SOLVED--- ForestDnsZones error when demoting a W2003 DC

"Dr. Hansjörg Maurer" hansjoerg.maurer at itsd.de
Fri Feb 7 15:13:11 MST 2014


Hi



Am 05.02.2014 23:54, schrieb "Dr. Hansjörg Maurer":
> Hi
>
> we are trying to replace a w2003 DC with a samba4 dc (4.1.4 with BIND9_DLZ)
>
> The domainlevel was raised to 2003 before samba4 joins the domain
>
> [root at server01 ~]# samba-tool domain level show
> Domain and forest function level for domain 'DC=ags,DC=local'
>
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2003
>
> Join, DNS  ets seems to work
> samba_dnsupdate shows now error
> samba-tool fsmo seize --role=all
> works to
>
> When wir try to demote the w2003 server, we get an error, that no other
> DC for the transfer of DC=ForestDnsZones,DC=ags,DC=local
> could be found
>
> I tried to compare with MSC DNS Admin the DNS Zones
> and found, that under w2003 there where two entries
>  Standardname-des-ersten-Standorts._sites.ForestDnsZones.ags.local
> dns
> ForestDnsZones.ags.local
> which were not availiable under the samba dns.
>
> When I try to replicate the zone from the w2003 DC to the samba DC
> I get
>  
> [root at server01 ~]# samba-tool drs replicate agsrv.ags.local
> server01.ags.local "DC=ForestDnsZones,DC=ags,DC=local"
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (8452, 'WERR_DS_DRA_NO_REPLICA')
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/drs.py", line
> 345, in run
>     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
> source_dsa_guid, NC, req_options)
>   File "/usr/lib64/python2.6/site-packages/samba/drs_utils.py", line 83,
> in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> the other way around samba-> W2003 the replication works
>
> The same affects the DC=DomainDnsZones,DC=ags,DC=local zone
>
> What could be the reason for this errors
>
> ragards
>
> Hansjörg Maurer
>
>
>
>
>

I finally managed to remove the W2003 DC from the domain,
and I am able to reproduce it :-)

There seems to be  a samba bug which let the dcpromo fail
https://bugzilla.samba.org/show_bug.cgi?id=9429

Therefore we have to demote the dc using dcpromo /forceremoval
With the MS prefered solution ntdsutil we were unable to connect to the
samba4 dc
to cleanup the metadata (invalid input errors against samba dc, working
against w2003 dc)

Therefore the steps which work in our case are:

After the join of the samba4 dc I did
- on the samba host
* samba_dnsupdate --all-names
* samba-tool fsmo seize --role=all
* samba-tool fsmo transfer --role=all
* change name resultion to Linux AD server (resolv.conf )

- on the MS AD server
* disable the GC role on the windows server (with MMC AD Sites
configuration, removing the GC Flag)
* change the NS entry of all zones form the MS server to the samba
server (using DNS MMC)
   without deleting the A Record of the MS server
* change name resultion to Linux AD server (LAN DNS Settings)
* dcpromo /forceremoval
* reboot

- on a Windows AD member using MMC
* Cleanup DNS and remove all references of the MS server (A records,
service records etc)

* delete old MS AD server from the Domain Controllers Container (using
AD users and computers MMC SnapIn)
- on the Linux samba4 DC
* remove all enries referencing the old MS DC using ldbedit -e vi -H
/etc/samba/sam.ldb --cross-ncs

or (replacing the last two (*) steps)
- on a Windows AD member
* run the metadate removal script from here
http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

- on the linux server check if DRS is cleaned up (no connections and no
errors)

[root at server01 samba]# samba-tool drs showrepl
Standardname-des-ersten-Standorts\SERVER01
DSA Options: 0x00000001
DSA object GUID: 07fac3ef-a62e-4551-9481-293de46cda4d
DSA invocationId: 01e525de-0cae-433e-bcd9-9f74a7e97fa6

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====


Regards

Hansjörg




-- 
Dr. Hansjörg Maurer
itsystems Deutschland AG
Erzgießereistr. 22
80335 München
Tel:   +49-89-52 04 68-41
Fax:   +49-89-52 04 68-59
E-Mail: hansjoerg.maurer at itsd.de
Web:    http://www.itsd.de


Amtsgericht München HRB 132146
USt-IdNr. DE 812991301
Steuer-Nr. 143/100/81575

Aufsichtsratsvorsitzender:
Stefan Adam
Vorstand:
Dr. Michael Krocka
Dr. Hansjörg Maurer



More information about the samba-technical mailing list