Hi,

I'm preparing to move a small business environment away from Windows-based AD (Windows Server 2012R2, Domain and Forest downgraded to Win2008R2 level) to Samba. So far in my lab environment joining Samba as a DC works, including DNS and Sysvol replication.

OS: Debian 9
Samba versions 4.5.12 (Debian repository) and 4.8.2 (latest release compiled from source), same behavior on both versions

As the goal is to get rid of the Windows server, I've tried to demote the Windows DC by uninstalling Active Directory services from the server. This fails with the following error message:

Uninstall-ADDSDomainController : The operation failed because:
Active Directory Domain Services could not find another Active Directory Domain Controller to transfer the remaining data in directory partition DC=ForestDnsZones,DC=example,DC=lan.
"The specified domain either does not exist or could not be contacted."

When I've got more than one Windows AD DC active, demotion of one or the other works fine, but removing the last Windows DC fails.

FSMO roles have all been transferred to the Debian Samba AD (DC3 in this case):

# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan

samba-tool drs showrepl shows no failures.

Is there any further preparation I need to do on the Windows server side to make a clean demotion possible? I can force the removal of the Windows DC but this led to leftover data in the LDAP database and DNS that I have to excise by hand, which I don't find ideal.

I'm thankful for any advice on how to accomplish this.

Best regards,
Pietro
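The two checks the original poster ran by eye before attempting the demotion (every FSMO role on the remaining Samba DC, no replication failures in `samba-tool drs showrepl`) are easy to get wrong when seven long DNs scroll past. The following Python is an added example, not code from the thread or from the Samba project: it parses the text output of `samba-tool fsmo show` and `samba-tool drs showrepl` and reports anything that would make removing the last Windows DC unsafe. The sample outputs embedded below are constructed in the shape of those commands' output (the failing partition, its error text and the GUIDs are made up), and the role names are the seven that `samba-tool fsmo show` prints in the thread.

```python
import re
from typing import Dict, List

# The seven roles samba-tool fsmo show prints, in the order shown in the thread.
EXPECTED_ROLES = (
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
)

# "<Role> owner: CN=NTDS Settings,CN=<dc>,CN=Servers,..." -> capture role and dc.
FSMO_RE = re.compile(r"^(?P<role>\w+) owner: CN=NTDS Settings,CN=(?P<dc>[^,]+),")
# "N consecutive failure(s)." as printed per inbound/outbound neighbour.
FAIL_RE = re.compile(r"(\d+) consecutive failure\(s\)")

SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan"


def _owner(dc: str) -> str:
    return f"CN=NTDS Settings,CN={dc},{SITE}"


# Constructed sample: all roles on DC3, as in the thread.
SAMPLE_FSMO_OK = "\n".join(f"{r} owner: {_owner('DC3')}" for r in EXPECTED_ROLES) + "\n"
# Constructed sample: PDC emulator still on the Windows DC, one role line missing.
SAMPLE_FSMO_BAD = "\n".join(
    f"{r} owner: {_owner('DC' if r == 'PdcEmulationMasterRole' else 'DC3')}"
    for r in EXPECTED_ROLES if r != "DomainDnsZonesMasterRole") + "\n"

# Constructed sample in the shape of `samba-tool drs showrepl`; GUIDs and the
# failure on the ForestDnsZones partition are invented for the example.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\DC3
DSA Options: 0x00000001
DSA object GUID: 11111111-1111-1111-1111-111111111111
DSA invocationId: 22222222-2222-2222-2222-222222222222

==== INBOUND NEIGHBORS ====

DC=example,DC=lan
\tDefault-First-Site-Name\\DC via RPC
\t\tDSA object GUID: 33333333-3333-3333-3333-333333333333
\t\tLast attempt @ Wed Jun 20 13:00:00 2018 CEST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Wed Jun 20 13:00:00 2018 CEST

DC=ForestDnsZones,DC=example,DC=lan
\tDefault-First-Site-Name\\DC via RPC
\t\tDSA object GUID: 33333333-3333-3333-3333-333333333333
\t\tLast attempt @ Wed Jun 20 13:00:00 2018 CEST failed, result 1 (constructed example error)
\t\t3 consecutive failure(s).
\t\tLast success @ Wed Jun 20 10:00:00 2018 CEST
"""


def parse_fsmo(text: str) -> Dict[str, str]:
    """Map each role name to the short name of the DC holding it."""
    roles: Dict[str, str] = {}
    for line in text.splitlines():
        m = FSMO_RE.match(line.strip())
        if m:
            roles[m["role"]] = m["dc"]
    return roles


def fsmo_problems(text: str, target_dc: str) -> List[str]:
    """Roles that are missing from the output or held by a DC other than target_dc."""
    roles = parse_fsmo(text)
    problems = []
    for role in EXPECTED_ROLES:
        if role not in roles:
            problems.append(f"{role}: not reported")
        elif roles[role].lower() != target_dc.lower():
            problems.append(f"{role}: held by {roles[role]}, not {target_dc}")
    return problems


def repl_failures(text: str) -> List[str]:
    """Partition/neighbour pairs whose consecutive-failure counter is non-zero."""
    failures, partition, neighbor = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(("\t", " ")):
            # Unindented lines are partition DNs or section headers; only DNs count.
            partition = line if line.startswith(("DC=", "CN=")) else None
            neighbor = None
            continue
        if " via " in line and partition:
            neighbor = line.split(" via ")[0]  # e.g. Default-First-Site-Name\DC
            continue
        m = FAIL_RE.search(line)
        if m and partition and neighbor and int(m.group(1)) > 0:
            failures.append(f"{partition} from {neighbor}: {m.group(1)} consecutive failure(s)")
    return failures


def preflight(fsmo_text: str, showrepl_text: str, target_dc: str) -> dict:
    """Combine both checks; 'ready' is True only when nothing is flagged."""
    report = {"fsmo": fsmo_problems(fsmo_text, target_dc),
              "replication": repl_failures(showrepl_text)}
    report["ready"] = not report["fsmo"] and not report["replication"]
    return report


if __name__ == "__main__":
    # Real use: feed the captured output of the two samba-tool commands instead.
    for key, value in preflight(SAMPLE_FSMO_BAD, SAMPLE_SHOWREPL, "DC3").items():
        print(key, value)
```

Run against real output (for example by piping `samba-tool fsmo show` and `samba-tool drs showrepl` into files and reading them in place of the samples), a non-empty `fsmo` list means a role still has to be transferred and a non-empty `replication` list means the remaining DC has not yet received everything the departing one holds, which is the situation the Windows-side error in the thread describes.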
On Wed, 2018-06-20 at 13:13 +0200, Pietro Stäheli via samba wrote:
> Hi,
>
> I'm preparing to move a small business environment away from
> Windows-based AD (Windows Server 2012R2, Domain and Forest downgraded to
> Win2008R2 level) to Samba. So far in my lab environment joining Samba as
> a DC works, including DNS and Sysvol replication.

To be clear, we don't replicate sysvol, you need to work that out yourself (yes, this sucks).

> Is there any further preparation I need to do on the Windows server side
> to make a clean demotion possible? I can force the removal of the
> Windows DC but this led to leftover data in the LDAP database and DNS
> that I have to excise by hand, which I don't find ideal.
>
> I'm thankful for any advice on how to accomplish this.

samba-tool domain demote --remove-other-dead-server

This should clean up most of it. What is still left behind?

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hi,

On 20/06/2018 20:38, Andrew Bartlett wrote:
> To be clear, we don't replicate sysvol, you need to work that out
> yourself (yes, this sucks).
>

Right, I'm doing that with Robocopy from the Windows DC initially, then with rsync.

>> Is there any further preparation I need to do on the Windows server side
>> to make a clean demotion possible? I can force the removal of the
>> Windows DC but this led to leftover data in the LDAP database and DNS
>> that I have to excise by hand, which I don't find ideal.
>>
>> I'm thankful for any advice on how to accomplish this.
>
> samba-tool domain demote --remove-other-dead-server
>

Unfortunately this causes the following error:

# samba-tool domain demote --remove-other-dead-server=DC
Removing nTDSConnection: CN=6e15b4f5-1863-4259-8817-c7835ed7815e,CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
Removing nTDSDSA: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan (and any children)
ERROR(ldb): uncaught exception - subtree_delete: Unable to delete a non-leaf node (it has 1 children)!
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 721, in run
    remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
  File "/usr/lib/python2.7/dist-packages/samba/remove_dc.py", line 422, in remove_dc
    remove_dns_account=True)
  File "/usr/lib/python2.7/dist-packages/samba/remove_dc.py", line 350, in offline_remove_ntds_dc
    remove_dns_account=remove_dns_account)
  File "/usr/lib/python2.7/dist-packages/samba/remove_dc.py", line 229, in offline_remove_server
    samdb.delete(server_dn)
A transaction is still active in ldb context [0x560a67adb490] on tdb:///var/lib/samba/private/sam.ldb

(never mind that this is now on DC1, not DC3, I've torn down the test environment a few times)

Manual removal of 'CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan' in ADSIEdit didn't go well and caused all replication to break at some point.

I must be missing something here but I can't quite figure out what exactly.

Best regards,
Pietro Stäheli
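The error in the post above, "Unable to delete a non-leaf node (it has 1 children)", is ldb refusing to delete an object while something still sits beneath it in the tree: the delete of the server object has to happen after every descendant is gone. Before touching anything with ADSIEdit it helps to see exactly which entries remain under the dead DC's server object and in what order they would have to go. The Python below is an added example, not Samba's own `remove_dc.py` and not code from the thread: it parses LDIF of the kind `ldbsearch -H /var/lib/samba/private/sam.ldb` prints, lists the direct children that block a delete of a given DN, and computes a deepest-first deletion order for the whole subtree. The embedded LDIF is constructed to mirror the thread's DNs (CN=DC as the Windows DC, CN=DC1 as a Samba DC); the connection object's GUID is a placeholder, and DN handling is deliberately naive (commas inside RDN values are not supported).

```python
from typing import Dict, List, Optional

# Constructed LDIF in the shape of ldbsearch output. Only the DNs matter here;
# the nTDSConnection GUID is a placeholder, not a value from the thread.
SAMPLE_LDIF = """\
# record 1
dn: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
objectClass: server
cn: DC

# record 2
dn: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
objectClass: nTDSDSA
cn: NTDS Settings

# record 3
dn: CN=00000000-0000-0000-0000-000000000001,CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
objectClass: nTDSConnection
fromServer: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan

# record 4
dn: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
objectClass: server
cn: DC1

# record 5
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
objectClass: nTDSDSA
cn: NTDS Settings
"""

SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan"
SERVER_DN = f"CN=DC,{SITE}"
NTDS_DN = f"CN=NTDS Settings,{SERVER_DN}"
CONN_DN = f"CN=00000000-0000-0000-0000-000000000001,{NTDS_DN}"


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {dn: {attribute: [values]}}. Folded lines (leading space) are
    joined; base64 ('::') values are kept raw, which is fine for DN work."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[Dict[str, List[str]]] = None
    for line in lines + [""]:          # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current and "dn" in current:
                entries[current["dn"][0]] = current
            current = None
            continue
        if ":" not in line:
            continue
        attr, value = line.split(":", 1)
        current = current if current is not None else {}
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def norm(dn: str) -> str:
    """Case-insensitive, whitespace-insensitive DN for comparison (naive split)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def depth(dn: str) -> int:
    return norm(dn).count(",") + 1


def is_under(dn: str, base: str) -> bool:
    return norm(dn).endswith("," + norm(base))


def find_dn(entries: Dict[str, dict], dn: str) -> Optional[str]:
    return next((d for d in entries if norm(d) == norm(dn)), None)


def blocking_children(entries: Dict[str, dict], dn: str) -> List[str]:
    """Direct children of dn: exactly what makes ldb call it a non-leaf node."""
    return sorted(d for d in entries if is_under(d, dn) and depth(d) == depth(dn) + 1)


def deletion_order(entries: Dict[str, dict], base: str) -> List[str]:
    """Every entry in base's subtree, deepest first, then base itself."""
    base_key = find_dn(entries, base)
    if base_key is None:
        raise KeyError(f"{base} not present in LDIF")
    subtree = [d for d in entries if is_under(d, base_key)]
    subtree.sort(key=lambda d: (-depth(d), norm(d)))
    return subtree + [base_key]


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    print("children blocking delete of", NTDS_DN, "->", blocking_children(db, NTDS_DN))
    for dn in deletion_order(db, SERVER_DN):
        print("delete:", dn)
```

Pointing it at a real dump (`ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Sites,CN=Configuration,DC=example,DC=lan" -s sub dn` redirected to a file and read in place of `SAMPLE_LDIF`) shows what `--remove-other-dead-server` tripped over: in the constructed data the nTDSDSA object still has an nTDSConnection child, so it is the connection, then the NTDS Settings object, then the server object that have to disappear, in that order. Running `samba-tool drs showrepl` afterwards, as the original poster did before, is the check that the remaining DCs still replicate with each other.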