[Samba] Demote a dead PDC: residuals in "DNS" console

Rowland Penny rowlandpenny241155 at gmail.com
Thu Oct 29 15:05:51 UTC 2015


On 29/10/15 12:54, mathias dufresne wrote:
> Thank you for the hint to this VBS script. In fact I already saw it, but I'm not
> too confident in my VB knowledge, so I didn't use that script, preferring to
> rely on Samba commands and shell scripts to work around issues.
>
> You spoke about SOA record which wasn't changed, same here. There is
> another DNS record I had to change: _ldap._tcp.pdc._msdcs.samba.domain.tld.
>
> I spoke about removing removed DCs from sites, and the command to do that
> could be:
> ldbdel -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' \
>   CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
> Deleted 1 record
>
> To get a list of all contents in sites:
> ldbsearch -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' 'cn=*' dn
>
> This will list all entries in "sites" container.
>
> Looking into CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld:
> ldbsearch -H $sam \
>   -b 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' \
>   'cn=*' dn
>
> There are 4 entries in that container per declared DC in the site. Only the
> one mentioned earlier had to be removed manually; the three others should
> have been removed during the demote process, as I didn't remove them myself
> and they weren't present before I manually performed the mentioned clean-up.
>
> Cheers,
>
> mathias
>
>
> 2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
>> Hi mathias,
>>
>> thanks for the heads-up! However, my AD Sites and Services is clear, too.
>> I followed the suggestion here
>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>> to use this
>>
>> http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
>> script.
>>
>> Copy the contents of the "Visual Basic" box to a text file and rename it
>> to "something.vbs". Run the vb script as admin e.g. on a Win 7 64 bit
>> (worked for me) domain member client being logged on as "Administrator".
>> This removed my former PDC from ADUC and ADSS.
>>
>> Best,
>> Ole
>>
>>
>>
>> Am 29.10.2015 um 12:16 schrieb mathias dufresne:
>>
>>> Hi,
>>>
>>> I played with demote recently on a test AD domain composed with Samba
>>> version 4.3.0 and 4.3.1. I demoted all version 4.3.0.
>>>
>>> I was facing the same issue as you. I wrote long mails here to explain how I
>>> managed that. My DNS looks clear now.
>>>
>>> Today I played with AD sites and I found all demoted DCs in the default site.
>>> They weren't removed from the DNS DB nor here. For now I have no idea how to
>>> get rid of these DCs in my sites configuration without ADUC.
>>>
>>> So you should have a look into your AD Sites configuration tool to check if
>>> they were correctly removed.
>>>
>>> Cheers,
>>>
>>> mathias
>>>
>>>
>>> 2015-10-29 10:01 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>
>>>> Ok, I made a backup following the Samba wiki and then did this. Had to
>>>> wait a bit between updating the SOAs because I got a strange error message
>>>> saying that a time value for the non-update of some resource cleanup wasn't
>>>> set. But a few minutes later I could update the second SOA as well, and now
>>>> the Samba log is clean.
>>>>
>>>> Ole
>>>>
>>>>
>>>>
>>>> Am 28.10.2015 um 16:42 schrieb Ole Traupe:
>>>>
>>>>> Hi,
>>>>>
>>>>> I demoted my PDC (DC1) forcefully, because replication (among others)
>>>>> wasn't working anymore due to hard disk failure and I was afraid of
>>>>> spending a lot of time on nothing.
>>>>>
>>>>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), restarted Samba,
>>>>> and found errors in the samba log due to the missing DC1.
>>>>>
>>>>> I removed the two DNS entries created according to this site:
>>>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>>>> I applied the script suggested here:
>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>> This removed the DC1 entry in ADUC and "Active Directory Sites and
>>>>> Services".
>>>>>
>>>>> However, the error persists (10 minute interval; sanitized):
>>>>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for 'dc1.my.domain.de': not found
>>>>>
>>>>> Likely due to further DNS entries, the last-mentioned site suggests
>>>>> removing them by hand. Most of the containers in the DNS console have only
>>>>> duplicate entries for DC1/2, so no problem. However, 3 don't:
>>>>>
>>>>>
>>>>> (removed subfolder and client PC entries; sanitized, translated where
>>>>> necessary GR->EN)
>>>>>
>>>>>
>>>>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>>>>
>>>>> Name                          Type                          Data                                              Time stamp
>>>>> (identical to parent folder)  Source of Authority (SOA)     [3], dc1.my.domain.de., hostmaster.my.domain.de.  28.10.2015 15:00:00
>>>>> (identical to parent folder)  Nameserver (NS)               dc1.my.domain.de.                                 Static
>>>>> (identical to parent folder)  Host (A)                      IP__of__DC1                                       Static
>>>>> (identical to parent folder)  Host (A)                      IP__of__DC2                                       Static
>>>>> DC2                           Host (A)                      130.149.34.118                                    29.07.2015 13:00:00
>>>>>
>>>>>
>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>>>>
>>>>> Name                          Type                          Data                                              Time stamp
>>>>> (identical to parent folder)  Source of Authority (SOA)     [3], dc1.my.domain.de., hostmaster.my.domain.de.  28.10.2015 15:00:00
>>>>> (identical to parent folder)  Nameserver (NS)               dc1.my.domain.de.                                 Static
>>>>> objectGUID__of__DC2           Alias (CNAME)                 DC2.my.domain.de.                                 29.07.2015 13:00:00
>>>>>
>>>>>
>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>>>>
>>>>> Name                          Type                          Data                                              Time stamp
>>>>> _ldap                         Service Identification (SRV)  [0][100][389] dc1.my.domain.de.                   Static
>>>>>
>>>>>
>>>>> What to do in these cases? Is it safe to open the properties of the
>>>>> non-duplicate entries and replace DC1 with DC2?
>>>>>
>>>>> Ole
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>

If anybody is using the reverse zone, have they checked this after
demoting a dead DC?

Rowland
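What the thread does record by record in the DNS console (SOA, apex NS and A, the objectGUID CNAME in _msdcs, the _ldap._tcp.pdc SRV) can be enumerated from the surviving DC instead. The script below is an added example, not code from this thread or from the Samba project: it parses the dump that `samba-tool dns query <server> <zone> @ ALL` prints and emits, for review before anything is run, the `samba-tool dns delete` and `samba-tool dns update` commands for every record that still names the dead DC, the reverse-zone PTR included. The host names, the address, the GUID and the three zone dumps are constructed sample values, and the record data strings are copied from the dump unchanged so the old-data argument of `update`/`delete` matches what is stored.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Samba project.
# Feed it the dump that `samba-tool dns query <server> <zone> @ ALL` prints on
# the surviving DC; it emits the samba-tool commands that delete every record
# still naming the demoted DC, or repoint the two that must exist exactly once
# (the zone SOA and _ldap._tcp.pdc) at the DC that now holds the PDC emulator.
# All host names, addresses and the GUID below are assumed sample values.

SERVER="dc2.my.domain.de"   # surviving DC the RPC is sent to (assumption)
DEAD="dc1.my.domain.de"     # the demoted/dead DC (assumption)
DEAD_IP="192.0.2.10"        # its old address (constructed, TEST-NET-1)
LIVE="dc2.my.domain.de."    # new PDC emulator, dotted as the dump writes names

# usage: stale_commands ZONE  < dump-of-that-zone
stale_commands() {
  awk -v server="$SERVER" -v zone="$1" -v dead="$DEAD" -v dead_ip="$DEAD_IP" -v live="$LIVE" '
    function clean(s) { sub(/,$/, "", s); return s }                     # "x,"     -> "x"
    function val(s)   { sub(/^[A-Za-z]+=/, "", s); return clean(s) }     # "key=x," -> "x"
    function host(s)  { s = tolower(clean(s)); sub(/\.$/, "", s); return s }  # canonical FQDN
    function emit(action, name, type, data) {
      printf "samba-tool dns %s %s %s %s %s %s -U Administrator\n", action, server, zone, name, type, data
    }
    BEGIN { dead = host(dead) }
    # node header "  Name=_ldap._tcp.pdc, Records=1, Children=0"; an empty name is the apex (@)
    /^ *Name=/ { name = val($1); if (name == "") name = "@"; next }
    # SOA: samba-tool takes "ns email serial refresh retry expire minttl"; every field but
    # ns is copied from the dump so the old-data argument matches the stored record
    $1 == "SOA:" {
      ns = val($7)
      if (host(ns) == dead) {
        rest = val($8) " " val($2) " " val($3) " " val($4) " " val($5) " " val($6)
        emit("update", name, "SOA", "\"" ns " " rest "\" \"" live " " rest "\"")
      }
      next
    }
    # apex NS, the objectGUID alias in _msdcs, and the PTR in the reverse zone
    $1 == "NS:" || $1 == "CNAME:" || $1 == "PTR:" {
      if (host($2) == dead) emit("delete", name, substr($1, 1, length($1) - 1), $2)
      next
    }
    $1 == "A:" || $1 == "AAAA:" {
      if ($2 == dead_ip) emit("delete", name, substr($1, 1, length($1) - 1), $2)
      next
    }
    # "SRV: target (port, priority, weight) (...)" -> "target port priority weight".
    # Ordinary SRVs of the dead DC go; the single pdc record is repointed instead.
    $1 == "SRV:" {
      if (host($2) != dead) next
      port = $3; gsub(/[(,]/, "", port); prio = clean($4); weight = $5; sub(/\)$/, "", weight)
      old = $2 " " port " " prio " " weight
      if (name == "_ldap._tcp.pdc") emit("update", name, "SRV", "\"" old "\" \"" live " " port " " prio " " weight "\"")
      else emit("delete", name, "SRV", "\"" old "\"")
      next
    }'
}

# Constructed dumps in the samba-tool output format, mirroring the three consoles
# listed in the first mail plus the reverse zone asked about at the end.
forward_dump() { cat <<'EOF'
  Name=, Records=4, Children=1
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.my.domain.de., email=hostmaster.my.domain.de. (flags=600000f0, serial=110, ttl=3600)
    NS: dc1.my.domain.de. (flags=600000f0, serial=110, ttl=900)
    A: 192.0.2.10 (flags=600000f0, serial=110, ttl=900)
    A: 192.0.2.11 (flags=600000f0, serial=110, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 192.0.2.11 (flags=f0, serial=110, ttl=900)
EOF
}
msdcs_dump() { cat <<'EOF'
  Name=, Records=2, Children=3
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.my.domain.de., email=hostmaster.my.domain.de. (flags=600000f0, serial=110, ttl=3600)
    NS: dc1.my.domain.de. (flags=600000f0, serial=110, ttl=900)
  Name=11111111-2222-3333-4444-555555555555, Records=1, Children=0
    CNAME: dc1.my.domain.de. (flags=f0, serial=110, ttl=900)
  Name=_ldap._tcp.dc, Records=2, Children=0
    SRV: dc1.my.domain.de. (389, 0, 100) (flags=f0, serial=110, ttl=900)
    SRV: dc2.my.domain.de. (389, 0, 100) (flags=f0, serial=110, ttl=900)
  Name=_ldap._tcp.pdc, Records=1, Children=0
    SRV: dc1.my.domain.de. (389, 0, 100) (flags=f0, serial=110, ttl=900)
EOF
}
reverse_dump() { cat <<'EOF'
  Name=10, Records=1, Children=0
    PTR: dc1.my.domain.de. (flags=f0, serial=110, ttl=900)
  Name=11, Records=1, Children=0
    PTR: dc2.my.domain.de. (flags=f0, serial=110, ttl=900)
EOF
}

# Everything that still names dc1 across the forward, _msdcs and reverse zones
all_stale_commands() {
  forward_dump | stale_commands my.domain.de
  msdcs_dump   | stale_commands _msdcs.my.domain.de
  reverse_dump | stale_commands 2.0.192.in-addr.arpa
}

all_stale_commands
```

Read the output before running it on the surviving DC, then run `samba_dnsupdate --verbose` there so it registers its own records. Two caveats: if the dump already shows the surviving DC's own `_ldap._tcp.pdc` entry, delete the dead one instead of updating it, or the zone ends up with two; and the script only knows the one address you give it, so a dead DC with several addresses or an AAAA record needs a second pass with each.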



