
Messages - chris.holmes

1
I've come up with a solution but I'm not sure what the cause is.

Problem: User logging into a domain connection computer for the first time. (no profile on the machine, roaming or non-roaming profile doesn't matter)
User is presented with the "Hi, we are setting things up for you..." animation. This animation runs for 15 minutes or until the power management turns the screen off.
Then the user can log in. All subsequent logins are fast. Connecting for the first time via Remote Desktop Connection doesn't present the "Hi... " animation and logs in almost right away.

Solution: Use a GPO to disable the "Hi..." animation on login. First time logins directly on the machine go quickly.
Computer Configuration > Administrative Templates > System > Logon
Set the “Show First Sign-In Animation” option to “Disabled”

Zentyal Core 6.1.6 - Windows 10 Pro 2004, 1909, 1804 (tested broken and fixed)

Not sure if this is part of a bigger problem but I think it can be marked as solved.

2
My system is too far gone. I was able to export the Users and Groups and the sysvol directory.
Rebuilding a new Primary Domain Controller, imported users and groups.
Note: Exporting doesn't sets user passwords to "password". If you have end user passwords, you can change them before import.

I was able to migrate user profiles to the remade domain by logging into the local workstation and using this tool:
User Profile Transfer Wizard
http://www.forensit.com/downloads.html
It also joins the new domain at the same time. Huge time saver.

I have my server running in a VM with snapshots replicating offsite. I've been able to roll back my DC as a test.

3
Installation and Upgrades / Re: Zentyal locks during boot
« on: January 04, 2021, 10:37:26 pm »
Same issue for me, but it starts complaining at BIND and this fix didn't work. I know this is an old dead topic but I'm dead in the water right now.
Rolling back the server to this morning didn't work.

<UPDATE> I had to roll the server WAY back to get it working again. I'm going to have to redo my system.

4
I was able to transfer the roles and demote the server as described.
Creating a new Secondary Domain Controller.

This will leave me in a position that I will never have a working Domain panel for a Primary Domain Controller. Hmmm....

Thank you for your help.

5
Thank you for the response. Yes Backup but I need to take my own advice in that an untested backup is not a backup.
I had the PDC virtualized on a ZFS volume and my snapshots are corrupt, and so are my offsite replications.
This is very alarming with ZFS and something I'm looking into. The system my SDC is on is a different machine and doesn't have this issue.

Sorry if I was unclear about what caused the main issue but it wasn't the set expiry command, it was the "samba_upgradedns --dns-backend=local" then setting it back to BIND9_DLZ. I might have been able to save it if I ran "samba-tool domain exportkeytab dns.keytab --principal=dns-$(hostname)" first, but there were many other issues.

Regarding the dns.keytab fix - Worked like a charm. Thank you. "samba-tool domain exportkeytab dns.keytab --principal=dns-$(hostname)"

Domain Controller fix:

1. Show the list of who owns the roles by using:
samba-tool fsmo show

2. Seize all the FSMO roles to the SDC by running this command on the SDC:
samba-tool fsmo seize --role=all

3. Demote the broken domain controller - https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

4. Don't change anything in the Zentyal WebAdminconsole Domain Panel

5. Create a new SDC and join it to the domain.

Questions:
1. Is there a way to get the WebAdminconsole Domain Panel updated on the now PDC?

I will be backing up the SDC as is (via the Zentyal WebAdminconsole and a tested snapshot of the system) and will try this out over the weekend.
Will post the outcome.

Thank you, I've gone from panic to hope.
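
A check for steps 1 and 2 of the procedure in the post above, added here as an example (it is not part of the original post and not Samba or Zentyal code): it reads `samba-tool fsmo show` output and lists every role whose owner is not the surviving DC. The function name, the host names DC1/DC2, the domain example.lan and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Usage on a live DC (assumed host name): samba-tool fsmo show | fsmo_stale_roles DC2

# Reads "<Role> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,..." lines on stdin.
# Prints each role NOT owned by the expected DC. Exit status is 0 only when at
# least one role line was seen and all of them point at the expected DC, so an
# error message or empty output from the tool never counts as a pass.
fsmo_stale_roles() {
    awk -v dc="$1" '
        / owner: / {
            seen++
            owner = ""
            n = split($0, part, ",")
            # The server name is the CN component directly before CN=Servers.
            for (i = 1; i < n; i++)
                if (part[i] ~ /^CN=/ && part[i + 1] == "CN=Servers")
                    owner = substr(part[i], 4)
            if (toupper(owner) != toupper(dc)) { print $1; stale++ }
        }
        END { if (seen == 0 || stale > 0) exit 1 }'
}

# Constructed sample data: DC1 is the dead controller, DC2 the survivor.
TAIL='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan'
SAMPLE_BEFORE="SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,$TAIL
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,$TAIL
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,$TAIL"
# The same listing as it should look once every role has moved to DC2.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/CN=DC1,/CN=DC2,/')

# Before the seize: prints the two roles still assigned to DC1.
printf '%s\n' "$SAMPLE_BEFORE" | fsmo_stale_roles DC2 ||
    echo "roles listed above are still owned by another DC"
# After the seize: prints nothing and succeeds.
printf '%s\n' "$SAMPLE_AFTER" | fsmo_stale_roles DC2 &&
    echo "all listed roles are owned by DC2"
```

Running the same check again after demoting the old controller and joining the new one confirms no role still references the removed server.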



 



6
Zentyal Version 6.1.6 running only as a domain controller / DNS server.
Primary and Secondary DNS Servers. NOT using roaming profiles. Have all my scripts and the workstation group policy backed up.

Problem 1: My Primary domain controller (PDC) is dead.
Secondary Domain Controller is functional (SDC), domain authentication is working. The license key is the only thing left of the PDC.
What do I need to do to create a new Primary Domain Controller for my domain so I don't lose all the user accounts, connected computers etc.?

I'm assuming turn the SDC into a PDC and create a new SDC, but documentation on that is mainly on migrating from a Windows PDC.

Problem 2: (which led to the dead PDC)
DNS not updating automatically. Got the following error after adding the noexpiry flag to the dns-<PDC> account.

Exit value: 1 at root command kinit -k -t /var/lib/samba/private/dns.keytab dns-zentyal failed.
Error output: kinit: Password incorrect

How do I properly set the password in the dns.keytab file to get DNS updating properly again?

Explanation of Problem 2:
The password for the dns-<PDC> was manually changed via the Users and Computer Management screen. The fix I found to reset the password on the dns-<PDC> account was the start of the cause of Problem 1.
THIS IS BAD DO NOT DO - (samba_upgradedns --dns-backend=local then back to BIND9_DLZ)

This is me putting down the shovel to get out of the hole. Thank you in advance.
