search for: pdc_emulator

...db it gets the next available ID on >>> that DC, as users or groups are unlikely to contact in exactly the >>> same order on other DCs, they will get different IDs. This means >>> that you need to sync idmap.ldb between DCs, usually from the DC >>> that holds the PDC_Emulator FSMO role to all other DCs. >>> >>> Rowland >>> >>> >> Hi Rowland, >> >> Precisely, I want to check that the the contents of idmap.ldb are >> equal on the two DCs, so for example i want that a specific query for >> Administrator...

...available ID on > >>> that DC, as users or groups are unlikely to contact in exactly the > >>> same order on other DCs, they will get different IDs. This means > >>> that you need to sync idmap.ldb between DCs, usually from the DC > >>> that holds the PDC_Emulator FSMO role to all other DCs. > >>> > >>> Rowland > >>> > >>> > >> Hi Rowland, > >> > >> Precisely, I want to check that the the contents of idmap.ldb are > >> equal on the two DCs, so for example i want that a sp...

...acts idmap.ldb it gets the next available ID on > > that DC, as users or groups are unlikely to contact in exactly the > > same order on other DCs, they will get different IDs. This means > > that you need to sync idmap.ldb between DCs, usually from the DC > > that holds the PDC_Emulator FSMO role to all other DCs. > > > > Rowland > > > > > Hi Rowland, > > Precisely, I want to check that the the contents of idmap.ldb are > equal on the two DCs, so for example i want that a specific query for > Administrator to both DCs doesn't return...

...r > or group contacts idmap.ldb it gets the next available ID on that DC, > as users or groups are unlikely to contact in exactly the same > order on other DCs, they will get different IDs. This means that you > need to sync idmap.ldb between DCs, usually from the DC that holds the > PDC_Emulator FSMO role to all other DCs. > > Rowland > > Hi Rowland, Precisely, I want to check that the the contents of idmap.ldb are equal on the two DCs, so for example i want that a specific query for Administrator to both DCs doesn't return different ids. The idmap.ldb file on the DC...

...ning it with sudo and '-Uadministrator' appeared to work. Hrm, looks like a bug to me. > The thing is, if Samba had a working way of syncing sysvol between DCs, > it wouldn't matter, but I would image that users would like to do > everything on one DC (probably the one with the PDC_Emulator FSMO role) > and then sync sysvol to all other DCS. If the gpo commands are creating > things on other DCs, then that isn't going to work. That's a good point. There was some progress fixing this at some point, but I don't recall what happened with that. I think perhaps you can...

....int. > _ldap._tcp.pdc._msdcs.mad.mater.int has SRV record 0 100 389 awing.mad.mater.int. > _ldap._tcp.pdc._msdcs.mad.mater.int has SRV record 0 100 389 cwing.mad.mater.int. > > > What could have happened ? Just curious. There is a bug for this, whilst there is code to create the PDC_Emulators SRV record after the FSMO role is moved, there isn't any code to remove it, so you can end up up like yourself, with a record for every DC the PDC_emulator role has been on. Just remove the wrong records with samba-tool. Rowland

...ldap._tcp.pdc._msdcs.mad.mater.int has SRV record 0 100 389 bwing.mad.mater.int. _ldap._tcp.pdc._msdcs.mad.mater.int has SRV record 0 100 389 awing.mad.mater.int. _ldap._tcp.pdc._msdcs.mad.mater.int has SRV record 0 100 389 cwing.mad.mater.int. Which clearly shows you have three records for the PDC_Emulator DC and like that FSMO role, there can only be one, the DC that holds the role, you should delete the two incorrect ones. I have two DC's and this is the output from my domain: host -t SRV _ldap._tcp.pdc._msdcs.samdom.example.com _ldap._tcp.pdc._msdcs.samdom.example.com has SRV record 0 100...

...his means that when a user or group contacts idmap.ldb it gets the next available ID on that DC, as users or groups are unlikely to contact in exactly the same order on other DCs, they will get different IDs. This means that you need to sync idmap.ldb between DCs, usually from the DC that holds the PDC_Emulator FSMO role to all other DCs. Rowland

...host, it contacts *one of the DCs* and sets it there. It > should then be replicated to the others. > The thing is, if Samba had a working way of syncing sysvol between DCs, it wouldn't matter, but I would image that users would like to do everything on one DC (probably the one with the PDC_Emulator FSMO role) and then sync sysvol to all other DCS. If the gpo commands are creating things on other DCs, then that isn't going to work. Rowland

...pends on the various users and groups having the same ID on every DC, the problem with that is, you cannot depend on every DC giving the same IDs to users and groups, they are handed out on a 'first come' basis. This is why you need to sync idmap.ldb from one DC (usually the one holding the PDC_Emulator FSMO role) to all others. > > I still do not understand why on my DCs "getent group" and "getent > user" do not return the Windows groups and users, but that is > probably a cosmetic thing as you can get all info via wbinfo and > samba-tool. Just for this case...

...first time that I read the above, I had to read it a few times before I fully understood it. The reason being, on first scan I thought that Antonio was trying to join an NT4-style PDC to an AD domain, which isn't the case. What he is trying to do is replace an AD DC that currently holds the PDC_Emulator FSMO role. There are no such terms as 'PDC' and 'primary' associated with AD, all DC's are equal (apart from the FSMO roles and they can be on any DC) Sorry if that sounds like preaching, but it is just the way (along with a lot of others) that I see it. > All steps have...

Greetings, All! I've added a new DC to the working AD, transferred FSMO roles (checked, all 7 are ok') and (supposedly) correctly demoted the old DC. SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN= InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=S RidAllocationMasterRole owner: CN=NTDS

...idmap.ldb , but this works exactly the same as the first DC, ID's are allocated mostly on a 'first come' basis, this means the users and groups on separate DC's can and will get different ID's, so you need to sync idmap.ldb between DC's, usually from the DC that has the PDC_Emulator FSMO role. I thought this was all mentioned in the wiki. Rowland

..., but this works exactly the same as the first DC, ID's are > allocated mostly on a 'first come' basis, this means the users and groups on > separate DC's can and will get different ID's, so you need to sync idmap.ldb > between DC's, usually from the DC that has the PDC_Emulator FSMO role. > I thought this was all mentioned in the wiki. Shouldn't this be taken from LDAP, since I use WINBIND mappings? -- Best regards, Andrey Repin

...ss, you never know your luck. > > > Have you checked replication with: > samba-tool drs relication > yes, OK > > Have you checked each DC's database with: > samba-tool dbcheck > yes, OK > > > have you tried to replicate from the DC that holds the PDC_Emulator FSMO > role to the other two > yes > > Have you checked replication with: > samba-tool ldapcmp > > there' s error: > > samba-tool ldapcmp ldap://landc ldap://nextcloud domain -U administrator > > * Comparing [DOMAIN] context... > > * Objects to be...

...server in /etc/resolv.conf ? yes but one of them has 127.0.0.1 can make any difference ? Have you checked replication with: samba-tool drs relication yes, OK Have you checked each DC's database with: samba-tool dbcheck yes, OK have you tried to replicate from the DC that holds the PDC_Emulator FSMO role to the other two yes Have you checked replication with: samba-tool ldapcmp there' s error: samba-tool ldapcmp ldap://landc ldap://nextcloud domain -U administrator * Comparing [DOMAIN] context... * Objects to be compared: 309 Comparing: 'CN=NEXTCLOUD,OU=DOMAIN CONTROLL...

On 14/04/2023 14:20, Luis Peromarta via samba wrote: > Apologies. Now I get it. Only one SRV record for the PCD emulator. I will delete the other 2. Yes, one PDC_Emulator, one dns record. > > If I transfer the FSMO role will that be updated then ? On a samba AD DC, the samba_dnsupdate script is run at start up and then every 10 minutes, this script uses a file called dns_update_list and if a required dns record is missing, it is created. One of these reco...

Hi folks, I have got two DCs and I want to check that the builtin ids are equal on both DCs. I have searched extensively, but I have not found what tool to use to get this information. I do not use winbindd on the DCs. I would be very grateful, if somebody could give me information about this. Best regards, Peter

We've added an extra DC for redundancy to the Debian based Active Directory. We updated our older smaba version to the current one, and joined a new DC. Then the commands where givven to move all the FSMO roles Which we verified with "samba-tool fsmo show", which showed that all roles are on the new DC. However in DNS all underscore srv records of the AD services still point to the

...ne of the lines from the list is this: > > # The PDC emulator > ${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}??????????????????? > ${HOSTNAME} 389 > > I think if you check again, you will now have the required SRV record, > but you may also have another record for the old pdc_emulator role > owner. Whilst it seems there is code to add the _ldap._tcp.pdc record, > there doesn't seem to any to remove it from the old role owner. > > You can remove the incorrect record (if you have it) with 'samba-tool > dns delete' > > Rowland > > >...