[Samba] Demote a dead PDC: residuals in "DNS" console

Ole Traupe ole.traupe at tu-berlin.de
Thu Oct 29 13:56:05 UTC 2015



On 29.10.2015 at 14:37, James wrote:
> On 10/29/2015 9:15 AM, Ole Traupe wrote:
>>
>>
>> On 29.10.2015 at 13:54, mathias dufresne wrote:
>>> Thank you for the hint to this VBS script. In fact I already saw it but
>>> I'm not too confident in my VB knowledge, so I didn't use that script,
>>> preferring to rely on Samba commands and shell scripts to work around issues.
>>>
>>> You spoke about the SOA record which wasn't changed; same here. There is
>>> another DNS record I had to change:
>>> _ldap._tcp.pdc._msdcs.samba.domain.tld.
>>
>> Yes, I can confirm that I had to change that one, too.
>>
>>>
>>> I spoke about removing removed-DCs from sites and the command to do 
>>> that
>>> could be:
>>> ldbdel -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld'
>>> CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld 
>>>
>>> Deleted 1 record
>>>
>>> To get a list of all contents in sites:
>>> ldbsearch -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' cn=* dn
>>>
>>> This will list all entries in "sites" container.
>>>
>>> Looking into
>>> CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld
>>> ldbsearch -H $sam -b 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' cn=* dn
>>>
>>> There are 4 entries in that container per declared DC in the site. Only the
>>> one mentioned earlier had to be removed manually; the three others should
>>> have been removed during the demote process, as I didn't remove them myself
>>> and they weren't present before I manually performed the mentioned clean-up.
>>
>> Thank you for the further details. I can't really say anything about 
>> these entries or commands. There was only one entry in the ADSS 
>> console for my former PDC, and the script got rid of that.
>>
>> Best,
>> Ole
>>
>>
>>>
>>> Cheers,
>>>
>>> mathias
>>>
>>>
>>> 2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>
>>>> Hi mathias,
>>>>
>>>> thanks for the heads-up! However, my AD Sites and Services is 
>>>> clear, too.
>>>> I followed the suggestion here
>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>> to use this
>>>>
>>>> http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content 
>>>>
>>>> script.
>>>>
>>>> Copy the contents of the "Visual Basic" box to a text file and 
>>>> rename it
>>>> to "something.vbs". Run the vb script as admin e.g. on a Win 7 64 bit
>>>> (worked for me) domain member client being logged on as 
>>>> "Administrator".
>>>> This removed my former PDC from ADUC and ADSS.
>>>>
>>>> Best,
>>>> Ole
>>>>
>>>>
>>>>
>>>> On 29.10.2015 at 12:16, mathias dufresne wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I played with demote recently on a test AD domain composed of Samba
>>>>> versions 4.3.0 and 4.3.1. I demoted all the 4.3.0 ones.
>>>>>
>>>>> I was facing the same issue as you. I wrote long mails here to
>>>>> explain how I managed that. My DNS looks clear now.
>>>>>
>>>>> Today I played with AD sites and I found in the default sites all the
>>>>> demoted DCs. They weren't removed from the DNS DB nor here. For now I have
>>>>> no idea how to get rid of these DCs in my sites configuration without ADUC.
>>>>>
>>>>> So you should have a look into your AD Sites configuration tool to check
>>>>> if they were correctly removed.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> mathias
>>>>>
>>>>>
>>>>> 2015-10-29 10:01 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>>
>>>>>> Ok, I made a backup following the Samba wiki and then did this. Had to
>>>>>> wait a bit between updating the SOAs because I got a strange error message
>>>>>> saying that a time value for the non-update of some resource cleanup wasn't
>>>>>> set. But a few minutes later I could update the second SOA as well, and now
>>>>>> the Samba log is clean.
>>>>>>
>>>>>> Ole
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 28.10.2015 at 16:42, Ole Traupe wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> I demoted my PDC (DC1) forcefully, because replication (among others)
>>>>>>> wasn't working anymore due to hard disk failure and I was afraid of
>>>>>>> spending a lot of time on nothing.
>>>>>>>
>>>>>>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), restarted
>>>>>>> Samba,
>>>>>>> and found errors in the samba log due to the missing DC1.
>>>>>>>
>>>>>>> I removed the two DNS entries created according to this site:
>>>>>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins 
>>>>>>>
>>>>>>> I applied the script suggested here:
>>>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>>>> This removed the DC1 entry in ADUC and "Active Directory Sites and
>>>>>>> Services".
>>>>>>>
>>>>>>> However, the error persists (10 minute interval; sanitized):
>>>>>>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for '
>>>>>>> dc1.my.domain.de': not found
>>>>>>>
>>>>>>> Likely due to further DNS entries; the last-mentioned site suggests
>>>>>>> removing them by hand. Most of the containers in the DNS console have only
>>>>>>> duplicate entries for DC1/2, so no problem. However, 3 don't:
>>>>>>>
>>>>>>>
>>>>>>> (removed subfolder and client PC entries; sanitized, translated 
>>>>>>> where
>>>>>>> necessary GR->EN)
>>>>>>>
>>>>>>>
>>>>>>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>>>>>>
>>>>>>> Name                          Type                        Data                                              Time stamp
>>>>>>> (identical to parent folder)  Source of Authority (SOA)   [3], dc1.my.domain.de., hostmaster.my.domain.de.  28.10.2015 15:00:00
>>>>>>> (identical to parent folder)  Nameserver (NS)             dc1.my.domain.de.                                 Static
>>>>>>> (identical to parent folder)  Host (A)                    IP__of__DC1                                       Static
>>>>>>> (identical to parent folder)  Host (A)                    IP__of__DC2                                       Static
>>>>>>> DC2                           Host (A)                    130.149.34.118                                    29.07.2015 13:00:00
>>>>>>>
>>>>>>>
>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>>>>>>
>>>>>>> Name                          Type                        Data                                              Time stamp
>>>>>>> (identical to parent folder)  Source of Authority (SOA)   [3], dc1.my.domain.de., hostmaster.my.domain.de.  28.10.2015 15:00:00
>>>>>>> (identical to parent folder)  Nameserver (NS)             dc1.my.domain.de.                                 Static
>>>>>>> objectGUID__of__DC2           Alias (CNAME)               DC2.my.domain.de.                                 29.07.2015 13:00:00
>>>>>>>
>>>>>>>
>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>>>>>>
>>>>>>> Name                          Type                          Data                             Time stamp
>>>>>>> _ldap                         Service Identification (SRV)  [0][100][389] dc1.my.domain.de.  Static
>>>>>>>
>>>>>>>
>>>>>>> What to do in these cases? Is it safe to open the properties of the
>>>>>>> non-duplicate entries and replace DC1 with DC2?
>>>>>>>
>>>>>>> Ole
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>
>>
> When I demoted DCs in the past, I used ADSS, ADUC and ADSI to delete
> all traces. ADSI was necessary to delete all NTDS traces. This was on
> Samba 4.0.X versions. I take it you have no replication issues
> pointing to the old DC either?
>

I had a replication issue (connection attempt with the demoted DC) 
before I ran the script from the wiki. I wasn't able to delete ADUC and 
ADSS entries for the DC by hand.

What did you do in ADSI?
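The records the thread ends up editing by hand (the SOA primary name server, the NS record, the A record of the dead DC's address and the `_ldap._tcp.pdc._msdcs` SRV) are exactly the ones an audit can find before anyone opens the DNS console. The script below is an added example for this thread, not Samba's own tooling and not code any poster supplied: it parses zone dumps in the shape printed by `samba-tool dns query <server> <zone> @ ALL` (that line format is assumed from the tool's output), flags every record that still references the demoted DC, and tells apart an SRV name that has a surviving target (delete the old entry) from one where the old DC is the only target (repoint it, as Ole and mathias did for `pdc._msdcs`). The sample dumps are constructed around the thread's zone and host names with RFC 5737 addresses and a made-up objectGUID. `samba-tool dns delete <server> <zone> <name> <type> <data>` is a real subcommand; check the generated lines against `samba-tool dns delete --help` on your version before running them.

```python
"""Audit Samba AD DNS zone dumps for records still pointing at a demoted DC.
Added example, not Samba's own tooling. Input is assumed to look like the output
of `samba-tool dns query <server> <zone> @ ALL`; SAMPLE_DUMPS is constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    zone: str
    name: str    # owner name inside the zone, "@" for the zone apex
    rtype: str
    data: str    # record data with the trailing "(flags=..., ...)" stripped
    action: str  # what the operator should do about the record


SAMPLE_DUMPS: Dict[str, str] = {  # constructed, modelled on the thread's containers
    "my.domain.de": """\
  Name=@, Records=4, Children=0
    SOA: serial=3, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.my.domain.de., email=hostmaster.my.domain.de. (flags=600000f0, serial=3, ttl=3600)
    NS: dc1.my.domain.de. (flags=600000f0, serial=1, ttl=900)
    A: 192.0.2.1 (flags=600000f0, serial=1, ttl=900)
    A: 192.0.2.2 (flags=600000f0, serial=1, ttl=900)
""",
    "_msdcs.my.domain.de": """\
  Name=@, Records=2, Children=3
    SOA: serial=3, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.my.domain.de., email=hostmaster.my.domain.de. (flags=600000f0, serial=3, ttl=3600)
    NS: dc1.my.domain.de. (flags=600000f0, serial=1, ttl=900)
  Name=11111111-2222-3333-4444-555555555555, Records=1, Children=0
    CNAME: dc2.my.domain.de. (flags=f0, serial=1, ttl=900)
  Name=_ldap._tcp.pdc, Records=1, Children=0
    SRV: dc1.my.domain.de. (389, 0, 100) (flags=f0, serial=1, ttl=900)
  Name=_ldap._tcp.dc, Records=2, Children=0
    SRV: dc1.my.domain.de. (389, 0, 100) (flags=f0, serial=1, ttl=900)
    SRV: dc2.my.domain.de. (389, 0, 100) (flags=f0, serial=1, ttl=900)
""",
}

NODE_RE = re.compile(r"Name=([^,]*), Records=\d+, Children=\d+")
RECORD_RE = re.compile(r"([A-Z]+): (.*?)(?: \(flags=[^)]*\))?$")


def _host(name: str) -> str:
    """Normalise a host name for comparison: lower-case, no trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_dump(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (owner name, record type, data) for every record in one zone dump."""
    owner = "@"
    for raw in text.splitlines():
        line = raw.strip()
        node = NODE_RE.match(line)
        if node:
            owner = node.group(1) or "@"
            continue
        rec = RECORD_RE.match(line)
        if rec:
            yield owner, rec.group(1), rec.group(2)


def audit(dumps: Dict[str, str], old_dc: str, old_ips: Iterable[str], new_dc: str) -> List[Finding]:
    """Return every record that still references the demoted DC, with the fix to apply."""
    old, ips = _host(old_dc), {ip.strip() for ip in old_ips}
    records = {zone: list(parse_dump(text)) for zone, text in dumps.items()}
    # An SRV name that also has a surviving target can simply lose the old entry;
    # if the old DC is the only target (the pdc._msdcs case) it must be repointed.
    survivors = defaultdict(bool)
    for zone, recs in records.items():
        for owner, rtype, data in recs:
            if rtype == "SRV" and _host(data.split(" ", 1)[0]) != old:
                survivors[(zone, owner)] = True
    findings: List[Finding] = []
    for zone, recs in records.items():
        for owner, rtype, data in recs:
            action = None
            if rtype == "SOA":
                ns = re.search(r"\bns=([^,]+)", data)
                if ns and _host(ns.group(1)) == old:
                    action = f"edit SOA: set primary name server (ns=) to {new_dc}"
            elif rtype == "NS" and _host(data) == old:
                action = f"delete NS record; make sure an NS record for {new_dc} exists"
            elif rtype == "A" and data in ips:
                action = "delete A record (address of the demoted DC)"
            elif rtype == "CNAME" and _host(data) == old:
                action = "delete CNAME (objectGUID alias of the demoted DC)"
            elif rtype == "SRV" and _host(data.split(" ", 1)[0]) == old:
                action = ("delete SRV record (a surviving DC is already registered here)"
                          if survivors[(zone, owner)]
                          else f"repoint SRV target to {new_dc} (it is the only target)")
            if action:
                findings.append(Finding(zone, owner, rtype, data, action))
    return findings


def delete_commands(findings: Iterable[Finding], server: str) -> List[str]:
    """`samba-tool dns delete` lines for the single-value types (NS, A, CNAME);
    SOA and SRV are left to the operator, since the thread's answer is to edit them."""
    return [f"samba-tool dns delete {server} {f.zone} {f.name} {f.rtype} {f.data}"
            for f in findings if f.rtype in ("NS", "A", "CNAME")]
```

Run `audit(SAMPLE_DUMPS, "dc1.my.domain.de", ["192.0.2.1"], "dc2.my.domain.de")` and print the findings: the two SOA records and two NS records come back with edit/delete actions, the apex A record for the old address is flagged for deletion, `_ldap._tcp.pdc` is flagged for repointing because dc1 is its only target, while `_ldap._tcp.dc` is flagged for plain deletion because dc2 already has its own SRV there. The CNAME pointing at dc2 and the A record for dc2's address are left alone. Feeding real dumps means capturing `samba-tool dns query` output for each zone and each `_msdcs` subzone into the dictionary; delete the NS/A/CNAME residuals first, then edit the SOA and the lone SRV, and run `samba_dnsupdate --verbose` on the surviving DC afterwards to confirm the "couldn't get address" error from the log is gone.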
