.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Rebuilding a crashed Domain Controller
  :keywords: crash, Samba-AD, documentation

.. _recovering_ad_from_crash:

######################################
Rebuilding a crashed Domain Controller
######################################

.. warning::

  **NEVER** restore a snapshot. It would break the Samba replication system. Please use the following documentation instead.

.. note::

  In this documentation, it is assumed:

  * That the crashed domain controller is called *srvads1*.

  * That the healthy domain controller is called *srvads2*.

  * That the domain is called *mydomain.lan*.

  In the instructions below, replace *mydomain.lan* with your own domain name and *srvads* with the machine name of your choice.

.. attention::

   In this documentation, it is assumed:

   * That you are using a Debian-based system.

   * To restart Samba on RHEL and derivatives, replace "samba-ad-dc" with "samba" in the commands below.


**********************************************
If the AD is a primary DC (with the FSMO role)
**********************************************

* Check which AD is FSMO:

  :command:`samba-tool fsmo show` should return output like this:

  .. code-block:: bash

    SchemaMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan

  *srvads1* therefore holds the FSMO roles in our example.

* On the remaining AD (*srvads2*), declare that *srvads1* no longer exists:

  .. code-block:: bash

    samba-tool domain demote --remove-other-dead-server=srvads1
    systemctl restart samba-ad-dc || systemctl restart samba

* Transfer the roles to another AD:

  .. attention::

    Before transferring the roles, make sure that the lost domain controller will **never again** be brought back into service.

  .. code-block:: bash

    samba-tool fsmo transfer --role=all

  .. hint::

    Roles that can be seized or transferred with ``--role=ROLE``:

      - rid=RidAllocationMasterRole
      - schema=SchemaMasterRole
      - pdc=PdcEmulationMasterRole
      - naming=DomainNamingMasterRole
      - infrastructure=InfrastructureMasterRole
      - domaindns=DomainDnsZonesMasterRole
      - forestdns=ForestDnsZonesMasterRole
      - all=all of the above

    You must provide an Admin user and password.

* If a permissions error occurs, pass the administrator credentials explicitly:

  .. code-block:: bash

    samba-tool fsmo transfer --role=all -U administrator

* Check that the roles have been transferred:

  :command:`samba-tool fsmo show` must now return:

  .. code-block:: bash

    SchemaMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
    ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan

* Check the AD database with dbcheck:

  .. code-block:: bash

    samba-tool dbcheck --cross-ncs --fix

* Seize the roles so that the remaining Domain Controller is recorded as their owner:

  .. code-block:: bash

    samba-tool fsmo seize --role=all

* All FSMO roles are now assigned to another Domain Controller.
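The role check described in this chapter, as an added example that is not part of this documentation: a POSIX sh function that parses the output of :command:`samba-tool fsmo show` and reports every one of the seven roles not owned by the expected DC, so a partial transfer or a role still pointing at the crashed DC is caught. The sample outputs are constructed to match the examples above; the function name ``check_fsmo_owner`` is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original documentation: verify that every
# FSMO role printed by "samba-tool fsmo show" is owned by the expected DC.
# Real use on the healthy DC:  samba-tool fsmo show | check_fsmo_owner srvads2

# Constructed sample output: the state expected after transferring all roles to srvads2.
SAMPLE_FSMO_OK='SchemaMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=srvads2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan'

# Constructed partial-transfer sample: the PDC emulator role is still held by the dead srvads1.
SAMPLE_FSMO_PARTIAL=$(printf '%s\n' "$SAMPLE_FSMO_OK" \
    | sed 's/^\(PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\)srvads2/\1srvads1/')

# check_fsmo_owner EXPECTED_DC
# Reads "samba-tool fsmo show" output on stdin, prints every role whose owner
# is not EXPECTED_DC to stderr, and returns 0 only when all seven roles are
# present and owned by EXPECTED_DC (a missing role line is treated as a failure).
check_fsmo_owner() {
    expected="$1"
    seen=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"Role owner: "*) ;;
            *) continue ;;
        esac
        seen=$((seen + 1))
        role=${line%% owner:*}
        owner=${line#* owner: }
        # The owner DN is "CN=NTDS Settings,CN=<dc name>,CN=Servers,...": take the second RDN.
        dc=${owner#"CN=NTDS Settings,CN="}
        dc=${dc%%,*}
        if [ "$dc" != "$expected" ]; then
            echo "$role: owned by $dc, expected $expected" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$seen" -eq 7 ] && [ "$bad" -eq 0 ]
}
```

A non-zero exit from this check after ``samba-tool fsmo transfer --role=all`` is the signal to run the ``seize`` step rather than to proceed.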

***************************************************
If the AD is a secondary DC (without the FSMO role)
***************************************************

* Recreate a new machine by following the DC installation documentation.

* Demote *srvads1* (on the healthy DC, remove the dead server from the directory):

  .. code-block:: bash

    samba-tool domain demote --remove-other-dead-server=srvads1
    systemctl restart samba-ad-dc

* Rebuild a *srvads1* domain controller by following the :ref:`usual procedure for Debian <server_secondary_debian>` or the :ref:`usual procedure for RedHat8 and derived distributions <server_secondary_redhat>` and join the server to the domain.

* Ensure that the DNS fields are created correctly:

  .. code-block:: bash

    samba_dnsupdate --verbose

* If some updates still *fail*, use this method, which performs the updates through samba-tool and also bypasses Kerberos:

  .. code-block:: bash

    samba_dnsupdate --use-samba-tool

*******************************
Validating the new installation
*******************************

* Test the connection to the DNS from the :guilabel:`DNS Active Directory console`:

  .. figure:: images/samba_dns_active_directory_fr.png
    :align: center
    :scale: 100%
    :alt: Active Directory DNS console

    Active Directory DNS console

* Test the connection from the :guilabel:`Active Directory Users and Computers` console:

  .. figure:: images/samba_users_and_computers_active_directory.png
    :align: center
    :scale: 100%
    :alt: Active Directory Users and Computers console

    Active Directory Users and Computers console

* Check the status of the replications with :command:`samba-tool drs showrepl`:

  .. code-block:: bash

    samba-tool drs showrepl

************
Useful links
************

* https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_Roles

* https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles

* https://www.it-connect.fr/seizing-de-roles-fsmo/
