[Samba] Trouble demoting DC with broken replication

Taylor, Jonn jonnt at taylortelephone.com
Thu May 22 07:24:42 MDT 2014

On 05/22/2014 02:00 AM, Andreas Oster wrote:
> Am 21.05.2014 20:53, schrieb Taylor, Jonn:
>> On 05/21/2014 09:31 AM, Achim Gottinger wrote:
>>> Am 21.05.2014 16:13, schrieb Andreas Oster:
>>>> Am 19.05.2014 19:09, schrieb Marc Muehlfeld:
>>>>> Hello Andreas,
>>>>> Am 19.05.2014 12:26, schrieb Andreas Oster:
>>>>>> Do you / does anybody have an idea how to get rid of those orphaned
>>>>>> entries?
>>>>> Two weeks ago I wrote the 'Demote a DC' HowTo
>>>>> (https://wiki.samba.org/index.php/Demote_a_Samba_DC#Demote_a_DC_that_isn.27t_accessable_any_more).
>>>>> While doing research and testing for the HowTo, it turned out that
>>>>> currently there seems to be no way (samba-tool or the usual Windows
>>>>> ways) to demote a lost DC and clean up the metadata.
>>>>> I created a bug report about that:
>>>>> https://bugzilla.samba.org/show_bug.cgi?id=10595
>>>>> I guess the only way would be to manually find the stuff inside the AD
>>>>> and remove it manually via ldbedit. But I really would be afraid of
>>>>> that!
>>>>> Another idea I had would be to temporarily join a machine with the same
>>>>> name/IP as the DC and then demote it with samba-tool. After that maybe fewer
>>>>> directory entries have to be removed (like the orphaned objectGUID
>>>>> entries). But this was just an idea and I wanted to try it in my test
>>>>> environment. But I think it would be a risky way and should not be
>>>>> recommended.
>>>>> I think this is a very serious problem/bug!
>>>>> Regards,
>>>>> Marc
>>>> Hello Marc,
>>>> I have just recognized that I am able to see the orphaned NTDS entry
>>>> for the removed DC by using Sysinternals "Active Directory Explorer".
>>>> I get the following:
>>>> CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc
>>>> CN=NTDS Settings\0ADEL:ef37f4de-a03c-493c-96f6-e521a5415d81,CN=DC02\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc
>>>> Unfortunately these entries are not deletable.
>>>> Do you know if it is possible to remove those leftovers in a safe way?
>>>> Thank you very much
>>>> best regards
>>>> Andreas
>>> I think you cannot delete these because they belong to the default
>>> site default-first-site which may have references in other directory
>>> entries. There's an open samba bug related to sites not being able to
>>> be renamed and the inability to move servers to other sites.
>>> Can you see this site in AD's site management?
>> I have been down this road about a year ago with samba 4 AD. There is
>> currently NO way to fix this until the developers fix it. NONE of the MS
>> tools work!!! In my case after I force removed the failed DC the entire
>> AD got corrupt and I had to rebuild the domain from scratch!
>> Samba 4 as a stand-alone server works just fine. Just do not add any
>> more servers! If you plan on migrating away from an MS AD server you
>> will corrupt your domain.
>> Jonn
> Hello Jonn,
> I already had a feeling that I will not be able to fix it myself :-(
> Since removal of the failed DC some things started to get weird. In
> addition to the replication errors we are currently not able to use RDP
> to connect to our Win7 machines. Might be that there are also some other
> hidden issues.
> I have started with samba 4 at alpha state and with the kind help of
> some developer migrated our old Win2k domain to samba 4. I have always
> used the latest git sources and never had any major issues until now :-(
> My domain is quite small, only about 40 users and 30 workstations. I
> might have to start from scratch. Do you know if it is possible to
> export domain SID, users/machines and GPOs and import it into a new
> samba AD?
> Thanks
> best regards
> Andreas
Sounds like you have some kind of corruption for sure. We have an rdweb 
server that would not auth our users correctly after trying to remove 
the failed DC. After time this got so bad we had to do something. 
Eventually our workstations could not log in randomly.

I am not sure but in samba 3 as NT style domain you could set the domain 
SID. I am not sure about samba 4 AD DC. We just bit the bullet, built a 
new 2008R2 domain and rejoined all the machines. We did print out all 
our user IDs and group IDs so we did not have to reset permissions on
all our files.

Samba 4.x has a long way to go before it is production ready. Here
are just a few things that I have found. The first 3 are show stoppers
for me and I would consider them blockers for any future releases!

1. AD corruption due to adding or removing additional DCs to the domain.
   One of the big things with this is that some of this is still hard coded
   in. This is why none of the metadata can be removed.
2. DNS - Kai has done a great job on the internal DNS server but it is not
   bind. DDNS updates need a lot of work and they need to fix how the MS DNS
   tool reads and works with DNS.
3. SMB performance in the 4.x branch really sucks, even as a classic smb
   server. I went back to 3.6 just for this reason!
4. From some of my testing there still seem to be some kerberos and winbind
   problems in 4.x; I never nailed down what the real problem was and this
   was just using it as a classic smb server.
5. CTDB and 4.x is getting there but until the performance issue is
   resolved I am going to look at this again.
6. From watching the list a lot of people are having problems getting DHCP,
   DDNS and Samba 4 AD DC set up correctly. The information is out there but
   it seems that getting it to work is very different for each person.
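As an added example, not code from the thread or from Samba, here is a small Python helper that decodes DNs of the kind Andreas quotes above: AD rewrites a tombstoned object's RDN to `<name>\0ADEL:<objectGUID>` (`\0A` is the hex-escaped newline), and the helper pairs each deleted server object with the deleted NTDS Settings object beneath it, which is the leftover pair an admin would want to inventory before any metadata cleanup. The sample DNs are the two quoted in the thread plus a constructed live `DC01` entry; `split_dn`, `unescape`, `parse_entry` and `orphaned_dc_tombstones` are names chosen here.

```python
import re

# Constructed sample: the two tombstones quoted in the thread plus a live server object.
SITE = "CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=samdom,DC=loc"
SAMPLE_DNS = [
    "CN=DC02\\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1," + SITE,
    "CN=NTDS Settings\\0ADEL:ef37f4de-a03c-493c-96f6-e521a5415d81,"
    "CN=DC02\\0ADEL:533436d8-2dff-4a08-93ad-13fa454d93d1," + SITE,
    "CN=DC01," + SITE,
]
# A tombstoned RDN value decodes to "<original name>\nDEL:<objectGUID>".
DEL_RE = re.compile(r"^(?P<name>.*)\nDEL:(?P<guid>[0-9a-fA-F-]{36})$", re.S)

def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas (RFC 4514); escape pairs stay intact."""
    return re.findall(r"(?:\\.|[^,])+", dn, re.S)

def unescape(value: str) -> str:
    """Decode RFC 4514 escapes (\\XX hex pairs and \\<special char>) into text."""
    raw = bytearray()
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\\.|[^\\]+", value, re.S):
        if tok.startswith("\\"):
            raw += bytes.fromhex(tok[1:]) if len(tok) == 3 else tok[1:].encode()
        else:
            raw += tok.encode()
    return raw.decode("utf-8")

def parse_entry(dn: str) -> dict:
    """Original name, tombstone GUID (None if the object is live) and parent DN."""
    rdns = split_dn(dn)
    value = unescape(rdns[0].partition("=")[2])
    m = DEL_RE.match(value)
    return {"name": m["name"] if m else value, "guid": m["guid"] if m else None,
            "dn": dn, "parent": ",".join(rdns[1:])}

def orphaned_dc_tombstones(dns: list[str]) -> dict[str, dict[str, str]]:
    """Pair each deleted server object with the deleted NTDS Settings object under it."""
    entries = [parse_entry(d) for d in dns]
    servers = {e["dn"]: e for e in entries if e["guid"] and e["name"] != "NTDS Settings"}
    report = {}
    for e in entries:
        if e["guid"] and e["name"] == "NTDS Settings" and e["parent"] in servers:
            s = servers[e["parent"]]
            report[s["name"]] = {"server_guid": s["guid"], "ntds_guid": e["guid"]}
    return report

if __name__ == "__main__":
    for dc, g in orphaned_dc_tombstones(SAMPLE_DNS).items():
        print(f"{dc}: server object {g['server_guid']}, NTDS Settings {g['ntds_guid']}")
```

Feeding it the output of an ldbsearch over the Configuration partition that includes deleted objects would list every DC whose tombstoned server and NTDS Settings objects are still present.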

