Moving S4Connector and FSMO Role to Backupserver

In some cases reprovisioning as described in this article:

is not possible. This article describes a middle way between reprovisioning and the backup2master scenario.
There is another way to repair the Samba database on the master: move the S4 Connector to the backup server. If you do not have a backup server, this article is not suitable.
Once the S4 Connector is established and running on the backup, you can also move the FSMO roles to the backup server.

Moving the Connector

Step 1 on both servers

Save the UCR variables on the master and on the backup server (naming the files connector-ucr-master and connector-ucr-backup), copy both files to one host and compare them:

ucr dump |grep connector > connector-ucr-master
vimdiff connector-ucr-master connector-ucr-backup

Only the connector/s4/autostart variable should differ.
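As an added example, not part of the original article, the following POSIX shell function automates that comparison offline: it takes two ucr dump files, keeps only the connector/ keys, ignores connector/s4/autostart, and prints every key whose value differs between the hosts. The sample dumps, their keys and their values are constructed for this demo and do not come from a real system.

```shell
#!/bin/sh
# Added example, not from the original article: compare connector/ UCR
# variables from two "ucr dump" files (format "key: value" per line).
# Usage: connector_ucr_diff <master-dump> <backup-dump>
# Prints the name of every connector key whose value differs, except
# connector/s4/autostart, which is expected to differ between the hosts.
connector_ucr_diff() {
    master_sorted=$(mktemp)
    backup_sorted=$(mktemp)
    # Keep connector variables only, drop the one key that may differ, sort for comm.
    grep '^connector/' "$1" | grep -v '^connector/s4/autostart:' | sort > "$master_sorted"
    grep '^connector/' "$2" | grep -v '^connector/s4/autostart:' | sort > "$backup_sorted"
    # comm -3 prints lines unique to either side; strip comm's tab, keep the key name.
    comm -3 "$master_sorted" "$backup_sorted" | tr -d '\t' | cut -d: -f1 | sort -u
    rm -f "$master_sorted" "$backup_sorted"
}

# Succeeds (exit 0) when the dumps agree apart from connector/s4/autostart.
connector_ucr_matches() {
    [ -z "$(connector_ucr_diff "$1" "$2")" ]
}

# Constructed sample dumps (keys and values made up for this demo).
SAMPLE_MASTER=$(mktemp)
SAMPLE_BACKUP=$(mktemp)
cat > "$SAMPLE_MASTER" <<'EOF'
connector/s4/autostart: yes
connector/s4/listener/dir: /var/lib/univention-connector/s4
connector/s4/mapping/group/language: en
connector/s4/poll/sleep: 5
hostname: master
EOF
cat > "$SAMPLE_BACKUP" <<'EOF'
connector/s4/autostart: no
connector/s4/listener/dir: /var/lib/univention-connector/s4
connector/s4/mapping/group/language: de
connector/s4/poll/sleep: 5
hostname: backup
EOF

# Demo run: reports connector/s4/mapping/group/language, the one unexpected difference.
connector_ucr_diff "$SAMPLE_MASTER" "$SAMPLE_BACKUP"
```

On real hosts you would pass the two connector-ucr-* files produced by ucr dump; an empty result means only the autostart flag differs, anything printed is a key to align on the backup before the connector is started there.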

Save and compare the connector mapping:

cd /etc/univention/connector/s4/
md5sum mapping
mkdir -p /root/con-mapping
cp -a /etc/univention/connector/s4/* /root/con-mapping/

Compare the md5sum of the mapping file on both hosts and adjust the differences on the backup server, or copy the mapping file from the master to the backup.

Step 2 on the master

systemctl stop univention-s4-connector.service
ucr set connector/s4/autostart='no'

Remove the S4 Connector service from the master:

udm computers/domaincontroller_master modify --dn $(univention-ldapsearch -LLLo ldif-wrap=no cn=$(hostname) dn | sed -ne 's|dn: ||p' | grep -i 'cn=dc') --remove service="S4 Connector"

The search may also find a DHCP object with the same cn, in which case the modification fails silently, so make sure the change has actually been applied:

univention-ldapsearch -LLLo ldif-wrap=no cn=master univentionService

univentionService: S4 Connector should no longer be listed for the master.

Step 3 on the backup - activate the S4 Connector

Make sure there are no rejects left from a previous start:

ls -lah /var/lib/univention-connector/s4/
ls -lah /var/lib/univention-connector/s4/tmp/

You should not find any pickle files here.
Now you can activate the connector by running the join script:

univention-run-join-scripts --force --run-scripts 97univention-s4-connector.inst

After that make sure the connector is running on the backup.
You may want to add a new user to check whether the synchronisation works and the new user appears in Samba 4 on the backup.

Moving the FSMO roles

The FSMO roles can be transferred to other Samba DCs. By default the master holds the roles, but the backup is also capable of holding them.
You can check with:

samba-tool fsmo show

This will show you that the master currently holds the roles:

SchemaMasterRole owner: CN=NTDS Settings,CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schein,DC=ig
InfrastructureMasterRole owner: CN=NTDS Settings,CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schein,DC=ig
RidAllocationMasterRole owner: CN=NTDS Settings,CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schein,DC=ig
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schein,DC=ig
DomainNamingMasterRole owner: CN=NTDS Settings,CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schein,DC=ig
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schein,DC=ig
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schein,DC=ig

Step 1 on the backup

samba-tool fsmo seize --role=all -U Administrator

You will need the Administrator credentials.
After that check with samba-tool fsmo show again.
Check on each Samba DC that the BACKUP hostname now appears in the output for every role.
Please also check the replication with samba-tool drs showrepl.
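Reading seven long DNs by eye on every DC is error-prone, so here is an added example, not part of the original article, of a POSIX shell check that parses the output of samba-tool fsmo show and prints every role whose owner is not the expected host. It relies on the owner DN layout shown above (the server name is the second RDN, after CN=NTDS Settings). The two sample outputs are constructed for the demo: the first mirrors the article's listing, the second is a made-up seizure that left one role behind.

```shell
#!/bin/sh
# Added example, not from the original article: check the output of
# "samba-tool fsmo show" for roles that are still owned by another DC.
# Owner DNs have the form "CN=NTDS Settings,CN=<HOST>,CN=Servers,...",
# so the server name is the second RDN. Comparison is case-insensitive.
# Usage: samba-tool fsmo show | fsmo_roles_not_on <hostname>
# Prints the name of each role whose owner is not <hostname>.
fsmo_roles_not_on() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    while IFS= read -r line; do
        case "$line" in
            *"Role owner: "*) ;;          # keep only role lines
            *) continue ;;
        esac
        role=${line%% owner:*}            # e.g. SchemaMasterRole
        owner_dn=${line#*owner: }         # CN=NTDS Settings,CN=<HOST>,...
        rest=${owner_dn#*,}               # CN=<HOST>,CN=Servers,...
        server_rdn=${rest%%,*}            # CN=<HOST>
        have=$(printf '%s' "${server_rdn#CN=}" | tr '[:lower:]' '[:upper:]')
        [ "$have" = "$want" ] || printf '%s\n' "$role"
    done
}

# Succeeds (exit 0) only when every role listed on stdin is owned by <hostname>.
fsmo_all_on() {
    [ -z "$(fsmo_roles_not_on "$1")" ]
}

# Sample output constructed for the demo, mirroring the article's layout.
DN_TAIL='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schein,DC=ig'
SAMPLE_BEFORE="SchemaMasterRole owner: CN=NTDS Settings,CN=MASTER,$DN_TAIL
InfrastructureMasterRole owner: CN=NTDS Settings,CN=MASTER,$DN_TAIL
RidAllocationMasterRole owner: CN=NTDS Settings,CN=MASTER,$DN_TAIL
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=MASTER,$DN_TAIL
DomainNamingMasterRole owner: CN=NTDS Settings,CN=MASTER,$DN_TAIL
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=MASTER,$DN_TAIL
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=MASTER,$DN_TAIL"
# Constructed: a seizure that left one role behind on the master.
SAMPLE_PARTIAL="SchemaMasterRole owner: CN=NTDS Settings,CN=BACKUP,$DN_TAIL
InfrastructureMasterRole owner: CN=NTDS Settings,CN=MASTER,$DN_TAIL
RidAllocationMasterRole owner: CN=NTDS Settings,CN=BACKUP,$DN_TAIL
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=BACKUP,$DN_TAIL
DomainNamingMasterRole owner: CN=NTDS Settings,CN=BACKUP,$DN_TAIL
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=BACKUP,$DN_TAIL
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=BACKUP,$DN_TAIL"

# Demo: prints InfrastructureMasterRole, the role still held by the master.
printf '%s\n' "$SAMPLE_PARTIAL" | fsmo_roles_not_on backup
```

On a live DC run samba-tool fsmo show | fsmo_roles_not_on backup on each Samba DC; any role name printed means that DC still sees another owner and replication (samba-tool drs showrepl) needs a look before you continue.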

Remove Samba from the master (if the database is corrupt)

Step 1 - removing the app

Stop Samba if it is still running:

/etc/init.d/samba stop

and check with

ps aufx |grep samba

After that you can uninstall the "Active Directory Domain Controller" app via UMC or via the terminal:

univention-app remove samba4

  • After removing the app make sure the LDAP service (slapd) is running and the join status (univention-check-join-status) is okay.

Step 2 - installing Samba 4 again

  • Make sure the directory /var/lib/samba/private/ exists. It may have been corrupted, or you moved the whole directory away earlier.

mkdir -p /var/lib/samba/private

Check if the backup is available and responsive for joining:

samba-tool domain info <backupserver-fqdn>

e.g.

# samba-tool domain info backup.schein.ig

Install Samba 4 step by step:

apt-get install univention-samba4

Joining the backup server during the installation will fail because credentials are required, so afterwards you have to run:

univention-run-join-scripts --ask-pass

Now Samba should be ready again, so you can check the database and the synchronization:

samba-tool domain info <fqdn of the master>
samba-tool drs showrepl
samba-tool dbcheck --cross-ncs
(also check this on the other Samba DCs)
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh

You can also try to adjust or set a GPO with the RSAT tools while connected to the master.

Try to add a new user on the master. This user should be replicated to the backup via listener/notifier, written to Samba there by the connector, and synced back to the master via the Samba DRS protocol,
so univention-s4search <newuser> on the master should find the user.

Step 3 - installing the S4 Connector again

apt-get install univention-s4-connector
univention-check-join-status

To move the connector back to the master and set the FSMO roles on the master again, follow the steps in this article in reverse order.
