Hi,

Just to reiterate an important point, the 'domain backup' command is there to back up your domain information, not your DC.

If you still have a working domain, then you can recover any DC by simply rejoining it to the domain. Do not use backup/restore to recover an individual DC.

If you want to recover your entire domain (i.e. power off all your DCs and start again from scratch), then that's when you restore from a backup file.

So yes, it's still a good idea to do backups regardless of how many DCs you have running.

However, in this case, the backup file from only one of the DCs would ever be used to restore the domain. It's still fine to back up every DC, but the only real point of doing so is extra insurance in case the first backup file doesn't recover the domain properly.

See also: https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC

Cheers,
Tim

On 18/07/19 12:32 AM, Joachim Lindenberg via samba wrote:
> Afaik one is not supposed to ever restore a DC in case you are running multiple. Thus I am wondering why you want to do (online or not) backups at all.
> Or did that rule change?
> Regards, Joachim
>
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> on behalf of Ivan Juri?ic via samba
> Sent: Wednesday, 17 July 2019 13:39
> To: samba at lists.samba.org
> Subject: [Samba] domain backup online
>
> On my primary Samba AD DC server everything works OK when doing an online backup, but on my secondary server I get this error:
>
> ERROR(<type 'exceptions.IndexError'>): uncaught exception - list index out of range
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 237, in run
>     new_sid = get_sid_for_restore(remote_sam)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 73, in get_sid_for_restore
>     rid = int(res[0].get('rIDNextRID')[0])
>
>
> How to fix?
>
> Complete output:
>
> root@dc2:/var/log# samba-tool domain backup online --server=dc2.intra.mydomain.com --targetdir=/media/backup -Uadministrator@intra.mydomain.com
> workgroup is MYDOMAIN
> realm is intra.mydomain.com
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>
> A Kerberos configuration suitable for Samba AD has been generated at /media/backup/tmphyBvX0/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> Provision OK for domain DN DC=intra,DC=mydomain,DC=com
> Starting replication
> Using DS_BIND_GUID_W2K3
> Schema-DN[CN=Schema,CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[402/1618] linked_values[0/0]
> Partition[CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[804/1618] linked_values[0/0]
> Partition[CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[1206/1618] linked_values[0/0]
> Partition[CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[1608/1618] linked_values[0/0]
> Partition[CN=Configuration,DC=intra,DC=mydomain,DC=com] objects[1618/1618] linked_values[30/30]
> Replicating critical objects from the base DN of the domain
> Partition[DC=intra,DC=mydomain,DC=com] objects[98/98] linked_values[24/24]
> Partition[DC=intra,DC=mydomain,DC=com] objects[385/287] linked_values[28/28]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=intra,DC=mydomain,DC=com
> Partition[DC=DomainDnsZones,DC=intra,DC=mydomain,DC=com] objects[42/42] linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=intra,DC=mydomain,DC=com
> Partition[DC=ForestDnsZones,DC=intra,DC=mydomain,DC=com] objects[19/19] linked_values[0/0]
> Committing SAM database
> Setting isSynccomonized and dsServiceName
> Cloned domain MYDOMAIN (SID S-1-5-21-1643297388-1269305111-252802184)
> ERROR(<type 'exceptions.IndexError'>): uncaught exception - list index out of range
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 237, in run
>     new_sid = get_sid_for_restore(remote_sam)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 73, in get_sid_for_restore
>     rid = int(res[0].get('rIDNextRID')[0])
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
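The traceback quoted above ends at `rid = int(res[0].get('rIDNextRID')[0])`, and an IndexError there means the LDAP search over the DC's RID Set came back empty (or the attribute carried no value). The following Python model is added here as an illustration and is not Samba's own get_sid_for_restore(); it needs no samba/ldb modules, reproduces the failure on a constructed result set, and shows a guarded version that falls back to the start of the DC's rIDAllocationPool when no rIDNextRID is present. That the secondary DC's RID Set simply lacks rIDNextRID, and that the next free RID is rIDNextRID + 1, are assumptions the thread itself never states.

```python
# Added illustrative model of the step that failed in the traceback above,
# not Samba's own code. A search result is modelled as a list of dicts
# mapping attribute name -> list of string values, as ldb would return them.

# Domain SID printed by the failing run ("Cloned domain MYDOMAIN (SID ...)").
DOMAIN_SID = "S-1-5-21-1643297388-1269305111-252802184"


def decode_pool(pool):
    """Split a rIDAllocationPool LargeInteger: low 32 bits = first RID,
    high 32 bits = last RID of the pool (assumed AD layout)."""
    pool = int(pool)
    return pool & 0xFFFFFFFF, pool >> 32


def unsafe_next_rid(res):
    """The access exactly as in the traceback: no guard on an empty result."""
    return int(res[0].get('rIDNextRID')[0])


def raises_index_error(res):
    """True if the unguarded access fails the way the reported run did."""
    try:
        unsafe_next_rid(res)
    except IndexError:
        return True
    return False


def next_rid_for_restore(res):
    """Pick the RID a restored DC could use without colliding.
    Assumptions: rIDNextRID is the RID most recently handed out by this DC,
    so the next free one is rIDNextRID + 1; a DC that never allocated a RID
    has a pool but no rIDNextRID, so the first RID of its pool is free."""
    if not res:
        raise ValueError("no RID Set entry found; cannot choose a RID for restore")
    entry = res[0]
    pools = entry.get('rIDAllocationPool') or []
    if not pools:
        raise ValueError("RID Set carries no rIDAllocationPool")
    pool_low, pool_high = decode_pool(pools[0])
    next_vals = entry.get('rIDNextRID') or []
    rid = int(next_vals[0]) + 1 if next_vals else pool_low
    if not pool_low <= rid <= pool_high:
        raise ValueError("RID %d lies outside pool %d-%d" % (rid, pool_low, pool_high))
    return rid


def sid_for_restore(res, domain_sid=DOMAIN_SID):
    """Domain SID plus the chosen RID: the value the backup records for restore."""
    return "%s-%d" % (domain_sid, next_rid_for_restore(res))


# Constructed sample data, not taken from the thread.
POOL_1100_TO_1599 = str((1599 << 32) | 1100)
# A DC that has already created objects: the unguarded code works here.
HEALTHY_RID_SET = [{'rIDAllocationPool': [POOL_1100_TO_1599], 'rIDNextRID': ['1234']}]
# A DC whose RID Set has a pool but no rIDNextRID yet (assumed dc2 state).
FRESH_RID_SET = [{'rIDAllocationPool': [POOL_1100_TO_1599]}]
# What a search that requires rIDNextRID to exist returns for that DC: nothing.
EMPTY_RESULT = []
```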
On 18. 07. 2019. 04:49, Tim Beale wrote:
> Hi,
>
> Just to reiterate an important point, the 'domain backup' command is
> there to backup your domain information, not your DC.

Any good suggestion for making a full domain backup online (without stopping the service)?

> If you still have a working domain, then you can recover any DC by
> simply rejoining it to the domain. Do not use backup/restore to recover
> an individual DC.

The domain works, I just want an extra backup.

> If you want to recover your entire domain (i.e. power off all your DCs
> and start again from scratch), then that's when you restore from a
> backup file.

Any better way to recover the domain? I have about 1500 accounts in my domain and if I go from scratch I will be in a big mess with users and their profiles.

> So yes, it's still a good idea to do backups regardless of how many DCs
> you have running.

I have dc1 (main) and dc2 (secondary).

> However, in this case, the backup file from only one of the DCs would
> ever be used to restore the domain. It's still fine to backup every DC,
> but the only real point of doing so is extra insurance in case the first
> backup file doesn't recover the domain properly.
>
> See also:
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC
>
> Cheers,
> Tim
>
> On 18/07/19 12:32 AM, Joachim Lindenberg via samba wrote:
>> Afaik one is not supposed to ever restore a DC in case you are running multiple. Thus I am wondering why you want to do (online or not) backups at all.
>> Or did that rule change?
Hi Tim,

thanks for the clarification. I am wondering why that statement is not prominently on the wiki page you reference.

Ivan, online backup of Linux systems (without LVM snapshots) is imho a disaster of its own (unless you tweak your installation to use LVM snapshots), as is full system encryption (at least if you don't like to enter passphrases during every restart). Therefore I am running my DCs as virtual machines on Hyper-V, which supports encryption via Bitlocker and consistent backup (using my own software) of the entire Hyper-V including all virtual machines. For Windows guests this triggers the standard VSS integration, for Linux guests it is only fsync, but that is actually more likely consistent than most Linux backup tools.

Best Regards,
Joachim

-----Original Message-----
From: Tim Beale <timbeale at catalyst.net.nz>
Sent: Thursday, 18 July 2019 04:50
To: Joachim Lindenberg <samba at lindenberg.one>; 'Ivan Juri?i?' <ivan at jurisic.org>; samba at lists.samba.org
Subject: Re: [Samba] domain backup online
On 18/07/2019 07:11, Ivan Juri?i? via samba wrote:
> On 18. 07. 2019. 04:49, Tim Beale wrote:
>> Hi,
>>
>> Just to reiterate an important point, the 'domain backup' command is
>> there to backup your domain information, not your DC.
> Any good suggestion for making a full domain backup online (without
> stopping the service)?
>> If you still have a working domain, then you can recover any DC by
>> simply rejoining it to the domain. Do not use backup/restore to recover
>> an individual DC.
> The domain works, I just want an extra backup.

OK, what Tim pointed out is, when you run the samba-tool backup command, you are backing up the domain data, not an individual DC.

Whilst you have one working DC, you do not need any backups; you should demote any non-working DCs (forcibly if necessary) and create new DCs.

You only need a backup if you suffer a catastrophic failure and need to rebuild your entire domain. With good backups, you should be able to rebuild your domain.

Note that the samba-tool backup tools will not back up any data in shares other than the default ones created by a provision or join. You will need to back these up separately.

You only really need to back up on one DC, but backing up other DCs for redundancy reasons will not hurt.

Rowland
On 2019-07-18 18:11, Ivan Juri?i? wrote:
> On 18. 07. 2019. 04:49, Tim Beale wrote:
>
>> Just to reiterate an important point, the 'domain backup' command is
>> there to backup your domain information, not your DC.
> Any good suggestion for making a full domain backup online (without
> stopping the service)?

The online backup is a full backup of your domain. You do not have to stop the Samba services to make an online backup.

>> If you want to recover your entire domain (i.e. power off all your
>> DCs and start again from scratch), then that's when you restore from a
>> backup file.
>
> Any better way to recover the domain? I have about 1500 accounts in my
> domain and if I go from scratch I will be in a big mess with users and
> their profiles.

You only start from scratch with respect to your DCs. The ~1500 user accounts are all stored in your backup file. So when you restore the backup, those users will all be present on the restored DC.

The point I'm trying to make is you don't use the backup file when you need to recover a single DC. You use it when you need to recover *all* your DCs, i.e. your entire domain.

The AD domain database is distributed across the DCs. For example, let's say an admin inadvertently modifies or deletes an object in the database that breaks an AD service. This database change gets replicated out to all DCs, so now the service is broken across the whole domain. You can't just replace a DC to fix the problem, because the new DC will just end up with another distributed copy of the same broken database. If you don't know which of the 1000s of database objects is incorrect, the simplest solution might be to roll back to a known working copy of the domain database. This is where the 'samba-tool domain backup restore' command comes in.

You can't have two separate copies of the same domain database, so first you need to stop all the DCs that are using the broken copy of the domain database. Next, you restore a new/repurposed DC with the backed-up 'good' copy of the domain database. Then you rejoin the DCs and they receive the good copy of the database as well.

Note that you have to rejoin all the DCs - you can't just restart samba on the old DCs. Restarting samba (rather than rejoining) will mean the DC still uses the old broken copy of the database. You will then have two different domain databases in use, DCs operating at cross-purposes, and the whole thing will be a complete mess.