On 08/01/2023 11:04, Michael Tokarev via samba wrote:
> Hello!
>
> I'm trying to remove a DC from our samba domain (samba 4.17.4).
> It was the primary controller (with FSMO roles), - I successfully
> transferred the roles to another DC. Now it's time to demote:
>
> ai# samba-tool domain demote -U mjt-adm
> Using svdcp.tls.msk.ru as partner server for the demotion
> Password for [TLS\mjt-adm]:
> Deactivating inbound replication
> Asking partner server svdcp.tls.msk.ru to synchronize from us
> Changing userControl and container
> Error while demoting, re-enabling inbound replication
> ERROR(ldb): Error while renaming CN=AI,OU=Domain
> Controllers,DC=tls,DC=msk,DC=ru to
> CN=AI,CN=Computers,DC=tls,DC=msk,DC=ru - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <acl:access_denied renaming
> CN=AI,OU=Domain Controllers,DC=tls,DC=msk,DC=ru> <>
>
> mjt-adm is a user with admin rights (domain admins group) in the dc.
> It is interesting that I cannot use the Administrator account for this:
> it asks for the password twice, and refuses to work saying the
> login is incorrect, even if the same password works for
> smbclient.
>
> Now, after the first attempt to demote, some things don't work
> right, e.g.:
>
> ai# samba-tool drs showrepl
> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,
> 'WERR_DS_DRA_ACCESS_DENIED')
>
> (it definitely worked at least before the FSMO roles transfer).
>
> Should I force-remove it from another DC?
>
> Thanks,
>
> /mjt
>
If you get any errors whilst trying to demote a DC, then it is probably
quicker to forcibly demote the DC on another DC; why waste time trying
to fix something you are trying to get rid of?
Just as a note, I never have problems like this, but I always use
Administrator. Your problem was possibly a privilege problem that was
reported as a permissions problem.
Rowland