[Samba] Demote a dead PDC: residuals in "DNS" console

James lingpanda101 at gmail.com
Fri Oct 30 12:33:36 UTC 2015


On 10/29/2015 9:56 AM, Ole Traupe wrote:
>
>
> Am 29.10.2015 um 14:37 schrieb James:
>> On 10/29/2015 9:15 AM, Ole Traupe wrote:
>>>
>>>
>>> Am 29.10.2015 um 13:54 schrieb mathias dufresne:
>>>> Thank you for the hint to this VBS script. In fact I already saw it, but I'm not
>>>> too confident in my VB knowledge, so I didn't use that script, preferring to
>>>> rely on Samba commands and shell scripts to work around issues.
>>>>
>>>> You spoke about SOA record which wasn't changed, same here. There is
>>>> another DNS record I had to change: 
>>>> _ldap._tcp.pdc._msdcs.samba.domain.tld.
>>>
>>> Yes, I can confirm that I had to change that one, too.
>>>
>>>>
>>>> I spoke about removing removed DCs from sites, and the command to do that
>>>> could be:
>>>> ldbdel -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
>>>> Deleted 1 record
>>>>
>>>> To get the list of all contents in sites:
>>>> ldbsearch -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' cn=* dn
>>>>
>>>> This will list all entries in the "sites" container.
>>>>
>>>> Looking into CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld:
>>>> ldbsearch -H $sam -b 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' cn=* dn
>>>>
>>>> There are 4 entries in that container per declared DC in the site. Only the
>>>> one mentioned earlier had to be removed manually; the three others should
>>>> have been removed during the demote process, as I didn't remove them
>>>> myself and they weren't present before I manually performed the mentioned clean up.
>>>
>>> Thank you for the further details. I can't really say anything about 
>>> these entries or commands. There was only one entry in the ADSS 
>>> console for my former PDC, and the script got rid of that.
>>>
>>> Best,
>>> Ole
>>>
>>>
>>>>
>>>> Cheers,
>>>>
>>>> mathias
>>>>
>>>>
>>>> 2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>
>>>>> Hi mathias,
>>>>>
>>>>> thanks for the heads-up! However, my AD Sites and Services is 
>>>>> clear, too.
>>>>> I followed the suggestion here
>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>> to use this
>>>>>
>>>>> http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content 
>>>>>
>>>>> script.
>>>>>
>>>>> Copy the contents of the "Visual Basic" box to a text file and 
>>>>> rename it
>>>>> to "something.vbs". Run the vb script as admin e.g. on a Win 7 64 bit
>>>>> (worked for me) domain member client being logged on as 
>>>>> "Administrator".
>>>>> This removed my former PDC from ADUC and ADSS.
>>>>>
>>>>> Best,
>>>>> Ole
>>>>>
>>>>>
>>>>>
>>>>> Am 29.10.2015 um 12:16 schrieb mathias dufresne:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I played with demote recently on a test AD domain composed with 
>>>>>> Samba
>>>>>> version 4.3.0 and 4.3.1. I demoted all version 4.3.0.
>>>>>>
>>>>>> I was facing the same issue as you. I wrote long mails here to
>>>>>> explain how I managed that. My DNS looks clear now.
>>>>>>
>>>>>> Today I played with AD sites and I found in default sites all 
>>>>>> demoted DC.
>>>>>> They weren't removed from DNS DB nor here. For now I have no idea 
>>>>>> how to
>>>>>> get rid of these DC in my sites configuration without ADUC.
>>>>>>
>>>>>> So you should have a look into your AD Sites configuration tool 
>>>>>> to check
>>>>>> if
>>>>>> they were correctly removed.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> mathias
>>>>>>
>>>>>>
>>>>>> 2015-10-29 10:01 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>>>
>>>>>>> Ok, I made a backup following the Samba wiki and then did this. 
>>>>>>> Had to
>>>>>>> wait a bit between updating the SOA's because I got a strange error
>>>>>>> message
>>>>>>> saying that a time value for the non-update of some resource 
>>>>>>> cleanup
>>>>>>> wasn't
>>>>>>> set. But a few minutes later I could update the second SOA as 
>>>>>>> well, and
>>>>>>> now
>>>>>>> the Samba log is clean.
>>>>>>>
>>>>>>> Ole
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Am 28.10.2015 um 16:42 schrieb Ole Traupe:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I demoted my PDC (DC1) forcefully, because replication (among 
>>>>>>>> others)
>>>>>>>> wasn't working anymore due to hard disk failure and I was 
>>>>>>>> afraid of
>>>>>>>> spending a lot of time on nothing.
>>>>>>>>
>>>>>>>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), restarted
>>>>>>>> Samba,
>>>>>>>> and found errors in the samba log due to the missing DC1.
>>>>>>>>
>>>>>>>> I removed the two DNS entries created according to this site:
>>>>>>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins 
>>>>>>>>
>>>>>>>> I applied the script suggested here:
>>>>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>>>>> This removed the DC1 entry in ADUC and "Active Directory Sites and
>>>>>>>> Services".
>>>>>>>>
>>>>>>>> However, the error persists (10 minute interval; sanitized):
>>>>>>>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for 'dc1.my.domain.de': not found
>>>>>>>>
>>>>>>>> Likely due to further DNS entries, the last-mentioned site 
>>>>>>>> suggests to
>>>>>>>> remove them by hand. Most of the containers in the DNS console 
>>>>>>>> have only
>>>>>>>> duplicate entries for DC1/2, so no problem. However, 3 don't:
>>>>>>>>
>>>>>>>>
>>>>>>>> (removed subfolder and client PC entries; sanitized, translated 
>>>>>>>> where
>>>>>>>> necessary GR->EN)
>>>>>>>>
>>>>>>>>
>>>>>>>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>>>>>>>
>>>>>>>> Name                          Type                          Data                                              Time stamp
>>>>>>>> (identical to parent folder)  Source of Authority (SOA)     [3], dc1.my.domain.de., hostmaster.my.domain.de.  28.10.2015 15:00:00
>>>>>>>> (identical to parent folder)  Nameserver (NS)               dc1.my.domain.de.                                 Static
>>>>>>>> (identical to parent folder)  Host (A)                      IP__of__DC1                                       Static
>>>>>>>> (identical to parent folder)  Host (A)                      IP__of__DC2                                       Static
>>>>>>>> DC2                           Host (A)                      130.149.34.118                                    29.07.2015 13:00:00
>>>>>>>>
>>>>>>>>
>>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>>>>>>>
>>>>>>>> Name                          Type                          Data                                              Time stamp
>>>>>>>> (identical to parent folder)  Source of Authority (SOA)     [3], dc1.my.domain.de., hostmaster.my.domain.de.  28.10.2015 15:00:00
>>>>>>>> (identical to parent folder)  Nameserver (NS)               dc1.my.domain.de.                                 Static
>>>>>>>> objectGUID__of__DC2           Alias (CNAME)                 DC2.my.domain.de.                                 29.07.2015 13:00:00
>>>>>>>>
>>>>>>>>
>>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>>>>>>>
>>>>>>>> Name                          Type                          Data                                              Time stamp
>>>>>>>> _ldap                         Service Identification (SRV)  [0][100][389] dc1.my.domain.de.                   Static
>>>>>>>>
>>>>>>>>
>>>>>>>> What to do in these cases? Is it safe to open the properties of 
>>>>>>>> the
>>>>>>>> non-duplicate entries and replace DC1 with DC2?
>>>>>>>>
>>>>>>>> Ole
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>>>>
>>>
>>>
>> When I demoted DCs in the past, I used ADSS, ADUC and ADSI to delete 
>> all traces. ADSI was necessary to delete all NTDS traces. This was on 
>> Samba 4.0.X versions. I take it you have no replication issues 
>> pointing to the old DC either?
>>
>
> I had a replication issue (connection attempt with the demoted DC) 
> before I ran the script from the wiki. I wasn't able to delete ADUC 
> and ADSS entries for the DC by hand.
>
> What did you do in ADSI?
>
>
>
I deleted the demoted DC as well as its NTDS settings from its Site. I 
then went into all other DCs and deleted the automatically generated 
KCC connections pointing to the demoted DC. These are located inside the 
NTDS settings container.

Normally you can do this from inside ADSS. However, I would receive an 
error. That's why I had to use ADSI.

-- 
-James
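As an added example (not code from this thread or from the Samba project), here is a Python helper that reads the LDIF that `ldbsearch -H $sam -b 'cn=sites,CN=Configuration,...'` prints for the Sites container and lists the objects that still reference a demoted DC, in the order they can be deleted without recursive deletion: the KCC connection objects James mentions (whose fromServer points at the dead DC's NTDS Settings), then NTDS Settings, then the server object itself. The sample LDIF, domain and DC names are constructed.

```python
import re

# Constructed sample modelled on ldbsearch LDIF output; DC1 is the demoted DC, DC2 survives.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld"
SAMPLE_LDIF = f"""\
# record 1
dn: CN=DC1,{SITE}
objectClass: server

dn: CN=NTDS Settings,CN=DC1,{SITE}
objectClass: nTDSDSA

dn: CN=0c5e1f3a-0000-4000-8000-000000000001,CN=NTDS Settings,CN=DC2,{SITE}
objectClass: nTDSConnection
fromServer: CN=NTDS Settings,CN=DC1,
 {SITE}

# returned 3 records
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})], unfolding LDIF continuation lines (leading space)."""
    result = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        dn, attrs = "", {}
        for line in block.splitlines():
            if line.startswith("#"):           # ldbsearch's '# record N' / '# returned N' lines
                continue
            key, _, value = line.partition(":")
            value = value.lstrip(":").strip()  # '::' (base64) values are kept opaque
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn:
            result.append((dn, attrs))
    return result

def stale_site_refs(ldif_text, dc_name):
    """Objects still referring to dc_name, deepest DN first: the order in which ldbdel
    can remove them (KCC connection objects, then NTDS Settings, then the server)."""
    tag = f"cn={dc_name.lower()},cn=servers,"
    found = []
    for dn, attrs in parse_ldif(ldif_text):
        if tag in dn.lower():
            found.append((dn, "server object of the demoted DC, or a child of it"))
        elif any(tag in v.lower() for v in attrs.get("fromServer", [])):
            found.append((dn, "KCC connection whose fromServer points at the demoted DC"))
    return sorted(found, key=lambda e: len(re.split(r"(?<!\\),", e[0])), reverse=True)
```

Run `stale_site_refs(open("sites.ldif").read(), "DC1")` against a saved ldbsearch dump to get the list of DNs to pass to ldbdel, top to bottom.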



