Unix domain members, unless you are using the 'ad'
> backend and are NOT using Domain Users as the users' Unix primary group.

Why and how would I _not_ do this?

> It is, however, best practice to use the same major version, just to get
> similar capabilities on all machines.
>
>> I will do that. I am using RSAT. Would I eradicate the complete site
>> associated with the dead DC? Or which containers/objects in
>> particular?
> If the DC was the only one at a site and you have no other computers at
> that site, then yes, you can delete the site.

No, there are other computers at the site, Windows clients and Linux members. I was able to remove the NTDS "connection" entry from Sites and Services. However, I wasn't able to remove the DC itself from Sites and Services or from "Domain Controllers" in ADUC. I get "Windows cannot delete object [...] because: The specified module could not be found."

>
> Rowland

Thanks a lot, Rowland!
Ole
On 06.06.2018 16:02, Rowland Penny via samba wrote:
>
>> I seem to remember having read here on the list that it is not a good
>> idea to mix Samba versions in a domain. If there is sound advice to
>> do it anyway, I would be up for trying it. However, as I have
>> written above, I messed up the uid/gid ranges. To my understanding,
>> later versions of Samba (like 4.5) _require_ the ranges to comply with
>> the defaults as denoted by the wiki.
> There is nothing to stop you using different versions on DCs and you
> can do the same with Unix domain members, unless you are using the 'ad'
> backend and are NOT using Domain Users as the users' Unix primary group.
> It is, however, best practice to use the same major version, just to get
> similar capabilities on all machines.
>

So in theory, if I hadn't messed up my id map ranges (domain groups start with 2000), and if I hadn't begun removing stuff manually, and if I wouldn't use Domain Users as primary group, I could have joined an up-to-date DC and used the new script for demoting the dead one.

I am not trying to sound sarcastic. I am trying to understand, and see whether perhaps there is still hope for such a maneuver.

Ole