Rebuilding a crashed Domain Controller
Note
In this documentation, it is assumed:
That the crashed domain controller is called srvads1.
That the healthy domain controller is called srvads2.
That the domain is called mydomain.lan.
In the instructions below, replace mydomain.lan with your own domain name and srvads with the machine names of your choice.
Attention
In this documentation, it is assumed:
That you are using a Debian-based system.
To restart Samba on RHEL and derivatives, replace "samba-ad-dc" with "samba".
If the AD is a primary DC (with the FSMO role)
Check which AD holds the FSMO roles:
samba-tool fsmo show
This should return information like this:
SchemaMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
srvads1 is therefore the FSMO holder in our example.
Tell the remaining AD that srvads1 no longer exists, then restart Samba:
samba-tool domain demote --remove-other-dead-server=srvads1
systemctl restart samba-ad-dc || systemctl restart samba
Transfer the roles to another AD:
Attention
Before performing the role transfer, make sure that the lost domain controller will never be reused again.
samba-tool fsmo transfer --role=all
Hint
List of roles that can be seized or transferred with --role=ROLE:
rid=RidAllocationMasterRole
schema=SchemaMasterRole
pdc=PdcEmulationMasterRole
naming=DomainNamingMasterRole
infrastructure=InfrastructureMasterRole
domaindns=DomainDnsZonesMasterRole
forestdns=ForestDnsZonesMasterRole
all=all of the above
You must provide an Admin user and password.
If a permissions issue arises, pass the administrator account explicitly:
samba-tool fsmo transfer --role=all -U administrator
Check the role owners:
The command samba-tool fsmo show must now return:
SchemaMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Check the AD database with dbcheck:
samba-tool dbcheck --cross-ncs --fix
Notify the Domain Controller of its new roles:
samba-tool fsmo seize --role=all
Seizing assigns all FSMO roles to another Domain Controller.
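The "check the role owners" step above is easy to get wrong by eye, because all seven lines look alike. The following POSIX sh check is an added example and not part of the original documentation or of Samba: it reads the output of samba-tool fsmo show and reports every role not owned by the surviving DC; sample_fsmo_show is a constructed stand-in that prints what the command would return, and srvads2 is the assumed surviving DC.

```shell
#!/bin/sh
# Constructed stand-in for `samba-tool fsmo show`: prints the seven role lines
# with the given DC as owner (on a real DC, use the live command instead).
sample_fsmo_show() {
    for role in Schema Infrastructure RidAllocation PdcEmulation DomainNaming DomainDnsZones ForestDnsZones; do
        printf '%sMasterRole owner: CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan\n' "$role" "$1"
    done
}

# fsmo_all_owned_by DC : read `samba-tool fsmo show` output on stdin and return 0
# only if all seven FSMO roles are owned by DC. Every role still owned by another
# DC (for example the crashed srvads1) is reported on stdout.
fsmo_all_owned_by() {
    expected="$1"
    seen=0
    stray=0
    while IFS= read -r line; do
        case "$line" in
            *"Role owner: "*) ;;   # keep only the role lines
            *) continue ;;
        esac
        seen=$((seen + 1))
        role="${line%% owner:*}"
        case "$line" in
            *",CN=${expected},CN=Servers,"*) ;;
            *) printf 'WARNING: %s is not owned by %s: %s\n' "$role" "$expected" "${line#*owner: }"
               stray=$((stray + 1)) ;;
        esac
    done
    if [ "$seen" -ne 7 ]; then
        printf 'WARNING: expected 7 FSMO roles, found %s\n' "$seen"
        return 1
    fi
    [ "$stray" -eq 0 ]
}

# Demo on the constructed output; on a real DC run:
#   samba-tool fsmo show | fsmo_all_owned_by srvads2
sample_fsmo_show srvads2 | fsmo_all_owned_by srvads2 && echo "OK: all roles on srvads2"
# Simulate a partial transfer: line 4 (PdcEmulationMasterRole) still points at srvads1.
sample_fsmo_show srvads2 | sed '4s/CN=srvads2,/CN=srvads1,/' | fsmo_all_owned_by srvads2 || echo "transfer incomplete"
```

A non-zero exit means at least one role is still bound to the dead server, so the transfer (or seize) must be repeated before dbcheck is run.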
If the AD is a secondary DC (without the FSMO role)
Recreate a new machine by following the DC installation documentation.
Demote srvads1 on the healthy DC, then restart Samba:
samba-tool domain demote --remove-other-dead-server=srvads1
systemctl restart samba-ad-dc
Rebuild the srvads1 domain controller by following the usual procedure for Debian, or the usual procedure for RedHat 8 and derived distributions, and join the server to the domain.
Ensure that the DNS records are created correctly:
samba_dnsupdate --verbose
If some updates still fail, use this method, which also bypasses Kerberos:
samba_dnsupdate --use-samba-tool
Validating the new installation
Test the connection to the DNS server from the Active Directory DNS console.
Test the connection from the Active Directory Users and Computers console.
Check the status of replication with samba-tool drs showrepl:
samba-tool drs showrepl