mathias dufresne
2015-Oct-29 12:54 UTC
[Samba] Demote a dead PDC: residuals in "DNS" console
Thank you for the hint to this VBS script. In fact I already saw it but I'm not too confident in my VB knowledge, so I didn't use that script, preferring to rely on Samba commands and shell scripts to work around issues.

You spoke about the SOA record which wasn't changed, same here. There is another DNS record I had to change: _ldap._tcp.pdc._msdcs.samba.domain.tld.

I spoke about removing removed-DCs from sites and the command to do that could be:
ldbdel -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Deleted 1 record

To get the list of all contents in sites:
ldbsearch -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' cn=* dn

This will list all entries in the "sites" container.

Looking into CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld:
ldbsearch -H $sam -b 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' cn=* dn

There are 4 entries in that container per declared DC in the site. Only the one mentioned earlier had to be removed manually, the three others should have been removed during the demote process as I didn't remove them myself and they weren't present before I manually performed the mentioned clean up.

Cheers,

mathias

2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:

> Hi mathias,
>
> thanks for the heads-up! However, my AD Sites and Services is clear, too.
> I followed the suggestion here
> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
> to use this
>
> http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
> script.
>
> Copy the contents of the "Visual Basic" box to a text file and rename it
> to "something.vbs". Run the vb script as admin e.g. on a Win 7 64 bit
> (worked for me) domain member client being logged on as "Administrator".
> This removed my former PDC from ADUC and ADSS.
>
> Best,
> Ole
>
> On 29.10.2015 at 12:16, mathias dufresne wrote:
>
>> Hi,
>>
>> I played with demote recently on a test AD domain composed with Samba
>> version 4.3.0 and 4.3.1. I demoted all version 4.3.0.
>>
>> I was facing the same issue as you. I wrote long mails here to explain how I
>> managed that. My DNS looks clear now.
>>
>> Today I played with AD sites and I found in default sites all demoted DC.
>> They weren't removed from DNS DB nor here. For now I have no idea how to
>> get rid of these DC in my sites configuration without ADUC.
>>
>> So you should have a look into your AD Sites configuration tool to check if
>> they were correctly removed.
>>
>> Cheers,
>>
>> mathias
>>
>> 2015-10-29 10:01 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>
>>> Ok, I made a backup following the Samba wiki and then did this. Had to
>>> wait a bit between updating the SOA's because I got a strange error message
>>> saying that a time value for the non-update of some resource cleanup wasn't
>>> set. But a few minutes later I could update the second SOA as well, and now
>>> the Samba log is clean.
>>>
>>> Ole
>>>
>>> On 28.10.2015 at 16:42, Ole Traupe wrote:
>>>
>>>> Hi,
>>>>
>>>> I demoted my PDC (DC1) forcefully, because replication (among others)
>>>> wasn't working anymore due to hard disk failure and I was afraid of
>>>> spending a lot of time on nothing.
>>>>
>>>> With DC1 offline I seized the FSMO roles on DC2 (4.2.5), restarted Samba,
>>>> and found errors in the samba log due to the missing DC1.
>>>>
>>>> I removed the two DNS entries created according to this site:
>>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>>> I applied the script suggested here:
>>>> https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
>>>> This removed the DC1 entry in ADUC and "Active Directory Sites and
>>>> Services".
>>>>
>>>> However, the error persists (10 minute interval; sanitized):
>>>> # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for 'dc1.my.domain.de': not found
>>>>
>>>> Likely due to further DNS entries, the last-mentioned site suggests to
>>>> remove them by hand. Most of the containers in the DNS console have only
>>>> duplicate entries for DC1/2, so no problem. However, 3 don't:
>>>>
>>>> (removed subfolder and client PC entries; sanitized, translated where
>>>> necessary GR->EN)
>>>>
>>>> *DNS/DC2/Forward-Lookupzones/my.domain.de*
>>>>
>>>> Name                          Type                       Data                                                 Time stamp
>>>> (identical to parent folder)  Source of Authority (SOA)  [3], dc1.my.domain.de., hostmaster.my.domain.de.     28.10.2015 15:00:00
>>>> (identical to parent folder)  Nameserver (NS)            dc1.my.domain.de.                                    Static
>>>> (identical to parent folder)  Host (A)                   IP__of__DC1                                          Static
>>>> (identical to parent folder)  Host (A)                   IP__of__DC2                                          Static
>>>> DC2                           Host (A)                   130.149.34.118                                       29.07.2015 13:00:00
>>>>
>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*
>>>>
>>>> (identical to parent folder)  Source of Authority (SOA)  [3], dc1.my.domain.de., hostmaster.my.domain.de.     28.10.2015 15:00:00
>>>> (identical to parent folder)  Nameserver (NS)            dc1.my.domain.de.                                    Static
>>>> objectGUID__of__DC2           Alias (CNAME)              DC2.my.domain.de.                                    29.07.2015 13:00:00
>>>>
>>>> *DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*
>>>>
>>>> _ldap                         Service Identification (SRV)  [0][100][389] dc1.my.domain.de.                   Static
>>>>
>>>> What to do in these cases? Is it safe to open the properties of the
>>>> non-duplicate entries and replace DC1 with DC2?
>>>>
>>>> Ole
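
A read-only check for the leftover site objects discussed in the message above, as an added example that is not part of the original post. LDIF allows long lines to be folded, so a plain grep over `ldbsearch ... dn` output can miss a demoted DC when the fold falls inside its name, and a substring match can flag the wrong server. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): list leftover objects of a demoted DC
# in `ldbsearch ... dn` output, coping with folded LDIF lines.

# Join LDIF continuation lines: a line that starts with one space continues
# the previous line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

# stale_dns NAME: read ldbsearch output on stdin and print every DN that has
# an RDN exactly equal to CN=NAME (case-insensitive), so DC1 never matches
# DC10. Assumptions: the name contains no escaped commas, and base64 "dn::"
# lines are not decoded.
stale_dns() {
    unfold_ldif | awk -v want="cn=$1" '
        BEGIN { want = tolower(want) }
        /^dn: / {
            dn = substr($0, 5)
            n = split(tolower(dn), rdn, ",")
            for (i = 1; i <= n; i++)
                if (rdn[i] == want) { print dn; break }
        }
    '
}

# Constructed sample in ldbsearch's output layout; the folds are placed by
# hand so that one of them splits the DC name.
sample_output() {
cat <<'EOF'
# record 1
dn: CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC
 =samba,DC=domain,DC=tld

# record 2
dn: CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurat
 ion,DC=samba,DC=domain,DC=tld

# record 3
dn: CN=NTDS Settings,CN=remo
 ved-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sam
 ba,DC=domain,DC=tld

# record 4
dn: CN=removed-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
 tion,DC=samba,DC=domain,DC=tld

# returned 4 records
EOF
}

# Against a live directory, with the base DN used in the post:
#   ldbsearch -H "$sam" -b 'CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld' \
#       'cn=*' dn | stale_dns removed-DC
sample_output | stale_dns removed-DC
```

An empty result for the demoted DC's name means no object under the searched base still carries it as an RDN; DNS records have to be checked separately.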

On 29.10.2015 at 13:54, mathias dufresne wrote:

> Thank you for the hint to this VBS script. In fact I already saw it but I'm not
> too confident in my VB knowledge, so I didn't use that script, preferring to
> rely on Samba commands and shell scripts to work around issues.
>
> You spoke about the SOA record which wasn't changed, same here. There is
> another DNS record I had to change: _ldap._tcp.pdc._msdcs.samba.domain.tld.

Yes, I can confirm that I had to change that one, too.

> I spoke about removing removed-DCs from sites and the command to do that
> could be:
> ldbdel -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' CN=removed-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
> Deleted 1 record
>
> To get the list of all contents in sites:
> ldbsearch -H $sam -b 'cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld' cn=* dn
>
> This will list all entries in the "sites" container.
>
> Looking into CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=samba,DC=domain,DC=tld:
> ldbsearch -H $sam -b 'CN=Servers,CN=Default-First-Site-Name,cn=sites,CN=Configuration,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' cn=* dn
>
> There are 4 entries in that container per declared DC in the site. Only the
> one mentioned earlier had to be removed manually, the three others should
> have been removed during the demote process as I didn't remove them myself and
> they weren't present before I manually performed the mentioned clean up.

Thank you for the further details. I can't really say anything about these entries or commands. There was only one entry in the ADSS console for my former PDC, and the script got rid of that.

Best,
Ole

> Cheers,
>
> mathias
>
> 2015-10-29 12:38 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
>> Hi mathias,
>>
>> thanks for the heads-up! However, my AD Sites and Services is clear, too.

On 10/29/2015 9:15 AM, Ole Traupe wrote:

> Thank you for the further details. I can't really say anything about
> these entries or commands. There was only one entry in the ADSS
> console for my former PDC, and the script got rid of that.
>
> Best,
> Ole

When I demoted DCs in the past, I used ADSS, ADUC and ADSI to delete all traces. ADSI was necessary to delete all NTDS traces. This was on Samba 4.0.X versions. I take it you have no replication issues pointing to the old DC either?

--
-James

On 29/10/15 12:54, mathias dufresne wrote:

> You spoke about SOA record which wasn't changed, same here. There is
> another DNS record I had to change: _ldap._tcp.pdc._msdcs.samba.domain.tld.

If anybody is using the reverse zone, have they checked this after demoting a dead DC?

Rowland