mathias dufresne
2015-Oct-29 11:16 UTC
[Samba] Demote a dead PDC: residuals in "DNS" console
Hi,

I played with demote recently on a test AD domain composed with Samba version 4.3.0 and 4.3.1. I demoted all version 4.3.0.

I was facing the same issue as you. I wrote long mails here to explain how I managed that. My DNS looks clear now.

Today I played with AD sites and I found in the default site all demoted DCs. They weren't removed from the DNS DB nor from here. For now I have no idea how to get rid of these DCs in my sites configuration without ADUC.

So you should have a look into your AD Sites configuration tool to check if they were correctly removed.

Cheers,

mathias

2015-10-29 10:01 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
> Ok, I made a backup following the Samba wiki and then did this. Had to wait a bit between updating the SOAs because I got a strange error message saying that a time value for the non-update of some resource cleanup wasn't set. But a few minutes later I could update the second SOA as well, and now the Samba log is clean.
>
> Ole
>
> On 28.10.2015 at 16:42, Ole Traupe wrote:
>> Hi,
>>
>> I demoted my PDC (DC1) forcefully, because replication (among others) wasn't working anymore due to hard disk failure and I was afraid of spending a lot of time on nothing.
>>
>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), restarted Samba, and found errors in the samba log due to the missing DC1.
>>
>> I removed the two DNS entries created according to this site:
>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>> I applied the script suggested here:
>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>> This removed the DC1 entry in ADUC and "Active Directory Sites and Services".
>>
>> However, the error persists (10 minute interval; sanitized):
>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for 'dc1.my.domain.de': not found
>>
>> Likely due to further DNS entries, the last-mentioned site suggests to remove them by hand. Most of the containers in the DNS console have only duplicate entries for DC1/2, so no problem. However, 3 don't:
>>
>> (removed subfolder and client PC entries; sanitized, translated where necessary GR->EN)
>>
>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>
>> Name                          Type                          Data                                               Time stamp
>> (identical to parent folder)  Source of Authority (SOA)     [3], dc1.my.domain.de., hostmaster.my.domain.de.   28.10.2015 15:00:00
>> (identical to parent folder)  Nameserver (NS)               dc1.my.domain.de.                                  Static
>> (identical to parent folder)  Host (A)                      IP__of__DC1                                        Static
>> (identical to parent folder)  Host (A)                      IP__of__DC2                                        Static
>> DC2                           Host (A)                      130.149.34.118                                     29.07.2015 13:00:00
>>
>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>
>> Name                          Type                          Data                                               Time stamp
>> (identical to parent folder)  Source of Authority (SOA)     [3], dc1.my.domain.de., hostmaster.my.domain.de.   28.10.2015 15:00:00
>> (identical to parent folder)  Nameserver (NS)               dc1.my.domain.de.                                  Static
>> objectGUID__of__DC2           Alias (CNAME)                 DC2.my.domain.de.                                  29.07.2015 13:00:00
>>
>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>
>> Name                          Type                          Data                                               Time stamp
>> _ldap                         Service Identification (SRV)  [0][100][389] dc1.my.domain.de.                    Static
>>
>> What to do in these cases? Is it safe to open the properties of the non-duplicate entries and replace DC1 with DC2?
>>
>> Ole
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
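The records Ole lists above (the SOA whose primary name server is DC1, the NS record, the apex A record carrying DC1's address, and the _ldap._tcp.pdc._msdcs SRV record) are exactly the ones a demote cannot clean up when the DC is already dead, because samba_dnsupdate on the surviving DC keeps trying to resolve a host that no longer exists. The shell script below is an added example, not code from this thread or from the Samba project: it takes a BIND-style text listing of the zone (the sample is constructed to mirror Ole's console view, with RFC 5737 addresses), reports every record that still references the dead DC by name or by address, and emits the cleaned zone with SOA/NS/CNAME/SRV targets rewritten to the surviving DC, the dead DC's A records dropped, and the duplicates the rewrite creates collapsed (the "duplicate entries for DC1/2" case). The names dc1/dc2.my.domain.de and the addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): audit a zone listing
# for records that still point at a demoted DC, then emit the corrected
# records. Input is one BIND-style record per line: owner IN TYPE rdata...
# Every name and address here is constructed (addresses from 192.0.2.0/24).

OLD_DC="dc1.my.domain.de."      # demoted, dead DC (FQDN with trailing dot)
OLD_IP="192.0.2.1"              # its former address
NEW_DC="dc2.my.domain.de."      # surviving DC that seized the FSMO roles

# Constructed sample mirroring the residual records from the thread: SOA and
# NS at the apex, apex A records for both DCs, the host records, and the SRV
# records under _msdcs (pdc and dc).
ZONE_SAMPLE='my.domain.de. IN SOA dc1.my.domain.de. hostmaster.my.domain.de. 3 900 600 86400 3600
my.domain.de. IN NS dc1.my.domain.de.
my.domain.de. IN NS dc2.my.domain.de.
my.domain.de. IN A 192.0.2.1
my.domain.de. IN A 192.0.2.2
dc1.my.domain.de. IN A 192.0.2.1
dc2.my.domain.de. IN A 192.0.2.2
_ldap._tcp.pdc._msdcs.my.domain.de. IN SRV 0 100 389 dc1.my.domain.de.
_ldap._tcp.dc._msdcs.my.domain.de. IN SRV 0 100 389 dc1.my.domain.de.
_ldap._tcp.dc._msdcs.my.domain.de. IN SRV 0 100 389 dc2.my.domain.de.'

# stale_records OLD_DC OLD_IP < zone
# Prints every record that names the dead DC (as owner or inside the rdata)
# or that is an A record carrying its address.
stale_records() {
    awk -v old="$1" -v old_ip="$2" '
        /^[[:space:]]*(;|$)/ { next }              # comments and blank lines
        $3 == "A" && $4 == old_ip { print; next }  # A record with the dead address
        {
            for (i = 1; i <= NF; i++)
                if ($i == old) { print; next }
        }'
}

# fix_records OLD_DC OLD_IP NEW_DC < zone
# Emits the cleaned zone:
#   - records owned by the dead DC, and A records with its address, are dropped
#   - rdata fields naming the dead DC (SOA primary server, NS, CNAME, SRV
#     target) are rewritten to the surviving DC
#   - records that become identical to an existing one after the rewrite
#     are emitted only once
fix_records() {
    awk -v old="$1" -v old_ip="$2" -v new="$3" '
        /^[[:space:]]*(;|$)/ { print; next }
        $1 == old { next }                         # host records of the dead DC
        $3 == "A" && $4 == old_ip { next }         # apex A record with its address
        {
            for (i = 4; i <= NF; i++)              # rdata starts after "owner IN TYPE"
                if ($i == old) $i = new
            if (!seen[$0]++) print                 # collapse duplicates created above
        }'
}

# Small wrappers with the sample baked in, so the result is easy to check.
count_stale() {
    printf '%s\n' "$ZONE_SAMPLE" | stale_records "$OLD_DC" "$OLD_IP" | wc -l | tr -d ' '
}
count_fixed() {
    printf '%s\n' "$ZONE_SAMPLE" | fix_records "$OLD_DC" "$OLD_IP" "$NEW_DC" | wc -l | tr -d ' '
}
# Number of corrected records that still mention the dead DC (should be 0).
fixed_mentions_old() {
    printf '%s\n' "$ZONE_SAMPLE" | fix_records "$OLD_DC" "$OLD_IP" "$NEW_DC" \
        | awk -v a="$OLD_DC" -v b="$OLD_IP" 'index($0, a) || index($0, b) { n++ } END { print n + 0 }'
}

if [ "${1:-}" = "--demo" ]; then
    echo "== records still referencing $OLD_DC =="
    printf '%s\n' "$ZONE_SAMPLE" | stale_records "$OLD_DC" "$OLD_IP"
    echo "== corrected zone =="
    printf '%s\n' "$ZONE_SAMPLE" | fix_records "$OLD_DC" "$OLD_IP" "$NEW_DC"
fi
```

In an AD-integrated zone these records live in the directory, so the corrections are applied through the DNS console (as Ole did) or with samba-tool dns update / samba-tool dns delete rather than by writing a zone file; the script's value is in showing exactly which records still tie the zone to the dead DC and what each one should become, which is also a useful pre-check before seizing roles on the surviving DC.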
Hi mathias,

thanks for the heads-up! However, my AD Sites and Services is clear, too. I followed the suggestion here
https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
to use this
http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
script.

Copy the contents of the "Visual Basic" box to a text file and rename it to "something.vbs". Run the VB script as admin, e.g. on a Win 7 64 bit (worked for me) domain member client, being logged on as "Administrator". This removed my former PDC from ADUC and ADSS.

Best,
Ole
mathias dufresne
2015-Oct-29 12:54 UTC
[Samba] Demote a dead PDC: residuals in "DNS" console
Thank you for the hint to this VBS script. In fact I already saw it, but I'm not too confident in my VB knowledge, so I didn't use that script, preferring to rely on Samba commands and shell scripts to work around issues.

You spoke about the SOA record which wasn't changed; same here. There is another DNS record I had to change: _ldap._tcp.pdc._msdcs.samba.domain.tld.

I spoke about removing removed DCs from sites, and the command to do that could be:

ldbdel -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Deleted 1 record

To get the list of all contents in sites:

ldbsearch -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' cn=* dn

This will list all entries in the "sites" container.

Looking into CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld:

ldbsearch -H $sam -b 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' cn=* dn

There are 4 entries in that container per declared DC in the site. Only the one mentioned earlier had to be removed manually; the three others should have been removed during the demote process, as I didn't remove them myself and they weren't present before I manually performed the mentioned clean-up.

Cheers,

mathias

2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
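The ldbsearch listing and ldbdel command mathias gives above are a manual audit of the CN=Servers container: every server object whose DC no longer exists is a leftover, and a demote that ran cleanly leaves only the server object itself (its NTDS Settings child is gone), which is why a single ldbdel sufficed. The shell script below is an added example, not code from this thread or from the Samba project: it reads the dn-only listing that `ldbsearch ... cn=* dn` prints (the sample is constructed in that shape, for a site with one live DC and one stale one), compares the server objects against a list of DCs you know to be alive, and reports each stale server object together with the number of entries still nested under it. A non-zero child count means the demote did not finish the cleanup and those children must be deleted first (or ldbdel run with -r), since a directory delete refuses a non-leaf entry. The site name, domain DN and DC names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): audit the CN=Servers
# container of an AD site for server objects that belong to no live DC.
# Input is the dn-only output of: ldbsearch -H $sam -b "$SERVERS_DN" cn=* dn
# The listing below is constructed in that shape; names are assumptions.

SERVERS_DN='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld'

# Constructed listing: the container itself, a live DC (DC2) with its NTDS
# Settings object, and a dead DC (DC1) whose NTDS Settings object was not
# removed by the demote.
LDBSEARCH_SAMPLE="# record 1
dn: $SERVERS_DN

# record 2
dn: CN=DC2,$SERVERS_DN

# record 3
dn: CN=NTDS Settings,CN=DC2,$SERVERS_DN

# record 4
dn: CN=DC1,$SERVERS_DN

# record 5
dn: CN=NTDS Settings,CN=DC1,$SERVERS_DN

# returned 5 records
# 5 entries
# 0 referrals"

# stale_servers SERVERS_DN "LIVE_DC1 LIVE_DC2 ..." < listing
# Prints one line per server object whose CN is not in the live list:
#   <dn> children=<n>
# where n counts entries still nested under it (NTDS Settings, connection
# objects). Those must be removed before the server object can be deleted.
stale_servers() {
    awk -v base="$1" -v live=" $2 " '
        BEGIN { live = tolower(live); suffix = "," base }
        /^dn: / {
            dn = substr($0, 5)
            if (dn == base) next                                        # the container itself
            if (length(dn) <= length(suffix)) next
            if (substr(dn, length(dn) - length(suffix) + 1) != suffix) next  # not under the container
            rest = substr(dn, 1, length(dn) - length(suffix))            # RDN chain relative to the container
            n = split(rest, parts, ",")                                  # (escaped commas in RDNs are not handled)
            name = parts[n]; sub(/^[Cc][Nn]=/, "", name)                 # the server RDN is always the last part
            if (n == 1) {                                                # direct child: a server object
                server[name] = dn
                if (index(live, " " tolower(name) " ") == 0) stale[name] = 1
            } else {                                                     # nested entry: count it against its server
                children[name]++
            }
        }
        END {
            for (name in stale)
                printf "%s children=%d\n", server[name], children[name] + 0
        }'
}

# Wrappers with the sample baked in: DC2 is the only DC still alive.
stale_report() { printf '%s\n' "$LDBSEARCH_SAMPLE" | stale_servers "$SERVERS_DN" "DC2"; }
stale_count()  { stale_report | wc -l | tr -d ' '; }

if [ "${1:-}" = "--demo" ]; then
    echo "== server objects in $SERVERS_DN with no live DC =="
    stale_report
fi
```

For the constructed listing the report is one line, `CN=DC1,CN=Servers,... children=1`, telling you the NTDS Settings object has to go before the ldbdel of the server object that mathias shows. The live list is whatever you actually trust, for instance the DCs that still answer samba-tool drs showrepl; a DC missing from that list is reported as stale, so check the list before deleting anything.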