[Samba] Demote a dead PDC: residuals in "DNS" console

Ole Traupe ole.traupe at tu-berlin.de
Thu Oct 29 11:38:46 UTC 2015


Hi mathias,

thanks for the heads-up! However, my AD Sites and Services is clear, 
too. I followed the suggestion here
https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
to use this
http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
script.

Copy the contents of the "Visual Basic" box to a text file and rename it 
to "something.vbs". Run the vb script as admin e.g. on a Win 7 64 bit 
(worked for me) domain member client being logged on as "Administrator". 
This removed my former PDC from ADUC and ADSS.

Best,
Ole


On 29.10.2015 at 12:16, mathias dufresne wrote:
> Hi,
>
> I played with demote recently on a test AD domain composed of Samba
> version 4.3.0 and 4.3.1. I demoted all version 4.3.0.
>
> I was facing the same issue as you. I wrote long mails here to explain how I
> managed that. My DNS looks clear now.
>
> Today I played with AD sites and I found in default sites all demoted DCs.
> They weren't removed from DNS DB nor here. For now I have no idea how to
> get rid of these DCs in my sites configuration without ADUC.
>
> So you should have a look into your AD Sites configuration tool to check if
> they were correctly removed.
>
> Cheers,
>
> mathias
>
>
> 2015-10-29 10:01 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
>> Ok, I made a backup following the Samba wiki and then did this. Had to
>> wait a bit between updating the SOAs because I got a strange error message
>> saying that a time value for the non-update of some resource cleanup wasn't
>> set. But a few minutes later I could update the second SOA as well, and now
>> the Samba log is clean.
>>
>> Ole
>>
>>
>>
>> On 28.10.2015 at 16:42, Ole Traupe wrote:
>>
>>> Hi,
>>>
>>> I demoted my PDC (DC1) forcefully, because replication (among others)
>>> wasn't working anymore due to hard disk failure and I was afraid of
>>> spending a lot of time on nothing.
>>>
>>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), restarted Samba,
>>> and found errors in the samba log due to the missing DC1.
>>>
>>> I removed the two DNS entries created according to this site:
>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>> I applied the script suggested here:
>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>> This removed the DC1 entry in ADUC and "Active Directory Sites and
>>> Services".
>>>
>>> However, the error persists (10 minute interval; sanitized):
>>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for 'dc1.my.domain.de': not found
>>>
>>> Likely due to further DNS entries, the last-mentioned site suggests
>>> removing them by hand. Most of the containers in the DNS console have only
>>> duplicate entries for DC1/2, so no problem. However, 3 don't:
>>>
>>>
>>> (removed subfolder and client PC entries; sanitized, translated where
>>> necessary GR->EN)
>>>
>>>
>>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>>
>>> Name    Type    Data    Time stamp
>>> (identical to parent folder)    Source of Authority (SOA)    [3], dc1.my.domain.de., hostmaster.my.domain.de.    28.10.2015 15:00:00
>>> (identical to parent folder)    Nameserver (NS)    dc1.my.domain.de.    Static
>>> (identical to parent folder)    Host (A)    IP__of__DC1    Static
>>> (identical to parent folder)    Host (A)    IP__of__DC2    Static
>>> DC2    Host (A)    130.149.34.118    29.07.2015 13:00:00
>>>
>>>
>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>>
>>> (identical to parent folder)    Source of Authority (SOA)    [3], dc1.my.domain.de., hostmaster.my.domain.de.    28.10.2015 15:00:00
>>> (identical to parent folder)    Nameserver (NS)    dc1.my.domain.de.    Static
>>> objectGUID__of__DC2    Alias (CNAME)    DC2.my.domain.de.    29.07.2015 13:00:00
>>>
>>>
>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>>
>>> _ldap    Service Identification (SRV)    [0][100][389] dc1.my.domain.de.    Static
>>>
>>>
>>> What to do in these cases? Is it safe to open the properties of the
>>> non-duplicate entries and replace DC1 with DC2?
>>>
>>> Ole
>>>
>>>
>>>
>>>
>>
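
The residual-record check discussed in this thread, as an added example that is not part of any poster's message or of Samba itself: a read-only audit that lists which records in a zone listing still point at the demoted DC. The record tuples are constructed from the console listing quoted above (placeholder addresses, hypothetical names `norm`, `targets`, `stale_records`), and the SOA/SRV data layout is assumed to match that listing.

```python
import re

# Constructed sample modelled on the console listing in the original post:
# (zone, name, type, data). Addresses are documentation-range placeholders.
RECORDS = [
    ("my.domain.de", "@", "SOA", "[3], dc1.my.domain.de., hostmaster.my.domain.de."),
    ("my.domain.de", "@", "NS", "dc1.my.domain.de."),
    ("my.domain.de", "@", "A", "192.0.2.1"),
    ("my.domain.de", "@", "A", "192.0.2.2"),
    ("my.domain.de", "DC2", "A", "192.0.2.2"),
    ("my.domain.de", "www", "CNAME", "dc10.my.domain.de."),  # must not match dc1
    ("_msdcs.my.domain.de", "@", "SOA", "[3], dc1.my.domain.de., hostmaster.my.domain.de."),
    ("_msdcs.my.domain.de", "@", "NS", "dc1.my.domain.de."),
    ("_msdcs.my.domain.de", "guid-of-dc2", "CNAME", "DC2.my.domain.de."),
    ("_msdcs.my.domain.de", "_ldap._tcp.pdc", "SRV", "[0][100][389] dc1.my.domain.de."),
]

def norm(host):
    """Lower-case and drop the trailing root dot so FQDNs compare equal."""
    return host.strip().rstrip(".").lower()

def targets(rtype, data):
    """Host names that a non-address record's data field points at."""
    # Drop console prefixes: "[3]," (SOA serial), "[0][100][389]" (SRV fields).
    body = re.sub(r"\[\d+\]", " ", data).replace(",", " ")
    names = [norm(tok) for tok in body.split()]
    # In an SOA only the first name is a server; the second is the mailbox.
    return names[:1] if rtype == "SOA" else names

def stale_records(records, dead_fqdn, dead_ips=()):
    """Return the records that still reference the demoted DC."""
    dead = norm(dead_fqdn)
    hits = []
    for zone, name, rtype, data in records:
        if rtype in ("A", "AAAA"):
            # Address records: the dead DC's own host entry or its address.
            stale = norm(f"{name}.{zone}") == dead or data.strip() in dead_ips
        else:
            stale = dead in targets(rtype, data)
        if stale:
            hits.append((zone, name, rtype, data))
    return hits

if __name__ == "__main__":
    for rec in stale_records(RECORDS, "dc1.my.domain.de", dead_ips={"192.0.2.1"}):
        print("\t".join(rec))
```

Matching is on whole normalized host names, so a host such as `dc10` is not reported when auditing for `dc1`.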



