demote error

Andreas Oster aoster at
Wed Jun 27 12:03:28 MDT 2012

Am 27.06.2012 18:50, schrieb Matthieu Patou:
> On 06/27/2012 12:49 AM, Daniele Dario wrote:
>> On Wed, 2012-06-27 at 09:38 +0200, Andreas Oster wrote:
>>> Am 27.06.2012 09:24, schrieb Daniele Dario:
>>>> On Wed, 2012-06-27 at 07:29 +0200, Andreas Oster wrote:
>>>>> Am 12.04.2012 16:29, schrieb Daniele Dario:
>>>>>> Sorry,
>>>>>> the problem was that I didn't submit the -U administrator statement.
>>>>>> Using it all works.
>>>>>> Again sorry,
>>>>>> Daniele.
>>>>>> On Thu, 2012-04-12 at 15:44 +0200, Daniele Dario wrote:
>>>>>>> Hi samba team,
>>>>>>> I've seen in other threads that with Version 4.0.0alpha20-GIT-81d1749
>>>>>>> replication of DNS partitions between DCs now should be automatic, so I
>>>>>>> decided to try to demote my secondary DC to try to join it again to the
>>>>>>> domain and see if replication starts also for me.
>>>>>>> Trying to run samba-tool domain demote -d 10 it fails with
>>>>>>> ...
>>>>>>> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
>>>>>>>       drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>>>>>>>          out: struct drsuapi_DsReplicaSync
>>>>>>>              result                   : WERR_OK
>>>>>>> rpc reply data:
>>>>>>> [0000] 00 00 00 00                                       ....
>>>>>>> lpcfg_servicenumber: couldn't find ldb
>>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
>>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>>>>> added interface eth0 ip= bcast=
>>>>>>> netmask=
>>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
>>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>>>>> added interface eth0 ip= bcast=
>>>>>>> netmask=
>>>>>>> Changing userControl and container
>>>>>>> Error while demoting, re-enabling inbound replication
>>>>>>> ldb:acl_modify: options
>>>>>>> Sorting rpmd with attid exception 3 rDN=CN DN=CN=NTDS
>>>>>>> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>>>> ERROR(ldb): Error while changing account control - LDAP error 1
>>>>>>> LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without
>>>>>>> authentication> <>
>>>>>>>    File
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/",
>>>>>>> line 288, in run
>>>>>>>      attrs=["userAccountControl"])
>>>>>>> how can I proceed to solve the problem?
>>>>>>> Thanks in advance,
>>>>>>> Daniele
>>>>> Hello Daniele,
>>>>> can you tell me if samba needs to be stopped before demoting ?
>>>>> Thanks
>>>>> Andreas
>>>> Hello Andreas,
>>>> I did not stop it when I demoted the DC.
>>>> I think that stopping samba on the DC to demote would prevent
>>>> replicas/syncs to other DCs, so the command would fail.
>>>> Daniele.
>>> Hello Daniele,
>>> thank you for the fast reply. You are right, samba needs to be running
>>> for demoting.
>>> I have managed to demote the second DC but am now stuck as I am unable
>>> to re-join it to the domain. I always get errors when trying to do so :-(
>>> I already tried to add a new posting but the attachment (log file)
>>> is too big and needs to be reviewed by the moderator.
>>> best regards
>>> Andreas
>> Hi Andreas,
>> I've seen that after demote of "secondary" DCs, the DNS record related
>> to the DC is still present in the _msdcs zone (it happened to me, don't
>> know if it was due to me or to the fact I started with very old releases
>> and had to manually add the record).
> When I wrote the demote option for samba-tool we didn't really have the
> DNS stored in the AD; that's why I haven't done the cleanup of these
> records. I think adding the code in samba-tool shouldn't be too
> complicated.
> If too complicated then please file a bug report for an enhancement request.
>> Once I manually removed it using samba-tool dns delete, I was again able
>> to re-join the DC and I've seen that with latest git version of samba4
>> replication started automatically also for DNS zones.
> I'm not too sure I understand why old DNS records would prevent samba
> from joining a second time as a DC; it should in the end update the DNS
> records cleanly.
> Matthieu.
Hello Matthieu,

Daniele tried to help me with a re-joining problem I have at the moment.
He told me that he had a similar problem which he could solve by
removing some leftover DNS entries of the demoted DC. As it turned out,
I seem to have some other, more severe issue. Today Andrew Bartlett
helped me with identifying the cause of the failing re-join of my second
DC (see posting "Need urgent help with samba4 DC re-join"). Something
seems to have gone terribly wrong when I tried to manually start
replication of ForestDnsZones and DomainDnsZones some time ago.
Unfortunately I have not been able to do the changes he asked me to do,
as the ldbedit command throws an error when trying to commit the
changes. Luckily I did a VMware snapshot before demoting the second DC.
I have now reverted back and my second DC is working again, but the
faulty entries still exist.

Maybe you can have a look at the conversation in the following thread:
  "Need urgent help with samba4 DC re-join"

Thank you for your kind help

best regards
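Daniele's remark above about leftover `_msdcs` records of a demoted DC, and the manual `samba-tool dns delete` he used to clear them, can be turned into a repeatable check. The script below is an added example and is not code from the thread or from the Samba project: it reads the output of `samba-tool dns query <server> <zone> @ ALL` (the record layout it parses, the server and zone names, and the GUID-style child names are assumptions made for this example, not taken from the thread) and prints, without executing, one `samba-tool dns delete` command for every record whose data still points at the demoted host. The sample query output embedded in the script is constructed; in real use you would pipe the actual query output into `find_stale_records` and review the printed commands before running any of them.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba itself.
# Dry-run scan for DNS records that still reference a demoted DC.

# Hostnames below reuse the thread's names (kdc01/kdc02, saitelitalia.local)
# but the server/zone/record values are constructed for this example.
DEMOTED_HOST="kdc02"
DNS_SERVER="kdc01.saitelitalia.local"
ZONE="_msdcs.saitelitalia.local"

# Constructed sample of `samba-tool dns query $DNS_SERVER $ZONE @ ALL` output.
# The layout ("Name=..., Records=..." followed by indented "TYPE: data (...)"
# lines) is an assumption about the tool's output format.
SAMPLE_QUERY_OUTPUT='  Name=, Records=2, Children=2
    NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
    NS: kdc02.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
  Name=11111111-2222-3333-4444-555555555555, Records=1, Children=0
    CNAME: kdc01.saitelitalia.local. (flags=f0, serial=1, ttl=900)
  Name=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee, Records=1, Children=0
    CNAME: kdc02.saitelitalia.local. (flags=f0, serial=1, ttl=900)'

# find_stale_records: reads query output on stdin and prints one
# `samba-tool dns delete` command per record whose data names the demoted
# host. Nothing is executed; the admin reviews the list first.
find_stale_records() {
  awk -v host="$DEMOTED_HOST" -v server="$DNS_SERVER" -v zone="$ZONE" '
    # A "Name=" line opens a new record set; an empty name is the zone root,
    # which samba-tool addresses as "@".
    /^ *Name=/ {
      name = $0
      sub(/^ *Name=/, "", name)
      sub(/,.*$/, "", name)
      if (name == "") name = "@"
      next
    }
    # Record lines look like "    TYPE: data (flags=..., ...)".
    /^ *[A-Z]+: / {
      type = $1
      sub(/:$/, "", type)
      data = $2
      # Match only data that begins with "<host>." so kdc02 does not
      # also match a hypothetical kdc020.
      if (index(data, host ".") == 1) {
        printf "samba-tool dns delete %s %s %s %s %s\n",
               server, zone, name, type, data
      }
    }'
}

# Stand-alone run: show the planned deletions for the constructed sample.
printf '%s\n' "$SAMPLE_QUERY_OUTPUT" | find_stale_records
```

The matching is deliberately narrow (record data starting with `kdc02.`), so the SOA line, which carries `serial=` in its data field, and records of other DCs are never listed; anything the script does print is a candidate for the same `samba-tool dns delete` step Daniele describes, to be checked against the DC's actual state before use.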

