Benedikt Kaleß
2020-Apr-29 08:21 UTC
[Samba] demoted AD remains in samba-tool drs showrepl
Dear list,

in this corona crisis a delivery of an AD to a location abroad takes longer than I expected. I demoted the AD which is in delivery with

    samba-tool domain demote --remove-other-dead-server=ADDC3

If I now trigger a

    samba-tool drs showrepl

I still see him in the list:

    CN=Configuration,DC=example,DC=com
        NTDS DN: CN=NTDS Settings\0ADEL:490b60eb-3616-4f02-87c2-32b6653bfa22,CN=ADDC3\0ADEL:d424f125-bca9-4d37-907b-4b83b5558197,CN=Servers,CN=location,CN=Sites,CN=Configuration,DC=example,DC=cm
            DSA object GUID: 490b60eb-3616-4f02-87c2-32b6653bfa22
            Last attempt @ Wed Apr 22 09:29:19 2020 CEST failed, result 2 (WERR_FILE_NOT_FOUND)
            44689 consecutive failure(s).
            Last success @ NTTIME(0)

A samba-tool dbcheck lists this entry as well:

    Not fixing old string component
    NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=RID Set\0ADEL:e1e17d3e-92ac-4f33-98ce-635edabf6166,CN=Deleted Objects,DC=zfd,DC=forumzfd,DC=de - CN=ADDC3,OU=Domain Controllers,DC=example,DC=com

I don't see that server in "Active Directory Locations" tool any more.

How can I get rid of these entries in the ldap database?

Best regards
Benedikt

--
forumZFD
Entschieden für Frieden|Committed to Peace
Benedikt Kaleß
Leiter Team IT|Head team IT
Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany
Tel 0221 91273233 | Fax 0221 91273299 | http://www.forumZFD.de
Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board: Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
VR 17651 Amtsgericht Köln
Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
On 29/04/2020 09:21, Benedikt Kaleß via samba wrote:
> Dear list,
> in this corona crisis a delivery of an AD to a location abroad takes
> longer than I expected. I demoted the AD which is in delivery with
>
> samba-tool domain demote --remove-other-dead-server=ADDC3
>
> If I now trigger a
>
> samba-tool drs showrepl
>
> I still see him in the list:
>
> CN=Configuration,DC=example,DC=com
>     NTDS DN: CN=NTDS Settings\0ADEL:490b60eb-3616-4f02-87c2-32b6653bfa22,CN=ADDC3\0ADEL:d424f125-bca9-4d37-907b-4b83b5558197,CN=Servers,CN=location,CN=Sites,CN=Configuration,DC=example,DC=cm

That is a deleted object, so you can wait for the tombstone lifetime (defaults to 180 days) to expire and it will then be totally removed.

You could run:

    samba-tool domain tombstones expunge --tombstone-lifetime=1

This will delete ALL tombstoned objects over one day old.

Rowland
Hi Benedikt,

On 29/04/2020 at 10:21, Benedikt Kaleß via samba wrote:
> Dear list,
> in this corona crisis a delivery of an AD to a location abroad takes
> longer than I expected. I demoted the AD which is in delivery with
>
> samba-tool domain demote --remove-other-dead-server=ADDC3
>
> If I now trigger a
>
> samba-tool drs showrepl
>
> I still see him in the list:
>
> CN=Configuration,DC=example,DC=com
>     NTDS DN: CN=NTDS Settings\0ADEL:490b60eb-3616-4f02-87c2-32b6653bfa22,CN=ADDC3\0ADEL:d424f125-bca9-4d37-907b-4b83b5558197,CN=Servers,CN=location,CN=Sites,CN=Configuration,DC=example,DC=cm
>         DSA object GUID: 490b60eb-3616-4f02-87c2-32b6653bfa22
>         Last attempt @ Wed Apr 22 09:29:19 2020 CEST failed, result 2 (WERR_FILE_NOT_FOUND)
>         44689 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> A samba-tool dbcheck lists this entry as well:

It is normal for the ADDC3 object to go to deleted objects. The GUID reference in the repsFrom repsTo attribute is still there however. It should go away by itself after some time.

If you want to make it go faster you can run "samba_kcc". It will recheck the NTDSConnection and the repsFrom repsTo attribute and should clean them. ADDC3 will still be in Deleted Objects but won't be referenced anymore and the spurious message should go away.

Cheers,
Denis

>
> Not fixing old string component
> NOTE: old (due to rename or delete) DN string component for
> lastKnownParent in object CN=RID
> Set\0ADEL:e1e17d3e-92ac-4f33-98ce-635edabf6166,CN=Deleted
> Objects,DC=zfd,DC=forumzfd,DC=de - CN=ADDC3,OU=Domain
> Controllers,DC=example,DC=com
>
> I don't see that server in "Active Directory Locations" tool any more.
>
> How can I get rid of these entries in the ldap database?
>
> Best regards
> Benedikt
>
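Added example (not written by any participant in this thread and not Samba project code): a small Python parser that scans `samba-tool drs showrepl` text for replication partners whose NTDS DN carries the `\0ADEL:` deleted-object marker and that still accumulate failures, which is the condition discussed in the replies above. The sample output is constructed from the lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the output quoted in this thread.
SAMPLE = r"""==== INBOUND NEIGHBORS ====

CN=Configuration,DC=example,DC=com
    NTDS DN: CN=NTDS Settings\0ADEL:490b60eb-3616-4f02-87c2-32b6653bfa22,CN=ADDC3\0ADEL:d424f125-bca9-4d37-907b-4b83b5558197,CN=Servers,CN=location,CN=Sites,CN=Configuration,DC=example,DC=com
        DSA object GUID: 490b60eb-3616-4f02-87c2-32b6653bfa22
        Last attempt @ Wed Apr 22 09:29:19 2020 CEST failed, result 2 (WERR_FILE_NOT_FOUND)
        44689 consecutive failure(s).
        Last success @ NTTIME(0)
    location\ADDC1 via RPC
        DSA object GUID: 11111111-2222-3333-4444-555555555555
        Last attempt @ Wed Apr 29 10:00:01 2020 CEST was successful
        0 consecutive failure(s).
        Last success @ Wed Apr 29 10:00:01 2020 CEST
"""

DELETED_RDN = re.compile(r"\\0ADEL:[0-9a-fA-F-]{36}")  # RDN of a deleted (tombstoned) object
GUID = re.compile(r"DSA object GUID:\s*([0-9a-fA-F-]{36})")
FAILURES = re.compile(r"(\d+) consecutive failure\(s\)")

def parse_showrepl(text):
    """Return one dict per replication neighbour found in showrepl text."""
    neighbours, context, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # unindented: section banner or naming context
            context = line if re.match(r"(CN|DC)=", line) else None
            current = None
        elif line.startswith("NTDS DN:") or line.endswith(" via RPC"):
            current = {"context": context, "name": line, "guid": None,
                       "failures": 0, "never_succeeded": False,
                       "deleted": bool(DELETED_RDN.search(line))}
            neighbours.append(current)
        elif current is not None:
            if m := GUID.search(line):
                current["guid"] = m.group(1)
            elif m := FAILURES.search(line):
                current["failures"] = int(m.group(1))
            elif line == "Last success @ NTTIME(0)":
                current["never_succeeded"] = True
    return neighbours

def stale_partners(text):
    """Neighbours that point at a deleted NTDS Settings object and keep failing."""
    return [n for n in parse_showrepl(text) if n["deleted"] and n["failures"] > 0]

if __name__ == "__main__":
    for n in stale_partners(SAMPLE):
        print(f'{n["context"]}: {n["guid"]} deleted, {n["failures"]} failures')
```

Running it against showrepl output saved before and after a cleanup step shows whether the reference to the demoted DC is gone.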
Benedikt Kaleß
2020-Apr-29 10:34 UTC
[Samba] demoted AD remains in samba-tool drs showrepl
Dear Rowland,

thanks for the tip: Now I get a:

    root@addc2:~# samba-tool drs showrepl
    ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8442, 'WERR_DS_DRA_INTERNAL_ERROR')

addc2 is the guy who had the fsmo-roles. I transferred them to a third AD now.

Best
Bene

On 29.04.20 at 11:01, Rowland penny via samba wrote:
> On 29/04/2020 09:21, Benedikt Kaleß via samba wrote:
> > Dear list,
> > in this corona crisis a delivery of an AD to a location abroad takes
> > longer than I expected. I demoted the AD which is in delivery with
> >
> > samba-tool domain demote --remove-other-dead-server=ADDC3
> >
> > If I now trigger a
> >
> > samba-tool drs showrepl
> >
> > I still see him in the list:
> >
> > CN=Configuration,DC=example,DC=com
> >     NTDS DN: CN=NTDS Settings\0ADEL:490b60eb-3616-4f02-87c2-32b6653bfa22,CN=ADDC3\0ADEL:d424f125-bca9-4d37-907b-4b83b5558197,CN=Servers,CN=location,CN=Sites,CN=Configuration,DC=example,DC=cm
>
> That is a deleted object, so you can wait for the tombstone lifetime
> (defaults to 180 days) to expire and it will then be totally removed.
>
> You could run: samba-tool domain tombstones expunge --tombstone-lifetime=1
>
> This will delete ALL tombstoned objects over one day old.
>
> Rowland