samba - Feb 2014 - how to remove an (offline) DC from Samba 4 ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

What would be the recommended way to remove an old offline DC from Samba4?

I searched in samba-tool for a way to do this, but didn't find any.
Tried using the Windows tools to manage AD Users & Computers -> Domain
Controllers -> The DC & then hit delete, however this gives an error
'cannot
find specified module'.
On https://wiki.samba.org/index.php/Samba4/DRS_TODO_List I read this is
likely a known issue:
"Fix DsRemoveDSServer

Removing a DC from the Domain Controllers container when using windows
user/group admin tool against a s4 DC fails with "bad stub data". It
generated a fault on the wire. "

Given that both samba-tool and the using the ADUC tools are a dead end, what
should I do?

Should I start messing with ldbedit/ldbdel? I'm worried to mess up things,
especially dead references to the old DC. Or is this the way to go.

This is on samba 4.1.4, running as AD, with all FSMO roles seized (in case
it matters).

Any help would be appreciated.

Thanks,

Bram.

- -- 
Bram Matthys
Software developer/IT consultant        syzop at vulnscan.org
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlMB2TgACgkQbmdtRX/hmaZ1/QD9EQo9g5DZ3ml/9ZkSQH5Y2cY5
1HpDgR6J0nWt8Yiu4D4A/R0MB+wdiDIfXmga+o9ep7sy083cE/Z6xKL7RNoCqoXc
=aPzr
-----END PGP SIGNATURE-----

Hi Bram,
>
> What would be the recommended way to remove an old offline DC from Samba4?
>
> I searched in samba-tool for a way to do this, but didn't find any.
> Tried using the Windows tools to manage AD Users & Computers ->
Domain
> Controllers -> The DC & then hit delete, however this gives an error
'cannot
> find specified module'.
> On https://wiki.samba.org/index.php/Samba4/DRS_TODO_List I read this is
> likely a known issue:
> "Fix DsRemoveDSServer
>
> Removing a DC from the Domain Controllers container when using windows
> user/group admin tool against a s4 DC fails with "bad stub data".
It
> generated a fault on the wire. "
>
> Given that both samba-tool and the using the ADUC tools are a dead end,
what
> should I do?
>
> Should I start messing with ldbedit/ldbdel? I'm worried to mess up
things,
> especially dead references to the old DC. Or is this the way to go.
You can actually get stuck in a similar situation with MSAD. There is a 
web page on microsoft about that http://support.microsoft.com/kb/216498 
. I had once to dig into that with a dead DC that wouldn't leave my 
win2k DC alone.

I'd advise you to use ApacheDirectoryStudio instead of adsiedit to 
remove the old entries from your AD, it is much more user friendly. Be 
sure to have a good backup before fiddling with your ldap entries!

Then use your dnsmgmt.msc to check and remove all the DNS entries of the 
old DC servers (NS and SRV fields).

Hope this helps,

Denis

> This is on samba 4.1.4, running as AD, with all FSMO roles seized (in case
> it matters).
>
> Any help would be appreciated.
>
> Thanks,
>
> Bram.
>
> - --
> Bram Matthys
> Software developer/IT consultant        syzop at vulnscan.org
> Website:                                  www.vulnscan.org
> PGP key:                       www.vulnscan.org/pubkey.asc
> PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
>
> iF4EAREIAAYFAlMB2TgACgkQbmdtRX/hmaZ1/QD9EQo9g5DZ3ml/9ZkSQH5Y2cY5
> 1HpDgR6J0nWt8Yiu4D4A/R0MB+wdiDIfXmga+o9ep7sy083cE/Z6xKL7RNoCqoXc
> =aPzr
> -----END PGP SIGNATURE-----
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, b?timent A
12 avenue Jules Verne
44230 Saint S?bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

Hi

I found a script

http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

which did the removal of a dead windows DC form an samba4 AD

We startet is on a domain member as domain admin, it shows a list auf
dc's, you can select th one to remove

After the removal I did not find any references of the old one
with
ldbedit -e vi -H /etc/samba/sam.ldb --cross-ncs

and drs replication did not show any faild targets any more.
In oure case fsmo and GC roles have already been transfered to the samba dc.
 

It only removes the AD entries, not the dns entries, but it works fine
in our setup.

Regards

Hansj?rg Maurer


Am 17.02.2014 10:41, schrieb Bram Matthys:
> Hi all,
>
> What would be the recommended way to remove an old offline DC from Samba4?
>
> I searched in samba-tool for a way to do this, but didn't find any.
> Tried using the Windows tools to manage AD Users & Computers ->
Domain
> Controllers -> The DC & then hit delete, however this gives an error
'cannot
> find specified module'.
> On https://wiki.samba.org/index.php/Samba4/DRS_TODO_List I read this is
> likely a known issue:
> "Fix DsRemoveDSServer
>
> Removing a DC from the Domain Controllers container when using windows
> user/group admin tool against a s4 DC fails with "bad stub data".
It
> generated a fault on the wire. "
>
> Given that both samba-tool and the using the ADUC tools are a dead
end, what
> should I do?
>
> Should I start messing with ldbedit/ldbdel? I'm worried to mess up
things,
> especially dead references to the old DC. Or is this the way to go.
>
> This is on samba 4.1.4, running as AD, with all FSMO roles seized (in case
> it matters).
>
> Any help would be appreciated.
>
> Thanks,
>
> Bram.
>
-- 
Dr. Hansj?rg Maurer
itsystems Deutschland AG
Erzgie?ereistr. 22
80335 M?nchen
Tel:   +49-89-52 04 68-41
Fax:   +49-89-52 04 68-59
E-Mail: hansjoerg.maurer at itsd.de
Web:    http://www.itsd.de


Amtsgericht M?nchen HRB 132146
USt-IdNr. DE 812991301
Steuer-Nr. 143/100/81575

Aufsichtsratsvorsitzender:
Stefan Adam
Vorstand:
Dr. Michael Krocka
Dr. Hansj?rg Maurer