samba-tool dbcheck utility enables you to detect and fix problems in the Samba AD database.
You must run the check and fix command on every Samba AD DC locally, because some fixes apply to non-replicated attributes and modifications are not replicated to other DCs.
To check the AD database, run:
# samba-tool dbcheck --cross-ncs
--cross-ncs option checks all AD partitions (naming contexts). Without this option, the tool only checks the main domain partition.
To fix reported errors, run:
# samba-tool dbcheck --cross-ncs --fix
You will get prompted whether or not you want to fix each individual error. Choosing 'all' will fix all errors that are the exact same type of problem.
If you pass the
--yes parameter to the command, all questions are automatically answered with
yes. Note that if you omit the
--yes parameter, the database check executes three
fsync() calls for each object. This can result in a longer run duration. For example, passing the
--yes parameter to the command fixed 3500 objects in 10 seconds in our test environment. Without this parameter, the command required 4:50 minutes for the same operation.
After a repair, re-check the database to verify a successful operation.