[Samba] Demote/Promote Samba DC

Andrew Bartlett abartlet at samba.org
Wed Apr 21 19:27:19 UTC 2021 

I'm not sure what you were thinking a demote and re-promote would do,
or what it would save, but delete, remove and start all over is all
there ever was with Samba really.  

Unlike Windows, a Samba DC 'demoted' isn't really put into a useful
state - it doesn't just go back to being a working domain member,
because you would need to reconfigure as a member server etc.

Even a domain join will just replace the existing accounts if it finds
them (unless they are the working accounts of the current server, as a
safety mechanism). 

In Samba we don't consider the accounts to be the valuable bit.

Finally, to be clear --remove-other-dead-server doesn't mean rebuild
the host OS or such, we have power but not that much power!  It just
means really clean up, really hard, more than what the Windows commands
do (which the normal demote tried, and failed, to match).

I hope this helps a little,

Andrew Bartlett

On Wed, 2021-04-21 at 09:30 -0700, Peter Pollock via samba wrote:
> If we use --remove-other-dead-server does that mean the server then
> has to
> be completely rebuilt to add it again?
> 
> Therefore there is no demote and re-promote, just delete, remove and
> start
> all over again?
> 
> On Wed, Apr 21, 2021 at 12:21 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On 21/04/2021 08:06, Andrew Bartlett via samba wrote:
> > > On Wed, 2021-04-21 at 08:19 +0200, Stefan Bellon via samba wrote:
> > > > Not sure whether this has anything to do with it ... but I
> > > > demoted
> > > > our
> > > > old Samba 4.2 server yesterday from the domain as well.
> > > > 
> > > > While "samba-tool domain demote -Uadministrator" worked fine
> > > > and
> > > > reported success, in the DNS there were still ~20 records
> > > > referring
> > > > to
> > > > that old DC. I stopped the old Samba 4.2, removed the BIND9 DLZ
> > > > integration on that old DC, restarted all BIND instances (also
> > > > those on the newer Samba 4.13.5 DCs) ... still, all the records
> > > > remained.
> > > > 
> > > > I ended up starting DNS tools on Windows and opened the whole
> > > > tree,
> > > > went through the entries one by one and deleted all that were
> > > > still
> > > > referring to the old DC (except of course the actual A and AAAA
> > > > records).
> > > > 
> > > > I think, "domain demote" only takes care of part of the
> > > > demotion?
> > > Pretty much.  I wrote an additional mode --remove-other-dead-
> > > server
> > > which is far more brutal because of this.
> > > 
> > > Andrew Bartlett
> > > 
> > 
> > So, what you are saying is, do not demote a DC because a lot of its
> > AD
> > records will not be removed, turn off the DC and use
> > '--remove-other-dead-server' and this will remove them.
> > 
> > Rowland
> > 
> > 
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions

More information about the samba mailing list