[Samba] Problems removing a SBS 2008 server from a Samba AD DC.

me at tdiehl.org me at tdiehl.org
Tue Aug 28 17:25:18 UTC 2018

On Mon, 27 Aug 2018, Jonathan Hunter via samba wrote:

> Just responding on one point..

Thanks for the update.

> On Mon, 27 Aug 2018 at 21:35, Tom Diehl via samba <samba at lists.samba.org>
> wrote:
>> In addition, I tried running samba-tool dbcheck --cross-ncs --fix
>> that command generates over 400 errors that it claims it is going to fix
>> but
>> it does not.
>> (pht-vdc1 pts9) # samba-tool dbcheck --cross-ncs --fix --yes
>> [...]
>> ERROR: Failed to fix old DN string on attribute
>> msSBSComputerUserAccessOverride : (16, "attribute
>> 'msSBSComputerUserAccessOverride': no matching attribute value while
>> deleting attribute on 'CN=Chris
>> XXXXX,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'")
> I had been bitten by this part in the past, too.
> The 'dbcheck --fix --yes' operation is transactional, i.e. either the whole
> thing (all 400 updates) succeeds, or the whole thing fails (which is what
> you are seeing) and no changes are committed.
> You'll need to run without --yes, and confirm each one individually, I
> think, in order to fix the 399 that are OK.

So I took your suggestion and confirmed each one individually. That got me
from 409 down to 407. :-(
I tried it twice and got the same results.

Below is a sample of the output:
(pht-vdc1 pts8) # samba-tool dbcheck --cross-ncs --fix
Checking 10566 objects
Fix nTSecurityDescriptor on CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=MYCompany Calendar,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=MYCompany Calendar,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=Guests,CN=Builtin,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Guests,CN=Builtin,DC=mydomain,DC=com'


Fix nTSecurityDescriptor on CN=Shop,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Shop,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=ANDREW-PC,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=ANDREW-PC,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=mydomain,DC=com'

Checked 10566 objects (407 errors)
(pht-vdc1 pts9) #

Does anyone have any other ideas how to fix this? I am hoping that if I fix this it will
then let me cleanup the dead Windows DC.


Tom			me at tdiehl.org

More information about the samba mailing list