[Samba] Error removing Windows DC from AD

Tim Beale timbeale at catalyst.net.nz
Tue Jun 26 05:26:29 UTC 2018


Hi Pietro,

I noticed this problem removing a Windows DC the other day. I've sent a
patch to the samba-technical mailing list that should fix this.
https://lists.samba.org/archive/samba-technical/2018-June/128703.html

I also raised a bug for it: https://bugzilla.samba.org/show_bug.cgi?id=13484

The patch should hopefully be delivered soon. If you feel comfortable
patching the Samba code yourself, you could apply the change yourself
(it's very minor). Otherwise, you could wait a day or two until it's
delivered to master, and then clone the latest samba.git.

Once the change is applied, re-running the 'samba-tool domain demote
--remove-other-dead-server' command should work.

Thanks,
Tim

On 23/06/18 02:55, Pietro Stäheli via samba wrote:
> Hi,
>
> On 20/06/2018 20:38, Andrew Bartlett wrote:
>> To be clear, we don't replicate sysvol, you need to work that out
>> yourself (yes, this sucks).
>>
>
> Right, I'm doing that with Robocopy from the Windows DC initially,
> then with rsync.
>
>>> Is there any further preparation I need to do on the Windows server
>>> side
>>> to make a clean demotion possible? I can force the removal of the
>>> Windows DC but this led to leftover data in the LDAP database and DNS
>>> that I have to excise by hand, which I don't find ideal.
>>>
>>> I'm thankful for any advice on how to accomplish this.
>>
>> samba-tool domain demote --remove-other-dead-server
>>
>
> Unfortunately this causes the following error:
>
> # samba-tool domain demote --remove-other-dead-server=DC
> Removing nTDSConnection:
> CN=6e15b4f5-1863-4259-8817-c7835ed7815e,CN=NTDS
> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
> Removing nTDSDSA: CN=NTDS
> Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
> (and any children)
> ERROR(ldb): uncaught exception - subtree_delete: Unable to delete a
> non-leaf node (it has 1 children)!
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 721, in run
>     remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
>   File "/usr/lib/python2.7/dist-packages/samba/remove_dc.py", line
> 422, in remove_dc
>     remove_dns_account=True)
>   File "/usr/lib/python2.7/dist-packages/samba/remove_dc.py", line
> 350, in offline_remove_ntds_dc
>     remove_dns_account=remove_dns_account)
>   File "/usr/lib/python2.7/dist-packages/samba/remove_dc.py", line
> 229, in offline_remove_server
>     samdb.delete(server_dn)
> A transaction is still active in ldb context [0x560a67adb490] on
> tdb:///var/lib/samba/private/sam.ldb
>
> (never mind that this is now on DC1, not DC3, I've torn down the test
> environment a few times)
>
> Manual removal of
> 'CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan'
> in ADSIEdit didn't go well and caused all replication to break at some
> point. I must be missing something here but I can't quite figure out
> what exactly.
>
> Best regards,
> Pietro Stäheli
>



