I have fixed it.
It seems to work.
Just for documentation:
- demote dc2 from AD (the online AND offline way) [1]
- Remove nearly all files in .../samba/private/* (first of all *ldb and
*tdb files, dns and so on. I have left the keytab and named.conf untouched.)
- stop samba and bind on dc2 and power off the machine
- restore backup from dc1
- demote dc2 from AD on DC1 (the offline way) [1]
- test dns (dig ... @dc1.samdom.example.com) and in RSAT
- start dc2 and join as domain controller [2]
- sync AD from dc1 to dc2 with option --sync-full [3]
- test dns again (dig ... @dc1.samdom.example.com and dig ... @dc2.samdom.example.com)
- test login and network shares on Windows (test this with a user who has
never logged on at this machine. The first time I got an error: "the
registration of the service user profile service failed"; after rebooting
Windows it works)
[1] https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC#Demoting_an_Offline_Domain_Controller
[2] https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
[3] https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions
Thanks a lot Rowland and L.P.H.
Best Regards,
On 17.01.19 16:57, Rowland Penny via samba wrote:
> On Thu, 17 Jan 2019 16:33:16 +0100
> basti via samba <samba at lists.samba.org> wrote:
>
>> On 17.01.19 16:22, Rowland Penny via samba wrote:
>>
>>> Rule 1, if you have another running DC, do not recover a DC from a
>>> backup.
>>
>> I see. I have recovered the backup a second time in a test env without
>> network. Now it looks OK.
>>
>> my plan:
>>
>> 1. shutdown dc2
>> 2. start dc1 with network
>>
>> 3. and now ??? can I already start dc2?
>>
>> Or should I start it without network and delete all DNS entries?
>> I think when I update/add or delete a DNS entry on dc1 before I start
>> dc2 the SOA serial should increase
>>
>> What is your opinion, Rowland?
>>
>
> The problem with backups is, they quickly become old. If you apply a
> backup to a DC, it will become the DC at the time the backup was taken,
> if you now start this up in a domain with another DC in it, the two DCs
> will not be in sync, at this point, I think replication hell will set
> in.
>
> If DC2 is working okay, then leave it alone, demote DC1 and start again
> by joining a new DC.
>
> You should only use backups as a last resort and then only to restore
> one DC, which you should then seize all the FSMO roles to, and then
> join other new DCs to this.
>
> Rowland
>
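A check for the "test dns again" steps above, added here as an example and not taken from this thread or from the Samba project: it compares the SOA serial of the AD DNS zone as served by dc1 and dc2 (host names from the thread). The parsing functions take dig output as text, so they can be exercised without a live DC; the hint printed on mismatch names samba-tool drs commands from the Samba wiki pages linked above.

```shell
#!/bin/sh
# Added example, not from the samba list thread. After re-joining dc2 and
# running the --sync-full replication, compare the zone's SOA serial as
# answered by each DC: a lagging serial on one DC means that DC has not
# yet received the latest DNS changes. Zone and host names are assumed
# from the thread (samdom.example.com, dc1, dc2).

ZONE="samdom.example.com"
DC1="dc1.samdom.example.com"
DC2="dc2.samdom.example.com"

# Extract the serial (3rd field) from 'dig +short SOA' output, which looks like:
#   dc1.samdom.example.com. hostmaster.samdom.example.com. 42 900 600 86400 3600
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 { print $3; exit }'
}

# Return 0 when both answers carry a serial and the serials are equal, 1 otherwise.
serials_match() {
    s1=$(soa_serial "$1")
    s2=$(soa_serial "$2")
    [ -n "$s1" ] && [ "$s1" = "$s2" ]
}

# Live check: query both DCs and report. Needs dig (bind9-dnsutils / bind-utils).
check_zone() {
    out1=$(dig +short SOA "$ZONE" "@$DC1")
    out2=$(dig +short SOA "$ZONE" "@$DC2")
    if serials_match "$out1" "$out2"; then
        echo "OK: $ZONE serial $(soa_serial "$out1") on both DCs"
    else
        echo "MISMATCH: dc1=$(soa_serial "$out1") dc2=$(soa_serial "$out2")"
        echo "hint: run 'samba-tool drs showrepl' on each DC, then"
        echo "      'samba-tool drs replicate <dest> <src> <partition> --sync-full'"
        return 1
    fi
}

# Only query the network when asked to, so the functions can be sourced for testing.
if [ "${1:-}" = "--live" ]; then
    check_zone
fi
```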