Post by Aaron Haslett via samba-technical
The existing shell script for backing up a domain doesn't lock things
properly while doing the backup and could end up with a corrupt backup
or cause a lockup. Here's a new python script that actually works,
along with tests and required fixes.

I haven't looked into this in detail, but I have a few questions/comments:
- Can you write down in words what the new command is supposed to do?
- The most important part of a backup is always the restore!
I have come across a few sites already, which tried to restore
DCs from a VM snapshot and corrupted the replication state.
I think we really need a corresponding restore command
and make it relatively hard to restore the backup without
using the restore command.
The restore command should also do this on the backup databases:
- reset highestCommittedUSN to 1 and invent a new invocationID
that will be used for further replPropertyMetaData stamps
- samba-tool domain demote --remove-other-dead-server for all
servers
- create a new machine account and NTDSDsa object (with the new
invocationID)
- samba-tool fsmo seize for all roles
- change the krbtgt passwords twice
So that the restored domain will never replicate with any existing
DC, as it's only a last resort if really all DCs are broken.
Can you please read through the C related patches and fix
tab vs. whitespaces or missing whitespaces.
Thanks!
metze