On 06.06.2018 16:02, Rowland Penny via samba wrote:
>
> On your DC, set the AD DNS domain in the domain and the IP of your DC
> in the nameserver parameter of the /etc/resolv.conf file. For example:
>
> domain samdom.example.com
> nameserver 10.99.0.1

So "domain" and not "search"? I had "search" set due to the result of some discussion on the list.

>
>> I seem to remember having read here on the list, that it is no good
>> idea to mix samba versions in a domain. If there is sound advice to
>> do it anyways, I would be up for trying it. However, as I have
>> written above, I messed up the uid/gid ranges. To my understanding,
>> later versions of Samba (like 4.5) _require_ the ranges to comply to
>> the defaults as denoted by the wiki.
> There is nothing to stop you using different versions on DCs and you
> can do the same with Unix domain members, unless you are using the 'ad'
> backend and are NOT using Domain Users as the users Unix primary group.

Why and how would I _not_ do this?

> It is however, best practise to use the same major version, just to get
> similar capabilities on all machines.
>
>> I will do that. I am using RSAT. Would I eradicate the complete site
>> associated with the dead DC? Or which containers/objects in
>> particular?
> If the DC was the only one at a site and you have no other computers at
> that site, then yes you can delete the site.

No, there are other computers at the site, Windows clients and Linux members.

I was able to remove the NTDS "connection" entry from Sites and Services.

However, I wasn't able to remove the DC itself from Sites and Service as well as from "Domain Controllers" in ADUC. I get "Windows cannot delete object [...] because: The specified module could not be found."

>
> Rowland

Thanks a lot, Rowland!

Ole

On 6/6/2018 10:26 AM, Ole Traupe via samba wrote:
>
> On 06.06.2018 16:02, Rowland Penny via samba wrote:
>>
>> On your DC, set the AD DNS domain in the domain and the IP of your DC
>> in the nameserver parameter of the /etc/resolv.conf file. For example:
>>
>> domain samdom.example.com
>> nameserver 10.99.0.1
>
> So "domain" and not "search"? I had "search" set due to the result of
> some discussion on the list.
>
>>
>>> I seem to remember having read here on the list, that it is no good
>>> idea to mix samba versions in a domain. If there is sound advice to
>>> do it anyways, I would be up for trying it. However, as I have
>>> written above, I messed up the uid/gid ranges. To my understanding,
>>> later versions of Samba (like 4.5) _require_ the ranges to comply to
>>> the defaults as denoted by the wiki.
>> There is nothing to stop you using different versions on DCs and you
>> can do the same with Unix domain members, unless you are using the 'ad'
>> backend and are NOT using Domain Users as the users Unix primary group.
>
> Why and how would I _not_ do this?
>
>> It is however, best practise to use the same major version, just to get
>> similar capabilities on all machines.
>>
>>> I will do that. I am using RSAT. Would I eradicate the complete site
>>> associated with the dead DC? Or which containers/objects in
>>> particular?
>> If the DC was the only one at a site and you have no other computers at
>> that site, then yes you can delete the site.
>
> No, there are other computers at the site, Windows clients and Linux
> members.
>
> I was able to remove the NTDS "connection" entry from Sites and Services.
>
> However, I wasn't able to remove the DC itself from Sites and Service
> as well as from "Domain Controllers" in ADUC. I get "Windows cannot
> delete object [...] because: The specified module could not be found."
>
>>
>> Rowland
>
> Thanks a lot, Rowland!
>
> Ole

Ole,

Start in sites and services before attempting to delete from ADUC. After you deleted the NTDS settings, right click on the dead DC and choose properties, object and see if 'Protect from accidental deletion' is checked. If so uncheck and try again.

-JAMES

On 06.06.2018 16:41, lingpanda101 wrote:
> Ole,
>
> Start in sites and services before attempting to delete from ADUC.
> after you deleted the NTDS settings, right click on the dead DC and
> choose properties, object and see if 'Protect from accidental deletion'
> is checked. If so uncheck and try again.
>
> -JAMES

I did, and it is not protected.

Ole

On Wed, 6 Jun 2018 16:26:53 +0200 Ole Traupe via samba <samba at lists.samba.org> wrote:
>
> On 06.06.2018 16:02, Rowland Penny via samba wrote:
> >
> > On your DC, set the AD DNS domain in the domain and the IP of your
> > DC in the nameserver parameter of the /etc/resolv.conf file. For
> > example:
> >
> > domain samdom.example.com
> > nameserver 10.99.0.1
>
> So "domain" and not "search"? I had "search" set due to the result of
> some discussion on the list.

DOH! no it should be search and it now says so on the DC wikipage.

> >
> >> I seem to remember having read here on the list, that it is no good
> >> idea to mix samba versions in a domain. If there is sound advice to
> >> do it anyways, I would be up for trying it. However, as I have
> >> written above, I messed up the uid/gid ranges. To my understanding,
> >> later versions of Samba (like 4.5) _require_ the ranges to comply
> >> to the defaults as denoted by the wiki.
> > There is nothing to stop you using different versions on DCs and you
> > can do the same with Unix domain members, unless you are using the
> > 'ad' backend and are NOT using Domain Users as the users Unix
> > primary group.
>
> Why and how would I _not_ do this?

Perhaps I should have been a little more precise, you shouldn't use versions earlier than 4.6.0 with versions >= 4.6.0 on Unix domain members, if you also set 'idmap config <DOMAIN> : unix_primary_group yes' on the >= 4.6.0 machines.

>
> However, I wasn't able to remove the DC itself from Sites and Service
> as well as from "Domain Controllers" in ADUC. I get "Windows cannot
> delete object [...] because: The specified module could not be found."
>

You may have to remove it with ldbdelete, try an ldbsearch on the DC first, if you can find it, ldbdelete should be able to delete it.

Rowland

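Added example, not part of the original thread or of Samba: a small shell check that a DC's resolv.conf follows the corrected advice above (a `search` line naming the AD DNS domain, and the DC's own IP as the first `nameserver`). The function name `check_dc_resolv` is hypothetical, and the sample file is constructed from the values quoted in the thread.

```shell
# check_dc_resolv FILE AD_DOMAIN DC_IP   (hypothetical helper, not a Samba tool)
# Exit status 0 if FILE matches the advice in the thread, 1 otherwise.
# Prints one line per problem found.
check_dc_resolv() {
    awk -v dom="$2" -v ns="$3" '
        /^[#;]/ { next }                                # comment lines
        # resolv.conf(5): search and domain are mutually exclusive, last one wins
        $1 == "search" || $1 == "domain" { kw = $1; first = $2 }
        $1 == "nameserver" && ns1 == "" { ns1 = $2 }    # first resolver is queried first
        END {
            bad = 0
            if (kw != "search") {
                print "expected a search line, found: " (kw == "" ? "none" : kw)
                bad = 1
            }
            if (kw != "" && tolower(first) != tolower(dom)) {
                print "first search domain is " first ", expected " dom
                bad = 1
            }
            if (ns1 != ns) {
                print "first nameserver is " (ns1 == "" ? "none" : ns1) ", expected " ns
                bad = 1
            }
            exit bad
        }' "$1"
}

# Constructed sample: the file as first suggested in the thread ("domain", not "search")
sample=$(mktemp)
printf 'domain samdom.example.com\nnameserver 10.99.0.1\n' > "$sample"
check_dc_resolv "$sample" samdom.example.com 10.99.0.1 || true
rm -f "$sample"
```

On a real DC the first argument would be /etc/resolv.conf, with the domain and IP of that DC in place of the sample values.
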
On 06.06.2018 17:42, Rowland Penny via samba wrote:
> On Wed, 6 Jun 2018 16:26:53 +0200
> Ole Traupe via samba <samba at lists.samba.org> wrote:
>
>>
>> On 06.06.2018 16:02, Rowland Penny via samba wrote:
>>> On your DC, set the AD DNS domain in the domain and the IP of your
>>> DC in the nameserver parameter of the /etc/resolv.conf file. For
>>> example:
>>>
>>> domain samdom.example.com
>>> nameserver 10.99.0.1
>> So "domain" and not "search"? I had "search" set due to the result of
>> some discussion on the list.
> DOH! no it should be search and it now says so on the DC wikipage.
>
>>>> I seem to remember having read here on the list, that it is no good
>>>> idea to mix samba versions in a domain. If there is sound advice to
>>>> do it anyways, I would be up for trying it. However, as I have
>>>> written above, I messed up the uid/gid ranges. To my understanding,
>>>> later versions of Samba (like 4.5) _require_ the ranges to comply
>>>> to the defaults as denoted by the wiki.
>>> There is nothing to stop you using different versions on DCs and you
>>> can do the same with Unix domain members, unless you are using the
>>> 'ad' backend and are NOT using Domain Users as the users Unix
>>> primary group.
>> Why and how would I _not_ do this?
> Perhaps I should have been a little more precise, you shouldn't use
> versions earlier than 4.6.0 with versions >= 4.6.0 on Unix domain
> members, if you also set 'idmap config <DOMAIN> : unix_primary_group
> yes' on the >= 4.6.0 machines.
>
>> However, I wasn't able to remove the DC itself from Sites and Service
>> as well as from "Domain Controllers" in ADUC. I get "Windows cannot
>> delete object [...] because: The specified module could not be found."
>>
> You may have to remove it with ldbdelete, try an ldbsearch on the DC
> first, if you can find it, ldbdelete should be able to delete it.
>
> Rowland

Thank you for the clarifications and the additional advice. I will try that.

Ole