Samba DC maintenance

I try to keep Samba servers up to date at least on a weekly basis. This is my routine:

Back up your domain (online, from DC1 for example)

You can locally back up your domain and save this file for disaster recovery purposes, but:

  • This is no replacement for a second DC.
  • It is useful in case of a disaster or if you inadvertently break the AD.
  • A domain can be rebuilt with these backup files.
  • Perform a backup of each DC for redundancy purposes.
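  • Save your backup files in a safe place, outside of your building. The backup includes the domain's secrets (password hashes and keys), so protect it like the DC itself.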
  • See this article for more info.
  • This utility can also be run from a member server — please see the note below regarding required packages.
samba-tool domain backup online --targetdir=/backup/dc1/ --server=dc1 -U "MAD\Administrator"

Please be aware that in recent Samba versions (>4.20), both `samba-ad-provision` and `samba-dsdb-modules` packages are needed to perform a backup. If you are running this on a DC, chances are these are already installed.

Other weekly maintenance procedures

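  • Find and delete “tombstone” items (a lifetime of 0 expunges every tombstone immediately, so make sure replication between the DCs is healthy first):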
samba-tool domain tombstones expunge --tombstone-lifetime=0
  • Check domain databases and automatically fix issues:
samba-tool dbcheck --cross-ncs --fix --yes
  • Visually check how far out of date each DC is:
samba-tool visualize uptodateness -rS --utf8
  • I also like a quick reminder of who owns the FSMO roles:
samba-tool fsmo show | cut -f1-2 -d,
  • Check time service (Chrony) and system time:
chronyc tracking && timedatectl status
  • Update your machine (but not to a new major Samba version; follow this article to upgrade Samba):
apt-get update && apt-get dist-upgrade && apt autoremove -y && apt-get autoclean && apt-get clean && apt-get remove --purge $(dpkg -l | awk '/^rc/{print $2}')

SysVol and idmap.ldb sync between DCs

It is very important to have SysVol and idmap.ldb synced from the PDC FSMO role owner.

Also, if you have transferred FSMO roles, I suggest you check the DNS entries for the PDC Emulator role. See PDC FSMO DNS entry check.

I suggest you script this and run it on a regular basis.
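
As a starting point for such a script, here is an added example (not part of the original notebook) that works out from `samba-tool fsmo show` which DC currently holds the PDC emulator role, so a sync job keeps pulling from the right source after a role transfer. The sample output is constructed, the line format is assumed to match your Samba version, and `SAMBA_TOOL`, `pdc_owner` and `sync_role` are hypothetical names; the sync itself is not shown.

```sh
#!/bin/sh
# Added example: find the PDC emulator owner so a SysVol/idmap.ldb sync job
# always pulls from the right DC. SAMBA_TOOL is a hypothetical override.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Constructed sample of `samba-tool fsmo show` output (assumed line format).
sample_fsmo_output() {
    cat <<'EOF'
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=example,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=example,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=example,DC=lan
EOF
}

# Read fsmo output on stdin; print the PDC emulator owner in lower case.
# Exits non-zero if the role line is missing, duplicated or malformed.
pdc_owner() {
    awk -F, '
        /^PdcEmulationMasterRole owner:/ {
            n++
            if ($2 !~ /^CN=./) bad = 1
            sub(/^CN=/, "", $2)      # field 2 is "CN=<DC name>"
            owner = tolower($2)
        }
        END { if (n != 1 || bad) exit 1; print owner }'
}

# Print "source" if this host holds the role, else "pull-from <owner>".
# $1 = this host's short name (defaults to `hostname -s`).
sync_role() {
    me=$(printf '%s' "${1:-$(hostname -s)}" | tr '[:upper:]' '[:lower:]')
    owner=$("$SAMBA_TOOL" fsmo show | pdc_owner) || {
        echo "cannot determine PDC emulator owner; not syncing" >&2
        return 1
    }
    if [ "$owner" = "$me" ]; then
        echo "source"
    else
        echo "pull-from $owner"
    fi
}

sample_fsmo_output | pdc_owner   # prints: dc2
```

A sync job would call `sync_role` first and do nothing when it fails, rather than falling back to a hard-coded DC name.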



samba/dc-maintenance.txt · Last modified: by caponato