I'm trying to remove a DC from a Samba4 based AD network, but run into 
an error that I can't fathom. Can anyone point me in the right direction?
# samba-tool domain demote -Uadministrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using SOGO3.ad.oak-wood.co.uk as partner server for the demotion
Using binding ncacn_ip_tcp:SOGO3.ad.oak-wood.co.uk[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name SOGO3.ad.oak-wood.co.uk<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name SOGO3.ad.oak-wood.co.uk<0x20>
Password for [NUMBER37\administrator]:
Deactivating inbound replication
Asking partner server SOGO3.ad.oak-wood.co.uk to synchronize from us
Error while demoting, re-enabling inbound replication
ERROR(<class 'samba.drs_utils.drsException'>): Error while sending a DsReplicaSync for partion CN=Schema,CN=Configuration,DC=ad,DC=oak-wood,DC=co,DC=uk - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 720, in run
    sendDsReplicaSync(drsuapiBind, drsuapi_handle, ntds_guid, str(part), drsuapi.DRSUAPI_DRS_WRIT_REP)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Hi Chris,

On 22/03/2016 22:07, Chris Hastie wrote:
> I'm trying to remove a DC from a Samba4 based AD network, but run into
> an error that I can't fathom. Can anyone point me in the right direction?
>
> # samba-tool domain demote -Uadministrator

which version of samba are you using? 4.4 or below?

is the sogo3.ad.oak-wood.co.uk server still running ok or do you have replication problem on that server?

Server demotion has been a common issue for quite some time. Could you try to upgrade to 4.4 and run the samba-tool demote with the --remove-other-dead-server flag?

Otherwise you can demote by hand cleaning up the LDAP and DNS on the DC that is still running properly.

HTH,

Denis

> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using SOGO3.ad.oak-wood.co.uk as partner server for the demotion
> Using binding ncacn_ip_tcp:SOGO3.ad.oak-wood.co.uk[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name SOGO3.ad.oak-wood.co.uk<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name SOGO3.ad.oak-wood.co.uk<0x20>
> Password for [NUMBER37\administrator]:
> Deactivating inbound replication
> Asking partner server SOGO3.ad.oak-wood.co.uk to synchronize from us
> Error while demoting, re-enabling inbound replication
> ERROR(<class 'samba.drs_utils.drsException'>): Error while sending a DsReplicaSync for partion CN=Schema,CN=Configuration,DC=ad,DC=oak-wood,DC=co,DC=uk - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 720, in run
>     sendDsReplicaSync(drsuapiBind, drsuapi_handle, ntds_guid, str(part), drsuapi.DRSUAPI_DRS_WRIT_REP)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

On 23/03/2016 11:31, Denis Cardon wrote:
> which version of samba are you using? 4.4 or below?

Hi, thanks for your suggestions. I have version 4.1.6 on the two DCs that should remain (from Ubuntu 14.04 LTS packages). The one I'm trying to demote is actually 4.3.4 from the Zentyal repositories.

> is the sogo3.ad.oak-wood.co.uk server still running ok or do you have
> replication problem on that server?

I have three DCs, oak, sogo3 and zent1. As far as I can tell replication between sogo3 and oak is fine, although occasionally flaky (sometimes I have to restart them to get them synced). Replication between zent1 and the others has never really worked, which is one of the reasons I want to demote it. I've also tried doing the demote on zent1 with --server=oak.ad.oak-wood.co.uk to force the choice of server to partner with, but with the same effect.

> Server demotion has been a common issue for quite some time. Could you
> try to upgrade to 4.4 and run the samba-tool demote with the
> --remove-other-dead-server flag?
>
> Otherwise you can demote by hand cleaning up the LDAP and DNS on the DC
> that is still running properly.

Of the two options which would you recommend? I'm reticent to compile 4.4 from source as I try to keep everything on Ubuntu LTS and standard repositories. On the other hand, hand cleaning sounds like it could be fraught with problems and gotchas.

Thanks

Chris
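
A check related to the replication state discussed in this thread, added here as an example and not part of any poster's message: it parses `samba-tool drs showrepl` output and lists the links whose last attempt failed, which is worth knowing on each remaining DC before and after a demotion. The sample text is constructed (host names follow the thread; GUIDs, timestamps and failure counts are invented) and `failing_links` is a hypothetical helper name.

```python
import re

# Constructed sample in the layout of `samba-tool drs showrepl`; host names
# follow the thread, GUIDs, timestamps and results are invented.
SAMPLE = """\
==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=ad,DC=oak-wood,DC=co,DC=uk
\tDefault-First-Site-Name\\OAK via RPC
\t\tDSA object GUID: 00000000-0000-0000-0000-000000000001
\t\tLast attempt @ Wed Mar 23 11:20:01 2016 GMT was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Wed Mar 23 11:20:01 2016 GMT

CN=Schema,CN=Configuration,DC=ad,DC=oak-wood,DC=co,DC=uk
\tDefault-First-Site-Name\\ZENT1 via RPC
\t\tDSA object GUID: 00000000-0000-0000-0000-000000000002
\t\tLast attempt @ Wed Mar 23 11:20:03 2016 GMT failed, result 2 (WERR_BADFILE)
\t\t17 consecutive failure(s).
\t\tLast success @ NTTIME(0)
"""

SECTION = re.compile(r"^==== (.+?) ====$")
NEIGHBOUR = re.compile(r"^\s+(\S.*) via RPC$")
FAILED = re.compile(r"^\s+Last attempt @ .* failed, result (\d+) \((\w+)\)$")
COUNT = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.$")


def failing_links(text):
    """Return one record per replication link whose last attempt failed."""
    section = nc = dsa = err = None
    out = []
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
        elif line and not line[0].isspace():
            nc = line.strip()            # unindented line: naming context DN
        elif m := NEIGHBOUR.match(line):
            dsa, err = m.group(1), None  # new neighbour, reset error state
        elif m := FAILED.match(line):
            err = m.group(2)             # symbolic WERR_* code
        elif (m := COUNT.match(line)) and err:
            out.append({"section": section, "nc": nc, "dsa": dsa,
                        "error": err, "failures": int(m.group(1))})
    return out
```

Feed it the captured output of `samba-tool drs showrepl` from each DC; an empty list means no link reported a failed last attempt.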