[Samba] Demote a dead PDC: residuals in "DNS" console
Ole Traupe
ole.traupe at tu-berlin.de
Fri Oct 30 13:19:33 UTC 2015
On 30.10.2015 at 13:33, James wrote:
> On 10/29/2015 9:56 AM, Ole Traupe wrote:
>>
>>
>> On 29.10.2015 at 14:37, James wrote:
>>> On 10/29/2015 9:15 AM, Ole Traupe wrote:
>>>>
>>>>
>>>> On 29.10.2015 at 13:54, mathias dufresne wrote:
>>>>> Thank you for the hint to this VBS script. In fact I already saw it,
>>>>> but I'm not too confident in my VB knowledge, so I didn't use that
>>>>> script, preferring to rely on Samba commands and shell scripts to work
>>>>> around issues.
>>>>>
>>>>> You spoke about SOA record which wasn't changed, same here. There is
>>>>> another DNS record I had to change:
>>>>> _ldap._tcp.pdc._msdcs.samba.domain.tld.
>>>>
>>>> Yes, I can confirm that I had to change that one, too.
>>>>
>>>>>
>>>>> I spoke about removing removed DCs from sites, and the command to
>>>>> do that could be:
>>>>> ldbdel -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
>>>>>
>>>>> Deleted 1 record
>>>>>
>>>>> To get a list of all contents in sites:
>>>>> ldbsearch -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' cn=* dn
>>>>>
>>>>> This will list all entries in the "sites" container.
>>>>>
>>>>> Looking into
>>>>> CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld:
>>>>> ldbsearch -H $sam -b 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' cn=* dn
>>>>>
>>>>> There are 4 entries in that container per declared DC in the site.
>>>>> Only the one mentioned earlier had to be removed manually; the three
>>>>> others should have been removed during the demote process, as I didn't
>>>>> remove them myself and they weren't present before I manually performed
>>>>> the mentioned clean-up.
>>>>
>>>> Thank you for the further details. I can't really say anything
>>>> about these entries or commands. There was only one entry in the
>>>> ADSS console for my former PDC, and the script got rid of that.
>>>>
>>>> Best,
>>>> Ole
>>>>
>>>>
>>>>>
>>>>> Cheers,
>>>>>
>>>>> mathias
>>>>>
>>>>>
>>>>> 2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>>
>>>>>> Hi mathias,
>>>>>>
>>>>>> thanks for the heads-up! However, my AD Sites and Services is
>>>>>> clear, too.
>>>>>> I followed the suggestion here
>>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>>> to use this
>>>>>>
>>>>>> http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
>>>>>>
>>>>>> script.
>>>>>>
>>>>>> Copy the contents of the "Visual Basic" box to a text file and
>>>>>> rename it to "something.vbs". Run the VB script as admin, e.g. on a
>>>>>> Win 7 64-bit domain member client (worked for me), being logged on as
>>>>>> "Administrator". This removed my former PDC from ADUC and ADSS.
>>>>>>
>>>>>> Best,
>>>>>> Ole
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 29.10.2015 at 12:16, mathias dufresne wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I played with demote recently on a test AD domain composed of Samba
>>>>>>> versions 4.3.0 and 4.3.1. I demoted all version 4.3.0.
>>>>>>>
>>>>>>> I was facing the same issue as you. I wrote long mails here to
>>>>>>> explain how I managed that. My DNS looks clear now.
>>>>>>>
>>>>>>> Today I played with AD sites and I found all demoted DCs in the
>>>>>>> default site. They weren't removed from the DNS DB nor here. For now
>>>>>>> I have no idea how to get rid of these DCs in my sites configuration
>>>>>>> without ADUC.
>>>>>>>
>>>>>>> So you should have a look into your AD Sites configuration tool to
>>>>>>> check if they were correctly removed.
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> mathias
>>>>>>>
>>>>>>>
>>>>>>> 2015-10-29 10:01 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>>>>
>>>>>>>> Ok, I made a backup following the Samba wiki and then did this.
>>>>>>>> Had to wait a bit between updating the SOAs because I got a strange
>>>>>>>> error message saying that a time value for the non-update of some
>>>>>>>> resource cleanup wasn't set. But a few minutes later I could update
>>>>>>>> the second SOA as well, and now the Samba log is clean.
>>>>>>>>
>>>>>>>> Ole
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 28.10.2015 at 16:42, Ole Traupe wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> I demoted my PDC (DC1) forcefully, because replication (among
>>>>>>>>> others) wasn't working anymore due to hard disk failure and I was
>>>>>>>>> afraid of spending a lot of time on nothing.
>>>>>>>>>
>>>>>>>>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), restarted
>>>>>>>>> Samba, and found errors in the samba log due to the missing DC1.
>>>>>>>>>
>>>>>>>>> I removed the two DNS entries created according to this site:
>>>>>>>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>>>>>>>>
>>>>>>>>> I applied the script suggested here:
>>>>>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>>>>>> This removed the DC1 entry in ADUC and "Active Directory Sites and
>>>>>>>>> Services".
>>>>>>>>>
>>>>>>>>> However, the error persists (10 minute interval; sanitized):
>>>>>>>>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for 'dc1.my.domain.de': not found
>>>>>>>>>
>>>>>>>>> Likely due to further DNS entries; the last-mentioned site
>>>>>>>>> suggests to remove them by hand. Most of the containers in the DNS
>>>>>>>>> console have only duplicate entries for DC1/2, so no problem.
>>>>>>>>> However, 3 don't:
>>>>>>>>>
>>>>>>>>> (removed subfolder and client PC entries; sanitized, translated
>>>>>>>>> where necessary GR->EN)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>>>>>>>>
>>>>>>>>> Name                          Type                          Data                                              Time stamp
>>>>>>>>> (identical to parent folder)  Source of Authority (SOA)     [3], dc1.my.domain.de., hostmaster.my.domain.de.  28.10.2015 15:00:00
>>>>>>>>> (identical to parent folder)  Nameserver (NS)               dc1.my.domain.de.                                 Static
>>>>>>>>> (identical to parent folder)  Host (A)                      IP__of__DC1                                       Static
>>>>>>>>> (identical to parent folder)  Host (A)                      IP__of__DC2                                       Static
>>>>>>>>> DC2                           Host (A)                      130.149.34.118                                    29.07.2015 13:00:00
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>>>>>>>>
>>>>>>>>> Name                          Type                          Data                                              Time stamp
>>>>>>>>> (identical to parent folder)  Source of Authority (SOA)     [3], dc1.my.domain.de., hostmaster.my.domain.de.  28.10.2015 15:00:00
>>>>>>>>> (identical to parent folder)  Nameserver (NS)               dc1.my.domain.de.                                 Static
>>>>>>>>> objectGUID__of__DC2           Alias (CNAME)                 DC2.my.domain.de.                                 29.07.2015 13:00:00
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>>>>>>>>
>>>>>>>>> Name                          Type                          Data                                              Time stamp
>>>>>>>>> _ldap                         Service Identification (SRV)  [0][100][389] dc1.my.domain.de.                   Static
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> What to do in these cases? Is it safe to open the properties
>>>>>>>>> of the
>>>>>>>>> non-duplicate entries and replace DC1 with DC2?
>>>>>>>>>
>>>>>>>>> Ole
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>
>>>>>>>>
>>>>
>>>>
>>> When I demoted DCs in the past, I used ADSS, ADUC and ADSI to
>>> delete all traces. ADSI was necessary to delete all NTDS traces.
>>> This was on Samba 4.0.X versions. I take it you have no replication
>>> issues pointing to the old DC either?
>>>
>>
>> I had a replication issue (connection attempt with the demoted DC)
>> before I ran the script from the wiki. I wasn't able to delete ADUC
>> and ADSS entries for the DC by hand.
>>
>> What did you do in ADSI?
>>
>>
>>
> I deleted the demoted DC as well as its NTDS settings from its Site.
> I then went into all other DCs and deleted the automatically
> generated KCC connections pointing to the demoted DC. These are
> located inside the NTDS settings container.
>
> Normally you can do this from inside ADSS. However, I would receive an
> error. That's why I had to use ADSI.
Good to know. Seems to be gone, too, in my case.
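The thread above boils down to a checklist of places where a forcefully demoted DC leaves residue: the SOA and NS records of the domain and _msdcs zones, the _ldap._tcp.pdc SRV record, the server object under CN=Servers in the site, and the KCC connection objects (nTDSConnection, whose fromServer attribute names the source DC) under the other DCs' NTDS Settings. The POSIX sh script below is an added example, not part of this thread and not Samba's own tooling. It is read-only: it runs the same kind of `samba-tool dns query` and `ldbsearch` enumeration mathias used and filters the output down to whatever still names the old DC, so an admin can see what is left before deciding to delete anything with `ldbdel` or the DNS console. The hostnames, the sam.ldb path, the `--live` switch and both sample outputs are constructed assumptions; the sample outputs only approximate the layout of real `samba-tool dns query` and `ldbsearch` output.

```shell
#!/bin/sh
# Added example (not from the thread): a read-only audit for leftovers of a
# demoted DC in the AD DNS zones and in the Sites container. Hostnames, paths
# and the sample outputs below are constructed assumptions.

OLD_DC="dc1.my.domain.de"       # FQDN of the demoted DC (assumed)
OLD_DC_SHORT="DC1"              # CN of its server object in Sites (assumed)
LIVE_DC="dc2.my.domain.de"      # surviving DC that answers DNS RPC (assumed)
DOMAIN="my.domain.de"
SITES_DN="CN=Sites,CN=Configuration,DC=my,DC=domain,DC=de"
SAM="/usr/local/samba/private/sam.ldb"   # assumed path for a /usr/local/samba build

# Reduce 'samba-tool dns query <server> <zone> @ ALL' output to the SOA, NS,
# SRV and CNAME records that still name the old DC. Prints "<name><TAB><record>"
# per hit; the zone apex (empty Name=) is printed as "@".
stale_dns_records() {
    awk -v old="$1" '
        /^[[:space:]]*Name=/ {
            sub(/^[[:space:]]*Name=/, ""); sub(/,.*/, "")
            name = ($0 == "") ? "@" : $0
            next
        }
        /^[[:space:]]*(SOA|NS|SRV|CNAME):/ && index(tolower($0), tolower(old)) {
            sub(/^[[:space:]]*/, ""); print name "\t" $0
        }'
}

# Reduce 'ldbsearch ... dn fromServer' output to the old DC's own server object
# and any nTDSConnection object whose fromServer still points at it.
stale_site_objects() {
    grep -iE "^(dn|fromServer): .*CN=$1,"
}

# Run on the surviving DC as root; needs samba-tool and ldbsearch on PATH.
run_live_checks() {
    for zone in "$DOMAIN" "_msdcs.$DOMAIN"; do
        echo "== $zone: records still naming $OLD_DC"
        samba-tool dns query "$LIVE_DC" "$zone" @ ALL -P | stale_dns_records "$OLD_DC"
    done
    echo "== Sites: objects still referencing $OLD_DC_SHORT"
    ldbsearch -H "$SAM" -b "$SITES_DN" '(objectClass=*)' dn fromServer \
        | stale_site_objects "$OLD_DC_SHORT"
}

# Constructed sample, in the style of 'samba-tool dns query' output for the
# _msdcs zone: apex SOA/NS still name dc1, the CNAME already points at dc2.
SAMPLE_DNS_QUERY_OUTPUT='  Name=, Records=2, Children=2
    SOA: serial=3, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.my.domain.de., email=hostmaster.my.domain.de. (flags=600000f0, serial=3, ttl=3600)
    NS: dc1.my.domain.de. (flags=600000f0, serial=3, ttl=900)
  Name=00000000-0000-0000-0000-0000000000a2, Records=1, Children=0
    CNAME: dc2.my.domain.de. (flags=f0, serial=3, ttl=900)
  Name=_ldap._tcp.pdc, Records=1, Children=0
    SRV: dc1.my.domain.de. (389, 0, 100) (flags=f0, serial=3, ttl=900)'

# Constructed sample, in the style of 'ldbsearch ... dn fromServer' output.
SAMPLE_SITES_OUTPUT='# record 1
dn: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=de

# record 2
dn: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=de

# record 3
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=de

# record 4
dn: CN=00000000-0000-0000-0000-000000000001,CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=de
fromServer: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=de'

case "${1:-}" in
    --live) run_live_checks ;;
    *)  # offline demonstration on the constructed samples
        printf '%s\n' "$SAMPLE_DNS_QUERY_OUTPUT" | stale_dns_records "$OLD_DC"
        printf '%s\n' "$SAMPLE_SITES_OUTPUT" | stale_site_objects "$OLD_DC_SHORT" ;;
esac
```

Run without arguments it filters the embedded samples and reports the apex SOA and NS, the pdc SRV record, the DC1 server object and the one connection object whose fromServer still names DC1; with `--live` it runs the real queries on the surviving DC. The SOA line is reported even though the console only shows the primary name server in its data column, which is exactly the record Ole and mathias both had to edit by hand; anything the script prints after a clean demote is a candidate for the manual removal the wiki page describes.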