On 30.08.19 11:01, Andrew Bartlett wrote:
> On Fri, 2019-08-30 at 10:56 +0200, Stefan G. Weichinger via samba
> wrote:
>> I happily and trustfully use Louis' backup-script from
>>
>> https://github.com/thctlo/samba4
>>
>> to dump AD content via cronjob.
>>
>> Is it necessary/recommended to do that on *each* samba DC? Is there
>> something server-specific in the dump(s) or is it enough to do that
>> once
>> per domain?
>
> I'm very sorry to advise that this script is not race-free in the
> locking done on the AD databases, which is why we have written the
> 'samba-tool domain backup offline' tool which holds the correct locks.

Thanks for the info, I will write another cronjob using that tool.

> You should only need to back up the domain on one DC as long as you are
> confident the DC is correctly synchronised, including sysvol.

Ok, fine. IMO I would set that up on the DC holding the FSMO roles?

On 30/08/2019 10:14, Stefan G. Weichinger via samba wrote:
> On 30.08.19 11:01, Andrew Bartlett wrote:
>> On Fri, 2019-08-30 at 10:56 +0200, Stefan G. Weichinger via samba
>> wrote:
>>> I happily and trustfully use Louis' backup-script from
>>>
>>> https://github.com/thctlo/samba4
>>>
>>> to dump AD content via cronjob.
>>>
>>> Is it necessary/recommended to do that on *each* samba DC? Is there
>>> something server-specific in the dump(s) or is it enough to do that
>>> once
>>> per domain?
>> I'm very sorry to advise that this script is not race-free in the
>> locking done on the AD databases, which is why we have written the
>> 'samba-tool domain backup offline' tool which holds the correct locks.
> Thanks for the info, I will write another cronjob using that tool.

Be prepared to put your administrator's password in the cronjob

>
>> You should only need to back up the domain on one DC as long as you are
>> confident the DC is correctly synchronised, including sysvol.
> Ok, fine. IMO I would set that up on the DC holding the FSMO roles?

That would probably be a good decision, though you could use any DC, you
will be backing up the domain and not the DC.

Rowland

On Fri, 2019-08-30 at 10:20 +0100, Rowland penny via samba wrote:
> On 30/08/2019 10:14, Stefan G. Weichinger via samba wrote:
> > On 30.08.19 11:01, Andrew Bartlett wrote:
> > > On Fri, 2019-08-30 at 10:56 +0200, Stefan G. Weichinger via samba
> > > wrote:
> > > > I happily and trustfully use Louis' backup-script from
> > > >
> > > > https://github.com/thctlo/samba4
> > > >
> > > > to dump AD content via cronjob.
> > > >
> > > > Is it necessary/recommended to do that on *each* samba DC? Is there
> > > > something server-specific in the dump(s) or is it enough to do that
> > > > once
> > > > per domain?
> > > I'm very sorry to advise that this script is not race-free in the
> > > locking done on the AD databases, which is why we have written the
> > > 'samba-tool domain backup offline' tool which holds the correct locks.
> > Thanks for the info, I will write another cronjob using that tool.
> Be prepared to put your administrator's password in the cronjob

The offline backup does not require a password, only root privileges.

While not tested or intended, it would not shock me if the online tool
operated successfully with --machine-pass set, to use the DC's own
password (assuming running on a DC).

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

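A root cron wrapper around the 'samba-tool domain backup offline' command discussed above, as an added example that is not from the thread or from the Samba project. The script name, TARGETDIR, KEEP and the SAMBA_TOOL override are assumptions; it keeps the archives readable by root only and prunes old ones only after a successful run.

```shell
#!/bin/sh
# Added example: root cron wrapper for 'samba-tool domain backup offline'.
# Usage (e.g. from root's crontab): samba-ad-backup TARGETDIR [KEEP]
# Script name, TARGETDIR and KEEP are assumptions of this sketch.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # overridable so the wrapper can be tested

# Create the target directory readable by root only: the archive holds a
# copy of the AD databases, so nobody else should be able to read it.
prepare_dir() {
    umask 077
    mkdir -p "$1" && chmod 700 "$1"
}

# Keep the newest $2 entries in the dedicated backup directory $1.
prune_old() {
    ls -1t "$1" | tail -n +"$(( $2 + 1 ))" | while IFS= read -r f; do
        rm -f -- "$1/$f"
    done
}

# Take one offline backup; prune only when the backup itself succeeded,
# so a failing run never deletes the last good archives.
run_backup() {
    dir=$1
    keep=${2:-7}
    prepare_dir "$dir" || return 1
    if ! "$SAMBA_TOOL" domain backup offline --targetdir="$dir"; then
        echo "samba-ad-backup: backup failed, keeping existing archives" >&2
        return 1
    fi
    prune_old "$dir" "$keep"
}

main() {
    # The offline backup needs root, not a domain password.
    if [ "$(id -u)" -ne 0 ]; then
        echo "samba-ad-backup: must run as root" >&2
        return 1
    fi
    run_backup "$@"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because no password is involved, the crontab entry carries no credentials; only the target directory needs protecting.
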
On 30.08.19 11:20, Rowland penny via samba wrote:
>> Ok, fine. IMO I would set that up on the DC holding the FSMO roles?
>
> That would probably be a good decision, though you could use any DC, you
> will be backing up the domain and not the DC.

Sure, I just thought that this would be somehow the source of all
syncing and therefore the best source for the backup.