[Samba] samba 4.11.16 issue with demoting DC leaving reminants in sam.ldb

Rowland penny rpenny at samba.org
Mon Dec 7 18:54:48 UTC 2020 

On 07/12/2020 18:13, Jason Keltz via samba wrote:
> Hi.
>
> Through a few experiments, I've tried to re-install my secondary 
> domain controller 3 times.  Each time, I demoted the DC, then readded 
> it.  The re-add  works fine, but I now notice that when I use 
> "samba-tool drs uptodateness", It is reporting one unknown invocation 
> ID for each past install:
>
> Unknown invocation ID 50ade4c2-11e2-4d74-9248-362b54ce282a
> Unknown invocation ID c6821a62-0387-4e4b-925e-b76a501a8777
> Unknown invocation ID e78be3c7-788a-4fbb-93f7-2bda7d95683a
> Unknown invocation ID 50ade4c2-11e2-4d74-9248-362b54ce282a
> Unknown invocation ID c6821a62-0387-4e4b-925e-b76a501a8777
> Unknown invocation ID e78be3c7-788a-4fbb-93f7-2bda7d95683a
> Unknown invocation ID 50ade4c2-11e2-4d74-9248-362b54ce282a
> Unknown invocation ID c6821a62-0387-4e4b-925e-b76a501a8777
> Unknown invocation ID e78be3c7-788a-4fbb-93f7-2bda7d95683a
> Unknown invocation ID 50ade4c2-11e2-4d74-9248-362b54ce282a
> Unknown invocation ID c6821a62-0387-4e4b-925e-b76a501a8777
> Unknown invocation ID e78be3c7-788a-4fbb-93f7-2bda7d95683a
> Unknown invocation ID 50ade4c2-11e2-4d74-9248-362b54ce282a
> Unknown invocation ID c6821a62-0387-4e4b-925e-b76a501a8777
> Unknown invocation ID e78be3c7-788a-4fbb-93f7-2bda7d95683a
>
> How do I delete these entries from sam.ldb?
Not sure, I cannot find the attribute in AD, also they are more worrying 
than meaning than anything. The latest code no longer prints them.
>
>
> Previous messages from Andrew B and Rowland say not to use ldbedit to 
> modify the database directly, so I don't want to mess with that.
No, I didn't say that, I said do not modify the files in sam.ldb.d 
directly, if you must modify something, modify the sam.ldb file.
>
>
> samba-tool domain tombstones expunge doesn't help.
>
> I've tried running a dbcheck (though I admittedly had to stop it after 
> awhile because it was very intensive, and even when reniced to lowest 
> priority, it stopped all logins to our system)...
>
> Why is it that when demoting a DC, and following the instructions, 
> these entries don't get deleted automatically? Is this a bug?
No (or if it is, blame Microsoft), the invocationId was meant to aid in 
restoring an individual DC (something that Samba doesn't recommend), but 
it doesn't seem to be used now.

Just ignore them for now, they shouldn't cause any real problems, of 
course if you do have a problem, it might not have anything to do with 
the invocation ID's.

Rowland

More information about the samba mailing list