Hi, I demoted a running domain controller by running the samba-tool demote command on the running system to be demoted and there's still some DNS entries for the old one kicking around. It's still listed under _msdcs and also _kerberos._udp and _ldap._tcp. Should I manually remove them? If so, is there a list of spots to look in for DNS entries of old DCs? Also, does the fact that these entries weren't removed indicate I had something misconfigured on the to-be-removed system or I screwed up the demotion procedures?
On Tue, 2017-09-05 at 18:39 -0400, Patrick Lepore via samba wrote:
> Hi, I demoted a running domain controller by running the samba-tool demote
> command on the running system to be demoted and there's still some DNS
> entries for the old one kicking around. It's still listed under _msdcs and
> also _kerberos._udp and _ldap._tcp.
>
> Should I manually remove them?

Yes.

> If so, is there a list of spots to look in
> for DNS entries of old DCs?

The remove-other-dead-server option looks for records pointing at the AD record of the demoted DC.

> Also, does the fact that these entries weren't removed indicate I had
> something misconfigured on the to-be-removed system or I screwed up the
> demotion procedures?

No.

If you used the --remove-other-dead-server option, it would have removed them. The online removal isn't as complete.

I've scoped out the work (on behalf of a client) to make the dynamic records expire, to have a cleanup and to make the online cleanup more thorough, but for now that is how it is.

Sorry,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Ok, I'll clean up those records manually.

On Wed, Sep 6, 2017 at 5:42 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2017-09-05 at 18:39 -0400, Patrick Lepore via samba wrote:
> > Hi, I demoted a running domain controller by running the samba-tool demote
> > command on the running system to be demoted and there's still some DNS
> > entries for the old one kicking around. It's still listed under _msdcs and
> > also _kerberos._udp and _ldap._tcp.
> >
> > Should I manually remove them?
>
> Yes.
>
> > If so, is there a list of spots to look in
> > for DNS entries of old DCs?
>
> The remove-other-dead-server option looks for records pointing at the
> AD record of the demoted DC.
>
> > Also, does the fact that these entries weren't removed indicate I had
> > something misconfigured on the to-be-removed system or I screwed up the
> > demotion procedures?
>
> No.
>
> If you used the --remove-other-dead-server option, it would have
> removed them. The online removal isn't as complete.
>
> I've scoped out the work (on behalf of a client) to make the dynamic
> records expire, to have a cleanup and to make the online cleanup more
> thorough, but for now that is how it is.
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
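The manual cleanup the thread settles on can be made less error-prone by scripting the search for leftovers. The script below is an added example, not code from the thread or from Samba: it parses the output of `samba-tool dns query <server> <zone> @ ALL`, lists every SRV, A, NS and CNAME record that still points at the demoted DC, and renders the matching `samba-tool dns delete` commands for review. The hosts dc1/dc2, the zone example.com and the zone dump are constructed sample data.

```python
import re

# Line shapes as printed by `samba-tool dns query <server> <zone> @ ALL`.
NAME_RE = re.compile(r"^\s*Name=(\S+), Records=\d+")
REC_RE = re.compile(r"^\s+(SRV|A|NS|CNAME): (.+?) \(flags=")
SRV_RE = re.compile(r"^(\S+?)\.? \((\d+), (\d+), (\d+)\)$")

# Constructed sample: example.com zone after dc2 (192.0.2.2) was demoted.
SAMPLE_DUMP = """\
  Name=@, Records=2, Children=0
    A: 192.0.2.1 (flags=600000f0, serial=110, ttl=900)
    A: 192.0.2.2 (flags=600000f0, serial=110, ttl=900)
  Name=_kerberos._udp, Records=2, Children=0
    SRV: dc1.example.com. (88, 0, 100) (flags=600000f0, serial=110, ttl=900)
    SRV: dc2.example.com. (88, 0, 100) (flags=600000f0, serial=110, ttl=900)
  Name=_ldap._tcp, Records=2, Children=0
    SRV: dc1.example.com. (389, 0, 100) (flags=600000f0, serial=110, ttl=900)
    SRV: dc2.example.com. (389, 0, 100) (flags=600000f0, serial=110, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 192.0.2.2 (flags=600000f0, serial=110, ttl=900)
"""

def find_stale_records(dump, old_dc_fqdn, old_dc_ip):
    """Return (name, type, data) for each record still pointing at the demoted
    DC; data is in the form `samba-tool dns delete` takes (SRV: host port prio weight)."""
    old_host = old_dc_fqdn.lower().rstrip(".")
    stale, name = [], None
    for line in dump.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)          # record set name within the zone
            continue
        m = REC_RE.match(line)
        if not m or name is None:
            continue
        rtype, raw = m.groups()
        if rtype == "SRV":
            s = SRV_RE.match(raw)
            target, data = s.group(1), " ".join(s.groups())
        else:                          # A / NS / CNAME: single target or address
            target = data = raw.rstrip(".")
        if target.lower() == old_host or (rtype == "A" and raw == old_dc_ip):
            stale.append((name, rtype, data))
    return stale

def delete_commands(server, zone, stale):
    """Render the manual cleanup as samba-tool commands (review before running)."""
    return [f'samba-tool dns delete {server} {zone} {n} {t} "{d}"' for n, t, d in stale]
```

Run it over the dump of the domain zone and again over the `_msdcs.<domain>` zone, where the demoted DC's GUID CNAME lives; the candidate list should be checked by eye before any delete is executed.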