[Samba] Trouble demoting DC with broken replication

Taylor, Jonn jonnt at taylortelephone.com
Wed May 21 12:53:26 MDT 2014

On 05/21/2014 09:31 AM, Achim Gottinger wrote:
> Am 21.05.2014 16:13, schrieb Andreas Oster:
>> Am 19.05.2014 19:09, schrieb Marc Muehlfeld:
>>> Hello Andreas,
>>> Am 19.05.2014 12:26, schrieb Andreas Oster:
>>>> Do you / does anybody have an idea how to get rid of those orphaned
>>>> entries ?
>>> Two weeks ago I wrote the 'Demote a DC' HowTo
>>> (https://wiki.samba.org/index.php/Demote_a_Samba_DC#Demote_a_DC_that_isn.27t_accessable_any_more).
>>> While doing research and testing for the HowTo, it turned out that
>>> there currently seems to be no way (samba-tool or the usual Windows
>>> ways) to demote a lost DC and clean up the metadata.
>>> I created a bug report about that:
>>> https://bugzilla.samba.org/show_bug.cgi?id=10595
>>> I guess the only way would be to manually find the stuff inside the AD
>>> and remove it via ldbedit. But I really would be afraid of
>>> that!
>>> Another idea I had would be to temporarily join a machine with the same
>>> name/IP as the DC and then demote it with samba-tool. After that maybe fewer
>>> directory entries would have to be removed (like the orphaned objectGUID
>>> entries). But this was just an idea and I wanted to try it in my test
>>> environment. I think it would be a risky way and should not be
>>> recommended.
>>> I think this is a very serious problem/bug!
>>> Regards,
>>> Marc
>> Hello Marc,
>> I have just realized that I am able to see the orphaned NTDS entry
>> for the removed DC by using Sysinternals "Active Directory Explorer".
>> I get the following:
>> CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc 
>> Settings\0ADEL:ef37f4de-a03c-493c-96f6-e521a5415d81,CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc 
>> Unfortunately these entries are not deletable.
>> Do you know if it is possible to remove those leftovers in a safe way?
>> Thank you very much
>> best regards
>> Andreas
> I think you cannot delete these because they belong to the default 
> site default-first-site, which may have references in other directory 
> entries. There's an open samba bug related to sites not being able to 
> be renamed and the inability to move servers to other sites.
> Can you see this site in AD's site management?
I have been down this road about a year ago with samba 4 AD. There is 
currently NO way to fix this until the developers fix it. NONE of the MS 
tools work!!! In my case after I force removed the failed DC the entire 
AD got corrupt and I had to rebuild the domain from scratch!

Samba 4 as a stand-alone server works just fine. Just do not add any 
more servers! If you plan on migrating away from an MS AD server you 
will corrupt your domain.
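The two DNs Andreas pasted are what Active Directory tombstones look like: the RDN is rewritten to `CN=<name>\0ADEL:<objectGUID>` and the object gets isDeleted TRUE, which is why a normal LDAP view and AD Explorer's delete do not treat them as ordinary entries. The script below is an added example (not code from this thread or from the Samba project) showing how to look for those leftovers directly in the DC's sam.ldb with ldbsearch and its `--show-deleted` flag instead of a Windows GUI. The sam.ldb path, the domain DN `DC=samdom,DC=loc`, the DC name DC02 and the LDIF sample are assumptions for the example; the sample is constructed to mimic ldbsearch output (including one LDIF-wrapped line) using the GUIDs quoted above, so the parsing part runs without a domain at hand.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Samba project): list the
# tombstoned server / NTDS Settings objects a lost DC leaves under CN=Sites.
# Assumed values, not from the thread: the sam.ldb path, the domain DN and the
# DC name DC02; the LDIF below is a constructed sample of ldbsearch output.

SAMDB="${SAMDB:-/usr/local/samba/private/sam.ldb}"
CONFIG_NC="${CONFIG_NC:-CN=Configuration,DC=samdom,DC=loc}"

# Print the ldbsearch command to run on the DC. --show-deleted asks ldb to
# return tombstones too, which a plain search (and normal LDAP clients) hides.
ntds_search_cmd() {
    printf 'ldbsearch -H "%s" --show-deleted -b "CN=Sites,%s" "(|(objectClass=server)(objectClass=nTDSDSA))" dn isDeleted\n' \
        "$SAMDB" "$CONFIG_NC"
}

# Join LDIF continuation lines (a leading space) so each dn: is on one line.
ldif_unwrap() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# Read LDIF on stdin and print the DN of every tombstone belonging to DC $1.
# A deleted object keeps its GUID in the RDN as CN=<name>\0ADEL:<objectGUID>,
# the same form AD Explorer showed in the thread.
deleted_dns_for() {
    dc="$1"
    ldif_unwrap | grep -i "^dn: .*CN=$dc\\\\0ADEL:" | sed 's/^dn: //'
}

# Constructed sample: DC01 is healthy, DC02 was removed without a demote.
SAMPLE_LDIF='dn: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=loc

dn: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=loc

dn: CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=loc
isDeleted: TRUE

dn: CN=NTDS Settings\0ADEL:ef37f4de-a03c-493c-96f6-e521a5415d81,CN=DC02\0ADEL:5
 33436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=loc
isDeleted: TRUE
'

# Number of tombstones the sample holds for a DC; 0 means nothing was left.
sample_tombstone_count() {
    printf '%s' "$SAMPLE_LDIF" | deleted_dns_for "$1" | wc -l | tr -d ' '
}

# Against a live DC run instead:  sh -c "$(ntds_search_cmd)" | deleted_dns_for DC02
printf 'tombstones for DC02 in sample: %s\n' "$(sample_tombstone_count DC02)"
printf 'tombstones for DC01 in sample: %s\n' "$(sample_tombstone_count DC01)"
```

The search only lists what is there; it does not remove anything. Whether deleting a tombstoned server or nTDSDSA object by hand with ldbedit is safe is exactly the open question of the thread (and of the bug Marc filed), so treat the output as input for a backup-first decision, not as a cleanup step.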
