Stefan G. Weichinger
2019-Nov-26 20:23 UTC
[Samba] 4.9.x -> 4.10.x : any major things to consider?
On 26.11.19 at 20:53, Stefan G. Weichinger via samba wrote:
> On 26.11.19 at 20:50, Rowland penny via samba wrote:
>> On 26/11/2019 19:44, Stefan G. Weichinger via samba wrote:
>>> On 26.11.19 at 20:39, Rowland penny via samba wrote:
>>>
>>>>> I assume I have to start over: demote that DC2 etc
>>>>>
>>>>> Should have left office when I could an hour ago.
>>>>>
>>>> Definitely sounds like you should, you are probably tired and it is
>>>> easy to make mistakes when you are tired.
>>> So you suggest to let the domain run on ADC1 only ... and do the
>>> demoting etc tmrw ?
>>>
>>> Sounds right. Although it would also feel good to fix it before bed.
>>>
>> If the domain is going to get little use overnight, then yes, you could
>> do this, but I was really referring to not doing things when you are
>> tired ;-)
>>
>> If you are going to let the domain run overnight on one DC, then I would
>> demote the second DC before you go home ;-)
>
> I *am* at home, that's even more sad ;-)
>
> And why not "rejoin" as well ... ?

I think I won't demote right now and just leave it as it is. So far the
shares etc work fine ...

the samba-ad-dc.service doesn't even start so I assume it won't make
much difference (no communication anyway)? I could shut down the whole
server.

-

I plan to demote DC2 ("adc2"= hostname) remotely tomorrow.

After that I would like to learn how to re-add it.

https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC#Demoting_an_Offline_Domain_Controller

says:

"You must not reconnect a DC to the network, that was demoted remotely.
Your AD can get inconsistent."

which scares me a bit. What does that mean exactly? I have to reconnect
with the same old hostname, but is it sufficient if I clear
adc2:/var/lib/samba before to make it a brand new machine?

thanks all, good night and good backups
Rowland penny
2019-Nov-26 20:37 UTC
[Samba] 4.9.x -> 4.10.x : any major things to consider?
On 26/11/2019 20:23, Stefan G. Weichinger via samba wrote:
> On 26.11.19 at 20:53, Stefan G. Weichinger via samba wrote:
>> On 26.11.19 at 20:50, Rowland penny via samba wrote:
>>> On 26/11/2019 19:44, Stefan G. Weichinger via samba wrote:
>>>> On 26.11.19 at 20:39, Rowland penny via samba wrote:
>>>>
>>>>>> I assume I have to start over: demote that DC2 etc
>>>>>>
>>>>>> Should have left office when I could an hour ago.
>>>>>>
>>>>> Definitely sounds like you should, you are probably tired and it is
>>>>> easy to make mistakes when you are tired.
>>>> So you suggest to let the domain run on ADC1 only ... and do the
>>>> demoting etc tmrw ?
>>>>
>>>> Sounds right. Although it would also feel good to fix it before bed.
>>>>
>>> If the domain is going to get little use overnight, then yes, you could
>>> do this, but I was really referring to not doing things when you are
>>> tired ;-)
>>>
>>> If you are going to let the domain run overnight on one DC, then I would
>>> demote the second DC before you go home ;-)
>> I *am* at home, that's even more sad ;-)
>>
>> And why not "rejoin" as well ... ?
> I think I won't demote right now and just leave it as it is. So far the
> shares etc work fine ...
>
> the samba-ad-dc.service doesn't even start so I assume it won't make
> much difference (no communication anyway)? I could shut down the whole
> server.
>
> -
>
> I plan to demote DC2 ("adc2"= hostname) remotely tomorrow.
>
> After that I would like to learn how to re-add it.
>
> https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC#Demoting_an_Offline_Domain_Controller
>
> says:
>
> "You must not reconnect a DC to the network, that was demoted remotely.
> Your AD can get inconsistent."
>
> which scares me a bit. What does that mean exactly? I have to reconnect
> with the same old hostname, but is it sufficient if I clear
> adc2:/var/lib/samba before to make it a brand new machine?
>
> thanks all, good night and good backups

Ah, that could be worded better ;-)

What it means is:

If a DC fails for some reason and is stopped and then demoted on another DC (the failed DC is no longer a DC), you must not simply fix the old DC and restart it. This is because the domain no longer recognises the demoted DC, but it will still think it is a DC and will try to replicate to and from the domain, this will destroy your domain.

Rowland
Stefan G. Weichinger
2019-Nov-26 20:54 UTC
[Samba] 4.9.x -> 4.10.x : any major things to consider?
On 26.11.19 at 21:37, Rowland penny via samba wrote:
> Ah, that could be worded better ;-)
>
> What it means is:
>
> If a DC fails for some reason and is stopped and then demoted on another
> DC (the failed DC is no longer a DC), you must not simply fix the old DC
> and restart it. This is because the domain no longer recognises the
> demoted DC, but it will still think it is a DC and will try to replicate
> to and from the domain, this will destroy your domain.

So if I not only fix DC-old but install it from scratch (= clean /var/lib/samba ... anything else?) that will work?