[Samba] Demote a dead PDC: residuals in "DNS" console

mathias dufresne infractory at gmail.com
Thu Oct 29 12:54:34 UTC 2015


Thank you for the hint to this VBS script. In fact I already saw it but I'm not
too confident in my VB knowledge, so I didn't use that script, preferring
to rely on Samba commands and shell scripts to work around issues.

You spoke about SOA record which wasn't changed, same here. There is
another DNS record I had to change: _ldap._tcp.pdc._msdcs.samba.domain.tld.

I spoke about removing removed-DCs from sites and the command to do that
could be:
ldbdel -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Deleted 1 record

To get the list of all contents in sites:
ldbsearch -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' 'cn=*' dn

This will list all entries in "sites" container.

Looking into CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld:
ldbsearch -H $sam -b 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' 'cn=*' dn

There are 4 entries in that container per declared DC in the site. Only the
one mentioned earlier had to be removed manually; the three others should
have been removed during the demote process, as I didn't remove them myself and
they weren't present before I manually performed the mentioned clean-up.

Cheers,

mathias
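
Added example, not part of the original mail and not Samba's own tooling: a shell filter that reads saved output of the ldbsearch command above and lists only the entries left under CN=Servers for one removed DC, children first, so they can be reviewed before anything is passed to ldbdel. The sample LDIF and the function names sample_ldif and residual_dns are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `ldbsearch ... cn=* dn` output (placeholder names).
# Long dn lines are folded: a continuation line starts with one space.
sample_ldif() {
cat <<'EOF'
# record 1
dn: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld

# record 2
dn: CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s
 amba,DC=domain,DC=tld

# record 3
dn: CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
 on,DC=samba,DC=domain,DC=tld

# record 4
dn: CN=NTDS Settings,CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sit
 es,CN=Configuration,DC=samba,DC=domain,DC=tld

# returned 4 records
EOF
}

# residual_dns DCNAME: read LDIF on stdin, print every DN that is the server
# object CN=DCNAME,CN=Servers,... or sits below it, deepest entries first.
residual_dns() {
    awk -v dc="$1" '
        # Unfold: a line starting with one space continues the previous line.
        /^ /  { cur = cur substr($0, 2); next }
              { emit(); cur = $0 }
        END   { emit() }
        function emit(   dn, l, depth) {
            if (cur !~ /^dn: /) return
            dn = substr(cur, 5)
            # Leading comma anchors the match on a whole RDN, so a DC named
            # "DC" does not match "removed-DC" and "DC2" does not match "DC".
            l = "," tolower(dn)
            if (index(l, ",cn=" tolower(dc) ",cn=servers,") == 0) return
            depth = gsub(/,/, ",", l)   # number of RDNs, used for ordering
            printf "%d %s\n", depth, dn
        }' | sort -rn | cut -d' ' -f2-
}

sample_ldif | residual_dns removed-DC
```

Records whose DN is base64-encoded (lines starting with "dn::") are skipped by this filter and need to be checked by hand.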


2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:

> Hi mathias,
>
> thanks for the heads-up! However, my AD Sites and Services is clear, too.
> I followed the suggestion here
> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
> to use this
>
> http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
> script.
>
> Copy the contents of the "Visual Basic" box to a text file and rename it
> to "something.vbs". Run the vb script as admin e.g. on a Win 7 64 bit
> (worked for me) domain member client being logged on as "Administrator".
> This removed my former PDC from ADUC and ADSS.
>
> Best,
> Ole
>
>
>
> On 29.10.2015 at 12:16, mathias dufresne wrote:
>
>> Hi,
>>
>> I played with demote recently on a test AD domain composed with Samba
>> version 4.3.0 and 4.3.1. I demoted all version 4.3.0.
>>
>> I was facing the same issue as you. I wrote long mails here to explain how I
>> managed that. My DNS looks clear now.
>>
>> Today I played with AD sites and I found in default sites all demoted DCs.
>> They weren't removed from DNS DB nor here. For now I have no idea how to
>> get rid of these DCs in my sites configuration without ADUC.
>>
>> So you should have a look into your AD Sites configuration tool to check if
>> they were correctly removed.
>>
>> Cheers,
>>
>> mathias
>>
>>
>> 2015-10-29 10:01 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>
>>> Ok, I made a backup following the Samba wiki and then did this. Had to
>>> wait a bit between updating the SOAs because I got a strange error message
>>> saying that a time value for the non-update of some resource cleanup wasn't
>>> set. But a few minutes later I could update the second SOA as well, and now
>>> the Samba log is clean.
>>>
>>> Ole
>>>
>>>
>>>
>>> On 28.10.2015 at 16:42, Ole Traupe wrote:
>>>
>>>> Hi,
>>>>
>>>> I demoted my PDC (DC1) forcefully, because replication (among others)
>>>> wasn't working anymore due to hard disk failure and I was afraid of
>>>> spending a lot of time on nothing.
>>>>
>>>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), restarted Samba,
>>>> and found errors in the samba log due to the missing DC1.
>>>>
>>>> I removed the two DNS entries created according to this site:
>>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>>> I applied the script suggested here:
>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>> This removed the DC1 entry in ADUC and "Active Directory Sites and
>>>> Services".
>>>>
>>>> However, the error persists (10 minute interval; sanitized):
>>>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for 'dc1.my.domain.de': not found
>>>>
>>>> Likely due to further DNS entries, the last-mentioned site suggests to
>>>> remove them by hand. Most of the containers in the DNS console have only
>>>> duplicate entries for DC1/2, so no problem. However, 3 don't:
>>>>
>>>>
>>>> (removed subfolder and client PC entries; sanitized, translated where
>>>> necessary GR->EN)
>>>>
>>>>
>>>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>>>
>>>> Name    Type    Data    Time stamp
>>>> (identical to parent folder)    Source of Authority (SOA)    [3], dc1.my.domain.de., hostmaster.my.domain.de.    28.10.2015 15:00:00
>>>> (identical to parent folder)    Nameserver (NS)    dc1.my.domain.de.    Static
>>>> (identical to parent folder)    Host (A)    IP__of__DC1    Static
>>>> (identical to parent folder)    Host (A)    IP__of__DC2    Static
>>>> DC2    Host (A)    130.149.34.118    29.07.2015 13:00:00
>>>>
>>>>
>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>>>
>>>> (identical to parent folder)    Source of Authority (SOA)    [3], dc1.my.domain.de., hostmaster.my.domain.de.    28.10.2015 15:00:00
>>>> (identical to parent folder)    Nameserver (NS)    dc1.my.domain.de.    Static
>>>> objectGUID__of__DC2    Alias (CNAME)    DC2.my.domain.de.    29.07.2015 13:00:00
>>>>
>>>>
>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>>>
>>>> _ldap    Service Identification (SRV)    [0][100][389] dc1.my.domain.de.    Static
>>>>
>>>>
>>>> What to do in these cases? Is it safe to open the properties of the
>>>> non-duplicate entries and replace DC1 with DC2?
>>>>
>>>> Ole
>>>>
>>>>
>>>>
>>>>
>>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>

