Rebuilding a crashed Domain Controller

Note

In this documentation, it is assumed:

  • That the crashed domain controller is called srvads1.

  • That the healthy domain controller is called srvads2.

  • That the domain is called mydomain.lan.

In the instructions described below, you will replace mydomain.lan with your own domain name and srvads with the machine name of your choice.

Attention

In this documentation, it is assumed:

  • You are using a Debian-based system.

  • To restart samba on RHEL and derivatives, replace “samba-ad-dc” with “samba”.

If the AD is a primary DC (with the FSMO role)

  • Check which AD is FSMO:

    samba-tool fsmo show should return information like this:

    SchemaMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    

    srvads1 is therefore the FSMO in our example.

  • Indicate to the remaining AD that srvads1 no longer exists:

    samba-tool domain demote --remove-other-dead-server=srvads1
    systemctl restart samba-ad-dc || systemctl restart samba
    
  • Transfer the roles to another AD:

    Attention

    Before transferring the roles, make sure that the lost domain controller will never be brought back into service.

    samba-tool fsmo transfer --role=all
    

    Hint

    List of roles to be seized or transferred:

    --role=ROLE

    • rid=RidAllocationMasterRole

    • schema=SchemaMasterRole

    • pdc=PdcEmulationMasterRole

    • naming=DomainNamingMasterRole

    • infrastructure=InfrastructureMasterRole

    • domaindns=DomainDnsZonesMasterRole

    • forestdns=ForestDnsZonesMasterRole

    • all=all of the above

    You must provide an Admin user and password.

  • If a permissions error occurs:

    samba-tool fsmo transfer --role=all -U administrator
    
  • Check the role owners:

    The command samba-tool fsmo show must return:

    SchemaMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    
  • Check the AD database with dbcheck:

    samba-tool dbcheck --cross-ncs --fix
    
  • Seize the roles on the remaining Domain Controller so it is recorded as their owner:

    samba-tool fsmo seize --role=all
    
  • Assign all FSMO roles to another Domain Controller.
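The two `samba-tool fsmo show` checks above are done by eye; the following added script (not part of the original documentation) parses that output and reports any role still owned by a DC other than the expected one, which catches a seizure that only moved some of the seven roles. The sample output is constructed for the example and uses the srvads1/srvads2 names assumed on this page.

```shell
#!/bin/sh
# check_fsmo_owner EXPECTED_DC  (reads "samba-tool fsmo show" output on stdin)
# Prints one line per role NOT owned by EXPECTED_DC and returns 1;
# returns 2 if fewer than the seven roles were seen; returns 0 when all
# seven roles are owned by EXPECTED_DC.
# Live usage:  samba-tool fsmo show | check_fsmo_owner srvads2
check_fsmo_owner() {
    expected="$1"
    bad=0
    count=0
    while IFS= read -r line; do
        case "$line" in
            *"MasterRole owner:"*) ;;
            *) continue ;;
        esac
        count=$((count + 1))
        role=${line%% owner:*}
        # The DC name is the second CN= component of the owner DN:
        # CN=NTDS Settings,CN=<dc>,CN=Servers,...
        dn=${line#* owner: }
        owner=${dn#*,CN=}
        owner=${owner%%,*}
        if [ "$owner" != "$expected" ]; then
            echo "$role: owned by $owner, expected $expected"
            bad=1
        fi
    done
    [ "$count" -ge 7 ] || return 2
    return "$bad"
}

# Constructed sample: the seizure left InfrastructureMasterRole on the dead srvads1.
SAMPLE_BAD='SchemaMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan'
# Same sample after a complete seizure: every role on srvads2.
SAMPLE_OK=$(printf '%s\n' "$SAMPLE_BAD" | sed 's/CN=srvads1,/CN=srvads2,/')

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_BAD" | check_fsmo_owner srvads2
fi
```

Run with `sh check_fsmo.sh demo` to see the report for the constructed partial seizure; a non-zero exit status means the roles are not all where they should be.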

If the AD is a secondary DC (without the FSMO role)

  • Build a new machine by following the DC installation documentation.

  • Demote srvads1:

    samba-tool domain demote --remove-other-dead-server=srvads1
    systemctl restart samba-ad-dc
    
  • Rebuild the srvads1 domain controller by following the usual procedure for Debian, or the usual procedure for RedHat 8 and derived distributions, and join the server to the domain.

  • Ensure that the DNS records are created correctly:

    samba_dnsupdate --verbose
    
  • If some updates still fail, use this method, which also bypasses Kerberos:

    samba_dnsupdate --use-samba-tool
    

Validating the new installation

  • Test the connection to DNS from the Active Directory DNS console:

    Active Directory DNS console

  • Test the connection from the Active Directory Users and Computers console:

    Active Directory Users and Computers console

  • Check the status of the replications with samba-tool drs showrepl:

    samba-tool drs showrepl