Zentyal Forum, Linux Small Business Server
Zentyal Server => Directory and Authentication => Topic started by: chris.holmes on November 20, 2020, 05:17:27 am
-
Zentyal Version 6.1.6 running only as a domain controller / DNS server.
Primary and Secondary DNS Servers. NOT using roaming profiles. Have all my scripts and the workstation group policy backed up.
Problem 1: My Primary domain controller (PDC) is dead.
Secondary Domain Controller is functional (SDC), domain authentication is working. The license key is the only thing left of the PDC.
What do I need to do to create a new Primary Domain Controller for my domain so I don't lose all the user accounts, connected computers, etc.?
I'm assuming turn the SDC into a PDC and create a new SDC, but documentation on that is mainly on migrating from a Windows PDC.
Problem 2: (which led to the dead PDC)
DNS not updating automatically. Got the following error after adding the noexpiry flag to the dns-<PDC> account.
Exit value: 1 at root command kinit -k -t /var/lib/samba/private/dns.keytab dns-zentyal failed.
Error output: kinit: Password incorrect
How do I properly set the password in the dns.keytab file to get DNS updating properly again?
Explanation of Problem 2:
The password for the dns-<PDC> was manually changed via the Users and Computer Management screen. The fix I found to reset the password on the dns-<PDC> account was the start of the cause of Problem 1.
THIS IS BAD DO NOT DO - (samba_upgradedns --dns-backend=local then back to BIND9_DLZ)
This is me putting down the shovel to get out of the hole. Thank you in advance.
-
:)
1 Backup!
1.1 Backup!
1.2 Read https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles
(Zentyal provides the /usr/share/zentyal-samba/ad-migrate that manages this operation)
Bear in mind that the Webadmin Domain panel will be outdated. Don't change anything here! https://doc.zentyal.org/en/directory.html#total-migration
2 Your initial problem was probably fixable by creating a new dns.keytab with this command:
samba-tool domain exportkeytab dns.keytab --principal=dns-$(hostname)
(I've never seen the setexpiry command crash a Kerberos principal before. Could you paste the logs here?)
In order to fix your issue, read this: https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
In spite of your previous experience, temporarily changing the DNS back end should fix your issue (I have done it in a VM right now and it fixed the dns-$(hostname) whose password I had changed manually just before). Try it in a VM before proceeding in production!
You can check the fix this way:
samba_dnsupdate --verbose --all-names
Cheers!
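The "kinit: Password incorrect" symptom above comes from a keytab whose key no longer matches the account's current key version, and that mismatch can be confirmed before regenerating anything. The script below is an added example, not code from this thread or from Zentyal or Samba: it compares the KVNO stored in dns.keytab with the msDS-KeyVersionNumber the directory holds for the dns-<host> account. The sam.ldb path, the use of ldbsearch, and the klist and ldbsearch output layouts are assumptions; all sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Zentyal/Samba:
# compare the key version number (KVNO) that dns.keytab carries for the
# dns-<host> principal with the msDS-KeyVersionNumber the directory holds
# for that account. A manual password change bumps the account's KVNO while
# the keytab keeps the old key, which kinit reports as "Password incorrect".
# The sam.ldb path and the klist/ldbsearch output shapes are assumptions;
# every sample output below is constructed.

KEYTAB=/var/lib/samba/private/dns.keytab
SAM_LDB=/var/lib/samba/private/sam.ldb            # assumed location
HOST=$(hostname 2>/dev/null || echo unknown-host)
PRINCIPAL="dns-$HOST"

# Highest KVNO recorded for principal $2 in `klist -k -t <keytab>` output ($1).
# Assumes MIT klist formatting: "<kvno> <date> <time> <principal@REALM>".
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && index($NF, p "@") == 1 && $1 + 0 > max + 0 { max = $1 }
        END { print max + 0 }'
}

# msDS-KeyVersionNumber from LDIF output ($1), e.g. from
# ldbsearch -H sam.ldb "(sAMAccountName=dns-<host>)" msDS-KeyVersionNumber
account_kvno() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2 + 0; exit }'
}

# Prints one of: current, stale, missing (principal absent from the keytab),
# unknown (attribute absent from the LDIF).
keytab_state() {
    kt=$(keytab_kvno "$1" "$3")
    acct=$(account_kvno "$2")
    if [ "$kt" -eq 0 ]; then
        echo missing
    elif [ -z "$acct" ]; then
        echo unknown
    elif [ "$kt" -eq "$acct" ]; then
        echo current
    else
        echo stale
    fi
}

# Live check on a DC; runs only when LIVE=1 so the script stays harmless
# elsewhere. It only reads; the exportkeytab command is printed, not run.
live_check() {
    kt_out=$(klist -k -t "$KEYTAB")
    acct_out=$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$PRINCIPAL)" msDS-KeyVersionNumber)
    state=$(keytab_state "$kt_out" "$acct_out" "$PRINCIPAL")
    echo "$KEYTAB for $PRINCIPAL is $state"
    if [ "$state" != current ]; then
        echo "fix:    samba-tool domain exportkeytab $KEYTAB --principal=$PRINCIPAL"
        echo "verify: samba_dnsupdate --verbose --all-names"
    fi
}

# Constructed sample: the keytab's newest key is KVNO 3, but the account has
# been reset once more since, so the directory is at KVNO 4 -> "stale".
SAMPLE_KLIST='Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/01/2020 10:00:00 dns-zentyal@EXAMPLE.LAN
   3 11/15/2020 09:30:00 dns-zentyal@EXAMPLE.LAN'
SAMPLE_LDIF='dn: CN=dns-zentyal,CN=Users,DC=example,DC=lan
msDS-KeyVersionNumber: 4'

if [ "${LIVE:-0}" = 1 ]; then
    live_check
else
    echo "sample: dns.keytab for dns-zentyal is $(keytab_state "$SAMPLE_KLIST" "$SAMPLE_LDIF" dns-zentyal)"
fi
```

Run it with `LIVE=1` on the DC to inspect the real keytab; without that variable it only evaluates the constructed sample. Note that the exportkeytab command in the reply writes `dns.keytab` into the current directory, so the path passed to `--principal`'s companion argument should be the one BIND9_DLZ actually reads, which is why the script prints the full path.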
-
Thank you for the response. Yes, backup, but I need to take my own advice in that an untested backup is not a backup.
I had the PDC virtualized on a ZFS volume and my snapshots are corrupt, and so are my offsite replications.
This is very alarming with ZFS and something I'm looking into. The system my SDC is on is a different machine and doesn't have this issue.
Sorry if I was unclear about what caused the main issue, but it wasn't the set expiry command; it was "samba_upgradedns --dns-backend=local" and then setting it back to BIND9_DLZ. I might have been able to save it if I had run "samba-tool domain exportkeytab dns.keytab --principal=dns-$(hostname)" first, but there were many other issues.
Regarding the dns.keytab fix - Worked like a charm. Thank you. "samba-tool domain exportkeytab dns.keytab --principal=dns-$(hostname)"
Domain Controller fix:
1. Show the list of who owns the roles by using:
samba-tool fsmo show
2. Seize all the FSMO roles to the SDC by running this command on the SDC:
samba-tool fsmo seize --role=all
3. Demote the broken domain controller - https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
4. Don't change anything in the Zentyal WebAdmin console Domain Panel
5. Create a new SDC and join it to the domain.
Questions:
1. Is there a way to get the WebAdmin console Domain Panel updated on the now PDC?
I will be backing up the SDC as is (via the Zentyal WebAdmin console and a tested snapshot of the system) and will try this out over the weekend.
Will post the outcome.
Thank you, I've gone from panic to hope.
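Steps 1 and 2 of the fix above (inventory the role owners, then seize) are worth pairing with a check that reads `samba-tool fsmo show` output and says exactly which of the seven roles still point at the dead DC, both before seizing and again afterwards to confirm nothing still references it. The script below is an added example, not code from this thread or from Zentyal or Samba. The fsmo show output is a constructed sample, the DC names PDC and SDC are placeholders, and the DN shape of the owner objects is an assumption.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Zentyal/Samba:
# read the output of `samba-tool fsmo show`, list which of the seven FSMO
# roles still point at a given DC, and print the matching seize commands.
# Run it before seizing to see what the dead DC held, and again afterwards
# to confirm nothing still references it. The fsmo show output below is a
# constructed sample; DC names PDC and SDC are placeholders.

DEAD_DC=${DEAD_DC:-PDC}    # assumed: the NetBIOS name of the dead DC

# Maps a role name as printed by `samba-tool fsmo show` to the value that
# `samba-tool fsmo seize --role=` accepts.
fsmo_role_flag() {
    case "$1" in
        SchemaMasterRole)         echo schema ;;
        InfrastructureMasterRole) echo infrastructure ;;
        RidAllocationMasterRole)  echo rid ;;
        PdcEmulationMasterRole)   echo pdc ;;
        DomainNamingMasterRole)   echo naming ;;
        DomainDnsZonesMasterRole) echo domaindns ;;
        ForestDnsZonesMasterRole) echo forestdns ;;
        *) return 1 ;;
    esac
}

# Prints, one per line, the roles in fsmo-show output ($1) whose owner is the
# NTDS Settings object of DC $2 (case-insensitive DN match).
roles_held_by() {
    printf '%s\n' "$1" | awk -v dc="$2" '
        / owner: / {
            n = index($0, " owner: ")
            role = substr($0, 1, n - 1)
            owner = toupper(substr($0, n + 8))
            if (index(owner, toupper("CN=NTDS Settings,CN=" dc ",")) == 1) print role
        }'
}

# Number of roles DC $2 holds according to output $1.
count_roles_held_by() {
    roles_held_by "$1" "$2" | awk 'END { print NR }'
}

# Prints the seize commands for whatever the dead DC still holds. Seizing is
# irreversible for that DC, so the commands are printed for review, not run.
seize_plan() {
    held=$(count_roles_held_by "$1" "$2")
    if [ "$held" -eq 7 ]; then
        echo "samba-tool fsmo seize --role=all"
    elif [ "$held" -eq 0 ]; then
        echo "# $2 holds no FSMO roles; nothing to seize"
    else
        roles_held_by "$1" "$2" | while read -r role; do
            echo "samba-tool fsmo seize --role=$(fsmo_role_flag "$role")"
        done
    fi
}

# Constructed sample: the dead PDC still holds five roles, SDC already holds
# the two DNS zone roles.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan'

if [ "${LIVE:-0}" = 1 ]; then
    seize_plan "$(samba-tool fsmo show)" "$DEAD_DC"
else
    seize_plan "$SAMPLE_FSMO" "$DEAD_DC"
fi
```

Run it on the surviving DC as `LIVE=1 DEAD_DC=<name> sh fsmo-plan.sh`. Seizing with `--role=all` as in step 2 is fine when the surviving DC already holds some roles (it simply keeps them); the value of the inventory is the second run after seizing, which should report that the dead DC holds nothing before you demote it in step 3.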
-
:)
Regarding your question, I think that there's no easy way of updating the Webadmin > Domain panel :P https://doc.zentyal.org/en/directory.html#total-migration
Cheers!
-
I was able to transfer the roles and demote the server as described.
Creating a new Secondary Domain Controller.
This will leave me in a position that I will never have a working Domain panel for a Primary Domain Controller. Hmmm....
Thank you for your help.
-
My system is too far gone. I was able to export the Users and Groups and the sysvol directory.
Rebuilding a new Primary Domain Controller, imported users and groups.
Note: Exporting doesn't set user passwords to "password". If you have end user passwords, you can change them before import.
I was able to migrate user profiles to the remade domain by logging into the local workstation and using this tool:
User Profile Transfer Wizard
http://www.forensit.com/downloads.html
It also joins the new domain at the same time. Huge time saver.
I have my server running in a VM with snapshots replicating offsite. I've been able to roll back my DC as a test.
-
:)
It's an interesting tool.
Actually, if it weren't for the need to join the machines to the domain, most of the time I would prefer to migrate the data from old servers to a fresh install instead of upgrading them (especially if you have your shares on a dedicated disk).
Thank you!