[Samba] how to remove an (offline) DC from Samba 4?

Bram Matthys syzop at vulnscan.org
Mon Feb 17 13:29:06 MST 2014

Hi Denis,

Denis Cardon wrote, on 17-2-2014 19:14:
>> What would be the recommended way to remove an old offline DC from Samba4?
>> I searched in samba-tool for a way to do this, but didn't find any.
>> Tried using the Windows tools to manage AD Users & Computers -> Domain
>> Controllers -> The DC & then hit delete, however this gives an error 'cannot
>> find specified module'.
>> On https://wiki.samba.org/index.php/Samba4/DRS_TODO_List I read this is
>> likely a known issue:
>> "Fix DsRemoveDSServer
>> Removing a DC from the Domain Controllers container when using windows
>> user/group admin tool against a s4 DC fails with "bad stub data". It
>> generated a fault on the wire. "
>> Given that both samba-tool and the ADUC tools are a dead end, what
>> should I do?
>> Should I start messing with ldbedit/ldbdel? I'm worried to mess up things,
>> especially dead references to the old DC. Or is this the way to go?
> You can actually get stuck in a similar situation with MSAD. There is a web
> page on microsoft about that http://support.microsoft.com/kb/216498 . I had
> once to dig into that with a dead DC that wouldn't leave my win2k DC alone.
> I'd advise you to use ApacheDirectoryStudio instead of adsiedit to remove
> the old entries from your AD, it is much more user friendly. Be sure to have
> a good backup before fiddling with your ldap entries!

Thanks. So indeed, little choice but to fiddle with LDAP or the DB directly.

I ended up running ldbedit on:

and removing all objects and references I could find to my old DCs.

Then tried editing /usr/local/samba/private/sam.ldb:
in dn:DC=COMPANY,DC=NET I tried to remove masteredBy: lines referencing my
old DCs.
However this failed:
failed to modify DC=MLHJ,DC=NET - objectclass_attrs: attribute 'masteredBy'
on entry 'DC=MLHJ,DC=NET' must not be modified directly, it is a linked
Even though I already removed that entry from
sam.ldb.d/CN=CONFIGURATION,DC=COMPANY,DC=NET.ldb. I restarted samba4 to see
if it would detect and remove the reference, but no.
Then I found out about ldbedit --relax which lets me remove the item.

The connection attempts are gone from the samba log and the other (dead)
DCs are gone from 'samba-tool drs showrepl' as well. Good!

So I think I'm mostly done now :)

> Then use your dnsmgmt.msc to check and remove all the DNS entries of the old
> DC servers (NS and SRV fields).

Unfortunately I have a problem with this, even before I started messing with
the DB. I'll post a new message.

Thanks for your help!


Bram Matthys
Software developer/IT consultant        syzop at vulnscan.org
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
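As an added example (not code from this thread or from the Samba project), a small Python check that takes an LDIF dump of sam.ldb and lists the objects under a dead DC's server entry together with the linked attributes such as masteredBy that still point into it, so you know what ldbdel and ldbedit --relax will have to touch before editing by hand; the sample dump, DNs and attribute values are constructed.

```python
import base64
# Constructed sample, modelled on an ldbsearch dump of sam.ldb; every DN and
# attribute value below is made up for this example.
SAMPLE_LDIF = """\
dn: DC=COMPANY,DC=NET
objectClass: domainDNS
masteredBy: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Si
 tes,CN=Configuration,DC=COMPANY,DC=NET
masteredBy: CN=NTDS Settings,CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=
 Sites,CN=Configuration,DC=COMPANY,DC=NET

dn: CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=COMPANY,DC=NET
objectClass: server
description:: T2xkIERD

dn: CN=NTDS Settings,CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=COMPANY,DC=NET
objectClass: nTDSDSA
"""
DEAD_SERVER_DN = "CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=COMPANY,DC=NET"

def parse_ldif(text):
    """Minimal LDIF reader: joins folded lines, decodes '::' base64 values,
    one entry per blank-line-separated block (escaped commas not handled)."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = []
        for line in filter(None, block.splitlines()):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.append((attr, value.strip()))
        if attrs and attrs[0][0].lower() == "dn":
            entries.append((attrs[0][1], attrs[1:]))
    return entries

def norm_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()

def find_dead_dc_refs(text, dead_server_dn):
    """(to_delete, refs): DNs at or under the dead DC's server object, deepest
    first, plus (dn, attr, value) links elsewhere still pointing into it."""
    dead = norm_dn(dead_server_dn)
    inside = lambda d: d == dead or d.endswith("," + dead)
    to_delete, refs = [], []
    for dn, attrs in parse_ldif(text):
        if inside(norm_dn(dn)):
            to_delete.append(dn)
            continue
        refs += [(dn, a, v) for a, v in attrs if inside(norm_dn(v))]
    return sorted(to_delete, key=lambda d: -d.count(",")), refs
```

Run it against a dump made with ldbsearch before deleting anything; the refs list is exactly the set of linked attributes that a plain ldbedit will refuse to modify.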
