[Samba] Trouble demoting DC with broken replication

Achim Gottinger achim at ag-web.biz
Wed May 21 08:31:51 MDT 2014


On 21.05.2014 16:13, Andreas Oster wrote:
> On 19.05.2014 19:09, Marc Muehlfeld wrote:
>> Hello Andreas,
>>
>> On 19.05.2014 12:26, Andreas Oster wrote:
>>> Do you / does anybody have an idea how to get rid of those orphaned
>>> entries?
>>
>> Two weeks ago I wrote the 'Demote a DC' HowTo
>> (https://wiki.samba.org/index.php/Demote_a_Samba_DC#Demote_a_DC_that_isn.27t_accessable_any_more).
>>
>> While doing research and testing for the HowTo, it turned out that
>> currently there seems to be no way (samba-tool or the usual Windows
>> ways) to demote a lost DC and clean up the metadata.
>>
>> I created a bug report about that:
>> https://bugzilla.samba.org/show_bug.cgi?id=10595
>>
>> I guess the only way would be to manually find the stuff inside the AD
>> and remove it manually via ldbedit. But I really would be afraid of that!
>>
>> Another idea I had would be to temporarily join a machine with the same
>> name/IP as the DC and then demote it with samba-tool. After that maybe fewer
>> directory entries have to be removed (like the orphaned objectGUID
>> entries). But this was just an idea and I wanted to try it in my test
>> environment. But I think it would be a risky way and should not be
>> recommended.
>>
>> I think this is a very serious problem/bug!
>>
>>
>> Regards,
>> Marc
>>
>>
> Hello Marc,
>
> I have just recognized that I am able to see the orphaned NTDS entry
> for the removed DC by using Sysinternals "Active Directory Explorer".
>
> I get the following:
>
> CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc
>
> CN=NTDS Settings\0ADEL:ef37f4de-a03c-493c-96f6-e521a5415d81,CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc
>
> Unfortunately these entries are not deletable.
>
> Do you know if it is possible to remove those leftovers in a safe way?
>
> Thank you very much
>
> best regards
>
> Andreas
I think you cannot delete these because they belong to the default site
default-first-site, which may have references in other directory entries.
There's an open Samba bug related to sites not being able to be renamed
and the inability to move servers to other sites.
Can you see this site in AD's site management?
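As an added example (not from the thread, and not Samba's own tooling): a small Python helper that recognises the deleted-object DNs Andreas posted (the `name\0ADEL:<objectGUID>` tombstone form of the RDN) and reports which server and site each leftover server or NTDS Settings object belongs to, so an administrator can inventory orphaned DC metadata before touching anything with ldbedit. The two tombstoned DNs are the ones from the thread; the live DC01 entry and the ldbsearch invocation in the comment are assumptions.

```python
import re

# Constructed sample input: the two tombstoned DNs from the thread plus an
# assumed live NTDS Settings object (DC01). In practice the input would come
# from something like (assumed invocation, adjust the database path):
#   ldbsearch -H /var/lib/samba/private/sam.ldb --show-deleted \
#       -b CN=Configuration,DC=samdom,DC=loc '(isDeleted=TRUE)' dn
# Raw strings are required: in a normal Python literal "\0A" would decode to
# a NUL byte instead of the three characters "\0A".
SAMPLE_DNS = [
    r"CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc",
    r"CN=NTDS Settings\0ADEL:ef37f4de-a03c-493c-96f6-e521a5415d81,CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc",
    r"CN=NTDS Settings,CN=DC01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc",
]

# A deleted object's RDN becomes "<attr>=<name>\0ADEL:<objectGUID>"; "\0A" is
# the DN-escaped newline AD inserts between the original name and the marker.
_DEL_RDN = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.*?)\\0ADEL:"
    r"(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)


def split_dn(dn):
    """Split a DN on commas not preceded by a backslash (escaped commas stay)."""
    return re.split(r"(?<!\\),", dn)


def deleted_rdn(rdn):
    """Return (original name, objectGUID) for a tombstone RDN, else None."""
    m = _DEL_RDN.match(rdn)
    return (m["name"], m["guid"].lower()) if m else None


def orphaned_dc_metadata(dn):
    """Classify a tombstoned server or NTDS Settings object still sitting
    under CN=Servers in the Configuration partition; None for anything else."""
    rdns = split_dn(dn)
    lower = [r.lower() for r in rdns]
    if "cn=servers" not in lower or "cn=configuration" not in lower:
        return None
    s = lower.index("cn=servers")           # 1: server object, 2: nTDSDSA below it
    hit = deleted_rdn(rdns[0]) if s in (1, 2) else None
    if hit is None:
        return None
    parent = deleted_rdn(rdns[1]) if s == 2 else None
    server = hit[0] if s == 1 else (parent[0] if parent else rdns[1].split("=", 1)[1])
    return {"kind": "server" if s == 1 else "ntdsDSA", "server": server,
            "guid": hit[1], "site": rdns[s + 1].split("=", 1)[1]}


def find_orphans(dns):
    """All tombstoned DC metadata objects among the given DNs."""
    return [m for m in map(orphaned_dc_metadata, dns) if m]
```

Everything this reports is read-only; the objectGUID it extracts is the one Marc's bug report says you would otherwise have to hunt for by hand.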
