Line 26: |
Line 26: |
| Also check the timezone is correct. | | Also check the timezone is correct. |
| | | |
− | Fixes a Potential problem where kerberos and the AD server get out of sync. Has failed to permanently resolve the problem on sliceyToo, but did make it go away for a day while rebooting failed. | + | Fixes a Potential problem where kerberos and the AD server get out of sync. Has failed to permanently resolve the problem on sliceyToo, but did make it go away for a day while rebooting failed. |
| | | |
| == Reset Machine Password == | | == Reset Machine Password == |
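Review bot: the changed sentence after "Also check the timezone is correct." reads the same on both sides of the diff, and its wording still contradicts itself: it opens with "Fixes a Potential problem where kerberos and the AD server get out of sync" and then says the step "Has failed to permanently resolve the problem on sliceyToo". Since the line is being touched anyway, reword it as a temporary mitigation (it cleared the problem for a day when rebooting did not), lower-case "Potential", and name the step it refers to so the sentence makes sense on its own.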
Line 37: |
Line 37: |
| | | |
| Reference: [http://www.implbits.com/about/blog/tabid/78/post/don-t-rejoin-to-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/default.aspx DON'T REJOIN TO FIX] | | Reference: [http://www.implbits.com/about/blog/tabid/78/post/don-t-rejoin-to-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/default.aspx DON'T REJOIN TO FIX] |
− | I have tried rejoining the computers to domain. It didn't fix. | + | I have tried rejoining the computers to domain. It didn't fix. |
| | | |
| == Remove Stale Entries to the Old Domain Controller from ldap == | | == Remove Stale Entries to the Old Domain Controller from ldap == |
| | | |
− | The previous Domain Controller with all the FSMO roles was named vm. It died a sudden death and was not cleanly demoted from the domain. | + | The previous Domain Controller with all the FSMO roles was named vm. It died a sudden death and was not cleanly demoted from the domain. |
| + | |
| + | |
| + | === cleaning out the _msdcs record === |
| + | Find the extra entry |
| + | |
| + | |
| + | <pre>samba-tool dns query bob _msdcs.ad.pumpingstationone.org @ ALL |
| + | Name=, Records=2, Children=0 |
| + | SOA: serial=5, refresh=900, retry=600, expire=86400, minttl=0, ns=vm.ad.pumpingstationone.org., email=hostmaster.ad.pumpingstationone.org. (flags=600000f0, serial=5, ttl=3600) |
| + | NS: vm.ad.pumpingstationone.org. (flags=600000f0, serial=1, ttl=900) |
| + | Name=8e76c887-c322-4e20-98df-372fa8801c44, Records=1, Children=0 |
| + | CNAME: vm.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900) |
| + | Name=dc, Records=0, Children=2 |
| + | Name=domains, Records=0, Children=1 |
| + | Name=e3fac096-8349-4e28-8fda-91d32e6ec7c0, Records=1, Children=0 |
| + | CNAME: bob.ad.pumpingstationone.org. (flags=f0, serial=110, ttl=900) |
| + | Name=gc, Records=0, Children=2 |
| + | </pre> |
| + | |
| + | In this case, the extra record is the one that resolves to vm.ad.pumpingstaitonone.org: 8e76c887-c322-4e20-98df-372fa8801c44 |
| + | |
| + | Delete it: |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org 8e76c887-c322-4e20-98df-372fa8801c44 CNAME vm.ad.pumpingstationone.org |
| + | |
| + | |
| + | === gc records === |
| + | |
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org gc ALL |
| + | |
| + | Delete A or AAAA record that is not a Domain controller |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org gc A ${IP4_Address} |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org gc AAAA ${IP6_Address} |
| + | |
| + | I had a lot of stale entries, as ip address have changed before. |
| + | |
| + | === _tcp.gc records === |
| + | |
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.gc ALL |
| + | |
| + | delete SRV records poining to removed machines |
| + | |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.gc SRV 'vm.ad.pumpingstationone.org. 3268 0 100' |
| + | |
| + | === _tcp.dc records === |
| + | |
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.dc ALL |
| + | |
| + | delete the extra records for _ldap and _kerberos |
| + | |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _kerberos._tcp.dc SRV 'vm.ad.pumpingstationone.org. 88 0 100' |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.dc SRV 'vm.ad.pumpingstationone.org. 389 0 100' |
| + | |
| + | === _tcp.pdc records === |
| + | |
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.pdc ALL |
| + | |
| + | delete the extra _ldap records: |
| + | |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.pdc SRV 'vm.ad.pumpingstationone.org. 389 0 100' |
| + | |
| + | === _tcp records records === |
| + | |
| + | samba-tool dns query bob ad.pumpingstationone.org _tcp ALL |
| + | |
| + | delete the extra _gc, _kerberos, _kpasswd, and _ldap records |
| + | |
| + | samba-tool dns delete bob ad.pumpingstationone.org _gc._tcp SRV 'vm.ad.pumpingstationone.org. 3268 0 100' |
| + | samba-tool dns delete bob ad.pumpingstationone.org _kerberos._tcp SRV 'vm.ad.pumpingstationone.org. 88 0 100' |
| + | samba-tool dns delete bob ad.pumpingstationone.org _kpasswd._tcp SRV 'vm.ad.pumpingstationone.org. 464 0 100' |
| + | samba-tool dns delete bob ad.pumpingstationone.org _ldap._tcp SRV 'vm.ad.pumpingstationone.org. 389 0 100' |
| + | |
| + | === _udp records === |
| + | |
| + | samba-tool dns query bob ad.pumpingstationone.org _udp ALL |
| + | |
| + | delete the extra _kerberos and _kpasswd records |
| + | |
| + | samba-tool dns delete bob ad.pumpingstationone.org _kerberos._udp SRV 'vm.ad.pumpingstationone.org. 88 0 100' |
| + | samba-tool dns delete bob ad.pumpingstationone.org _kpasswd._udp SRV 'vm.ad.pumpingstationone.org. 464 0 100' |
| + | |
| + | |
| + | === _tcp.Default-First-Site-Name._sites records === |
| + | |
| + | samba-tool dns query bob ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites ALL |
| + | |
| + | delete extra _kerberos, _ldap, and _gc records |
| + | |
| + | samba-tool dns delete bob ad.pumpingstationone.org _kerberos._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 88 0 100' |
| + | samba-tool dns delete bob ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 389 0 100' |
| + | samba-tool dns delete bob ad.pumpingstationone.org _gc._tcp.Default-First-Site-Name._sites SRV 'vm.ad.pumpingstationone.org. 3268 0 100' |
| + | |
| + | === _tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains records === |
| + | |
| + | |
| + | find the domain guid: |
| + | |
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org domains ALL |
| + | |
| + | In my case it was <code>Name=b83beba7-1a4b-4801-a2bd-8ee8ea0eb626, Records=0, Children=1</code> |
| + | |
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains ALL |
| + | |
| + | delete the _ldap record |
| + | |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains SRV 'vm.ad.pumpingstationone.org. 389 0 100' |
| + | |
| + | === _tcp.Default-First-Site-Name._sites.gc === |
| + | |
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites.gc ALL |
| + | |
| + | delete extra _ldap records |
| + | |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites.gc SRV 'vm.ad.pumpingstationone.org. 3268 0 100' |
| + | |
| + | === _tcp.Default-First-Site-Name._sites.dc === |
| + | |
| + | samba-tool dns query bob _msdcs.ad.pumpingstationone.org _tcp.Default-First-Site-Name._sites.dc ALL |
| + | |
| + | delete extra _kerberos and _ldap records |
| + | |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _kerberos._tcp.Default-First-Site-Name._sites.dc SRV 'vm.ad.pumpingstationone.org. 88 0 100' |
| + | samba-tool dns delete bob _msdcs.ad.pumpingstationone.org _ldap._tcp.Default-First-Site-Name._sites.dc SRV 'vm.ad.pumpingstationone.org. 389 0 100' |
| + | |
| + | === More stale entries === |
| + | |
| + | The primary problem has been resolved, but I am going to document stale entries left behind |
| + | * CN=NTDS Settings,CN=VM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org |
| + | ** Removing this entry removed the box from the replication pool in <code> samba-tool drs showrepl</code> |
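Review bot: in "gc records" the instruction "Delete A or AAAA record that is not a Domain controller" gives the delete commands with ${IP4_Address} and ${IP6_Address} but never says how to tell a stale address from a live one, so a reader can remove the remaining controller's own records. List the current addresses of bob before the delete lines and state that those are the ones to keep. None of the sections shows a check after deleting either. Re-running the section's own "samba-tool dns query ... ALL" and confirming that only bob.ad.pumpingstationone.org. remains would close each step. Smaller points: the sentence identifying the extra CNAME spells the host "vm.ad.pumpingstaitonone.org", "poining" should be "pointing", the heading "_tcp records records" repeats a word, and the heading "_tcp.b83beba7-1a4b-4801-a2bd-8ee8ea0eb626.domains records" hard-codes a GUID that the text below it says must be looked up first.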