Rebuilding a crashed Domain Controller

Note

In this documentation, it is assumed:

• That the crashed domain controller is called srvads1.

• That the healthy domain controller is called srvads2.

• That the domain is called mydomain.lan.

In the instructions described below, you will replace mydomain.lan with your own domain name and srvads with the machine name of your choice.

If the AD is a primary DC (with the FSMO role)

• Check which AD is FSMO:

  samba-tool fsmo show should return information like this:

  SchemaMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  

  srvads1 is therefore the FSMO in our example.

• Indicate to the remaining AD that srvads1 no longer exists:

  samba-tool domain demote --remove-other-dead-server=srvads1
  

• Transfer the roles to another AD:

  Attention

  Before performing the role transfer, it is necessary to ensure that the domain controller that is lost will never again be reused.

  samba-tool fsmo transfer --role=all
  

  Hint

  List of roles to be seized or transferred:

  --role=ROLE

  • rid=RidAllocationMasterRole

  • schema=SchemaMasterRole

  • pdc=PdcEmulationMasterRole

  • naming=DomainNamingMasterRole

  • infrastructure=InfrastructureMasterRole

  • domaindns=DomainDnsZonesMasterRole

  • forestdns=ForestDnsZonesMasterRole

  • all=all of the above You must provide an Admin user and password.

• If a rights issue arises:

  samba-tool fsmo transfer --role=all -U administrator
  

• Check the rights:

  The command samba-tool fsmo show must return:

  SchemaMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
  

• Check the AD database with dbcheck:

  samba-tool dbcheck --cross-ncs --fix
  

• Notify the new role to the Domain Controller:

  samba-tool fsmo seize --role=all
  

• Affect all FSMO roles to another Domain Controller;

If the AD is a secondary DC (without the FSMO role)

• Recreate a new machine by following DC install documentation.

• Downgrade srvads1:

  samba-tool domain demote --remove-other-dead-server=srvads1
  systemctl restart samba-ad-dc
  

• Rebuild a srvads1 domain controller by following the usual procedure for Debian or the usual procedure for RedHat8 and derived distributions and join the server in the domain;

• Ensure that the DNS fields are created correctly:

  samba_dnsupdate --verbose
  

• If there are still some fails, use this method which also allows you to bypass kerberos:

  samba_dnsupdate  --use-samba-tool
  

Validating the new installation

• Test the connection to the DNS from the DNS Active Directory console:

  

  Active Directory DNS console

• Test the connection from the Active Directory Users and Computers console:

  

  Active Directory Users and Computers console

• Check the status of the replications with samba-tool drs showrepl:

  samba-tool drs showrepl
  

Useful links

• https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_Roles

• https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles

• https://www.it-connect.fr/seizing-de-roles-fsmo/