Hello,

I am running in a duplicate test environment of my work domain.

I have 2 x 4.1 DCs and 2 x 4.7 DCs.

I have transferred FSMO role to #3 and it is replicating to #4 fine.

I have demoted #1 which appeared to go fine and have turned it off.

When I try to demote #2 it fails with the error...

    Using dc3.domain.com as partner server for the demotion
    Password for [DOMAIN\administrator]:
    Desactivating inbound replication
    Asking partner server dc3.domain.com to synchronize from us
    Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
    Failed to connect to 'ldap://dc3.domain.com' with backend 'ldap': (null)
    Error while demoting, re-enabling inbound replication
    ERROR(ldb): Error while changing account control - None

...any ideas?

My first guess is the difference between Gentoo/Samba 4.1 and Ubuntu/4.7

Thanks in advance.

--
Paul Littlefield
Set on the newest DCs the following.

    ldap server require strong auth = no

Should help but it's advised to remove it when you're done.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Paul Littlefield via samba
> Sent: Friday 25 May 2018 16:46
> To: samba at lists.samba.org
> Subject: [Samba] Demoting troublesome DC
>
> Hello,
>
> I am running in a duplicate test environment of my work domain.
>
> I have 2 x 4.1 DCs and 2 x 4.7 DCs.
>
> I have transferred FSMO role to #3 and it is replicating to #4 fine.
>
> I have demoted #1 which appeared to go fine and have turned it off.
>
> When I try to demote #2 it fails with the error...
>
> Using dc3.domain.com as partner server for the demotion
> Password for [DOMAIN\administrator]:
> Desactivating inbound replication
> Asking partner server dc3.domain.com to synchronize from us
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> Failed to connect to 'ldap://dc3.domain.com' with backend 'ldap': (null)
> Error while demoting, re-enabling inbound replication
> ERROR(ldb): Error while changing account control - None
>
> ...any ideas?
>
> My first guess is the difference between Gentoo/Samba 4.1 and Ubuntu/4.7
>
> Thanks in advance.
>
> --
> Paul Littlefield
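As an added example (not part of the thread and not Samba project code): the `ldap server require strong auth = no` workaround above is meant to be temporary, so a small Python check can confirm it was removed from smb.conf once the demotion is finished. The sample configurations and function names are constructed for illustration, and the parser assumes that lines before any section header belong to [global].

```python
import re

# Samba ignores case and whitespace inside parameter names.
PARAM = "ldapserverrequirestrongauth"
# Conservative choice: only these spellings count as "strong auth enforced".
ENFORCED = {"yes", "true", "1"}

def logical_lines(text):
    """Yield smb.conf lines with comments/blanks dropped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#;"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def strong_auth_setting(conf_text):
    """Return the effective [global] value; 'yes' is the documented default."""
    section, value = "global", "yes"  # assumption: leading lines are global
    for line in logical_lines(conf_text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, _, val = line.partition("=")
            if re.sub(r"\s+", "", name).lower() == PARAM:
                value = val.strip().lower()  # last occurrence wins
    return value

def audit(conf_text):
    """Return (ok, value): ok is False while the workaround is still in place."""
    value = strong_auth_setting(conf_text)
    return value in ENFORCED, value

# Constructed sample: workaround left behind after the demotion.
SAMPLE_WEAK = """
# constructed sample, not a real DC configuration
[global]
    netbios name = DC3
    server role = active directory domain controller
    LDAP Server Require  Strong Auth = No
[netlogon]
    path = /var/lib/samba/sysvol/domain.com/scripts
"""
# Constructed sample: workaround removed, default applies.
SAMPLE_CLEAN = SAMPLE_WEAK.replace("    LDAP Server Require  Strong Auth = No\n", "")

if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK), ("clean", SAMPLE_CLEAN)):
        print(label, audit(conf))
```

On a live DC, pass the contents of the actual smb.conf to `audit()`; a result of `(False, 'no')` means unsigned, unsealed LDAP binds are still accepted.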
On Fri, 25 May 2018 14:46:21 +0000 Paul Littlefield via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I am running in a duplicate test environment of my work domain.
>
> I have 2 x 4.1 DCs and 2 x 4.7 DCs.
>
> I have transferred FSMO role to #3 and it is replicating to #4 fine.
>
> I have demoted #1 which appeared to go fine and have turned it off.
>
> When I try to demote #2 it fails with the error...
>
> Using dc3.domain.com as partner server for the demotion
> Password for [DOMAIN\administrator]:
> Desactivating inbound replication
> Asking partner server dc3.domain.com to synchronize from us
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> Failed to connect to 'ldap://dc3.domain.com' with backend 'ldap': (null)
> Error while demoting, re-enabling inbound replication
> ERROR(ldb): Error while changing account control - None
>
> ...any ideas?
>
> My first guess is the difference between Gentoo/Samba 4.1 and Ubuntu/4.7
>
> Thanks in advance.

Run on the 4.7.x DC:

    samba-tool domain demote --remove-other-dead-server=dc

Where 'dc' is the hostname of the DC that you want to remove.

Rowland
On 25/05/18 16:04, L.P.H. van Belle via samba wrote:

> ldap server require strong auth = no

Thanks!

--
Paul Littlefield
On 25/05/18 16:15, Rowland Penny via samba wrote:

> samba-tool domain demote --remove-other-dead-server=dc

Brilliant... that made my day, I can't stop laughing.

I love the way options are named. Almost as good as the 'vampire' option.

Thanks Rowland. :-)

--
Paul Littlefield
On 25/05/18 16:04, L.P.H. van Belle via samba wrote:

> Set on the newest DCs the following.
>
> ldap server require strong auth = no
>
> Should help but it's advised to remove it when you're done.

Yes! This worked a treat.

Now, we are trying to remove all references to the old DCs in the 'Computers' OU.

When we use RSAT and try to delete DC1 or DC2 (now demoted) we get a warning:-

"Deleting all of the objects it contains with an option to use 'delete subtree server control'"

The only contained object is 'RID Set'.

Is it safe to do this and delete RID Set and the Computer from OU?

Thanks,

--
Paul Littlefield