[Samba] Issues demoting a samba DC.

Rowland Penny rpenny at samba.org
Sun Jan 8 11:21:08 UTC 2023

On 08/01/2023 11:04, Michael Tokarev via samba wrote:
> Hello!
> I'm trying to remove a DC from our samba domain (samba 4.17.4).
> It was the primary controller (with FSMO roles), - I successfully
> transferred the roles to another DC.  Now it's time to demote:
> ai# samba-tool domain demote -U mjt-adm
> Using svdcp.tls.msk.ru as partner server for the demotion
> Password for [TLS\mjt-adm]:
> Deactivating inbound replication
> Asking partner server svdcp.tls.msk.ru to synchronize from us
> Changing userControl and container
> Error while demoting, re-enabling inbound replication
> ERROR(ldb): Error while renaming CN=AI,OU=Domain 
> Controllers,DC=tls,DC=msk,DC=ru to 
> CN=AI,CN=Computers,DC=tls,DC=msk,DC=ru - LDAP error 50 
> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <acl:access_denied renaming 
> CN=AI,OU=Domain Controllers,DC=tls,DC=msk,DC=ru> <>
> mjt-adm is a user with admin rights (domain admins group) in the dc.
> It is interesting I can not use Administrator account for this,
> it asks for the password twice, and refuses to work saying
> login is incorrect, even if the same password works for
> smbclient.
> Now, after the first attempt to demote, some things doesn't work
> right, eg:
> ai# samba-tool drs showrepl
> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453, 
> (it definitely worked at least before the FSMO roles transfer).
> Should I force-remove it from another DC?
> Thanks,
> /mjt

If you get any errors whilst trying to demote a DC, then it is probably 
quicker to forcibly demote the DC on another DC, why waste time trying 
to fix something you are trying to get rid of ?

Just as a note, I never have problems like this, but I always use 
Administrator, your problem was possibly a privilege problem that was 
reported as a permissions problem.


More information about the samba mailing list