samba-tool domain demote
Greg Dickie
greg at justaguy.ca
Fri Sep 14 22:21:55 MDT 2012
If I reset UF_SERVER_TRUST_ACCOUNT it gets past this section but then
fails with:

Asking partner server HAI-MTL-DC1.haivision.local to synchronize from us
Changing userControl and container
DN is CN=HAMBA4,OU=Domain Controllers,DC=haivision,DC=local - UAC is 0x1000, old UAC is 0x81000
RemoveDSServer server: CN=HAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=haivision,DC=local, domain: DC=haivision,DC=local
Error while demoting, re-enabling inbound replication
CN=HAMBA4,OU=Domain Controllers,DC=haivision,DC=local
ERROR(<class 'samba.drs_utils.drsException'>): Error while sending a removeDsServer - drsException: DsRemoveDSServer failed (87, 'WERR_INVALID_PARAM')
  File "/usr/local/samba-beta8/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 475, in run
    sendRemoveDsServer(drsuapiBind, drsuapi_handle, server_dsa_dn, domain)
  File "/usr/local/samba-beta8/lib64/python2.6/site-packages/samba/drs_utils.py", line 108, in sendRemoveDsServer
    raise drsException("DsRemoveDSServer failed %s" % estr)

help?

Greg

On Sat, 2012-09-15 at 00:01 -0400, Greg Dickie wrote:
> Debugging this a bit (nice to have lots of stuff in python so I can
> easily add debug). I get this:
>
> Desactivating inbound replication
> Asking partner server HAI-MTL-DC1.haivision.local to synchronize from us
> Changing userControl and container
> DN is CN=HAMBA4,OU=Domain Controllers,DC=haivision,DC=local - UAC is
> 0x83000, old UAC is 0x1000
> Error while demoting, re-enabling inbound replication
> ERROR(ldb): Error while changing account control2 - LDAP error 80
> LDAP_OTHER - <00000057: SysErr: DSID-031A1202, problem 22 (Invalid
> argument), data 0
> > <>
>
>
> So I assume it does not like the new UAC of 0x83000. Which is all the
> bits for UF_WORKSTATION_TRUST_ACCOUNT,
> UF_SERVER_TRUST_ACCOUNT,
> UF_TRUSTED_FOR_DELEGATION
>
>
> But why?
>
> Greg
>
>
> On Fri, 2012-09-14 at 22:44 -0400, Greg Dickie wrote:
> > OK I'm doing something very wrong then. I'm trying to demote a samba DC.
> > The other server is win2008R2 and the AD was created by a classicupgrade
> > from samba3.
> >
> > I get this:
> >
> > [root@hamba4 ~]# /usr/local/samba-beta8/bin/samba-tool domain demote
> > -Uadministrator
> > Using HAI-MTL-DC1.haivision.local as partner server for the demotion
> > Password for [HAI\administrator]:
> > Desactivating inbound replication
> > Asking partner server HAI-MTL-DC1.haivision.local to synchronize from us
> > Changing userControl and container
> > Error while demoting, re-enabling inbound replication
> > ERROR(ldb): Error while changing account control - LDAP error 80
> > LDAP_OTHER - <00000057: SysErr: DSID-031A1202, problem 22 (Invalid
> > argument), data 0
> > > <>
> >
> > Any tips on how to debug this?
> >
> > Thanks,
> > Greg
> >
> >
> > On Sat, 2012-08-18 at 16:47 +0200, steve wrote:
> > > On 18/08/12 14:51, Andrew Bartlett wrote:
> > > > On Sat, 2012-08-18 at 12:50 +0200, steve wrote:
> > > >> Hi everyone
> > > >>
> > > >> I want to reinstall our secondary DC and start with a new install. This
> > > >> is to test the new openSUSE 12.2 RC2 with Samba4.
> > > >>
> > > >> How about this on the secondary DC?
> > > >> samba-tool domain demote -UAdministrator
> > > >>
> > > >> Question:
> > > >> 1. Is that all?
> > > >> 2. Does samba need to be running on both DC's?
> > > >
> > > > Yes, this is an on-line tool, to run on the DC being demoted. Both DCs
> > > > must be up and operational at the time of the demote.
> > > >
> > > > Andrew Bartlett
> > > >
> > > Hi Andrew
> > > Thanks. It worked fine.
> > > I think we need to stop samba on the demoted DC and stop and start it a
> > > few times on the live DC otherwise it still keeps trying to replicate:
> > >
> > > Failed to connect host 192.168.1.6
> > > (d1929b53-0de5-43c6-a3d7-2686e8f7bffe._msdcs.hh3.site) on port 135 -
> > > NT_STATUS_CONNECTION_REFUSED.
> > > Failed to connect host 192.168.1.6 on port 135 -
> > > NT_STATUS_CONNECTION_REFUSED
> > >
> > > Otherwise fine.
> > > Cheers,
> > > Steve
> > >
> > >
> >
>
--
Greg Dickie
just a guy
514-983-5400
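
Added example, not part of the original thread and not Samba's own code: a decoder for the userAccountControl values quoted in the messages above (0x1000, 0x81000, 0x83000), showing which UF_* bits each change sets or clears. The flag values are the standard constants from Microsoft's lmaccess.h; the function names are hypothetical, and the "exactly one account-type bit" check is an assumption based on the SAMR account-type rule, not something stated in the thread.

```python
# Added example (not Samba code). UF_* values are the standard
# userAccountControl constants from Microsoft's lmaccess.h.
UF_FLAGS = {
    0x00002: "UF_ACCOUNTDISABLE",
    0x00100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x00200: "UF_NORMAL_ACCOUNT",
    0x00800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x01000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x02000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}
# Assumption: an account must carry exactly one of these account-type bits.
ACCOUNT_TYPE_BITS = (0x00200, 0x00800, 0x01000, 0x02000)
KNOWN_MASK = sum(UF_FLAGS)  # keys are distinct single bits, so sum == OR


def decode_uac(uac):
    """Return the names of all bits set in a userAccountControl value."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if uac & bit]
    unknown = uac & ~KNOWN_MASK
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def check_uac(uac):
    """Report whether the value has exactly one account-type bit."""
    types = [UF_FLAGS[b] for b in ACCOUNT_TYPE_BITS if uac & b]
    if len(types) == 1:
        return "ok: " + types[0]
    if not types:
        return "invalid: no account-type bit set"
    return "invalid: multiple account-type bits set: " + ", ".join(types)


def describe_change(old, new):
    """Summarise a UAC transition: bits set, bits cleared, validity of result."""
    return {
        "set": decode_uac(new & ~old),
        "cleared": decode_uac(old & ~new),
        "check": check_uac(new),
    }


if __name__ == "__main__":
    # The two transitions printed by samba-tool in the thread.
    for old, new in [(0x1000, 0x83000), (0x81000, 0x1000)]:
        print("0x%x -> 0x%x: %r" % (old, new, describe_change(old, new)))
```
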