"Resetting" a DC (and other stories)

Kev Latimer klatimer at tolent.co.uk
Wed Apr 25 04:56:25 MDT 2012

On 24/04/2012 17:57, Matthieu Patou wrote:
> On 04/24/2012 01:15 AM, Kev Latimer wrote:
>> Morning all,
>> To cut a long story short, (I'm doing another post in a minute with 
>> my actual problem), is there a way to get a DC to "forget" everything 
>> it knows about AD and force it replicate from a nominated "known 
>> good" DC?  In a sense, resetting it but without trying to 
>> unjoin/rejoin the domain?  Delete sam.ldb or the contents of 
>> sam.ldb.d/ for example?  I've a situation where replication has gone 
>> a little awry I'd like to see if there's a quick way of just getting 
>> a DC to start again...
>> I've tried samba-tool drs replicate but that is throwing the error 
>> I'm trying to clear...
>   --sync-forced         use SYNC_FORCED to force inbound replication
>   --sync-all            use SYNC_ALL to replicate from all DCs
>   --full-sync           resync all objects
> Try --full-sync, also maybe the best is to rejoin ?
> Matthieu.
(Forgot to send to list - my bad...)

Thanks Matthieu, that's pretty much what I was after.  Unfortunately, it 
seems when I do either of those, the same error I'm trying to clear is 
still causing problems.

What is the correct procedure for rejoining?  I've tried to do a 
"samba-tool domain demote" to relieve it of DC duties with the intention 
of deleting the resultant computer account in the normal fashion but 
that command just results in:

root at olddc:/usr/local/samba# bin/samba-tool domain demote
Using firstdc.tolent.local as partner server for the demotion
Desactivating inbound replication
Asking partner server firstdc.tolent.local to synchronize from us
Changing userControl and container
Error while demoting, re-enabling inbound replication
ERROR(ldb): Error while changing account control - LDAP error 1 
LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without 
authentication> <>

My next thought is to stop samba on olddc, remove /usr/local/samba, 
reinstall and do a clean join - reading some earlier posts seems to 
suggest this rejoin might just "take over" the role of olddc, as long as 
it has the same name?
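The three options discussed in the thread (force a full inbound resync, demote, or wipe and rejoin) as a set of shell functions. This is an added example, not code from the thread or from the Samba project. It assumes a current samba-tool on PATH: the --remove-other-dead-server option to "samba-tool domain demote", used here to purge a DC's leftover NTDS/server objects from a healthy DC when self-demotion fails, did not exist in the 2012 release the post was written against. The host names olddc and firstdc.tolent.local come from the post; the realm tolent.local, the private directory /usr/local/samba/private, the admin account name and the use of pkill to stop samba are assumptions. With DRY_RUN=1 the functions only print the commands they would run.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): the
# "make a DC forget everything and start again" procedure as functions.
# Assumptions: modern samba-tool on PATH; names from the post; realm
# tolent.local; private dir /usr/local/samba/private; samba stopped via pkill.
# DRY_RUN=1 prints each command instead of executing it.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Print a command line, then run it unless DRY_RUN is set.
run() {
    printf '+ %s\n' "$*"
    [ -n "$DRY_RUN" ] || "$@"
}

# Option 1, the cheap one: force a full inbound resync of one naming
# context from a known-good DC, then show the inbound neighbour state.
#   full_resync <dest_dc> <source_dc> <naming_context>
full_resync() {
    dest="$1"; src="$2"; nc="$3"
    run "$SAMBA_TOOL" drs replicate "$dest" "$src" "$nc" --full-sync &&
        run "$SAMBA_TOOL" drs showrepl "$dest"
}

# Option 2a, run ON the DC being retired: clean self-demotion, handing
# its last changes to a named partner DC.
#   demote_self <partner_dc> <admin_user>
demote_self() {
    partner="$1"; admin="$2"
    run "$SAMBA_TOOL" domain demote --server="$partner" -U"$admin"
}

# Option 2b, run ON A HEALTHY DC when demote_self fails (as in the post):
# remove the dead DC's NTDS settings and server objects so that a later
# join under the same name is not blocked by stale metadata (assumption:
# samba-tool new enough to have --remove-other-dead-server).
#   purge_dead_dc <dead_dc_short_name> <admin_user>
purge_dead_dc() {
    dead="$1"; admin="$2"
    run "$SAMBA_TOOL" domain demote --remove-other-dead-server="$dead" \
        -U"$admin"
}

# Option 3, run ON the retired DC after purge_dead_dc: stop samba, move the
# old database directory aside (this is what holds sam.ldb and sam.ldb.d/),
# join the realm again as a DC, and verify replication partners.
#   rejoin <realm> <admin_user> [private_dir]
rejoin() {
    realm="$1"; admin="$2"; private="${3:-/usr/local/samba/private}"
    run pkill -x samba                      # assumption: no init script
    if [ -d "$private" ]; then
        run mv "$private" "$private.bak.$(date +%s)"
    fi
    run "$SAMBA_TOOL" domain join "$realm" DC -U"$admin" &&
        run "$SAMBA_TOOL" drs showrepl
}
```

Run the functions in the order the situation calls for: full_resync first, and only if the error persists fall back to demote_self on olddc, purge_dead_dc on firstdc.tolent.local, then rejoin on olddc. Keep the moved-aside private directory until the new DC shows clean inbound and outbound neighbours in showrepl.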