Univention Bugzilla – Bug 33510
Rejoin of Site DC does not work without samba4/join/site
Last modified: 2020-07-03 20:53:01 CEST
If a dc was moved to a site with the help of the rsat ad tools, the system cannot be rejoined without a correctly adopted samba4/join/site ucr variable. The system is joined against the default-first-site - afterwards you have references in both sites. The current dc object (at default-first-site) uses a corrupt ntds object. The site property within is still set to the old site. This leads to drs replication issues with this system. The fix is to remove the old objects underneath the old site with the help of adsi-editor or ldbedit directly. Afterwards the connection entry for the system itself underneath its ntds settings object has to be removed and the whole system underneath default-first-site can be moved to the old site (where it was located before). This will immediately lead to an inconsistent drs replication status for the whole domain - it should fix itself after a while - perhaps a "samba-tool drs kcc" is needed - at least it helps if you run it directly after the move operation. I see several "fixes" here: 1. Point out that it is needed to set samba4/join/site after moving a system to a site by hand in the manual 2. automatically monitor a site move and set the variable (listener?) 3. Tests in univention-join and warnings perhaps (if the system currently is located underneath a site and the ucr variable isn't set) At least a customer had this issue and I was able to reproduce it with UCS 3.1-1 and moved dc backups.
Question: Does the AD site tool create/update the DNS records? > 2. automatically monitor a site move and set the variable (listener?) Probably an LDB-module would be required since the site-objects are not replicated to OpenLDAP. The other option would be to make a listener watch the site specific DNS records. > 3. Tests in univention-join and warnings perhaps (if the system currently is located underneath a site and the ucr variable isn't set) Yes, or even simply use that site to join to, if the UCR variable is not set. If it is set, the joinscript should probably abort or issue a bold warning.
(In reply to Arvid Requate from comment #1) > Question: Does the AD site tool create/update the DNS records? In fact I didn't monitor if the initial move action to a site updates the old default-first-site records (removing the entry there) and I cannot quickly check this as I did the rejoin against default-first site afterwards in order to reproduce the issue (so the records should be created there again by univention-join) :) - but what I can say for sure is that the new site records were correctly made. I now just moved a dc back to default-first-site. It seems that the old entries for the site specific records won't get cleaned up. The system is still listed there. That's nasty...
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.