Trouble demoting DC with broken replication

Andreas Oster aoster at novanetwork.de
Wed May 21 08:13:50 MDT 2014


On 19.05.2014 19:09, Marc Muehlfeld wrote:
> Hello Andreas,
> 
> On 19.05.2014 12:26, Andreas Oster wrote:
>> Do you / does anybody have an idea how to get rid of those orphaned
>> entries?
> 
> 
> Two weeks ago I wrote the 'Demote a DC' HowTo
> (https://wiki.samba.org/index.php/Demote_a_Samba_DC#Demote_a_DC_that_isn.27t_accessable_any_more).
> 
> While doing research and testing for the HowTo, it turned out that
> currently there seems to be no way (samba-tool or the usual Windows
> ways) to demote a lost DC and clean up the metadata.
> 
> I created a bug report about that:
> https://bugzilla.samba.org/show_bug.cgi?id=10595
> 
> I guess the only way would be to manually find the stuff inside the AD
> and remove it manually via ldbedit. But I really would be afraid of that!
> 
> Another idea I had would be to temporarily join a machine with the same
> name/IP as DC and then demote it with samba-tool. After that maybe fewer
> directory entries have to be removed (like the orphaned objectGUID
> entries). But this was just an idea and I wanted to try it in my test
> environment. But I think it would be a risky way and should not be
> recommended.
> 
> I think this is a very serious problem/bug!
> 
> 
> Regards,
> Marc
> 
> 
Hello Marc,

I have just recognized that I am able to see the orphaned NTDS entry
for the removed DC by using Sysinternals "Active Directory Explorer".

I get the following:

CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc

CN=NTDS Settings\0ADEL:ef37f4de-a03c-493c-96f6-e521a5415d81,CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc

Unfortunately these entries are not deletable.

Do you know if it is possible to remove those leftovers in a safe way?

Thank you very much

best regards

Andreas
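
Added example, not part of the original message: the `\0ADEL:<GUID>` suffix in the two DNs above is the form Active Directory gives the RDN of a deleted object (original name, an escaped newline `\0A`, `DEL:`, and the object's objectGUID). This Python sketch splits a DN on unescaped commas and reports which components carry that marker; it also recognises the analogous `\0ACNF:` conflict marker, which goes beyond what the message shows. The function names are hypothetical and the sample input is the two DNs quoted in the message.

```python
import re

# Sample input: the two DNs quoted in the message above.
SAMPLE_DNS = [
    r"CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc",
    r"CN=NTDS Settings\0ADEL:ef37f4de-a03c-493c-96f6-e521a5415d81,CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc",
]

# "\0A" is the DN hex escape for a newline. DEL marks a deleted object,
# CNF a replication name conflict; both are followed by the objectGUID.
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
MARKER = re.compile(r"^(?P<name>.*)\\0A(?P<kind>DEL|CNF):(?P<guid>" + GUID + r")$", re.S)

def split_rdns(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape sequence intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns

def mangled_rdns(dn):
    """Return (depth, attribute, original_name, kind, guid) per marked RDN."""
    hits = []
    for depth, rdn in enumerate(split_rdns(dn)):
        attr, _, value = rdn.partition("=")
        m = MARKER.match(value)
        if m:
            hits.append((depth, attr, m.group("name"), m.group("kind"), m.group("guid").lower()))
    return hits

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        for depth, attr, name, kind, guid in mangled_rdns(dn):
            print(f"depth {depth}: {attr}={name!r} marked {kind}, objectGUID {guid}")
```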


More information about the samba-technical mailing list