[Samba] Error removing Windows DC from AD

Pietro Stäheli pietro.staeheli at ngworx.ag
Fri Jun 22 14:55:11 UTC 2018 

Hi,

On 20/06/2018 20:38, Andrew Bartlett wrote:
> To be clear, we don't replicate sysvol, you need to work that out
> yourself (yes, this sucks).
> 

Right, I'm doing that with Robocopy from the Windows DC initially, then 
with rsync.

>> Is there any further preparation I need to do on the Windows server side
>> to make a clean demotion possible? I can force the removal of the
>> Windows DC but this led to leftover data in the LDAP database and DNS
>> that I have to excise by hand, which I don't find ideal.
>>
>> I'm thankful for any advice on how to accomplish this.
> 
> samba-tool domain demote --remove-other-dead-server
> 

Unfortunately this causes the following error:

# samba-tool domain demote --remove-other-dead-server=DC
Removing nTDSConnection: CN=6e15b4f5-1863-4259-8817-c7835ed7815e,CN=NTDS 
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
Removing nTDSDSA: CN=NTDS 
Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan 
(and any children)
ERROR(ldb): uncaught exception - subtree_delete: Unable to delete a 
non-leaf node (it has 1 children)!
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 
721, in run
     remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
   File "/usr/lib/python2.7/dist-packages/samba/remove_dc.py", line 422, 
in remove_dc
     remove_dns_account=True)
   File "/usr/lib/python2.7/dist-packages/samba/remove_dc.py", line 350, 
in offline_remove_ntds_dc
     remove_dns_account=remove_dns_account)
   File "/usr/lib/python2.7/dist-packages/samba/remove_dc.py", line 229, 
in offline_remove_server
     samdb.delete(server_dn)
A transaction is still active in ldb context [0x560a67adb490] on 
tdb:///var/lib/samba/private/sam.ldb

(never mind that this is now on DC1, not DC3, I've torn down the test 
environment a few times)

Manual removal of 
'CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan' 
in ADSIEdit didn't go well and caused all replication to break at some 
point. I must be missing something here but I can't quite figure out 
what exactly.

Best regards,
Pietro Stäheli

More information about the samba mailing list