On 2/10/2024, 3:43 PM, "samba on behalf of bd730c5053df9efb via samba" <samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote:

On Tuesday, September 24th, 2024 at 15:29, bd730c5053df9efb via samba <samba at lists.samba.org> wrote:
> Hi all!
>
> I demoted a Samba 4.10.8 (Slackware 14.2) AD DC called DC1 and joined to
> the domain a Samba 4.20.4 (Debian 12.7) called DC3. There is also a Samba
> 4.18.9 (Slackware 15.0) AD DC called DC2 which for the moment holds all
> the FSMO roles. The whole replacing an AD DC with another one worked out
> great but when I run the command samba-tool dbcheck --cross-ncs on DC2 I
> got 3 "NOTES" and 2 "WARNING" stating (the DN has been obscured and
> "513a2ea7-9ad8-496f-93db-2532cc6e9c45" was the GUID of DC1):
> Checking 4694 objects
> NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:513a2ea7-9ad8-496f-93db-2532cc6e9c45,CN=DC1\0ADEL:3ccd9bf3-e19a-49d9-a1a1-6afe151b72b3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com - CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
> Not fixing old string component
> WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=7e37a80b-2ead-4031-8acc-6f995ef154aa,CN=Partitions,CN=Configuration,DC=ad,DC=samdom,DC=com - <GUID=513a2ea7-9ad8-496f-93db-2532cc6e9c45>;<RMD_ADDTIME=132153595350000000>;<RMD_CHANGETIME=132153595350000000>;<RMD_FLAGS=0>;<RMD_INVOCID=3bbdc703-999b-4163-9d34-66692d318854>;<RMD_LOCAL_USN=4729>;<RMD_ORIGINATING_USN=3707>;<RMD_VERSION=1>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
>
> Target GUID points at deleted DN 'CN=NTDS Settings\\0ADEL:513a2ea7-9ad8-496f-93db-2532cc6e9c45,CN=DC1\\0ADEL:3ccd9bf3-e19a-49d9-a1a1-6afe151b72b3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com'
> Not removing
> WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=c178fbfd-d5dc-42fe-88d1-1a03f5e4222a,CN=Partitions,CN=Configuration,DC=ad,DC=samdom,DC=com - <GUID=513a2ea7-9ad8-496f-93db-2532cc6e9c45>;<RMD_ADDTIME=132153595350000000>;<RMD_CHANGETIME=132153595350000000>;<RMD_FLAGS=0>;<RMD_INVOCID=3bbdc703-999b-4163-9d34-66692d318854>;<RMD_LOCAL_USN=4727>;<RMD_ORIGINATING_USN=3715>;<RMD_VERSION=1>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
>
> Target GUID points at deleted DN 'CN=NTDS Settings\\0ADEL:513a2ea7-9ad8-496f-93db-2532cc6e9c45,CN=DC1\\0ADEL:3ccd9bf3-e19a-49d9-a1a1-6afe151b72b3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com'
> Not removing
> NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=ee52ad50-8b1e-4597-bb00-8000af11ba33\0ADEL:b1d22847-24b7-4aeb-954a-6efc0078447a,CN=Deleted Objects,CN=Configuration,DC=ad,DC=samdom,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
> Not fixing old string component
> NOTE: old (due to rename or delete) DN string component for rIDSetReferences in object CN=DC1,CN=Computers,DC=ad,DC=samdom,DC=com - CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=samdom,DC=com
> Not fixing old string component
> Checked 4694 objects (2 errors)
>
> So, after this I executed the command samba-tool dbcheck --cross-ncs --fix
> but as I wasn't sure about what it would do I answered "N" to all
> the questions, here is the transcript of the command:
> Checking 4694 objects
> NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:513a2ea7-9ad8-496f-93db-2532cc6e9c45,CN=DC1\0ADEL:3ccd9bf3-e19a-49d9-a1a1-6afe151b72b3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com - CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
> Change DN to <GUID=3ccd9bf3-e19a-49d9-a1a1-6afe151b72b3>;CN=DC1\0ADEL:3ccd9bf3-e19a-49d9-a1a1-6afe151b72b3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com? [y/N/all/none]
>
> Not fixing old string component
> WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=7e37a80b-2ead-4031-8acc-6f995ef154aa,CN=Partitions,CN=Configuration,DC=ad,DC=samdom,DC=com - <GUID=513a2ea7-9ad8-496f-93db-2532cc6e9c45>;<RMD_ADDTIME=132153595350000000>;<RMD_CHANGETIME=132153595350000000>;<RMD_FLAGS=0>;<RMD_INVOCID=3bbdc703-999b-4163-9d34-66692d318854>;<RMD_LOCAL_USN=4729>;<RMD_ORIGINATING_USN=3707>;<RMD_VERSION=1>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
>
> Target GUID points at deleted DN 'CN=NTDS Settings\\0ADEL:513a2ea7-9ad8-496f-93db-2532cc6e9c45,CN=DC1\\0ADEL:3ccd9bf3-e19a-49d9-a1a1-6afe151b72b3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com'
> Remove stale DN link? [y/N/all/none]
> Not removing
> WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=c178fbfd-d5dc-42fe-88d1-1a03f5e4222a,CN=Partitions,CN=Configuration,DC=ad,DC=samdom,DC=com - <GUID=513a2ea7-9ad8-496f-93db-2532cc6e9c45>;<RMD_ADDTIME=132153595350000000>;<RMD_CHANGETIME=132153595350000000>;<RMD_FLAGS=0>;<RMD_INVOCID=3bbdc703-999b-4163-9d34-66692d318854>;<RMD_LOCAL_USN=4727>;<RMD_ORIGINATING_USN=3715>;<RMD_VERSION=1>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
>
> Target GUID points at deleted DN 'CN=NTDS Settings\\0ADEL:513a2ea7-9ad8-496f-93db-2532cc6e9c45,CN=DC1\\0ADEL:3ccd9bf3-e19a-49d9-a1a1-6afe151b72b3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com'
> Remove stale DN link? [y/N/all/none]
> Not removing
> NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=ee52ad50-8b1e-4597-bb00-8000af11ba33\0ADEL:b1d22847-24b7-4aeb-954a-6efc0078447a,CN=Deleted Objects,CN=Configuration,DC=ad,DC=samdom,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
> Change DN to <GUID=513a2ea7-9ad8-496f-93db-2532cc6e9c45>;CN=NTDS Settings\0ADEL:513a2ea7-9ad8-496f-93db-2532cc6e9c45,CN=DC1\0ADEL:3ccd9bf3-e19a-49d9-a1a1-6afe151b72b3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com? [y/N/all/none]
>
> Not fixing old string component
> NOTE: old (due to rename or delete) DN string component for rIDSetReferences in object CN=DC1,CN=Computers,DC=ad,DC=samdom,DC=com - CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=samdom,DC=com
> Change DN to <GUID=1acf56eb-0283-4a67-9970-91fa433885bd>;CN=RID Set,CN=DC1,CN=Computers,DC=ad,DC=samdom,DC=com? [y/N/all/none]
>
> Not fixing old string component
> Checked 4694 objects (2 errors)
>
> I ask someone with more experience with this command, would it be safe to
> answer Y to these questions?
>
> Thanks in advance!
> Best regards,
> Dave.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hi all!

I am answering myself just in case someone comes here looking for this. I
took a snapshot of the VMs where the DCs are running before running the fix,
just in case. I ran the "samba-tool dbcheck --cross-ncs --fix" command and
answered Y to the questions, and everything seems to be working OK.

Best regards.
Dave.

This only works reliably if you have no other replicas...

In the past, with VMs, I always shut them all down to "cold", then do a
snapshot, then if needed bring them ALL back to point in time with master
back first.

Anything else can lead to corruption. Also, when doing this VM point in
time, be aware the VM clock will be wrong and as such clients will
deauthenticate if the epoch is too far.

Finally, if you are using the VM as a time server, it will issue bad epoch
to all clients until it gets synced back to current time.

Generally I bring it on with the network disconnected, check the time, force
when needed. Then reconnect & force NTP to external.

Then do each backup the same way... but it STILL screws with the time stamps
in the databases if you are not careful.
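
Added example, not part of the thread and not Samba code: a small triage script for dbcheck output of the shape shown in the original post, which sorts each NOTE/WARNING by whether it references the demoted DC (by GUID, or by an exact RDN such as CN=DC1). The function names and the fourth sample line are constructed for illustration; the other sample lines are findings from the post with the e-mail line wraps re-joined.

```python
import re
from collections import Counter

# Constructed sample: the first three findings are copied from the post (line
# wraps re-joined); the managedBy line is invented to show a non-matching case.
SAMPLE = r"""
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:513a2ea7-9ad8-496f-93db-2532cc6e9c45,CN=DC1\0ADEL:3ccd9bf3-e19a-49d9-a1a1-6afe151b72b3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com - CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=7e37a80b-2ead-4031-8acc-6f995ef154aa,CN=Partitions,CN=Configuration,DC=ad,DC=samdom,DC=com - <GUID=513a2ea7-9ad8-496f-93db-2532cc6e9c45>;<RMD_ADDTIME=132153595350000000>;<RMD_CHANGETIME=132153595350000000>;<RMD_FLAGS=0>;<RMD_INVOCID=3bbdc703-999b-4163-9d34-66692d318854>;<RMD_LOCAL_USN=4729>;<RMD_ORIGINATING_USN=3707>;<RMD_VERSION=1>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
NOTE: old (due to rename or delete) DN string component for rIDSetReferences in object CN=DC1,CN=Computers,DC=ad,DC=samdom,DC=com - CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=samdom,DC=com
NOTE: old (due to rename or delete) DN string component for managedBy in object CN=Printers,CN=Users,DC=ad,DC=samdom,DC=com - CN=DC10,OU=Old,DC=ad,DC=samdom,DC=com
Checked 4694 objects (2 errors)
"""
DEMOTED_GUIDS = {"513a2ea7-9ad8-496f-93db-2532cc6e9c45"}  # DC1 GUID stated in the post

# "<LEVEL>: <description> for <attribute> in object <object DN> - <link value>"
FINDING = re.compile(
    r"^(?P<level>NOTE|WARNING): (?P<what>.+?) for (?P<attr>\S+) "
    r"in object (?P<obj>.+?) - (?P<target>.+)$"
)
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def parse_findings(text):
    """Return one dict per NOTE/WARNING line; prompts and summaries are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING.match(line.strip())
        if m:
            f = m.groupdict()
            f["guids"] = {g.lower() for g in GUID.findall(line)}
            findings.append(f)
    return findings

def triage(text, demoted_guids, demoted_rdn):
    """Split findings into (references the demoted DC, everything else)."""
    known = {g.lower() for g in demoted_guids}
    # Exact RDN only: followed by ',' or the '\0ADEL:' tombstone marker, so
    # CN=DC1 does not also match CN=DC10.
    rdn = re.compile(rf"(?:^|[,;]){re.escape(demoted_rdn)}(?:\\0ADEL:|,)", re.I)
    related, other = [], []
    for f in parse_findings(text):
        hit = f["guids"] & known or rdn.search(f["obj"]) or rdn.search(f["target"])
        (related if hit else other).append(f)
    return related, other

def summarize(findings):
    """Count findings per (level, attribute)."""
    return Counter((f["level"], f["attr"]) for f in findings)

if __name__ == "__main__":
    related, other = triage(SAMPLE, DEMOTED_GUIDS, "CN=DC1")
    print("reference demoted DC:", dict(summarize(related)))
    print("need a closer look:  ", dict(summarize(other)))
```

Findings in the second list do not mention the demoted DC and are the ones to examine individually before accepting any proposed fix.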