[Samba] questions regarding the Demoting an Offline Domain Controller procedure

Rowland Penny rpenny at samba.org
Mon Aug 28 10:14:09 UTC 2023


On Mon, 28 Aug 2023 13:00:57 +0300
Jean-Louis Biasini via samba <samba at lists.samba.org> wrote:

> hello all,
> 
> To give some follow up info if anyone is affected by 1. too:
> 
> On 14/07/2022 at 19:34, Jean-Louis Biasini wrote:
> >>> 1. The procedure went well and no other problems occurred, but
> >>> since then, I have the following popping up in the log of all the 
> >>> remaining DCs at restart:
> >>>
> >>> ../../source4/dsdb/kcc/scavenge_dns_records.c:491(dns_delete_tombstones) 
> >>>
> >>> dns_delete_tombstones: A tombstoned dnsNode has non-tombstoned 
> >>> records, which should not happen.
> >>>
> >>> How can I find and delete those remaining records? I don’t see 
> >>> anything related to the demoted DC with rsat DNS tool nor with:
> >>>
> >>> ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' 
> >>> --cross-ncs objectguid
> 
> the proper ldap request to perform is:
> 
> ldapsearch -H ldaps://ADSERVER_FQDN_DNSNAME:636 -x -W -D 
> "administrator@example.domain.tld" -b 
> 'DC=DomainDnsZones,DC=example,DC=domain,DC=tld' "(dNSTombstoned=TRUE)"

I tend to use the ldb tools and a similar search using ldbsearch and
kerberos would be:

sudo ldbsearch --show-deleted -H ldap://dc1.samdom.example.com -P -b 'dc=DomainDnsZones,dc=samdom,dc=example,dc=com'

> 
> Make sure whatever DC that comes up is not in use anymore and that
> all related DNS records have been deleted
> 
> Then you can delete that record with ldapdelete.
> 
> >>> 2. the procedure states that I shouldn’t reconnect the demoted 
> >>> offline DC, does this apply only to that specific machine? Can I 
> >>> declare a new dc with the same name and/or ip and/or mac address 
> >>> (VM) or should this also be avoided?
> 
> I’m still looking for answers as to this question 2.

You should be okay using the old dns details, providing it is a new DC
and ALL the old details have been removed from any other DCs.

Rowland
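The searches above only list dnsNode entries flagged dNSTombstoned=TRUE; the log line quoted at the top of the thread comes from the KCC finding such a node that still carries a record whose wType is not DNS_TYPE_TOMBSTONE (0). The script below, an added example that is not code from this thread or from the Samba project, reads an LDIF export of a DNS partition (the shape ldbsearch or ldapsearch -LLL print), decodes each binary dnsRecord value using the dnsp_DnssrvRpcRecord layout from Samba's dnsp.idl, and reports which tombstoned nodes still hold live records, so you know which dnsRecord values to strip or which node to delete before the KCC can scavenge it. The LDIF embedded in it is constructed sample data (zone samdom.example.com, nodes olddc, gone and dc1 with 192.0.2.x addresses), not an export from a real domain; run it against your own export with parse_ldif(open(path).read()).

```python
"""Find dNSTombstoned dnsNode entries that still carry live DNS records.

Added example for this thread, not code from the samba list posts or from
the Samba project.  A node with dNSTombstoned=TRUE should hold only
DNS_TYPE_TOMBSTONE (wType 0) records; anything else on such a node is the
state behind the "A tombstoned dnsNode has non-tombstoned records" log
line.  SAMPLE_LDIF below is constructed, not taken from a real domain.
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

DNS_TYPE_TOMBSTONE = 0x0000
DNS_TYPE_A = 0x0001
DNS_TYPE_NAME = {0x0000: "TOMBSTONE", 0x0001: "A", 0x0002: "NS", 0x0005: "CNAME",
                 0x0006: "SOA", 0x000C: "PTR", 0x000F: "MX", 0x0010: "TXT",
                 0x001C: "AAAA", 0x0021: "SRV"}

# dnsp_DnssrvRpcRecord header (24 bytes) from Samba's librpc/idl/dnsp.idl:
#   wDataLength, wType (uint16 LE), version, rank (uint8), flags (uint16 LE),
#   dwSerial (uint32 LE), dwTtlSeconds (uint32 BIG-endian per the IDL),
#   dwReserved, dwTimeStamp (uint32 LE), then wDataLength bytes of data.
HDR_LEN = 24
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def nttime_to_datetime(nt):
    """NTTIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return NT_EPOCH + timedelta(microseconds=nt // 10)


def datetime_to_nttime(dt):
    delta = dt.astimezone(timezone.utc) - NT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def encode_record(wtype, data, ttl=900, serial=1, rank=0xF0, timestamp=0):
    """Build a dnsRecord blob; used here only to construct the sample data."""
    return (struct.pack("<HHBBHI", len(data), wtype, 5, rank, 0, serial)
            + struct.pack(">I", ttl) + struct.pack("<II", 0, timestamp) + data)


def parse_dns_record(blob):
    """Decode one dnsRecord attribute value into a dict."""
    if len(blob) < HDR_LEN:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, wtype, _ver, rank, _flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)
    _reserved, timestamp = struct.unpack_from("<II", blob, 16)
    data = blob[HDR_LEN:HDR_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord data truncated")
    rec = {"type": wtype, "type_name": DNS_TYPE_NAME.get(wtype, hex(wtype)),
           "ttl": ttl, "serial": serial, "rank": rank, "timestamp": timestamp}
    if wtype == DNS_TYPE_TOMBSTONE:
        (nt,) = struct.unpack("<Q", data[:8])   # data is an NTTIME EntombedTime
        rec["entombed"] = nttime_to_datetime(nt)
    elif wtype == DNS_TYPE_A:
        rec["address"] = ".".join(str(b) for b in data[:4])
    return rec


def parse_ldif(text):
    """Minimal LDIF reader: folded lines, '::' base64 values, blank-line separators."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        if cur is None:
            cur = {}
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def find_inconsistent_tombstones(entries):
    """Return [(dn, [non-tombstone records])] for every dNSTombstoned=TRUE node."""
    bad = []
    for e in entries:
        if str(e.get("dNSTombstoned", [""])[0]).upper() != "TRUE":
            continue
        live = [r for r in (parse_dns_record(b) for b in e.get("dnsRecord", []))
                if r["type"] != DNS_TYPE_TOMBSTONE]
        if live:
            bad.append((e["dn"][0], live))
    return bad


# --- constructed sample export (hypothetical zone and hosts) ---------------
ZONE = "DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com"
ENTOMBED = encode_record(DNS_TYPE_TOMBSTONE, struct.pack(
    "<Q", datetime_to_nttime(datetime(2022, 7, 14, 17, 34, tzinfo=timezone.utc))))
A_OLDDC = encode_record(DNS_TYPE_A, bytes([192, 0, 2, 10]))
A_DC1 = encode_record(DNS_TYPE_A, bytes([192, 0, 2, 1]))
_b64 = lambda b: base64.b64encode(b).decode()
SAMPLE_LDIF = f"""# constructed export in the shape ldbsearch prints
dn: DC=olddc,{ZONE}
objectClass: dnsNode
dNSTombstoned: TRUE
dnsRecord:: {_b64(ENTOMBED)}
dnsRecord:: {_b64(A_OLDDC)}

dn: DC=gone,{ZONE}
objectClass: dnsNode
dNSTombstoned: TRUE
dnsRecord:: {_b64(ENTOMBED)}

dn: DC=dc1,{ZONE}
objectClass: dnsNode
dnsRecord:: {_b64(A_DC1)}
"""

if __name__ == "__main__":
    for dn, live in find_inconsistent_tombstones(parse_ldif(SAMPLE_LDIF)):
        print(dn)
        for r in live:
            print("  live %s record %s" % (r["type_name"], r.get("address", "")))
```

On the sample, only DC=olddc is reported: it is flagged tombstoned yet still holds an A record, which is exactly what the KCC complains about; DC=gone is a clean tombstone and DC=dc1 is a live node, so neither appears. Once you have the offending DN, confirm the host is really gone, then remove the stale dnsRecord value (or the whole dnsNode) with ldapdelete or ldbdel as described above.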


