[Samba] Trouble demoting DC with broken replication

Andreas Oster aoster at novanetwork.de
Thu May 22 01:00:37 MDT 2014

On 21.05.2014 20:53, Taylor, Jonn wrote:
> On 05/21/2014 09:31 AM, Achim Gottinger wrote:
>> On 21.05.2014 16:13, Andreas Oster wrote:
>>> On 19.05.2014 19:09, Marc Muehlfeld wrote:
>>>> Hello Andreas,
>>>> On 19.05.2014 12:26, Andreas Oster wrote:
>>>>> Do you / does anybody have an idea how to get rid of those orphaned
>>>>> entries ?
>>>> Two weeks ago I wrote the 'Demote a DC' HowTo
>>>> (https://wiki.samba.org/index.php/Demote_a_Samba_DC#Demote_a_DC_that_isn.27t_accessable_any_more).
>>>> While doing research and testing for the HowTo, it turned out that
>>>> currently there seems to be no way (samba-tool or the usual Windows
>>>> ways) to demote a lost DC and cleanup the metadata.
>>>> I created a bug report about that:
>>>> https://bugzilla.samba.org/show_bug.cgi?id=10595
>>>> I guess the only way would be to manually find the stuff inside the AD
>>>> and remove it manually via ldbedit. But I really would be afraid of
>>>> that!
>>>> Another idea I had would be to temporarily join a machine with the same
>>>> name/IP as DC and then demote it with samba-tool. After that maybe less
>>>> directory entries have to be removed (like the orphaned objectGUID
>>>> entries). But this was just an idea and I wanted to try it in my test
>>>> environment. But I think it would be a risky way and should not be
>>>> recommended.
>>>> I think this is a very serious problem/bug!
>>>> Regards,
>>>> Marc
>>> Hello Marc,
>>> I have just recognized that I am able to see the orphaned NTDS entry
>>> for the removed DC by using Sysinternals "Active Directory Explorer".
>>> I get the following:
>>> CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc
>>> Settings\0ADEL:ef37f4de-a03c-493c-96f6-e521a5415d81,CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc
>>> Unfortunately these entries are not deletable.
>>> Do you know if it is possible to remove those leftovers in a safe way?
>>> Thank you very much
>>> best regards
>>> Andreas
>> I think you can not delete these because they belong to the default
>> site default-first-site which may have references in other directory
>> entries. There's an open samba bug related to sites not being able to
>> be renamed and the inability to move servers to other sites.
>> Can you see this site in AD's site management?
> I have been down this road about a year ago with samba 4 AD. There is
> currently NO way to fix this until the developers fix it. NONE of the MS
> tools work!!! In my case after I force removed the failed DC the entire
> AD got corrupt and I had to rebuild the domain from scratch!
> Samba 4 as a stand-alone server works just fine. Just do not add any
> more servers! If you plan on migrating away from an MS AD server you
> will corrupt your domain.
> Jonn
Hello Jonn,

I already had a feeling that I will not be able to fix it myself :-(
Since removal of the failed DC some things started to get weird. In
addition to the replication errors we are currently not able to use RDP
to connect to our Win7 machines. Might be that there are also some other
hidden issues.

I have started with samba 4 at alpha state and with the kind help of
some developer migrated our old Win2k domain to samba 4. I have always
used the latest git sources and never had any major issues until now :-(

My domain is quite small, only about 40 users and 30 workstations. I
might have to start from scratch. Do you know if it is possible to
export domain SID, users/machines and GPOs and import it into a new
samba AD ?


best regards
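As an added example (not code from this thread or from Samba), a small Python parser for the delete-mangled DNs quoted above: it recognises the `\0ADEL:<objectGUID>` RDN form that AD gives tombstoned objects, lists the tombstoned components of a DN, and flags tombstoned server objects under `CN=Servers` whose name is no longer a live DC. The second sample DN is cut off on the page, so its leaf RDN `CN=NTDS Settings` is an assumption.

```python
import re

# Tombstoned AD objects get their RDN mangled to "<name>\0ADEL:<objectGUID>";
# "\0A" is the LDAP escape of the newline AD inserts on deletion.
_DEL_RDN = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.*?)\\0ADEL:"
    r"(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped (an escaped
    backslash directly before a comma is not handled; not needed here)."""
    return re.split(r"(?<!\\),", dn)

def tombstones(dn):
    """(original_name, objectGUID) for every deleted-object RDN in dn,
    leaf first; [] means no component of the DN is a tombstone."""
    out = []
    for rdn in split_dn(dn):
        m = _DEL_RDN.match(rdn)
        if m:
            out.append((m.group("name"), m.group("guid").lower()))
    return out

def orphaned_servers(dns, live_dcs):
    """Map DC name -> objectGUID for tombstoned server objects (direct
    children of CN=Servers) whose name is no longer a live DC."""
    live = {n.lower() for n in live_dcs}
    found = {}
    for dn in dns:
        parts = split_dn(dn)
        for i, rdn in enumerate(parts[:-1]):
            m = _DEL_RDN.match(rdn)
            if (m and parts[i + 1].lower() == "cn=servers"
                    and m.group("name").lower() not in live):
                found.setdefault(m.group("name"), m.group("guid").lower())
    return found

# Constructed sample: the two DNs quoted in the thread. The second is cut
# off on the page; "CN=NTDS Settings" is assumed as its leaf RDN.
SITE = ("CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,"
        "CN=Configuration,DC=samdom,DC=loc")
DN_SERVER = r"CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1," + SITE
DN_NTDS = (r"CN=NTDS Settings\0ADEL:ef37f4de-a03c-493c-96f6-e521a5415d81,"
           + DN_SERVER)

if __name__ == "__main__":
    print(orphaned_servers([DN_SERVER, DN_NTDS], live_dcs=["DC01"]))
```

Feeding it the DNs exported from the Configuration partition (e.g. from Active Directory Explorer) gives a list of leftover server GUIDs to compare against the output of `samba-tool drs showrepl` before deciding what to clean up.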