SambaWiki - User contributions [en] 2024-03-28T13:54:07Z MediaWiki 1.39.5
https://wiki.samba.org/index.php?title=Deleted_AD_zone&diff=17556 Deleted AD zone 2021-06-24T04:00:47Z<p>Putt1ck: </p>
<hr />
<div>If someone accidentally deletes the AD domain's DNS zone, your domain will cease to function correctly, more or less entirely for machines outside the primary LAN. This is remarkably easy to do with the standard Microsoft AD tools, and much has been written about ways to restore the zone on Windows servers, depending on how long it takes you to notice what has happened. Services using LDAP auth should continue to work as normal.<br />
<br />
All is not lost, though: restoring the zone and domain functionality will not take long and does not require that you have any backups.<br />
<br />
''NB: this is based on a real-world successful recovery and has not been "lab tested"; the domain in question was using the internal DNS server.''<br />
<br />
* Recreate the zone with<br />
<br />
samba-tool dns zonecreate A-DC domain.local -U admin.username<br />
<br />
where, in the test case, A-DC was what we think of in old-fashioned terms as the PDC, i.e. the DC that has the FSMO roles. This may or may not be relevant; only some lab testing will tell.<br />
<br />
The zone starts to populate itself fairly quickly with records from the LAN.<br />
<br />
* On the other DCs, restart Samba<br />
<br />
service samba-ad-dc restart<br />
<br />
That gets the zone recreated on the DCs; they start to replicate the info from A-DC, and populate with local machines a little while later. You can check progress with<br />
<br />
samba-tool dns query this-DC domain.local @ ALL -U admin.username<br />
<br />
* You then get the DCs all joined up again (getting their A records to appear in the zone) by running<br />
<br />
samba_dnsupdate --verbose --use-samba-tool --rpc-server-ip ip.of.each.dc --all-names<br />
<br />
It's possible you only need to run the above from each DC against one other DC (the A-DC) and then it will all just replicate, but in the real-world recovery process we went belt and braces and ran it from each DC to each other DC.<br />
<br />
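One way to confirm that the last step worked, shown as an added example that is not part of the original wiki page: a shell function that reads <code>samba-tool dns query</code> output and lists the DCs that still have no A record in the recreated zone. The DC names dc2 and dc3, the addresses and the sample listing are constructed, and the <code>Name=...</code> / <code>A: ...</code> layout is assumed to match what samba-tool prints.<br />

```shell
#!/bin/sh
# Added example: report DCs that have no A record yet in the recreated zone.
# Reads `samba-tool dns query <dc> <zone> @ ALL` output on stdin;
# arguments are the DC host names to look for (matched case-insensitively).
missing_dc_records() {
    awk -v wanted="$*" '
        BEGIN { n = split(tolower(wanted), dcs, " ") }
        # Node header, e.g. "  Name=dc2, Records=1, Children=0"
        /^[ \t]*Name=/ {
            node = $0
            sub(/^[ \t]*Name=/, "", node)
            sub(/,.*/, "", node)
            node = tolower(node)
            next
        }
        # A record listed under the current node, e.g. "    A: 10.0.0.2 (...)"
        /^[ \t]*A: / { has_a[node] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(dcs[i] in has_a)) print dcs[i]
        }
    '
}

# Constructed sample listing: A-DC and dc2 have re-registered their A
# records; dc3 shows only an AAAA record, so it still counts as missing.
sample_query_output() {
    cat <<'EOF'
  Name=, Records=2, Children=0
    SOA: serial=3, refresh=900, retry=600, expire=86400, minttl=3600, ns=a-dc.domain.local., email=hostmaster.domain.local. (flags=600000f0, serial=3, ttl=3600)
    NS: a-dc.domain.local. (flags=600000f0, serial=1, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=A-DC, Records=1, Children=0
    A: 10.0.0.1 (flags=f0, serial=1, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 10.0.0.2 (flags=f0, serial=2, ttl=900)
  Name=dc3, Records=1, Children=0
    AAAA: fd00:0000:0000:0000:0000:0000:0000:0003 (flags=f0, serial=2, ttl=900)
  Name=ws-042, Records=1, Children=0
    A: 10.0.1.42 (flags=f0, serial=2, ttl=900)
EOF
}

# Live use on a DC (prompts for the admin password):
#   samba-tool dns query this-DC domain.local @ ALL -U admin.username \
#       | missing_dc_records a-dc dc2 dc3
```
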
At this point recovery back to normal function is just a matter of time, and not a very long time in our example; no more issues were reported after 15 minutes of this process being completed (3 sites, a few hundred clients and 7 DCs).</div>Putt1ck
https://wiki.samba.org/index.php?title=Deleted_AD_zone&diff=17551 Deleted AD zone 2021-06-23T13:11:28Z<p>Putt1ck: </p>
<hr />
<div>Holding page for Chris Puttick<br />
Test edit</div>Putt1ck
https://wiki.samba.org/index.php?title=User_Documentation&diff=17549 User Documentation 2021-06-23T12:32:54Z<p>Putt1ck: </p>
<hr />
<div>* [[FAQ|Frequently Asked Questions (FAQ)]]<br />
* [[Samba Release Planning]]<br />
* [[Samba_Features_added/changed_(by_release)|Samba Release Notes]]<br />
* [[Obtaining Samba]]<br />
* [[Installing Samba]]<br />
:* [[Operating System Requirements]]<br />
::* [[Package Dependencies Required to Build Samba]]<br />
::* [[File System Support]]<br />
:* [[Build Samba from Source]]<br />
:* [[Distribution-specific Package Installation]]<br />
* [[Updating Samba]]<br />
<br />
<br />
<br />
<br />
* [[Domain Control]]<br />
:* [[Active Directory Domain Controller]]<br />
::* [[Active Directory Naming FAQ]]<br />
::* [[Setting up Samba as an Active Directory Domain Controller]]<br />
::* [[Joining a Samba DC to an Existing Active Directory]]<br />
::* [[Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD]]<br />
::* [[Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD]]<br />
::* [[Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade)]]<br />
::* [[Demoting a Samba AD DC]]<br />
::* [[The Samba AD DNS Back Ends]]<br />
:::* [[Samba Internal DNS Back End]]<br />
:::* [[BIND9_DLZ DNS Back End]]<br />
::::* [[Setting up a BIND DNS Server]]<br />
::::* [[Configure DHCP to update DNS records with BIND9]]<br />
:::* [[Testing Dynamic DNS Updates]]<br />
::* [[Managing the Samba AD DC Service]]<br />
::* [[Configuring Winbindd on a Samba AD DC]]<br />
::* [[Time Synchronisation]]<br />
::* [[Verifying the Directory Replication Statuses]]<br />
::* [[Manually Replicating Directory Partitions]]<br />
::* [[Running a Samba AD DC with MIT Kerberos KDC]]<br />
::* [[Migrating the ntvfs File Server Back End to s3fs]]<br />
::* [[Samba AD DC Port Usage]]<br />
::* [[Samba AD DC Troubleshooting]]<br />
::* [[Password Settings Objects]]<br />
::* [[Running Samba AD Domain Controllers in large domains]]<br />
::* [[Using the lmdb database backend]]<br />
<br />
<br />
<br />
:* [[NT4 Domains]]<br />
::* [[Setting up Samba as an NT4 PDC (Quick Start)]]<br />
:::* [[Samba NT4 PDC Port Usage]]<br />
::* [[Setting up Samba as an NT4 BDC]]<br />
::* [[Required Settings for Samba NT4 Domains]]<br />
<br />
<br />
* [[Domain Membership]]<br />
:* [[Joining a Windows Client or Server to a Domain]]<br />
::* [[Windows DNS Configuration]]<br />
:* [[Joining a Linux or Unix Host to a Domain]]<br />
::* [[Linux and Unix DNS Configuration]]<br />
::* [[Setting up Samba as a Domain Member]]<br />
:::* [[Identity Mapping Back Ends]]<br />
::::* [[idmap config ad]] (RFC2307)<br />
::::* [[idmap config rid]]<br />
::::* [[idmap config autorid]]<br />
::::* [[Local accounts]]<br />
:::* [[Authenticating Domain Users Using PAM]]<br />
:::* [[PAM Offline Authentication]]<br />
::* [[Samba Domain Member Port Usage]]<br />
:* [[Joining a Mac OS X Client to a Domain]]<br />
::* [[Mac OS X DNS Configuration]]<br />
:* [[Configuring FreeDOS to Access a Samba Share]]<br />
:* [[Troubleshooting Samba Domain Members]]<br />
<br />
<br />
* [[Setting_up_Samba_as_a_Standalone_Server|Standalone Server]]<br />
:* [[Setting up Samba as a Standalone Server]]<br />
<br />
<br />
* [[CTDB and Clustered Samba]]<br />
<br />
<br />
* [[Advanced Configuration]]<br />
:* [[Configuring Logging on a Samba Server]]<br />
::* [[Setting up Audit Logging]]<br />
:* [[DNS Administration]]<br />
::* [[Changing the DNS Back End of a Samba AD DC]]<br />
::* [[DNS administration]]<br />
::* [[DNS troubleshooting]]<br />
:::* [[Dns_tkey_negotiategss: TKEY is unacceptable]]<br />
:::* [[Deleted AD zone]]<br />
:* [[Setting up RFC2307 in AD]]<br />
:* [[Print Server Support]]<br />
::* [[Setting up Samba as a Print Server]]<br />
::* [[Setting up Automatic Printer Driver Downloads for Windows Clients]]<br />
::* [[Creating Custom Paper Sizes]]<br />
::* [[Setting up Network Printer Ports]]<br />
::* [[Virtual PDF Printer]]<br />
:* [[Active Directory Sites]]<br />
:* [[Samba AD Schema]]<br />
::* [[AD Schema Version Support]]<br />
::* [[Samba AD schema extensions]]<br />
:* [[Virtual File System Modules]]<br />
:* [[Generating Keytabs]]<br />
<br />
<br />
<br />
<br />
<br />
* [[Replication]]<br />
:* [[Distributed File System (DFS)]]<br />
::* [[SysVol replication (DFS-R)]]<br />
:::* [[Rsync based SysVol replication workaround]] (Samba DCs only)<br />
:::* [[Bidirectional Rsync/Unison based SysVol replication workaround]] (Samba DCs only)<br />
:::* [[Bidirectional Rsync/osync based SysVol replication workaround]] (Samba DCs only)<br />
:::* [[Robocopy based SysVol replication workaround]] (Samba DCs -> Windows DCs)<br />
:* [[Directory Replication Service (DRS)]]<br />
<br />
<br />
<br />
<br />
<br />
* [[Common Administration Tasks]]<br />
:* [[The Windows remote server administration tools (RSAT)]]<br />
::* [[Installing RSAT]]<br />
:* [[Remote and local management of Samba]]<br />
::* [[User and group management]]<br />
:::* [[Maintaining Unix Attributes in AD using ADUC]]<br />
:::* [[Administer Unix Attributes in AD using samba-tool and ldb-tools]]<br />
:* [[Backup and restore]]<br />
::* [[Back up and Restoring a Samba AD DC]]<br />
::* [[Back up and Restoring a Samba Domain Member]]<br />
:* [[Samba File Serving]]<br />
::* [[Setting up a Share Using Windows ACLs]]<br />
::* [[Setting up a Share Using POSIX ACLs]]<br />
::* [[Special file shares]]<br />
:::* [[User Home Folders]]<br />
:::* [[Roaming Windows User Profiles]]<br />
::::* [[Configuring Windows Profile Folder Redirections]]<br />
:::* [[Setting up a Share Without Authentication]]<br />
:* [[Flexible Single-Master Operations (FSMO) Roles]]<br />
::* [[Transferring and Seizing FSMO Roles]]<br />
:* [[The AD functional levels]]<br />
::* [[Raising the Functional Levels]]<br />
:* [[Changing the IP Address of a Samba AD DC]]<br />
:* [[Configuring LDAP over SSL (LDAPS) on a Samba AD DC]]<br />
:* [[Delegating administrative permissions to non-administrators]]<br />
::* [[Delegation/Joining_Machines_to_a_Domain|Joining Machines to a Domain]]<br />
::* [[Delegation/Account_management|Account management]]<br />
:* [[Administer workstations]]<br />
::* [[Managing local groups on domain members via GPO restricted groups]]<br />
:* [[Working with Active Directory encoded LDAP values]]<br />
:* [[Performance Tuning]]<br />
:* [[Configure Samba to Bind to Specific Interfaces]]<br />
:* [[Server-Side_Copy|Improving performance with server-side copy]]<br />
:* [[Samba AD Smart Card Login]]<br />
:* [[VPN Single SignOn with Samba AD]]<br />
:* [[Authenticating other services against Samba AD]]<br />
::* [[Authenticating Apache against Active Directory]]<br />
::* [[OpenSSH Single sign-on]]<br />
::* [[Authenticating Dovecot against Active Directory]]<br />
:* [[openLDAP as proxy to AD]]<br />
:* [[Client specific logging]]<br />
:* [[Configure Samba to Work Better with Mac OS X]]<br />
<br />
<br />
<br />
<br />
* Security<br />
:* [[Samba_Security_Documentation|Samba Security Documentation]]<br />
<br />
<br />
<br />
<br />
* [[Terms and Abbreviations]]<br />
<br />
<br />
<br />
<br />
<br />
* [[Getting Help]]<br />
:* [https://lists.samba.org/mailman/listinfo/samba Samba Mailing List]<br />
:* [https://www.samba.org/samba/support/ Commercial Support]<br />
<br />
<br />
<br />
<br />
<br />
* [[Contribute]]<br />
:* [[Bug Reporting]]<br />
:* [[How To Write Samba Documentation]]</div>Putt1ck