Hi,

I demoted my PDC (DC1) forcefully, because replication (among others) wasn't working anymore due to hard disk failure and I was afraid of spending a lot of time on nothing.

With DC1 offline I seized the FSMO roles on DC2 (4.2.5), restarted Samba, and found errors in the samba log due to the missing DC1.

I removed the two DNS entries created according to this site:
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
I applied the script suggested here:
https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
This removed the DC1 entry in ADUC and "Active Directory Sites and Services".

However, the error persists (10 minute interval; sanitized):

    # /usr/local/samba/sbin/samba_dnsupdate: couldn't get address for 'dc1.my.domain.de': not found

This is likely due to further DNS entries; the last-mentioned site suggests removing them by hand. Most of the containers in the DNS console have only duplicate entries for DC1/2, so no problem. However, 3 don't:

(removed subfolder and client PC entries; sanitized, translated where necessary GR->EN)

*DNS/DC2/Forward-Lookupzones/my.domain.de*

Name                          Type                          Data                                               Time stamp
(identical to parent folder)  Source of Authority (SOA)     [3], dc1.my.domain.de., hostmaster.my.domain.de.   28.10.2015 15:00:00
(identical to parent folder)  Nameserver (NS)               dc1.my.domain.de.                                  Static
(identical to parent folder)  Host (A)                      IP__of__DC1                                        Static
(identical to parent folder)  Host (A)                      IP__of__DC2                                        Static
DC2                           Host (A)                      130.149.34.118                                     29.07.2015 13:00:00

*DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de*

Name                          Type                          Data                                               Time stamp
(identical to parent folder)  Source of Authority (SOA)     [3], dc1.my.domain.de., hostmaster.my.domain.de.   28.10.2015 15:00:00
(identical to parent folder)  Nameserver (NS)               dc1.my.domain.de.                                  Static
objectGUID__of__DC2           Alias (CNAME)                 DC2.my.domain.de.                                  29.07.2015 13:00:00

*DNS/DC2/Forward-Lookupzones/_msdcs.my.domain.de/pdc/_tcp*

Name                          Type                          Data                                               Time stamp
_ldap                         Service Identification (SRV)  [0][100][389] dc1.my.domain.de.                    Static

What to do in these cases? Is it safe to open the properties of the non-duplicate entries and replace DC1 with DC2?

Ole
Ok, I made a backup following the Samba wiki and then did this. I had to wait a bit between updating the SOAs because I got a strange error message saying that a time value for the non-update of some resource cleanup wasn't set. But a few minutes later I could update the second SOA as well, and now the Samba log is clean.

Ole
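As an added example (mine, not code from the thread or from the Samba project), this Python script works through the decision above: it parses a per-zone record listing, marks a DC1 record for deletion where a DC2 sibling of the same name and type already exists (the "duplicate" case called no problem above), rewrites the SOA, NS and SRV records that name only DC1 so that they point at DC2, and prints the corresponding samba-tool commands for review. The sample listing is constructed and modelled on `samba-tool dns query <server> <zone> @ ALL` output, and the data formats assumed for `samba-tool dns update`/`delete` are `ns email serial refresh retry expire minttl` for SOA and `host port priority weight` for SRV, as given in samba-tool's help; check both against your Samba version before running anything.

```python
import re
# Constructed sample, modelled on `samba-tool dns query DC2 <zone> @ ALL` output (exact layout assumed).
ZONES = {
    "my.domain.de": """\
  Name=, Records=4, Children=0
    SOA: serial=3, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.my.domain.de., email=hostmaster.my.domain.de. (flags=600000f0, serial=3, ttl=3600)
    NS: dc1.my.domain.de. (flags=600000f0, serial=1, ttl=900)
    A: 10.0.0.1 (flags=600000f0, serial=1, ttl=900)
    A: 10.0.0.2 (flags=600000f0, serial=1, ttl=900)
""",
    "_msdcs.my.domain.de": """\
  Name=_ldap._tcp.pdc, Records=1, Children=0
    SRV: dc1.my.domain.de. (389, 0, 100) (flags=600000f0, serial=1, ttl=900)
""",
}
NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=")
REC_RE = re.compile(r"^\s*(?P<type>[A-Z]+): (?P<data>.*?) \(flags=")
TOKEN = re.compile(r"[^\s,=()]+")  # hostnames / IPs inside a record's data

def parse_zone(text):
    """Map (owner name, record type) -> [record data]; '@' stands for the zone apex."""
    recs, name = {}, None
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            name = m.group("name") or "@"
        elif (m := REC_RE.match(line)) and name is not None:
            recs.setdefault((name, m.group("type")), []).append(m.group("data"))
    return recs
def plan_cleanup(zones, dead, survivor):
    """dead/survivor = (fqdn, ip). Delete a dead-DC record when a sibling of the same name/type already names the survivor (the 'duplicate' case); otherwise update it in place."""
    swap, actions = dict(zip(dead, survivor)), []
    for zone, text in zones.items():
        for (name, rtype), datas in parse_zone(text).items():
            covered = any(set(TOKEN.findall(d)) & set(survivor) for d in datas)
            for d in [x for x in datas if set(TOKEN.findall(x)) & set(dead)]:
                new = None if covered else TOKEN.sub(lambda m: swap.get(m[0], m[0]), d)
                actions.append(("delete" if covered else "update", zone, name, rtype, d, new))
    return actions
def to_arg(rtype, data):
    """Query-output data -> the data string samba-tool dns update/delete take (field order per samba-tool's help, assumed)."""
    if rtype == "SOA":
        f = dict(kv.split("=", 1) for kv in data.split(", "))
        return " ".join(f[k] for k in ("ns", "email", "serial", "refresh", "retry", "expire", "minttl"))
    if rtype == "SRV":
        host, rest = data.split(" (", 1)
        return host + " " + rest.rstrip(")").replace(",", "")
    return data
def commands(actions, server):
    """Render the plan as samba-tool lines for an admin to review; nothing is executed here."""
    return [f"samba-tool dns {a} {server} {z} {n} {t} '{to_arg(t, o)}'" + (f" '{to_arg(t, w)}'" if w else "") for a, z, n, t, o, w in actions]
```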
mathias dufresne
2015-Oct-29 11:16 UTC
[Samba] Demote a dead PDC: residuals in "DNS" console
Hi,

I played with demote recently on a test AD domain composed of Samba versions 4.3.0 and 4.3.1. I demoted all the version 4.3.0 DCs. I was facing the same issue as you. I wrote long mails here to explain how I managed that. My DNS looks clear now.

Today I played with AD sites and I found all the demoted DCs in the default site. They weren't removed from the DNS DB, nor from here. For now I have no idea how to get rid of these DCs in my sites configuration without ADUC.

So you should have a look into your AD Sites configuration tool to check if they were correctly removed.

Cheers,

mathias
Andrew Bartlett
2015-Oct-31 09:36 UTC
[Samba] Demote a dead PDC: residuals in "DNS" console
On Wed, 2015-10-28 at 16:42 +0100, Ole Traupe wrote:
> What to do in these cases? Is it safe to open the properties of the
> non-duplicate entries and replace DC1 with DC2?

Just a quick note to say that we are (finally) working to improve this situation. I have patches to improve samba_dnsupdate so that it will add some of the missing entries (and use RPC to do so, avoiding nasty chicken/egg issues), and my improvements to samba-tool domain demote (adding a --remove-other-dead-server option) have landed in master.

I'm sorry this has been so bad for so long, but there is hope.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT           http://catalyst.net.nz/services/samba
Andrew, that is great news! Thank you very much for your continuous effort in providing Samba for us!

Ole