On 10/16/2017 11:13 AM, Rowland Penny via samba wrote:> On Mon, 16 Oct 2017 16:53:17 +0200 > mj via samba <samba at lists.samba.org> wrote: > >> Hi, >> >> dbcheck tells us we have two "dangling forward links" that I am >> trying to get rid of. On my test domain, I have simply done >> >> ldbedit -e nano -H ./CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=COM >> >> to remove them. >> >> While that seems to have worked nicely, dbcheck report zero errors >> now, it is something that I should never have done, or do in >> production, according to Andrew: >> >> "We realise this is a difficult problem for you and other users, but >> NEVER, EVER do that." >> >> So, question: is there a SAFE way to easily get rid of those two >> "dangling forward links"? >> >> (they are Replica-Locations for a DC that has been removed years ago) >> >> MJ >> > If you need to edit the NCs in sam.ldb.d, use '--cross-ncs' with the > ldb command, this allows you safely change things. There have been > reports of AD being destroyed by directly editing the ldb's in sam.ldb.d > > Rowland >Mj, You should be able to safely remove those dangling forward links with #samba-tool domain tombstones expunge -- -- James
Hi James,> You should be able to safely remove those dangling forward links with > > #samba-tool domain tombstones expungeTried that, but after doing a full scan on - CN=Configuration - DC=samba - DC=DomainDnsZones - DC=ForstDnsZOnes it says: Removed 0 objects and 0 links successfully. And the two dangling links remain. MJ
Hai MJ Brainwave.. Goto this object, in this object is the reference which if failty. CN=84bea0a7-82dd-4237-9296-030573700698,CN=Partitions,CN=Configuration,DC=samba,DC=merit,DC=unu,DC=edu Same for : CN=d9d76e21-8cae-457d-b212-6cb192612739,CN=Partitions,CN=Configuration,DC=samba,DC=merit,DC=unu,DC=edu Now check which server this GUID are, you know the faulty GUID. Remove them from these. This can also be down with the RSAT tool User/computer manager. ( in dutch the : kenmerkeditor ) through advanced view. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens mj via samba > Verzonden: dinsdag 17 oktober 2017 10:46 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] possible to use ldbedit in a safe way > > Hi James, > > > You should be able to safely remove those dangling > forward links with > > > > #samba-tool domain tombstones expunge > > Tried that, but after doing a full scan on > - CN=Configuration > - DC=samba > - DC=DomainDnsZones > - DC=ForstDnsZOnes > > it says: > > Removed 0 objects and 0 links successfully. > > And the two dangling links remain. > > MJ > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Sorry RSAT user/comp manager, dns manager, review every object in _msdcs.you.dom.> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > L.P.H. van Belle via samba > Verzonden: dinsdag 17 oktober 2017 10:55 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] possible to use ldbedit in a safe way > > Hai MJ > > Brainwave.. > > Goto this object, in this object is the reference which if failty. > > CN=84bea0a7-82dd-4237-9296-030573700698,CN=Partitions,CN=Confi > guration,DC=samba,DC=merit,DC=unu,DC=edu > > Same for : > CN=d9d76e21-8cae-457d-b212-6cb192612739,CN=Partitions,CN=Confi > guration,DC=samba,DC=merit,DC=unu,DC=edu > > Now check which server this GUID are, you know the faulty GUID. > Remove them from these. > This can also be down with the RSAT tool User/computer manager. > ( in dutch the : kenmerkeditor ) through advanced view. > > > Greetz, > > Louis > > > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens mj > via samba > > Verzonden: dinsdag 17 oktober 2017 10:46 > > Aan: samba at lists.samba.org > > Onderwerp: Re: [Samba] possible to use ldbedit in a safe way > > > > Hi James, > > > > > You should be able to safely remove those dangling > > forward links with > > > > > > #samba-tool domain tombstones expunge > > > > Tried that, but after doing a full scan on > > - CN=Configuration > > - DC=samba > > - DC=DomainDnsZones > > - DC=ForstDnsZOnes > > > > it says: > > > > Removed 0 objects and 0 links successfully. > > > > And the two dangling links remain. > > > > MJ > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
On Tue, 2017-10-17 at 10:46 +0200, mj via samba wrote:> Hi James, > > > You should be able to safely remove those dangling forward links with > > > > #samba-tool domain tombstones expunge > > Tried that, but after doing a full scan on > - CN=Configuration > - DC=samba > - DC=DomainDnsZones > - DC=ForstDnsZOnes > > it says: > > Removed 0 objects and 0 links successfully. > > And the two dangling links remain.Indeed, currently this tool does not consider if the link points to a deleted object, that is left to dbcheck, which we hope folks will run at least every tombstone lifetime. I could make it check the target of every link, but that is a significant cost in an already expensive routine. what it will catch is deleted objects and links that are at their tombstone lifetime, and clear those out. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hi Louis, On 10/17/2017 10:54 AM, L.P.H. van Belle via samba wrote:> Goto this object, in this object is the reference which if failty. > > CN=84bea0a7-82dd-4237-9296-030573700698,CN=Partitions,CN=Configuration,DC=samba,DC=company,DC=com > > Same for : > CN=d9d76e21-8cae-457d-b212-6cb192612739,CN=Partitions,CN=Configuration,DC=samba,DC=company,DC=comThere we can read basically what dbcheck also says: Those CNs have four Replica-Locations, of which one is non-existant for years, this one:> msDS-NC-Replica-Locations in object CN=84bea0a7-82dd-4237-9296-030573700698,CN=Partitions,CN=Configuration,DC=samba,DC=company,DC=com - <GUID=81a27497-bdfb-4977-9874-675bbfba490f>;<RMD_ADDTIME=130405075610000000>;<RMD_CHANGETIME=130405075610000000>;<RMD_FLAGS=0>;<RMD_INVOCID=556b2cb4-e576-48e2-bb7c-7f62caee84fc>;<RMD_LOCAL_USN=4605>;<RMD_ORIGINATING_USN=3630>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com> Now check which server this GUID are, you know the faulty GUID.Taken from the above, that would be DC1..?> Remove them from these. > This can also be down with the RSAT tool User/computer manager. > ( in dutch the : kenmerkeditor ) through advanced view.So, in ADUC, I choose Domain Controllers, and I see DC2, DC3, DC4. (DC1 being long gone) I click (for example) DC2, Attributes Editor, no DC1 / 81a27497-bdfb-4977-9874-675bbfba490f. Then DC2, NTDS settings, connections, just the expected (correct) two DCs. Attribute Editor, msDS-NC-Replica-Locations not there. Am I doing something wrong / overlooking something? MJ