[Samba] old DC showing up

Rowland Penny rpenny at samba.org
Mon Jan 20 10:15:46 UTC 2025


On Sun, 19 Jan 2025 12:51:57 -0500
Sonic via samba <samba at lists.samba.org> wrote:

> Doing some tests with the recently reported samba/chrony/windows time
> sync issues I ran across this on 2 separate domains:
> ==============================
> C:\Windows\System32>w32tm /monitor
> old.dc.example.com [error WSAHOST_NOT_FOUND]
> new.dc.example.com *** PDC ***[192.168.37.9:123]:
>     ICMP: 32ms delay
>     NTP: error ERROR_TIMEOUT - no response from server in 1000ms
> ==============================
> 
> This post is not about the time issue, but that the command above
> looks for the old no longer present DC.
> Both domains were upgraded from older versions and the old DC was
> decommissioned over a year ago, yet somehow systems are looking for
> it on one level.
> This occurs with systems that had never previously seen the old DC.
> How to resolve this old DC cruft?
> Thank you.

This happens when you demote a DC: it removes the DC's AD records, but
not entirely; it moves some of them, because when you demote a DC it
becomes a normal AD PC.

Note you do the following on a Samba AD DC and at your own risk.

You can find the 'old' records for 'dc1' with:

First run 'sudo kinit Administrator'

Then:

sudo ldbsearch -P --cross-ncs -H /var/lib/samba/private/sam.ldb '(cn=dc1)' cn

Which should produce something like this:

# record 1
dn: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
cn: DC1

# record 2
dn: CN=DC1,CN=Computers,DC=samdom,DC=example,DC=com
cn: DC1

# returned 2 records
# 2 entries
# 0 referrals

However there is one other record, so also run this:

sudo ldbsearch -P --cross-ncs -H /var/lib/samba/private/sam.ldb '(cn=RID Set)' cn

Which should produce records for all your current DCs, plus one for your
dead DC, which will look something like this:

dn: CN=RID Set,CN=DC1,CN=Computers,DC=samdom,DC=example,DC=com
cn: RID Set

NOTE: It should stand out like a sore thumb; the others should be in:

OU=Domain Controllers,DC=samdom,DC=example,DC=com

You now need to delete a couple of records with ldbdel:

sudo ldbdel --use-kerberos=required -H /var/lib/samba/private/sam.ldb 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

sudo ldbdel --use-kerberos=required -H /var/lib/samba/private/sam.ldb 'CN=RID Set,CN=DC1,CN=Computers,DC=samdom,DC=example,DC=com'

Finally delete the computer record with:

sudo samba-tool computer delete dc1 --use-kerberos=required

Rowland
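As an added example that is not part of Rowland's post or of Samba itself: a small POSIX shell helper that reads the output of the second ldbsearch above (the '(cn=RID Set)' query) and flags RID Set objects whose parent is outside OU=Domain Controllers, which is the tell-tale for a demoted DC's leftovers. The embedded sample output is constructed from the DNs used in this thread (dc1 demoted; a hypothetical dc2 still a live DC); pipe real ldbsearch output into stale_rid_sets instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit `ldbsearch ... '(cn=RID Set)' cn`
# output for RID Set objects left behind by a demoted DC. Read-only; it only
# reports DNs, it does not delete anything.

# Constructed sample of ldbsearch output: dc2 is a live DC (object under
# OU=Domain Controllers), dc1 was demoted and its RID Set moved with the
# computer account into CN=Computers.
SAMPLE_LDB_OUTPUT='# record 1
dn: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
cn: RID Set

# record 2
dn: CN=RID Set,CN=DC1,CN=Computers,DC=samdom,DC=example,DC=com
cn: RID Set

# returned 2 records
# 2 entries
# 0 referrals'

# stale_rid_sets: read ldbsearch output on stdin and print the DN of every
# RID Set whose parent is not under OU=Domain Controllers. The container
# match is case-insensitive because AD DNs are case-preserving, not
# case-sensitive. Prints nothing when every RID Set belongs to a live DC.
stale_rid_sets() {
    grep -i '^dn: CN=RID Set,' \
        | grep -iv ',OU=Domain Controllers,' \
        | sed 's/^dn: //'
}

# stale_rid_set_owners: the parent computer object of each stale RID Set,
# i.e. the account the thread's final `samba-tool computer delete` removes.
# Assumes the RID Set RDN is spelled "CN=RID Set" as in ldbsearch output.
stale_rid_set_owners() {
    stale_rid_sets | sed 's/^CN=RID Set,//'
}

# sample_stale_count: number of stale RID Sets in the constructed sample,
# so a caller can branch on "cleanup needed" without parsing the list.
sample_stale_count() {
    printf '%s\n' "$SAMPLE_LDB_OUTPUT" | stale_rid_sets | grep -c .
}

# Run against the constructed sample; on a real DC replace the printf with
#   sudo ldbsearch -P --cross-ncs -H /var/lib/samba/private/sam.ldb '(cn=RID Set)' cn
printf '%s\n' "$SAMPLE_LDB_OUTPUT" | stale_rid_sets
```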