[Samba] Error removing Windows DC from AD

Pietro Stäheli pietro.staeheli at ngworx.ag
Wed Jun 20 11:13:28 UTC 2018 

Hi,

I'm preparing to move a small business environment away from 
Windows-based AD (Windows Server 2012R2, Domain and Forest downgraded to 
Win2008R2 level) to Samba. So far in my lab environment joining Samba as 
a DC works, including DNS and Sysvol replication.

OS: Debian 9
Samba versions 4.5.12 (Debian repository) and 4.8.2 (latest release 
compiled from source), same behavior on both versions

As the goal is to get rid of the Windows server, I've tried to demote 
the Windows DC by uninstalling Active Directory services from the 
server. This fails with the following error message:

Uninstall-ADDSDomainController : The operation failed because:
Active Directory Domain Services could not find another Active Directory 
Domain Controller to transfer the remaining
data in directory partition DC=ForestDnsZones,DC=example,DC=lan.
"The specified domain either does not exist or could not be contacted."


When I've got more than one Windows AD DCs active, demotion of one or 
the other works fine, but removing the last Windows DC fails.

FSMO roles have all been transferred to the Debian Samba AD (DC3 in this 
case):

# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS 
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan

samba-tool drs showrepl shows no failures.

Is there any further preparation I need to do on the Windows server side 
to make a clean demotion possible? I can force the removal of the 
Windows DC but this led to leftover data in the LDAP database and DNS 
that I have to excise by hand, which I don't find ideal.

I'm thankful for any advice on how to accomplish this.

Best regards,
Pietro

More information about the samba mailing list