[Samba] Demote a dead PDC: residuals in "DNS" console

Ole Traupe ole.traupe at tu-berlin.de
Fri Oct 30 14:32:29 UTC 2015



Am 30.10.2015 um 15:20 schrieb James:
> On 10/30/2015 10:11 AM, Ole Traupe wrote:
>>
>>
>> Am 30.10.2015 um 14:56 schrieb James:
>>> On 10/30/2015 9:19 AM, Ole Traupe wrote:
>>>>
>>>>
>>>> Am 30.10.2015 um 13:33 schrieb James:
>>>>> On 10/29/2015 9:56 AM, Ole Traupe wrote:
>>>>>>
>>>>>>
>>>>>> Am 29.10.2015 um 14:37 schrieb James:
>>>>>>> On 10/29/2015 9:15 AM, Ole Traupe wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Am 29.10.2015 um 13:54 schrieb mathias dufresne:
>>>>>>>>> Thank you for the hint to this VBS script. In fact I already saw 
>>>>>>>>> it but I'm not
>>>>>>>>> too confident in my VB knowledge, so I didn't use that script, 
>>>>>>>>> preferring to
>>>>>>>>> rely on Samba commands and shell scripts to work around issues.
>>>>>>>>>
>>>>>>>>> You spoke about SOA record which wasn't changed, same here. 
>>>>>>>>> There is
>>>>>>>>> another DNS record I had to change: 
>>>>>>>>> _ldap._tcp.pdc._msdcs.samba.domain.tld.
>>>>>>>>
>>>>>>>> Yes, I can confirm that I had to change that one, too.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> I spoke about removing removed-DCs from sites and the command 
>>>>>>>>> to do that
>>>>>>>>> could be:
>>>>>>>>> ldbdel -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
>>>>>>>>>
>>>>>>>>> Deleted 1 record
>>>>>>>>>
>>>>>>>>> To get list of all contents in sites:
>>>>>>>>> ldbsearch -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' cn=* dn
>>>>>>>>>
>>>>>>>>> This will list all entries in "sites" container.
>>>>>>>>>
>>>>>>>>> Looking into 
>>>>>>>>> CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld
>>>>>>>>> ldbsearch -H $sam -b 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' cn=* dn
>>>>>>>>>
>>>>>>>>> There are 4 entries in that container per declared DC in the 
>>>>>>>>> site. Only the
>>>>>>>>> one mentioned earlier had to be removed manually; the three 
>>>>>>>>> others should
>>>>>>>>> have been removed during the demote process, as I didn't remove them 
>>>>>>>>> myself and
>>>>>>>>> they weren't present before I manually performed the mentioned clean 
>>>>>>>>> up.
>>>>>>>>
>>>>>>>> Thank you for the further details. I can't really say anything 
>>>>>>>> about these entries or commands. There was only one entry in 
>>>>>>>> the ADSS console for my former PDC, and the script got rid of 
>>>>>>>> that.
>>>>>>>>
>>>>>>>> Best,
>>>>>>>> Ole
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> mathias
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>>>>>>
>>>>>>>>>> Hi mathias,
>>>>>>>>>>
>>>>>>>>>> thanks for the heads-up! However, my AD Sites and Services is 
>>>>>>>>>> clear, too.
>>>>>>>>>> I followed the suggestion here
>>>>>>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>>>>>>> to use this
>>>>>>>>>>
>>>>>>>>>> http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content 
>>>>>>>>>>
>>>>>>>>>> script.
>>>>>>>>>>
>>>>>>>>>> Copy the contents of the "Visual Basic" box to a text file 
>>>>>>>>>> and rename it
>>>>>>>>>> to "something.vbs". Run the vb script as admin e.g. on a Win 
>>>>>>>>>> 7 64 bit
>>>>>>>>>> (worked for me) domain member client being logged on as 
>>>>>>>>>> "Administrator".
>>>>>>>>>> This removed my former PDC from ADUC and ADSS.
>>>>>>>>>>
>>>>>>>>>> Best,
>>>>>>>>>> Ole
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Am 29.10.2015 um 12:16 schrieb mathias dufresne:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I played with demote recently on a test AD domain composed 
>>>>>>>>>>> of Samba
>>>>>>>>>>> versions 4.3.0 and 4.3.1. I demoted all the version 4.3.0 ones.
>>>>>>>>>>>
>>>>>>>>>>> I was facing the same issue as you. I wrote long mails here to 
>>>>>>>>>>> explain how I
>>>>>>>>>>> managed that. My DNS looks clear now.
>>>>>>>>>>>
>>>>>>>>>>> Today I played with AD sites and I found in the default site 
>>>>>>>>>>> all demoted DCs.
>>>>>>>>>>> They weren't removed from the DNS DB nor from here. For now I have no 
>>>>>>>>>>> idea how to
>>>>>>>>>>> get rid of these DCs in my sites configuration without ADUC.
>>>>>>>>>>>
>>>>>>>>>>> So you should have a look into your AD Sites configuration 
>>>>>>>>>>> tool to check
>>>>>>>>>>> if
>>>>>>>>>>> they were correctly removed.
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>>
>>>>>>>>>>> mathias
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2015-10-29 10:01 GMT+01:00 Ole Traupe 
>>>>>>>>>>> <ole.traupe at tu-berlin.de>:
>>>>>>>>>>>
>>>>>>>>>>>> Ok, I made a backup following the Samba wiki and then did 
>>>>>>>>>>>> this. Had to
>>>>>>>>>>>> wait a bit between updating the SOAs because I got a 
>>>>>>>>>>>> strange error
>>>>>>>>>>>> message
>>>>>>>>>>>> saying that a time value for the non-update of some 
>>>>>>>>>>>> resource cleanup
>>>>>>>>>>>> wasn't
>>>>>>>>>>>> set. But a few minutes later I could update the second SOA 
>>>>>>>>>>>> as well, and
>>>>>>>>>>>> now
>>>>>>>>>>>> the Samba log is clean.
>>>>>>>>>>>>
>>>>>>>>>>>> Ole
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Am 28.10.2015 um 16:42 schrieb Ole Traupe:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I demoted my PDC (DC1) forcefully, because replication 
>>>>>>>>>>>>> (among others)
>>>>>>>>>>>>> wasn't working anymore due to hard disk failure and I was 
>>>>>>>>>>>>> afraid of
>>>>>>>>>>>>> spending a lot of time on nothing.
>>>>>>>>>>>>>
>>>>>>>>>>>>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), 
>>>>>>>>>>>>> restarted
>>>>>>>>>>>>> Samba,
>>>>>>>>>>>>> and found errors in the samba log due to the missing DC1.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I removed the two DNS entries created according to this site:
>>>>>>>>>>>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins 
>>>>>>>>>>>>>
>>>>>>>>>>>>> I applied the script suggested here:
>>>>>>>>>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>>>>>>>>>> This removed the DC1 entry in ADUC and "Active Directory 
>>>>>>>>>>>>> Sites and
>>>>>>>>>>>>> Services".
>>>>>>>>>>>>>
>>>>>>>>>>>>> However, the error persists (10 minute interval; sanitized):
>>>>>>>>>>>>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for 'dc1.my.domain.de': not found
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is likely due to further DNS entries; the last-mentioned site 
>>>>>>>>>>>>> suggests
>>>>>>>>>>>>> removing them by hand. Most of the containers in the DNS 
>>>>>>>>>>>>> console have only
>>>>>>>>>>>>> duplicate entries for DC1/2, so no problem. However, 3 don't:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> (removed subfolder and client PC entries; sanitized, 
>>>>>>>>>>>>> translated where
>>>>>>>>>>>>> necessary GR->EN)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>>>>>>>>>>>>
>>>>>>>>>>>>> Name    Type    Data    Time stamp
>>>>>>>>>>>>> (identical to parent folder)    Source of Authority (SOA)    [3], dc1.my.domain.de., hostmaster.my.domain.de.    28.10.2015 15:00:00
>>>>>>>>>>>>> (identical to parent folder)    Nameserver (NS)    dc1.my.domain.de.    Static
>>>>>>>>>>>>> (identical to parent folder)    Host (A)    IP__of__DC1    Static
>>>>>>>>>>>>> (identical to parent folder)    Host (A)    IP__of__DC2    Static
>>>>>>>>>>>>> DC2    Host (A)    130.149.34.118    29.07.2015 13:00:00
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>>>>>>>>>>>>
>>>>>>>>>>>>> (identical to parent folder)    Source of Authority (SOA)    [3], dc1.my.domain.de., hostmaster.my.domain.de.    28.10.2015 15:00:00
>>>>>>>>>>>>> (identical to parent folder)    Nameserver (NS)    dc1.my.domain.de.    Static
>>>>>>>>>>>>> objectGUID__of__DC2    Alias (CNAME)    DC2.my.domain.de.    29.07.2015 13:00:00
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>>>>>>>>>>>>
>>>>>>>>>>>>> _ldap    Service Identification (SRV)    [0][100][389] dc1.my.domain.de.    Static
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> What to do in these cases? Is it safe to open the 
>>>>>>>>>>>>> properties of the
>>>>>>>>>>>>> non-duplicate entries and replace DC1 with DC2?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Ole
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>> To unsubscribe from this list go to the following URL and 
>>>>>>>>>>>> read the
>>>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> When I demoted DCs in the past, I used ADSS, ADUC and ADSI to 
>>>>>>> delete all traces. ADSI was necessary to delete all NTDS traces. 
>>>>>>> This was on Samba 4.0.X versions. I take it you have no 
>>>>>>> replication issues pointing to the old DC either?
>>>>>>>
>>>>>>
>>>>>> I had a replication issue (connection attempt with the demoted 
>>>>>> DC) before I ran the script from the wiki. I wasn't able to 
>>>>>> delete ADUC and ADSS entries for the DC by hand.
>>>>>>
>>>>>> What did you do in ADSI?
>>>>>>
>>>>>>
>>>>>>
>>>>> I deleted the demoted DC as well as its NTDS settings from its 
>>>>> site. I then went into all other DCs and deleted the 
>>>>> automatically generated KCC connections pointing to the demoted 
>>>>> DC. These are located inside the NTDS settings container.
>>>>>
>>>>> Normally you can do this from inside ADSS. However, I 
>>>>> received an error. That's why I had to use ADSI.
>>>>
>>>> Good to know. They seem to be gone, too, in my case.
>>>>
>>>>
>>>>
>>> Did you also update the NS record in DNS to point to your new DC, 
>>> matching your SOA?
>>>
>> Explain please. Which entry exactly?
>>
>>
> If you open the DNS Manager, expand forward lookup zone and expand 
> your domain zone. You will see your SOA record along with the NS 
> record that matches the DC that holds this role.
>
Thanks. Yes, I had to update those manually.
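The cleanup discussed in this thread (the SOA and NS records at the apex of both zones, the _ldap._tcp.pdc._msdcs SRV record, and the apex A record for the dead DC) lends itself to a small audit before touching anything by hand. The script below is an added example, not a script from the thread, the Samba wiki or the Samba project. It takes a list of zone records reconstructed from the table Ole posted (constructed sample data; the IP addresses are documentation placeholders), finds every record whose data still names the dead DC by hostname or address, and prints the samba-tool dns commands that would repoint or delete them, without executing anything. The samba-tool data formats assumed here (NS data = hostname, SRV data = "target port priority weight") and the use of "@" for the zone apex should be checked against `samba-tool dns update --help` on your version; SOA records are only flagged for manual review, since the thread fixed them in the DNS console.

```python
"""Audit DNS records for references to a demoted DC and plan the fix.

Added example, not from the thread or the Samba project. The sample zone
contents are constructed from the record table posted in the thread; the
IP addresses are documentation placeholders (assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    zone: str
    name: str    # "@" for the zone apex, shown as "(identical to parent folder)"
    rtype: str
    data: str    # record data in samba-tool's textual form (assumed format)


# Constructed sample: what the DNS console showed after the forced demote of dc1.
SAMPLE_ZONES = [
    Record("my.domain.de", "@", "SOA", "dc1.my.domain.de. hostmaster.my.domain.de. 3"),
    Record("my.domain.de", "@", "NS", "dc1.my.domain.de."),
    Record("my.domain.de", "@", "A", "192.0.2.1"),    # IP__of__DC1 (placeholder)
    Record("my.domain.de", "@", "A", "192.0.2.2"),    # IP__of__DC2 (placeholder)
    Record("my.domain.de", "dc2", "A", "192.0.2.2"),
    Record("_msdcs.my.domain.de", "@", "SOA", "dc1.my.domain.de. hostmaster.my.domain.de. 3"),
    Record("_msdcs.my.domain.de", "@", "NS", "dc1.my.domain.de."),
    Record("_msdcs.my.domain.de", "objectguid-of-dc2", "CNAME", "dc2.my.domain.de."),
    # SRV data assumed as "target port priority weight": [0][100][389] in the console
    Record("_msdcs.my.domain.de", "_ldap._tcp.pdc", "SRV", "dc1.my.domain.de. 389 0 100"),
]


def _norm(host):
    """Compare hostnames case-insensitively and with or without trailing dot."""
    return host.lower().rstrip(".")


def find_residuals(records, dead_host, dead_ip):
    """Return every record whose data names the dead DC by host or by address."""
    dead = _norm(dead_host)
    hits = []
    for r in records:
        tokens = [_norm(t) for t in r.data.split()]
        if dead in tokens or dead_ip in tokens:
            hits.append(r)
    return hits


def plan_fix(records, dead_host, new_host, dead_ip, server):
    """Map each residual record to a proposed action.

    Returns (record, action) pairs; actions are command strings or REVIEW
    notes and are never executed here.
    """
    new = _norm(new_host) + "."
    plan = []
    for r in find_residuals(records, dead_host, dead_ip):
        if r.rtype == "SOA":
            # The thread fixed the SOA primary server in the DNS console.
            action = "REVIEW: set the SOA primary server to %s in the DNS console" % new
        elif r.rtype == "NS":
            action = "samba-tool dns update %s %s %s NS %s %s" % (
                server, r.zone, r.name, r.data, new)
        elif r.rtype == "SRV":
            # Keep port/priority/weight, swap only the target host.
            new_data = " ".join([new] + r.data.split()[1:])
            action = "samba-tool dns update %s %s %s SRV '%s' '%s'" % (
                server, r.zone, r.name, r.data, new_data)
        elif r.rtype == "A" and r.data == dead_ip:
            # Apex A record duplicated for DC1/DC2: drop only the dead DC's address.
            action = "samba-tool dns delete %s %s %s A %s" % (
                server, r.zone, r.name, r.data)
        else:
            action = "REVIEW: unexpected %s record still referencing %s" % (r.rtype, dead_host)
        plan.append((r, action))
    return plan


if __name__ == "__main__":
    for rec, action in plan_fix(SAMPLE_ZONES, "dc1.my.domain.de",
                                "dc2.my.domain.de", "192.0.2.1", "dc2.my.domain.de"):
        print("%-22s %-18s %-5s -> %s" % (rec.zone, rec.name, rec.rtype, action))
```

In practice the record list would be filled from `samba-tool dns query <server> <zone> @ ALL` (and the same for the _msdcs zone) rather than typed in; the point of the dry run is that the CNAME for the surviving DC and its own A records are left untouched, while the SOA, which samba_dnsupdate and replication both depend on, is never changed blindly.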
