[Samba] Demote a working DC fails with uncaught exception

mathias dufresne infractory at gmail.com
Mon Apr 4 09:28:24 UTC 2016

DNS entries related to a DC must be removed when demoting a DC: they are
related to the DC.

Users can add specific DNS entries for their DC; those should not be removed,
as they are manually added, but auto-added DNS entries which are only
related to DC behaviour (_ldap._tcp.*, _kerberos....) must be removed,
as they are used at every client connection when the client searches for
an available DC. Useless DNS entries would generate useless LDAP requests to
the demoted DC (and certainly lots of other things I don't know they are

My opinion in short: auto-generated = auto-removed.

2016-04-02 11:03 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 01/04/16 22:38, spindles7 wrote:
>> Hi Rowland,
>> Have tried your patch, and now the Demote succeeds:
>> root@dc3:~# samba-tool domain demote -Uadministrator
>> Using dc1.microlynx.com as partner server for the demotion
>> Password for [MICROLYNX\administrator]:
>> Deactivating inbound replication
>> Asking partner server dc1.microlynx.com to synchronize from us
>> Changing userControl and container
>> Removing Sysvol reference: CN=DC3,CN=Enterprise,CN=Microsoft System
>> Volumes,CN=System,CN=Configuration,DC=microlynx,DC=com
>> Removing Sysvol reference: CN=DC3,CN=microlynx.com,CN=Microsoft System
>> Volumes,CN=System,CN=Configuration,DC=microlynx,DC=com
>> Removing Sysvol reference: CN=DC3,CN=Domain System Volumes (SYSVOL
>> share),CN=File Replication Service,CN=System,DC=microlynx,DC=com
>> Removing Sysvol reference: CN=DC3,CN=Topology,CN=Domain System
>> Volume,CN=DFSR-GlobalSettings,CN=System,DC=microlynx,DC=com
>> Demote successful
>> root@dc3:~#
>> but it leaves the demoted DC's DNS entries in place. So there's still
>> something missing in the demote process.
>> Thanks,
>> spindles7
> The patch has been pushed, so it is good to get proof that it works :-)
> As for the DNS entries, not sure about this, perhaps another switch
> '--removedns'. This way the entries would only be removed if the machine
> wasn't coming back, some people may turn the machine into a member server
> or similar.
> There is another way of removing a DC from the domain, 'samba-tool domain
> demote' now has a switch '--remove-other-dead-server', this is supposed to
> totally remove everything about a DC from AD, but this is not without its
> problems. The main problem being the SOA record, which, as standard, only
> contains the 'NS' & 'A' records of the first provisioned DC, any subsequent
> DCs do not get added to the SOA (I did propose a patch for this to happen,
> but it never got anywhere, even though it is really needed). So if you
> remove the first DC with 'demote', you do not have a SOA.
> Rowland
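
The distinction discussed in this thread (auto-generated DC locator records versus manually added ones, plus the SOA concern), as an added example that is not part of the original messages or of Samba's code. The zone text is constructed sample data in zone-file presentation format, and the function names and the locator label set (`_ldap`, `_kerberos`, `_kpasswd`, `_gc`) are assumptions of this example.

```python
# Constructed sample records (not real data); dc3 is the demoted DC from the thread.
SAMPLE_ZONE = """\
microlynx.com. 3600 IN SOA dc1.microlynx.com. hostmaster.microlynx.com. 1 900 600 86400 3600
microlynx.com. 900 IN NS dc1.microlynx.com.
_ldap._tcp.microlynx.com. 900 IN SRV 0 100 389 dc1.microlynx.com.
_ldap._tcp.microlynx.com. 900 IN SRV 0 100 389 dc3.microlynx.com.
_kerberos._tcp.microlynx.com. 900 IN SRV 0 100 88 dc3.microlynx.com.
_ldap._tcp.dc._msdcs.microlynx.com. 900 IN SRV 0 100 389 dc3.microlynx.com.
dc3.microlynx.com. 900 IN A 192.0.2.13
files.microlynx.com. 900 IN CNAME dc3.microlynx.com.
"""

# Assumption: first labels of the SRV records a DC registers automatically.
LOCATOR_LABELS = {"_ldap", "_kerberos", "_kpasswd", "_gc"}


def fqdn(name):
    """Normalise a host name to lower case with one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_records(zone_text):
    """Return (owner, type, rdata fields) for each 'name ttl IN type rdata' line."""
    records = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 5 and not f[0].startswith(";"):
            records.append((fqdn(f[0]), f[3].upper(), f[4:]))
    return records


def audit_demoted_dc(zone_text, demoted_host):
    """Sort records that still reference a demoted DC into removal and review lists."""
    host = fqdn(demoted_host)
    report = {"stale_locator": [], "manual_review": [], "soa_on_demoted": False}
    for name, rtype, rdata in parse_records(zone_text):
        if rtype == "SOA":
            # The SOA concern from the thread: is this host the zone's primary?
            report["soa_on_demoted"] |= fqdn(rdata[0]) == host
        elif rtype == "SRV" and fqdn(rdata[-1]) == host:
            # Locator SRV records are auto-generated; other SRV records are not.
            auto = name.split(".")[0] in LOCATOR_LABELS
            report["stale_locator" if auto else "manual_review"].append((name, rtype))
        elif name == host or (rtype in ("NS", "CNAME") and fqdn(rdata[-1]) == host):
            # Host records and admin-added aliases: the machine may stay as a member.
            report["manual_review"].append((name, rtype))
    return report


if __name__ == "__main__":
    print(audit_demoted_dc(SAMPLE_ZONE, "dc3.microlynx.com"))
```
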
