.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Rebuilding a crashed Domain Controller
   :keywords: crash, Samba-AD, documentation

.. _recovering_ad_from_crash:

######################################
Rebuilding a crashed Domain Controller
######################################

.. note::

   In this documentation, it is assumed:

   * that the crashed domain controller is called *srvads1*;
   * that the healthy domain controller is called *srvads2*;
   * that the domain is called *mydomain.lan*.

   In the instructions below, replace *mydomain.lan* with your own domain name and *srvads* with the machine names of your choice. Unless stated otherwise, the commands are run on the healthy domain controller *srvads2*: the crashed one is no longer there to run anything.

**********************************************
If the AD is a primary DC (with the FSMO role)
**********************************************

* Check which DC holds the FSMO roles: :command:`samba-tool fsmo show` returns one line per role, for example:

  .. code-block:: bash

     SchemaMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan

  Every owner DN names *srvads1*: it is therefore the FSMO holder in our example.

* Tell the remaining DC that *srvads1* no longer exists, which removes its objects and DNS records from the directory:

  .. code-block:: bash

     samba-tool domain demote --remove-other-dead-server=srvads1

* Seize the FSMO roles on *srvads2*:

  .. attention::

     Seizing hands the roles to a new owner without the old owner's agreement. Before doing it, make sure the lost domain controller will **never again** be put back on the network: if it came back, two DCs would each believe they hold the same roles (for the RID master this means two DCs handing out RID pools, hence duplicate SIDs).

  :command:`samba-tool fsmo transfer` requires the current owner to be reachable, so it cannot succeed against a crashed DC. :command:`samba-tool fsmo seize` first attempts a transfer and seizes the role only if the transfer fails (``--force`` skips the transfer attempt), which is what a dead FSMO holder calls for:

  .. code-block:: bash

     samba-tool fsmo seize --role=all

  .. hint::

     List of roles that can be seized or transferred with ``--role=ROLE``:

     - rid=RidAllocationMasterRole
     - schema=SchemaMasterRole
     - pdc=PdcEmulationMasterRole
     - naming=DomainNamingMasterRole
     - infrastructure=InfrastructureMasterRole
     - domaindns=DomainDnsZonesMasterRole
     - forestdns=ForestDnsZonesMasterRole
     - all=all of the above

  The command must run as a domain administrator. If it fails with a permission error, give the account explicitly; you will be prompted for its password:

  .. code-block:: bash

     samba-tool fsmo seize --role=all -U administrator

  If the old holder is in fact still reachable (a planned decommission rather than a crash), prefer the clean transfer, ``samba-tool fsmo transfer --role=all``, so that the old owner also records that it no longer holds the roles.

* Check the roles: :command:`samba-tool fsmo show` must now return *srvads2* as the owner of every role:

  .. code-block:: bash

     SchemaMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
     ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan

* Check the AD database with dbcheck, across all naming contexts:

  .. code-block:: bash

     samba-tool dbcheck --cross-ncs --fix

***************************************************
If the AD is a secondary DC (without the FSMO role)
***************************************************

* Prepare a new machine by following the DC installation documentation.
* On *srvads2*, remove the dead *srvads1* from the directory (it can no longer demote itself since it is not running), then restart the service:

  .. code-block:: bash

     samba-tool domain demote --remove-other-dead-server=srvads1
     systemctl restart samba-ad-dc

* Rebuild a *srvads1* domain controller by following the :ref:`usual procedure for Debian ` or the :ref:`usual procedure for RedHat8 and derived distributions ` and join the server to the domain.
* On the rebuilt *srvads1*, check that its DNS records are created correctly:

  .. code-block:: bash

     samba_dnsupdate --verbose

* If some records still *fail*, have :command:`samba_dnsupdate` register them through :command:`samba-tool dns` (DNS management over RPC) instead of Kerberos-authenticated (GSS-TSIG) ``nsupdate``:

  .. code-block:: bash

     samba_dnsupdate --use-samba-tool

*******************************
Validating the new installation
*******************************

* Test the connection to the DNS from the :guilabel:`DNS Active Directory console`:

  .. figure:: ../images/samba_dns_active_directory_fr.png
     :align: center
     :scale: 100%
     :alt: Active Directory DNS console

     Active Directory DNS console

* Test the connection from the :guilabel:`Active Directory Users and Computers` console:

  .. figure:: ../images/samba_users_and_computers_active_directory.png
     :align: center
     :scale: 100%
     :alt: Active Directory Users and Computers console

     Active Directory Users and Computers console

* Check the status of the replication with :command:`samba-tool drs showrepl`:

  .. code-block:: bash

     samba-tool drs showrepl

  Every inbound and outbound neighbour must report ``0 consecutive failure(s)``, and the dead *srvads1* must no longer appear as a neighbour unless it has been rebuilt and re-joined under the same name.

************
Useful links
************

* https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_Roles
* https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles
* https://www.it-connect.fr/seizing-de-roles-fsmo/
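**********************************
Scripted checks after the recovery
**********************************

The validation steps above end with reading the output of ``samba-tool fsmo show`` and ``samba-tool drs showrepl`` by eye. The script below, an added example that is not part of the Samba project nor of the original procedure, turns those readings into checks that can be run on *srvads2* after the seizure or the rebuild: every role must be owned by the expected DC, no replication neighbour may have consecutive failures, and the dead DC must not be referenced any more. The sample outputs at the bottom are constructed to have the shape of the real commands' output and are not captured from a real domain; *srvads1*, *srvads2* and *mydomain.lan* are the page's assumed names.

```shell
#!/bin/sh
# Post-recovery validation for a Samba AD domain that has lost a DC.
# Added example: not part of the Samba project or of the original procedure.
# Assumed names as on the page: srvads2 = surviving DC, srvads1 = dead DC.
# Each check reads command output on stdin, so it takes either the live
# output of samba-tool or the constructed samples at the bottom.

# fsmo_check EXPECTED_DC: reads `samba-tool fsmo show`; prints each role
# whose owner DN does not name EXPECTED_DC and exits 1 if there is one
# (or if fewer than the seven roles are listed). Case-insensitive, because
# Samba usually stores the server CN in upper case.
fsmo_check() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
        /owner:/ {
            seen++
            # the owner is the NTDS Settings object under CN=<dc>,CN=Servers,...
            if (index(tolower($0), "cn=" want ",cn=servers") == 0) {
                print "ROLE NOT ON " want ": " $1; bad++
            }
        }
        END {
            if (seen < 7) { print "only " seen + 0 " of 7 roles listed"; bad++ }
            exit (bad > 0)
        }'
}

# drs_check: reads `samba-tool drs showrepl`; prints every neighbour whose
# "consecutive failure(s)" count is non-zero and exits 1 if there is one.
drs_check() {
    awk '
        / via RPC$/ { neighbour = $0; sub(/^[ \t]+/, "", neighbour) }
        /consecutive failure\(s\)/ && ($1 + 0 > 0) {
            print "REPLICATION FAILING: " neighbour " (" $1 " consecutive)"; bad++
        }
        END { exit (bad > 0) }'
}

# stale_ref_check DEAD_DC: reads `samba-tool drs showrepl` and exits 1 if
# DEAD_DC is still referenced (neighbour or KCC connection object), i.e.
# --remove-other-dead-server did not clean it up. Run it on the surviving
# DC after the removal and BEFORE re-joining a DC under the same name.
stale_ref_check() {
    dead=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v dead="$dead" '
        index(tolower($0), dead) > 0 { print "STALE REFERENCE: " $0; bad++ }
        END { exit (bad > 0) }'
}

# sample_fsmo DC: constructed `samba-tool fsmo show` output (same shape as
# the real command) with all seven roles owned by DC.
sample_fsmo() {
    for role in SchemaMasterRole InfrastructureMasterRole RidAllocationMasterRole \
                PdcEmulationMasterRole DomainNamingMasterRole \
                DomainDnsZonesMasterRole ForestDnsZonesMasterRole; do
        printf '%s owner: CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan\n' "$role" "$1"
    done
}

# Constructed showrepl excerpt: srvads1 is dead but still an inbound
# neighbour of srvads2, and replication from it keeps failing.
SHOWREPL_BAD='Default-First-Site-Name\SRVADS2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=lan
    Default-First-Site-Name\SRVADS1 via RPC
        Last attempt @ Mon Jun  3 10:15:02 2024 CEST failed, result 58 (WERR_BAD_NET_RESP)
        3 consecutive failure(s).
        Last success @ Sun Jun  2 23:40:11 2024 CEST'

# Constructed showrepl excerpt after srvads1 was rebuilt and re-joined.
SHOWREPL_OK='Default-First-Site-Name\SRVADS2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=lan
    Default-First-Site-Name\SRVADS1 via RPC
        Last attempt @ Mon Jun  3 11:02:40 2024 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jun  3 11:02:40 2024 CEST'

# Stand-alone run over the samples; on a real DC replace the sample sources
# with `samba-tool fsmo show` and `samba-tool drs showrepl`.
if sample_fsmo SRVADS2 | fsmo_check srvads2; then echo "fsmo: all roles on srvads2"; fi
if ! printf '%s\n' "$SHOWREPL_BAD" | drs_check; then echo "drs: failures found (expected in the bad sample)"; fi
if printf '%s\n' "$SHOWREPL_OK" | drs_check; then echo "drs: replication healthy"; fi
```

To run it against a live DC, pipe the real output in: ``samba-tool fsmo show | fsmo_check srvads2`` after the seizure, ``samba-tool drs showrepl | drs_check`` once the domain has settled, and ``samba-tool drs showrepl | stale_ref_check srvads1`` only between the removal and the re-join, since a rebuilt *srvads1* legitimately appears again afterwards. All three checks are read-only, so they can also be dropped into a monitoring probe.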