[Samba] Demote a dead PDC: residuals in "DNS" console

James lingpanda101 at gmail.com
Fri Oct 30 13:56:32 UTC 2015


On 10/30/2015 9:19 AM, Ole Traupe wrote:
>
>
> On 10/30/2015 at 13:33, James wrote:
>> On 10/29/2015 9:56 AM, Ole Traupe wrote:
>>>
>>>
>>> On 10/29/2015 at 14:37, James wrote:
>>>> On 10/29/2015 9:15 AM, Ole Traupe wrote:
>>>>>
>>>>>
>>>>> On 10/29/2015 at 13:54, mathias dufresne wrote:
>>>>>> Thank you for the hint to this VBS script. In fact I already saw it,
>>>>>> but I'm not too confident in my VB knowledge, so I didn't use that
>>>>>> script, preferring to rely on Samba commands and shell scripts to
>>>>>> work around issues.
>>>>>>
>>>>>> You spoke about the SOA record which wasn't changed, same here. There is
>>>>>> another DNS record I had to change: _ldap._tcp.pdc._msdcs.samba.domain.tld.
>>>>>
>>>>> Yes, I can confirm that I had to change that one, too.
>>>>>
>>>>>>
>>>>>> I spoke about removing removed DCs from sites, and the command to
>>>>>> do that could be:
>>>>>> ldbdel -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
>>>>>> Deleted 1 record
>>>>>>
>>>>>> To get a list of all contents in sites:
>>>>>> ldbsearch -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' cn=* dn
>>>>>>
>>>>>> This will list all entries in the "sites" container.
>>>>>>
>>>>>> Looking into CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld:
>>>>>> ldbsearch -H $sam -b 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' cn=* dn
>>>>>>
>>>>>> There are 4 entries in that container per declared DC in the site. Only
>>>>>> the one mentioned earlier had to be removed manually; the three others
>>>>>> should have been removed during the demote process, as I didn't remove
>>>>>> them myself and they weren't present before I manually performed the
>>>>>> mentioned clean-up.
>>>>>
>>>>> Thank you for the further details. I can't really say anything 
>>>>> about these entries or commands. There was only one entry in the 
>>>>> ADSS console for my former PDC, and the script got rid of that.
>>>>>
>>>>> Best,
>>>>> Ole
>>>>>
>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> mathias
>>>>>>
>>>>>>
>>>>>> 2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>>>
>>>>>>> Hi mathias,
>>>>>>>
>>>>>>> thanks for the heads-up! However, my AD Sites and Services is 
>>>>>>> clear, too.
>>>>>>> I followed the suggestion here
>>>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>>>> to use this
>>>>>>>
>>>>>>> http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content 
>>>>>>>
>>>>>>> script.
>>>>>>>
>>>>>>> Copy the contents of the "Visual Basic" box to a text file and rename
>>>>>>> it to "something.vbs". Run the VB script as admin, e.g. on a Win 7
>>>>>>> 64-bit domain member client (worked for me), being logged on as
>>>>>>> "Administrator". This removed my former PDC from ADUC and ADSS.
>>>>>>>
>>>>>>> Best,
>>>>>>> Ole
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 10/29/2015 at 12:16, mathias dufresne wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I played with demote recently on a test AD domain composed of Samba
>>>>>>>> versions 4.3.0 and 4.3.1. I demoted all the 4.3.0 ones.
>>>>>>>>
>>>>>>>> I was facing the same issue as you. I wrote long mails here to explain
>>>>>>>> how I managed that. My DNS looks clear now.
>>>>>>>>
>>>>>>>> Today I played with AD sites and I found all demoted DCs in the default
>>>>>>>> site. They weren't removed from the DNS DB nor from here. For now I
>>>>>>>> have no idea how to get rid of these DCs in my sites configuration
>>>>>>>> without ADUC.
>>>>>>>>
>>>>>>>> So you should have a look into your AD Sites configuration tool to
>>>>>>>> check if they were correctly removed.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> mathias
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-10-29 10:01 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>>>>>
>>>>>>>>> Ok, I made a backup following the Samba wiki and then did this. Had to
>>>>>>>>> wait a bit between updating the SOAs because I got a strange error
>>>>>>>>> message saying that a time value for the non-update of some resource
>>>>>>>>> cleanup wasn't set. But a few minutes later I could update the second
>>>>>>>>> SOA as well, and now the Samba log is clean.
>>>>>>>>>
>>>>>>>>> Ole
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 10/28/2015 at 16:42, Ole Traupe wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> I demoted my PDC (DC1) forcefully, because replication (among others)
>>>>>>>>>> wasn't working anymore due to hard disk failure and I was afraid of
>>>>>>>>>> spending a lot of time on nothing.
>>>>>>>>>>
>>>>>>>>>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), restarted
>>>>>>>>>> Samba, and found errors in the samba log due to the missing DC1.
>>>>>>>>>>
>>>>>>>>>> I removed the two DNS entries created according to this site:
>>>>>>>>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins 
>>>>>>>>>>
>>>>>>>>>> I applied the script suggested here:
>>>>>>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>>>>>>> This removed the DC1 entry in ADUC and "Active Directory Sites and
>>>>>>>>>> Services".
>>>>>>>>>>
>>>>>>>>>> However, the error persists (10 minute interval; sanitized):
>>>>>>>>>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for 'dc1.my.domain.de': not found
>>>>>>>>>>
>>>>>>>>>> Likely due to further DNS entries; the last-mentioned site suggests
>>>>>>>>>> removing them by hand. Most of the containers in the DNS console have
>>>>>>>>>> only duplicate entries for DC1/2, so no problem. However, 3 don't:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> (removed subfolder and client PC entries; sanitized, 
>>>>>>>>>> translated where
>>>>>>>>>> necessary GR->EN)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>>>>>>>>>
>>>>>>>>>> Name                           Type                       Data                                               Time stamp
>>>>>>>>>> (identical to parent folder)   Start of Authority (SOA)   [3], dc1.my.domain.de., hostmaster.my.domain.de.   28.10.2015 15:00:00
>>>>>>>>>> (identical to parent folder)   Nameserver (NS)            dc1.my.domain.de.                                  Static
>>>>>>>>>> (identical to parent folder)   Host (A)                   IP__of__DC1                                        Static
>>>>>>>>>> (identical to parent folder)   Host (A)                   IP__of__DC2                                        Static
>>>>>>>>>> DC2                            Host (A)                   130.149.34.118                                     29.07.2015 13:00:00
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>>>>>>>>>
>>>>>>>>>> Name                           Type                       Data                                               Time stamp
>>>>>>>>>> (identical to parent folder)   Start of Authority (SOA)   [3], dc1.my.domain.de., hostmaster.my.domain.de.   28.10.2015 15:00:00
>>>>>>>>>> (identical to parent folder)   Nameserver (NS)            dc1.my.domain.de.                                  Static
>>>>>>>>>> objectGUID__of__DC2            Alias (CNAME)              DC2.my.domain.de.                                  29.07.2015 13:00:00
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>>>>>>>>>
>>>>>>>>>> Name     Type                     Data                                Time stamp
>>>>>>>>>> _ldap    Service Location (SRV)   [0][100][389] dc1.my.domain.de.     Static
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> What to do in these cases? Is it safe to open the properties 
>>>>>>>>>> of the
>>>>>>>>>> non-duplicate entries and replace DC1 with DC2?
>>>>>>>>>>
>>>>>>>>>> Ole
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>> To unsubscribe from this list go to the following URL and read 
>>>>>>>>> the
>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>> When I demoted DCs in the past, I used ADSS, ADUC and ADSI to delete
>>>> all traces. ADSI was necessary to delete all NTDS traces. This was on
>>>> Samba 4.0.x versions. I take it you have no replication issues pointing
>>>> to the old DC either?
>>>>
>>>
>>> I had a replication issue (connection attempt with the demoted DC)
>>> before I ran the script from the wiki. I wasn't able to delete the ADUC
>>> and ADSS entries for the DC by hand.
>>>
>>> What did you do in ADSI?
>>>
>>>
>>>
>> I deleted the demoted DC as well as its NTDS Settings from its Site. I
>> then went into all other DCs and deleted the automatically generated KCC
>> connections pointing to the demoted DC. These are located inside the
>> NTDS Settings container.
>>
>> Normally you can do this from inside ADSS. However, I would receive an
>> error. That's why I had to use ADSI.
>
> Good to know. Seems to be gone, too, in my case.
>
>
>
Did you also update the NS record in DNS to point to your new DC, so that
it matches your SOA?

-- 
-James
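The records this thread ends up hunting for by eye (the SOA primary server, the NS record, the `_ldap._tcp.pdc._msdcs` SRV record, and stale A/CNAME entries) can be found mechanically from the output of `samba-tool dns query <server> <zone> @ ALL`. The script below is an added example and is not code from this thread or from the Samba project: it parses a constructed dump that approximates that command's layout (the hostnames dc1/dc2.my.domain.de and the addresses 192.0.2.10/11 are made up), flags every record whose target is the dead DC, and prints the `samba-tool dns update`/`delete` commands for review; nothing is executed. The SOA is only reported, since the thread changed it by hand in the DNS console. Run it once per zone: in Ole's layout `_msdcs.my.domain.de` is a separate zone, so the SRV record would show up there under the name `_ldap._tcp.pdc`.

```python
"""Find DNS records in a Samba AD zone that still point at a demoted DC.

Added example, not code from the thread or from Samba. It parses the text
that `samba-tool dns query <server> <zone> @ ALL` prints (the sample below is
constructed to approximate that layout) and prints the samba-tool commands
that would repoint or remove each stale record. Nothing is executed.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the records in Ole's DNS console listing.
# Hypothetical names/addresses: dc1 is the dead PDC, dc2 the surviving DC.
ZONE_DUMP = """\
  Name=, Records=4, Children=5
    SOA: serial=3, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.my.domain.de., email=hostmaster.my.domain.de. (flags=600000f0, serial=3, ttl=3600)
    NS: dc1.my.domain.de. (flags=600000f0, serial=1, ttl=900)
    A: 192.0.2.10 (flags=600000f0, serial=1, ttl=900)
    A: 192.0.2.11 (flags=600000f0, serial=1, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 192.0.2.11 (flags=f0, serial=2, ttl=900)
  Name=_ldap._tcp.pdc._msdcs, Records=1, Children=0
    SRV: dc1.my.domain.de. (389, 0, 100) (flags=600000f0, serial=1, ttl=900)
"""


@dataclass
class Record:
    name: str    # owner name relative to the zone; "@" for the zone apex
    rtype: str   # SOA, NS, A, CNAME, SRV, ...
    data: str    # record data as printed, without the "(flags=...)" tail


NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=")
REC_RE = re.compile(r"^\s+(?P<type>[A-Z]+): (?P<data>.*?) \(flags=")
SRV_RE = re.compile(r"^(?P<target>\S+) \((?P<port>\d+), (?P<prio>\d+), (?P<weight>\d+)\)$")


def parse_dump(text):
    """Turn the 'Name=...' / '    TYPE: data (flags=...)' listing into Records."""
    records, owner = [], None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            owner = m.group("name") or "@"   # empty name is the zone apex
            continue
        m = REC_RE.match(line)
        if m and owner is not None:
            records.append(Record(owner, m.group("type"), m.group("data")))
    return records


def _host(name):
    """Normalise a DNS name for comparison (drop trailing dot, lower-case)."""
    return name.rstrip(".").lower()


def _soa_primary(data):
    m = re.search(r"\bns=([^,\s]+)", data)
    return m.group(1) if m else ""


def find_stale(records, dead_dc, dead_ip=None):
    """Records whose target is the demoted DC (or, if given, its address)."""
    dead = _host(dead_dc)
    stale = []
    for r in records:
        if r.rtype == "SOA":
            hit = _host(_soa_primary(r.data)) == dead
        elif r.rtype in ("NS", "CNAME", "SRV"):
            hit = _host(r.data.split()[0]) == dead   # first token is the target
        elif r.rtype == "A":
            hit = dead_ip is not None and r.data == dead_ip
        else:
            hit = False
        if hit:
            stale.append(r)
    return stale


def plan_fix(stale, server, zone, live_dc):
    """samba-tool commands to review. NS/SRV are repointed at the live DC;
    a stale A or CNAME (a dead DC's own address or objectGUID alias) is
    deleted; the SOA is reported only. Old data is passed exactly as the
    dump prints it so the update matches the existing record."""
    cmds = []
    for r in stale:
        if r.rtype == "NS":
            cmds.append(f"samba-tool dns update {server} {zone} {r.name} NS {r.data} {live_dc}")
        elif r.rtype == "SRV":
            m = SRV_RE.match(r.data)
            target, port, prio, weight = m.group("target", "port", "prio", "weight")
            cmds.append(f"samba-tool dns update {server} {zone} {r.name} SRV "
                        f"'{target} {port} {prio} {weight}' '{live_dc} {port} {prio} {weight}'")
        elif r.rtype in ("A", "CNAME"):
            cmds.append(f"samba-tool dns delete {server} {zone} {r.name} {r.rtype} {r.data}")
        elif r.rtype == "SOA":
            cmds.append(f"# SOA of {zone} still names {_soa_primary(r.data)} as primary; "
                        f"set it to {live_dc} by hand (e.g. in the DNS console)")
    return cmds


if __name__ == "__main__":
    stale = find_stale(parse_dump(ZONE_DUMP), "dc1.my.domain.de", dead_ip="192.0.2.10")
    for cmd in plan_fix(stale, "dc2", "my.domain.de", "dc2.my.domain.de"):
        print(cmd)
```

Feed it the real dump of each zone (`samba-tool dns query dc2 my.domain.de @ ALL`, then the `_msdcs` zone) and read the printed commands before running any of them; the only one it refuses to generate is the SOA change, which in the thread went through the DNS console.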



