[Samba] Demote a dead PDC: residuals in "DNS" console

Ole Traupe ole.traupe at tu-berlin.de
Fri Oct 30 14:11:40 UTC 2015



On 30.10.2015 at 14:56, James wrote:
> On 10/30/2015 9:19 AM, Ole Traupe wrote:
>>
>>
>> On 30.10.2015 at 13:33, James wrote:
>>> On 10/29/2015 9:56 AM, Ole Traupe wrote:
>>>>
>>>>
>>>> On 29.10.2015 at 14:37, James wrote:
>>>>> On 10/29/2015 9:15 AM, Ole Traupe wrote:
>>>>>>
>>>>>>
>>>>>> On 29.10.2015 at 13:54, mathias dufresne wrote:
>>>>>>> Thank you for the hint to this VBS script. In fact I already saw it 
>>>>>>> but I'm not
>>>>>>> too confident in my VB knowledge, so I didn't use that script, 
>>>>>>> preferring to
>>>>>>> rely on Samba commands and shell scripts to work around issues.
>>>>>>>
>>>>>>> You spoke about SOA record which wasn't changed, same here. 
>>>>>>> There is
>>>>>>> another DNS record I had to change: 
>>>>>>> _ldap._tcp.pdc._msdcs.samba.domain.tld.
>>>>>>
>>>>>> Yes, I can confirm that I had to change that one, too.
>>>>>>
>>>>>>>
>>>>>>> I spoke about removing removed-DCs from sites and the command to 
>>>>>>> do that
>>>>>>> could be:
>>>>>>> ldbdel -H $sam -b 
>>>>>>> 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld'
>>>>>>> CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld 
>>>>>>>
>>>>>>> Deleted 1 record
>>>>>>>
>>>>>>> To get list of all contents in sites:
>>>>>>> ldbsearch -H $sam -b 
>>>>>>> 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld'
>>>>>>> cn=* dn
>>>>>>>
>>>>>>> This will list all entries in "sites" container.
>>>>>>>
>>>>>>> Looking
>>>>>>> into 
>>>>>>> CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld
>>>>>>> ldbsearch -H $sam -b
>>>>>>> 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' 
>>>>>>>
>>>>>>> cn=* dn
>>>>>>>
>>>>>>> There are 4 entries in that container per declared DC in the 
>>>>>>> site. Only the
>>>>>>> one mentioned earlier had to be removed manually; the three 
>>>>>>> others should
>>>>>>> have been removed during the demote process, as I didn't remove them 
>>>>>>> myself and
>>>>>>> they weren't present before I manually performed the mentioned clean up.
>>>>>>
>>>>>> Thank you for the further details. I can't really say anything 
>>>>>> about these entries or commands. There was only one entry in the 
>>>>>> ADSS console for my former PDC, and the script got rid of that.
>>>>>>
>>>>>> Best,
>>>>>> Ole
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> mathias
>>>>>>>
>>>>>>>
>>>>>>> 2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>>>>
>>>>>>>> Hi mathias,
>>>>>>>>
>>>>>>>> thanks for the heads-up! However, my AD Sites and Services is 
>>>>>>>> clear, too.
>>>>>>>> I followed the suggestion here
>>>>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>>>>> to use this
>>>>>>>>
>>>>>>>> http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content 
>>>>>>>>
>>>>>>>> script.
>>>>>>>>
>>>>>>>> Copy the contents of the "Visual Basic" box to a text file and 
>>>>>>>> rename it
>>>>>>>> to "something.vbs". Run the vb script as admin e.g. on a Win 7 
>>>>>>>> 64 bit
>>>>>>>> (worked for me) domain member client being logged on as 
>>>>>>>> "Administrator".
>>>>>>>> This removed my former PDC from ADUC and ADSS.
>>>>>>>>
>>>>>>>> Best,
>>>>>>>> Ole
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 29.10.2015 at 12:16, mathias dufresne wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I played with demote recently on a test AD domain composed 
>>>>>>>>> of Samba
>>>>>>>>> versions 4.3.0 and 4.3.1. I demoted all the 4.3.0 ones.
>>>>>>>>>
>>>>>>>>> I was facing the same issue as you. I wrote long mails here to 
>>>>>>>>> explain how I
>>>>>>>>> managed that. My DNS looks clear now.
>>>>>>>>>
>>>>>>>>> Today I played with AD sites and I found in the default site all 
>>>>>>>>> demoted DCs.
>>>>>>>>> They weren't removed from the DNS DB nor from here. For now I have no 
>>>>>>>>> idea how to
>>>>>>>>> get rid of these DCs in my sites configuration without ADUC.
>>>>>>>>>
>>>>>>>>> So you should have a look at your AD Sites configuration 
>>>>>>>>> tool to check if
>>>>>>>>> they were correctly removed.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> mathias
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-10-29 10:01 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>>>>>>>
>>>>>>>>>> Ok, I made a backup following the Samba wiki and then did 
>>>>>>>>>> this. Had to
>>>>>>>>>> wait a bit between updating the SOA's because I got a strange 
>>>>>>>>>> error
>>>>>>>>>> message
>>>>>>>>>> saying that a time value for the non-update of some resource 
>>>>>>>>>> cleanup
>>>>>>>>>> wasn't
>>>>>>>>>> set. But a few minutes later I could update the second SOA as 
>>>>>>>>>> well, and
>>>>>>>>>> now
>>>>>>>>>> the Samba log is clean.
>>>>>>>>>>
>>>>>>>>>> Ole
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 28.10.2015 at 16:42, Ole Traupe wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>> I demoted my PDC (DC1) forcefully, because replication 
>>>>>>>>>>> (among others)
>>>>>>>>>>> wasn't working anymore due to hard disk failure and I was 
>>>>>>>>>>> afraid of
>>>>>>>>>>> spending a lot of time on nothing.
>>>>>>>>>>>
>>>>>>>>>>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), 
>>>>>>>>>>> restarted
>>>>>>>>>>> Samba,
>>>>>>>>>>> and found errors in the samba log due to the missing DC1.
>>>>>>>>>>>
>>>>>>>>>>> I removed the two DNS entries created according to this site:
>>>>>>>>>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins 
>>>>>>>>>>>
>>>>>>>>>>> I applied the script suggested here:
>>>>>>>>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>>>>>>>>> This removed the DC1 entry in ADUC and "Active Directory 
>>>>>>>>>>> Sites and
>>>>>>>>>>> Services".
>>>>>>>>>>>
>>>>>>>>>>> However, the error persists (10 minute interval; sanitized):
>>>>>>>>>>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get 
>>>>>>>>>>> address for '
>>>>>>>>>>> dc1.my.domain.de': not found
>>>>>>>>>>>
>>>>>>>>>>> Likely due to further DNS entries, the last-mentioned site 
>>>>>>>>>>> suggests to
>>>>>>>>>>> remove them by hand. Most of the containers in the DNS 
>>>>>>>>>>> console have only
>>>>>>>>>>> duplicate entries for DC1/2, so no problem. However, 3 don't:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> (removed subfolder and client PC entries; sanitized, 
>>>>>>>>>>> translated where
>>>>>>>>>>> necessary GR->EN)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>>>>>>>>>>
>>>>>>>>>>> Name                          Type                         Data                                              Time stamp
>>>>>>>>>>> (identical to parent folder)  Source of Authority (SOA)    [3], dc1.my.domain.de., hostmaster.my.domain.de.  28.10.2015 15:00:00
>>>>>>>>>>> (identical to parent folder)  Nameserver (NS)              dc1.my.domain.de.                                 Static
>>>>>>>>>>> (identical to parent folder)  Host (A)                     IP__of__DC1                                       Static
>>>>>>>>>>> (identical to parent folder)  Host (A)                     IP__of__DC2                                       Static
>>>>>>>>>>> DC2                           Host (A)                     130.149.34.118                                    29.07.2015 13:00:00
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>>>>>>>>>>
>>>>>>>>>>> Name                          Type                         Data                                              Time stamp
>>>>>>>>>>> (identical to parent folder)  Source of Authority (SOA)    [3], dc1.my.domain.de., hostmaster.my.domain.de.  28.10.2015 15:00:00
>>>>>>>>>>> (identical to parent folder)  Nameserver (NS)              dc1.my.domain.de.                                 Static
>>>>>>>>>>> objectGUID__of__DC2           Alias (CNAME)                DC2.my.domain.de.                                 29.07.2015 13:00:00
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>>>>>>>>>>
>>>>>>>>>>> Name                          Type                         Data                                              Time stamp
>>>>>>>>>>> _ldap                         Service Identification (SRV) [0][100][389] dc1.my.domain.de.                   Static
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> What to do in these cases? Is it safe to open the properties 
>>>>>>>>>>> of the
>>>>>>>>>>> non-duplicate entries and replace DC1 with DC2?
>>>>>>>>>>>
>>>>>>>>>>> Ole
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>> To unsubscribe from this list go to the following URL and 
>>>>>>>>>> read the
>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>> When I demoted DCs in the past, I used ADSS, ADUC and ADSI to 
>>>>> delete all traces. ADSI was necessary to delete all NTDS traces. 
>>>>> This was on Samba 4.0.X versions. I take it you have no 
>>>>> replication issues pointing to the old DC either?
>>>>>
>>>>
>>>> I had a replication issue (connection attempt with the demoted DC) 
>>>> before I ran the script from the wiki. I wasn't able to delete ADUC 
>>>> and ADSS entries for the DC by hand.
>>>>
>>>> What did you do in ADSI?
>>>>
>>>>
>>>>
>>> I deleted the demoted DC as well as its NTDS settings from its 
>>> Site. I then went into all other DCs and deleted the automatically 
>>> generated KCC connections pointing to the demoted DC. These are 
>>> located inside the NTDS settings container.
>>>
>>> Normally you can do this from inside ADSS. However, I would receive 
>>> an error. That's why I had to use ADSI.
>>
>> Good to know. Seems to be gone, too, in my case.
>>
>>
>>
> Did you also update the NS record in DNS to point to your new DC, so that 
> it matches your SOA?
>
Explain please. Which entry exactly?
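The residual records the thread keeps circling back to (SOA MNAME, NS, and the `_ldap._tcp.pdc._msdcs` SRV record still naming the demoted DC) can be checked mechanically instead of by eye in the DNS console. The script below is an added example and not part of this thread or of Samba; it assumes records in the layout `dig +noall +answer` prints (NAME TTL IN TYPE RDATA), uses the thread's sanitized names `dc1`/`dc2`/`my.domain.de` and a constructed IP as placeholders, and the function names `stale_refs`, `count_stale_refs` and `live_records` are mine. The sample records are constructed to mirror the listing above, once before and once after the cleanup.

```shell
#!/bin/sh
# Added example (not from the thread): scan DNS records for references to a
# demoted DC. Record lines use the `dig +noall +answer` layout:
#   NAME TTL IN TYPE RDATA...
# Host names, zone and IP below are placeholders mirroring the sanitized thread.

# Constructed sample: the state described in the thread. dc1 has been demoted
# but is still named by both SOA MNAMEs, two NS records and the PDC SRV record.
SAMPLE_RECORDS='my.domain.de. 3600 IN SOA dc1.my.domain.de. hostmaster.my.domain.de. 3 900 600 86400 3600
my.domain.de. 900 IN NS dc1.my.domain.de.
my.domain.de. 900 IN NS dc2.my.domain.de.
_msdcs.my.domain.de. 3600 IN SOA dc1.my.domain.de. hostmaster.my.domain.de. 3 900 600 86400 3600
_msdcs.my.domain.de. 900 IN NS dc1.my.domain.de.
_ldap._tcp.pdc._msdcs.my.domain.de. 900 IN SRV 0 100 389 dc1.my.domain.de.
dc2.my.domain.de. 900 IN A 192.0.2.20'

# Constructed sample: the same zones after dc2 replaced dc1 everywhere.
FIXED_RECORDS='my.domain.de. 3600 IN SOA dc2.my.domain.de. hostmaster.my.domain.de. 4 900 600 86400 3600
my.domain.de. 900 IN NS dc2.my.domain.de.
_msdcs.my.domain.de. 3600 IN SOA dc2.my.domain.de. hostmaster.my.domain.de. 4 900 600 86400 3600
_msdcs.my.domain.de. 900 IN NS dc2.my.domain.de.
_ldap._tcp.pdc._msdcs.my.domain.de. 900 IN SRV 0 100 389 dc2.my.domain.de.
dc2.my.domain.de. 900 IN A 192.0.2.20'

# stale_refs OLD_DC   (records on stdin)
# Prints one line per record whose RDATA still names OLD_DC: the SOA MNAME
# (field 5), an NS or CNAME target (field 5) or an SRV target (field 8,
# after priority/weight/port). OLD_DC must be the FQDN with its trailing
# dot, exactly as dig prints it.
stale_refs() {
    awk -v old="$1" '
        $4 == "SOA"   && $5 == old { print $1 " SOA mname " $5 }
        $4 == "NS"    && $5 == old { print $1 " NS " $5 }
        $4 == "CNAME" && $5 == old { print $1 " CNAME " $5 }
        $4 == "SRV"   && $8 == old { print $1 " SRV " $8 }
    '
}

# count_stale_refs OLD_DC   (records on stdin)
# Number of stale records; 0 means the DNS no longer references OLD_DC.
count_stale_refs() {
    stale_refs "$1" | awk 'END { print NR }'
}

# live_records ZONE [SERVER]
# Collect the records the thread identified as risk spots from a running
# DNS server (dig must be installed). Its output is the input of stale_refs:
#   live_records my.domain.de dc2.my.domain.de | stale_refs dc1.my.domain.de.
live_records() {
    zone="$1"
    server="${2:+@$2}"
    for q in "$zone SOA" "$zone NS" "_msdcs.$zone SOA" "_msdcs.$zone NS" \
             "_ldap._tcp.pdc._msdcs.$zone SRV"; do
        # $q and $server are deliberately unquoted: each splits into dig arguments
        dig +noall +answer $server $q
    done
}

main() {
    old="${1:-dc1.my.domain.de.}"
    echo "Sample zones before cleanup, records still naming $old:"
    printf '%s\n' "$SAMPLE_RECORDS" | stale_refs "$old"
    echo "Sample zones after cleanup, count of records naming $old:"
    printf '%s\n' "$FIXED_RECORDS" | count_stale_refs "$old"
}

main "$@"
```

A count of 0 for the demoted DC answers James's question about NS and SOA agreeing, and it also covers the `_ldap._tcp.pdc._msdcs` SRV record mathias had to fix by hand; any line the scan prints is a record to correct in the DNS console (or with `samba-tool dns update`, whose data format is documented in `samba-tool dns --help`) before `samba_dnsupdate` will stop looking up the dead host.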



