On Thu, 2016-10-13 at 19:00 -0500, Bob of Donelson Trophy via samba wrote:
> A few days ago I demoted my first DC (a v4.2.14, I think) and thought
> the demote had gone well. Now, when I run "samba-tool dnsupdate
> --verbose" I can see references to the first DC that remain.
> Unfortunately, that DC no longer exists so I simply cannot demote it
> again.
>
> Following the instructions on the "Demote a Samba AD DC" page
> "Verifying The Demotion" section, I can see references to the original
> AD DC in the ADUC, ADSS and the MMC Console. So, I need to fix this.
>
> Currently I am running a Samba 4.3.11 version AD DC. I see that it is
> suggested that I use v4.4.0 or newer to "Demote an Offline Domain
> Controller."
>
> I have a second v4.5.0 AD DC waiting to join the existing v4.3.11 AD DC.
> The idea is to join the v4.5.0, get it working and demote the v4.3.11 AD
> DC to rebuild it (the v4.3.11) as the then second AD DC running v4.5.0.
> The end result being I will have two AD DC running v4.5.0.
>
> Now, the question, do I ignore the dns issue, for now, and move forward
> with the second (v4.5.0) AD DC join, demote the v4.3.11 DC and then
> "remove-the-other-dead-server" with the v4.5.0 DC? Is there any issue I
> may be overlooking?

That seems reasonable. However it is better to upgrade servers than to
demote/join if you can. If you don't need to do the underlying OS,
Samba actually works better when you just upgrade in place, rather than
try and do what seems tidy, because as you have seen, a DC is very hard
to totally remove from the state.
In particular (a bug) moving the RID manager FSMO around is causing
folks pain right now.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba