> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
> Rowland, thanks for your reply. What you describe is pretty simple in
> principle. It is the details about which I am confused. There are 3
> aspects of a Samba 4 AD that have to be properly set up for the AD to
> function correctly, namely the Samba configuration, Kerberos and DNS.
> If any of these is incorrectly configured, the AD will not function.
> So here are my questions regarding the details of what you describe.
> <snip>
> 6.) Transfer FSMO roles
>
> 7.) Demote old DC
>
So I successfully moved the DC to another server. However, when I try to
demote the old DC, I get this error.
nikita> samba-tool domain demote -Uadministrator
Using nureyev.myhome.example.com as partner server for the demotion
Password for [MYHOME\administrator]:
Deactivating inbound replication
Asking partner server nureyev.myhome.example.com to synchronize from us
Changing userControl and container
Error while demoting, re-enabling inbound replication
ERROR(<type 'exceptions.RuntimeError'>): Error while sending a removeDsServer of CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com: - (31, 'WERR_GENERAL_FAILURE')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 921, in run
    drsuapiBind.DsRemoveDSServer(drsuapi_handle, 1, req1)
Does anyone have a clue as to why I cannot demote the old DC? I am at a
loss as to what is wrong. All the FSMO roles transferred properly to the new
server. I did sync the sysvol, so I am not sure what happened here,
because everything was good at one point. What I am finding now is that
on what I want to be the PDC I have this:
> samba-tool drs showrepl
Default-First-Site-Name\NUREYEV
DSA Options: 0x00000001
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
DSA invocationId: 0fcda6bb-9435-4852-ac8d-660af8443d34
==== INBOUND NEIGHBORS ====
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
But on the old DC that I want to demote I have this:
> samba-tool drs showrepl
Default-First-Site-Name\NIKITA
DSA Options: 0x00000001
DSA object GUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
DSA invocationId: c47710e7-8649-4c2f-bf82-f26c8d23effc
==== INBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:10:24 2016 MDT failed, result 2
(WERR_BADFILE)
301 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
DC=DomainDnsZones,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=myhome,DC=example,DC=com
Default-First-Site-Name\NUREYEV via RPC
DSA object GUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
Last attempt @ Sun Oct 2 18:11:50 2016 MDT failed, result 2
(WERR_BADFILE)
90 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 2b332225-20d4-486f-8b38-87c56c64f707
Enabled : TRUE
Server DNS name : nureyev.myhome.example.com
Server DN name : CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Any suggestions as to how to debug/fix this problem so I can demote the old DC?
--
Paul (ga...@example.com)
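A small checker for showrepl output of the kind shown above, added here as an example and not part of this thread or of Samba's own tooling: it parses the neighbour blocks and lists every partner whose last attempt failed, flagging the ones that have never replicated successfully (Last success @ NTTIME(0)). The sample text is constructed to match the tool's layout and the values quoted above.

```python
import re
# Constructed sample in the shape of `samba-tool drs showrepl` output.
SAMPLE = """\
Default-First-Site-Name\\NIKITA
==== INBOUND NEIGHBORS ====
DC=myhome,DC=example,DC=com
\tDefault-First-Site-Name\\NUREYEV via RPC
\t\tLast attempt @ Sun Oct  2 18:10:24 2016 MDT failed, result 2 (WERR_BADFILE)
\t\t301 consecutive failure(s).
\t\tLast success @ NTTIME(0)
CN=Configuration,DC=myhome,DC=example,DC=com
\tDefault-First-Site-Name\\NUREYEV via RPC
\t\tLast attempt @ Sun Oct  2 18:12:00 2016 MDT was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Sun Oct  2 18:12:00 2016 MDT
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
"""
SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====$")
NC_RE = re.compile(r"^(?:DC|CN)=")          # a naming-context DN starts a neighbour
PARTNER_RE = re.compile(r"^(\S+) via (\S+)$")
ATTEMPT_RE = re.compile(r"^Last attempt @ .+? (?:failed, result \d+ \((\w+)\)|was successful)$")
FAILS_RE = re.compile(r"^(\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^Last success @ (.+)$")

def parse_showrepl(text):
    """Return one dict per (direction, naming context, partner) neighbour."""
    neighbours, direction, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            direction, cur = m.group(1), None
        elif line.startswith("===="):            # KCC objects etc. are not neighbours
            direction, cur = None, None
        elif direction and NC_RE.match(line):
            cur = {"direction": direction, "nc": line, "partner": None,
                   "failures": 0, "error": None, "last_success": None}
            neighbours.append(cur)
        elif cur is not None:
            if (m := PARTNER_RE.match(line)): cur["partner"] = m.group(1)
            elif (m := ATTEMPT_RE.match(line)): cur["error"] = m.group(1)
            elif (m := FAILS_RE.match(line)): cur["failures"] = int(m.group(1))
            elif (m := SUCCESS_RE.match(line)): cur["last_success"] = m.group(1)
    return neighbours

def failing_neighbours(text):
    """Failing neighbours; the last field is True when the NC never replicated at all."""
    return [(n["direction"], n["nc"], n["partner"], n["failures"], n["error"],
             n["last_success"] == "NTTIME(0)")
            for n in parse_showrepl(text) if n["error"] or n["failures"]]
```

Run it against `samba-tool drs showrepl` output saved to a file on each DC; a partner that appears with NTTIME(0) on every naming context has never completed a single replication cycle, which is the state the listing above shows.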
> <snip>
>
> Any suggestions as to how to debug/fix this problem so I can demote the
> old DC?
>
So I discovered that on the new DC it appears an NTDS record is missing.
On DC nikita.myhome.example.com
> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
# record 2
dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
# returned 2 records
# 2 entries
# 0 referrals
but on the new DC nureyev.myhome.example.com:
> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=NUREYEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: 275c02e7-7077-4b10-ab71-77efeb93bb6b
# returned 1 records
# 1 entries
# 0 referrals
How is it that one of the entries is now missing? Is there some way to
fix this problem? It appears that the new DC server object is there
and known by both DCs, but the old DC object is missing from the new DC
server?
--
Paul (ga...@nurdog.com)
I am seeing this error in the old DC log file
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:192.168.1.11[1024,seal,krb5,target_hostname=275c02e7-7077-4b10-ab71-77efeb93bb6b._msdcs.myhome.example.com,target_principal=GC/nureyev.myhome.example.com/myhome.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.11]
NT_STATUS_UNSUCCESSFUL
I just don't know how to fix it. Can I edit
/var/lib/samba/private/sam.ldb and add the missing entry for
# record 2
dn: CN=NTDS Settings,CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
objectGUID: ba98d422-c8a7-4ac3-9196-8eec84e4445a
or can I just take the old DC offline and simply
> samba-tool domain demote --remove-other-dead-server=NIKITA
Known problem, see here:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
Rowland
Well, I did what was indicated in the wiki and discovered that
replication worked at first. However, the replication killed DC1
(nikita.myhome.example.com) such that it no longer worked. I think the
problem is that there was a record on DC1 that looked like this:
# record 206
dn: CN=NIKITA,OU=Domain Controllers,DC=myhome,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: NIKITA
instanceType: 4
whenCreated: 20130804214231.0Z
uSNCreated: 3583
name: NIKITA
objectGUID: 4f3beaa6-1111-46b8-b435-2ae15861ee14
userAccountControl: 532480
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
localPolicyFlags: 0
pwdLastSet: 130201261510000000
primaryGroupID: 516
objectSid: S-1-5-21-729452656-3029571206-2736118167-1000
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: NIKITA$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.0.7-SerNet-RedHat-4.el6
dNSHostName: nikita.myhome.example.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=myhome,DC=example,DC=com
isCriticalSystemObject: TRUE
rIDSetReferences: CN=RID Set,CN=NIKITA,OU=Domain Controllers,DC=myhome,DC=example,DC=com
serverReferenceBL: CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: HOST/nikita.myhome.example.com
servicePrincipalName: HOST/nikita.myhome.example.com/MYHOME
servicePrincipalName: ldap/nikita.myhome.example.com/MYHOME
servicePrincipalName: GC/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com
servicePrincipalName: HOST/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: HOST/NIKITA
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/ba98d422-c8a7-4ac3-9196-8eec84e4445a/myhome.example.com
servicePrincipalName: ldap/ba98d422-c8a7-4ac3-9196-8eec84e4445a._msdcs.myhome.example.com
servicePrincipalName: ldap/NIKITA
servicePrincipalName: RestrictedKrbHost/NIKITA
servicePrincipalName: RestrictedKrbHost/nikita.myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/DomainDnsZones.myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/ForestDnsZones.myhome.example.com
servicePrincipalName: nfs/nikita
servicePrincipalName: nfs/nikita.myhome.example.com
lastLogonTimestamp: 131198490436935340
whenChanged: 20161002023043.0Z
uSNChanged: 5716
lastLogon: 131199325446020720
distinguishedName: CN=NIKITA,OU=Domain Controllers,DC=myhome,DC=example,DC=com
But on DC2 (nureyev.myhome.example.com) there was only this:
# record 1
dn: CN=NIKITA,CN=Computers,DC=myhome,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20130804214231.0Z
uSNCreated: 3237
objectGUID: 4f3beaa6-1111-46b8-b435-2ae15861ee14
codePage: 0
countryCode: 0
localPolicyFlags: 0
pwdLastSet: 130201261510000000
objectSid: S-1-5-21-729452656-3029571206-2736118167-1000
accountExpires: 9223372036854775807
sAMAccountName: NIKITA$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.0.7-SerNet-RedHat-4.el6
dNSHostName: nikita.myhome.example.com
rIDSetReferences: CN=RID Set,CN=NIKITA,CN=Computers,DC=myhome,DC=example,DC=com
servicePrincipalName: HOST/nikita.myhome.example.com
servicePrincipalName: HOST/nikita.myhome.example.com/MYHOME
servicePrincipalName: ldap/nikita.myhome.example.com/MYHOME
servicePrincipalName: GC/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com
servicePrincipalName: HOST/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/myhome.example.com
servicePrincipalName: HOST/NIKITA
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/ba98d422-c8a7-4ac3-9196-8eec84e4445a/myhome.example.com
servicePrincipalName: ldap/ba98d422-c8a7-4ac3-9196-8eec84e4445a._msdcs.myhome.example.com
servicePrincipalName: ldap/NIKITA
servicePrincipalName: RestrictedKrbHost/NIKITA
servicePrincipalName: RestrictedKrbHost/nikita.myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/DomainDnsZones.myhome.example.com
servicePrincipalName: ldap/nikita.myhome.example.com/ForestDnsZones.myhome.example.com
servicePrincipalName: nfs/nikita
servicePrincipalName: nfs/nikita.myhome.example.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=myhome,DC=example,DC=com
msDS-SupportedEncryptionTypes: 31
serverReferenceBL: CN=NIKITA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=myhome,DC=example,DC=com
lastLogonTimestamp: 131198490436935340
userAccountControl: 4096
isCriticalSystemObject: FALSE
primaryGroupID: 515
whenChanged: 20161002235437.0Z
cn: NIKITA
name: NIKITA
uSNChanged: 3827
distinguishedName: CN=NIKITA,CN=Computers,DC=myhome,DC=example,DC=com
I think that when I tried to demote DC1 before replication was working,
that caused DC1 to change the Domain Controller record
dn: CN=NIKITA,OU=Domain Controllers,DC=myhome,DC=example,DC=com
to simply a computer record
dn: CN=NIKITA,CN=Computers,DC=myhome,DC=example,DC=com
, completely screwing up DC1.
Thankfully I made a backup and could put things back the way they were.
I will try again next weekend, but this time I will make sure replication
is working first. That means doing the wiki DNS fix to get replication to
work first.
I think I was so close to having this all work.
--
Paul (ga...@example.com)
Cell: (303)257-5208
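To make the difference between the two views of the NIKITA object explicit, here is an added example (not from this thread or from Samba) that reads two cut-down LDIF records, decodes the userAccountControl bits that distinguish a DC account from a plain workstation account, and reports which attributes disagree. The two records are constructed from the values quoted above, and the flag values are the standard AD userAccountControl bits.

```python
# Constructed, cut down to the attributes that changed between the two DCs.
DC1_VIEW = """\
dn: CN=NIKITA,OU=Domain Controllers,DC=myhome,DC=example,DC=com
objectGUID: 4f3beaa6-1111-46b8-b435-2ae15861ee14
userAccountControl: 532480
primaryGroupID: 516
isCriticalSystemObject: TRUE
"""
DC2_VIEW = """\
dn: CN=NIKITA,CN=Computers,DC=myhome,DC=example,DC=com
objectGUID: 4f3beaa6-1111-46b8-b435-2ae15861ee14
userAccountControl: 4096
primaryGroupID: 515
isCriticalSystemObject: FALSE
"""
UAC_FLAGS = {0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
             0x80000: "TRUSTED_FOR_DELEGATION"}

def parse_ldif_record(text):
    """Minimal LDIF reader for one record: folded lines (leading space) are
    unfolded, comments skipped, and every attribute kept as a list of values."""
    rec, lines = {}, []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        elif line and not line.startswith("#"):
            lines.append(line)
    for line in lines:
        key, _, val = line.partition(":")
        rec.setdefault(key.strip(), []).append(val.strip())
    return rec

def uac_flags(value):
    """Names of the known trust/delegation bits set in a userAccountControl value."""
    v = int(value)
    return {name for bit, name in UAC_FLAGS.items() if v & bit}

def is_domain_controller(rec):
    """All four markers the DC1 record carries must hold together."""
    return ("OU=Domain Controllers" in rec["dn"][0]
            and "SERVER_TRUST_ACCOUNT" in uac_flags(rec["userAccountControl"][0])
            and rec.get("primaryGroupID") == ["516"]
            and rec.get("isCriticalSystemObject") == ["TRUE"])

def diff_records(a, b):
    """Attributes whose values differ between the two views of the object."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
```

The same objectGUID on both sides confirms it is one object seen twice, not two accounts; the DC2 view fails every DC marker, which is what made the later demotion attempt turn the DC1 account into an ordinary computer.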