On 18/07/19 12:33, Rowland penny via samba wrote:
> I would clone the DC you want to keep, move the clone away from the
> domain (easiest way, unplug the ethernet) then remove the old dead DC
> from this and ensure it works. If you want to use Bind9 and don't have
> the 'dns-*' user, then run samba-upgradedns as I said earlier.
>
> Once you are sure just what to do, turn off the DC you don't want and
> then carry out the clean up procedure you used on the clone. This
> should get you back to just one DC.
>
> Rowland

A bit more clarification and background info.

Dc1 is a physical server running tonnes of critical stuff.
It can't easily be cloned or even disconnected.
It was set up before my time and for years the company had only one domain controller.

The problem is that the dc1 server is a single point of failure.

I have already deployed a Proxmox stack which will provide much more redundancy.
It will also allow me to decouple the numerous services of the dc1 server and run them in separate LXC containers.

Once everything is migrated I'm still planning to have a single domain controller since the hosting environment itself will be very resilient.

My plan is to:
1. Demote dc2 and make dc1 forget about it
2. Annihilate dc2
3. Gradually fix all config problems on dc1
4. Deploy a brand new dc3 LXC container running a newer samba version
5. Replicate AD from dc1 to dc3 and test
6. Dcpromo dc3 to own all roles
7. Annihilate dc1

That's quite a few steps but I'm still badly stuck on no 1 :(

Adam
On 18/07/2019 12:55, Adam Weremczuk via samba wrote:
> On 18/07/19 12:33, Rowland penny via samba wrote:
>
>> I would clone the DC you want to keep, move the clone away from the
>> domain (easiest way, unplug the ethernet) then remove the old dead DC
>> from this and ensure it works. If you want to use Bind9 and don't
>> have the 'dns-*' user, then run samba-upgradedns as I said earlier.
>>
>> Once you are sure just what to do, turn off the DC you don't want and
>> then carry out the clean up procedure you used on the clone. This
>> should get you back to just one DC.
>>
>> Rowland
>
> A bit more clarification and background info.
>
> Dc1 is a physical server running tonnes of critical stuff.
> It can't easily be cloned or even disconnected.
> It was set up before my time and for years the company had only one
> domain controller.

Very bad move, and you have been asked to pick up the pieces.

> The problem is dc1 server is a single point of failure.

And it appears to have failed.

> I have already deployed a Proxmox stack which will provide much more
> redundancy.
> It will also allow to decouple numerous various services of dc1 server
> and run them in separate LXC containers.

I do hope (if you are going to be running Bind9) that the Samba DC and Bind9 will run in the same container.

> Once everything is migrated I'm still planning to have a single domain
> controller since the hosting environment itself will be very resilient.
>
> My plan is to:
> 1. Demote dc2 and make dc1 forget about it
> 2. Annihilate dc2
> 3. Gradually fix all config problems on dc1
> 4. Deploy brand new dc3 LXC container running newer samba version
> 5. Replicate AD from dc1 to dc3 and test
> 6. Dcpromo dc3 to own all roles
> 7. Annihilate dc1
>
> That's quite a few steps but I'm still badly stuck on no 1 :(

OK, from my understanding DC1 is using the internal dns and DC2 is using Bind9.

I would ensure your clients only use DC1, turn off Bind9 on DC2 and then run samba-upgradedns to use the internal dns server; this will cure one of your problems. You may have to delete the 'dns-dc2' user manually. There is more to it than just renaming 'dns-dc2' to 'dns-dc1'.

If you then want to demote DC2, you will need to get into idmap.ldb and make some changes. I would start by trying to change the FSMO role holders to DC1; the ultimate aim will be to get replication working. Speaking of which, have you tried this command:

samba-tool drs replicate ldap://DC2 ldap://DC1 all

Rowland
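The clean-up Rowland sketches above (get the FSMO roles onto the surviving DC, then make it forget DC2 and drop the leftover dns-* account) as an added example script; this is not code from the thread or from the Samba project. The samba-tool subcommands and their options are the real ones; the host names dc1/dc2, the dns-dc2 account name and the DRY_RUN convention are assumptions for the illustration. It does not cover the idmap.ldb edits Rowland mentions.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: remove a dead
# DC (dc2) from the domain while working on the surviving DC (dc1), i.e.
# step 1 of the plan above. Host names, the dns-dc2 account name and the
# DRY_RUN switch are assumptions; the samba-tool subcommands are real.
# DRY_RUN=1 (the default) prints each command instead of executing it.
set -eu

DEAD_DC="${DEAD_DC:-dc2}"       # assumed short host name of the DC to drop
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it. `set -e` makes a
# failing samba-tool call abort the rest of the sequence.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: take every FSMO role on this DC. Seize rather than transfer, since
# the other DC may never answer; --force skips the transfer attempt.
seize_roles() {
    run samba-tool fsmo seize --role=all --force
}

# Step 2: delete the dead DC's NTDS settings, server, computer and DNS
# objects from the local copy of the directory. This is only for a DC that
# can no longer be contacted; a reachable DC is demoted on itself instead.
remove_dead_dc() {
    run samba-tool domain demote --remove-other-dead-server="$DEAD_DC"
}

# Step 3: the dead DC's DNS service account survives the removal above and
# has to be deleted by hand (the 'dns-dc2' user Rowland refers to).
delete_dns_account() {
    run samba-tool user delete "dns-$DEAD_DC"
}

# Step 4: confirm the roles sit here, no replication partner still names
# the dead DC, and the database is internally consistent.
verify() {
    run samba-tool fsmo show
    run samba-tool drs showrepl
    run samba-tool dbcheck --cross-ncs
}

cleanup_dead_dc() {
    seize_roles
    remove_dead_dc
    delete_dns_account
    verify
}

# Review the printed plan first (DRY_RUN=1), then re-run as root on dc1 with
# DRY_RUN=0 once you are satisfied with it.
cleanup_dead_dc
```

Only use the dead-server removal when dc2 is genuinely unreachable; if dc2 can still talk to dc1, a regular `samba-tool domain demote` run on dc2 itself is the cleaner route, since it also cleans up after itself. Take a backup of the private directory on dc1 before switching DRY_RUN off, because the seize and the removal are not reversible from the command line.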
On 18/07/19 13:19, Rowland penny via samba wrote:
> OK, from my understanding DC1 is using the internal dns and DC2 is
> using Bind9.

It's the other way round.
On dc1 port 53 is mapped to /usr/sbin/named -u bind.
On dc2 it's /usr/sbin/samba.

I wasn't sure what to do when I deployed dc2.
I remember installing bind9 on dc2 but then purging it.

BTW - does it matter for replication which backend is being used?
Or is everything expected to fully populate regardless of the DNS backend choice?

> I would ensure your clients only use DC1

What's the best way to achieve it? Through a local firewall?

> turn off Bind9 on DC2 and then run samba-upgradedns to use the
> internal dns server, this will cure one of your problems. You may have
> to delete the 'dns-dc2' user manually. There is more to it than just
> renaming 'dns-dc2' to 'dns-dc1'.
>
> If you then want to demote DC2, you will need to get into idmap.ldb
> and make some changes, I would start by trying to change the FSMO role
> holders to DC1, the ultimate aim will be to get replication working
>

I thought the plan was to forcefully demote dc2, and dc1 suffers from too many config issues to rely on replication.

> speaking of which, have you tried this command:
>
> samba-tool drs replicate ldap://DC2 ldap://DC1 all

Is it safe to run knowing data on both might be over a week out of sync?
What's the worst that can happen?