me at tdiehl.org
2018-Aug-27 20:17 UTC
[Samba] Problems removing a SBS 2008 server from a Samba AD DC.
Hi,

I have a samba 4.7.9 DC that I am trying to remove a windows SBS dc from. In doing this I have run across several problems. For whatever reason when I try to dcpromo the windows DC it fails because it says it cannot contact the samba4 DC. I have checked replication as per https://wiki.samba.org/index.php/Verifying_the_Directory_Replication_Statuses and all of the tests pass.

Since we are going to retire the Windows server, I figured I would try just running "samba-tool domain demote --remove-other-dead-server=PHT1". That gave me the error described in https://bugzilla.samba.org/show_bug.cgi?id=13484. So I patched remove_dc.py as called out in the above bug. Once that was done I now get the following error:

(pht-vdc1 pts8) # samba-tool domain demote --remove-other-dead-server=PHT1
ERROR(ldb): uncaught exception - replmd_delete: Failed to modify object CN=owa (SBS Web Applications),CN=HTTP,CN=Protocols,CN=PHT1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com in delete - Unsupported critical extension 1.3.6.1.4.1.7165.4.3.29
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 730, in run
    remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/remove_dc.py", line 414, in remove_dc
    remove_dns_account=True)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/remove_dc.py", line 231, in offline_remove_server
    samdb.delete(server_dn, ["tree_delete:0"])
A transaction is still active in ldb context [0x229d050] on tdb:///usr/local/samba/private/sam.ldb

I tried googling the above error but I have not found anything useful.
smb.conf is as follows:

[global]
netbios name = VDC1
realm = MYDOMAIN.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = MYDOMAIN
server role = active directory domain controller
# logs split per machine
log file = /var/log/samba/%m.log
max log size = 5000
log level = 2
deadtime = 5

[netlogon]
path = /usr/local/samba/var/locks/sysvol/mydomain.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

In addition, I tried running samba-tool dbcheck --cross-ncs --fix. That command generates over 400 errors that it claims it is going to fix but it does not.

(pht-vdc1 pts9) # samba-tool dbcheck --cross-ncs --fix --yes
Checking 10561 objects
ERROR: description not present on Deleted Objects container CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=com
Fix Deleted Objects container CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=com by restoring default attributes? [YES]
Fixed Deleted Objects container 'CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=com'
ERROR: description not present on Deleted Objects container CN=Deleted Objects,DC=ForestDnsZones,DC=mydomain,DC=com
Fix Deleted Objects container CN=Deleted Objects,DC=ForestDnsZones,DC=mydomain,DC=com by restoring default attributes? [YES]
Fixed Deleted Objects container 'CN=Deleted Objects,DC=ForestDnsZones,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=PHTool Calendar,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=PHTool Calendar,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'
...
Fix nTSecurityDescriptor on DC=173,DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'DC=173,DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=PHTOOL Contacts,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=PHTOOL Contacts,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=3e4f4182-ac5d-4378-b760-0eab2de593e2,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=3e4f4182-ac5d-4378-b760-0eab2de593e2,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=6bcd567c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=6bcd567c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'
NOTE: old (due to rename or delete) DN string component for msSBSComputerUserAccessOverride in object CN=Chris XXXXX,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com - S:2: 5:<GUID=ae9149ab-23ca-4e82-9604-088f9266eb3f>;<SID=S-1-5-21-619667644-1604242038-736796184-3130>;CN=CHRIS-LAPTOP,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=mydomain,DC=com
Change DN to S:2: 5:<GUID=ae9149ab-23ca-4e82-9604-088f9266eb3f>;<SID=S-1-5-21-619667644-1604242038-736796184-3130>;CN=CHRIS-LAPTOP\0ADEL:ae9149ab-23ca-4e82-9604-088f9266eb3f,CN=Deleted Objects,DC=mydomain,DC=com? [YES]
ERROR: Failed to fix old DN string on attribute msSBSComputerUserAccessOverride : (16, "attribute 'msSBSComputerUserAccessOverride': no matching attribute value while deleting attribute on 'CN=Chris XXXXX,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'")
(pht-vdc1 pts9) #

Is there a sane way to fix this?

Regards,

--
Tom me at tdiehl.org
Jonathan Hunter
2018-Aug-27 22:51 UTC
[Samba] Problems removing a SBS 2008 server from a Samba AD DC.
Just responding on one point..

On Mon, 27 Aug 2018 at 21:35, Tom Diehl via samba <samba at lists.samba.org> wrote:

> In addition, I tried running samba-tool dbcheck --cross-ncs --fix
> that command generates over 400 errors that it claims it is going to fix
> but
> it does not.
>
> (pht-vdc1 pts9) # samba-tool dbcheck --cross-ncs --fix --yes
> [...]
> ERROR: Failed to fix old DN string on attribute
> msSBSComputerUserAccessOverride : (16, "attribute
> 'msSBSComputerUserAccessOverride': no matching attribute value while
> deleting attribute on 'CN=Chris
> XXXXX,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'")
>

I had been bitten by this part in the past, too.

The 'dbcheck --fix --yes' operation is transactional, i.e. either the whole thing (all 400 updates) succeeds, or the whole thing fails (which is what you are seeing) and no changes are committed.

You'll need to run without --yes, and confirm each one individually, I think, in order to fix the 399 that are OK.

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
me at tdiehl.org
2018-Aug-28 17:25 UTC
[Samba] Problems removing a SBS 2008 server from a Samba AD DC.
On Mon, 27 Aug 2018, Jonathan Hunter via samba wrote:

> Just responding on one point..

Thanks for the update.

> On Mon, 27 Aug 2018 at 21:35, Tom Diehl via samba <samba at lists.samba.org>
> wrote:
>
>> In addition, I tried running samba-tool dbcheck --cross-ncs --fix
>> that command generates over 400 errors that it claims it is going to fix
>> but
>> it does not.
>>
>> (pht-vdc1 pts9) # samba-tool dbcheck --cross-ncs --fix --yes
>> [...]
>> ERROR: Failed to fix old DN string on attribute
>> msSBSComputerUserAccessOverride : (16, "attribute
>> 'msSBSComputerUserAccessOverride': no matching attribute value while
>> deleting attribute on 'CN=Chris
>> XXXXX,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'")
>>
> I had been bitten by this part in the past, too.
>
> The 'dbcheck --fix --yes' operation is transactional, i.e. either the whole
> thing (all 400 updates) succeeds, or the whole thing fails (which is what
> you are seeing) and no changes are committed.
>
> You'll need to run without --yes, and confirm each one individually, I
> think, in order to fix the 399 that are OK.

So I took your suggestion and confirmed each one individually. That got me from 409 down to 407. :-( I tried it twice and got the same results. Below is a sample of the output:

(pht-vdc1 pts8) # samba-tool dbcheck --cross-ncs --fix
Checking 10566 objects
Fix nTSecurityDescriptor on CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=MYCompany Calendar,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=MYCompany Calendar,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=Guests,CN=Builtin,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Guests,CN=Builtin,DC=mydomain,DC=com'
...
Fix nTSecurityDescriptor on CN=Shop,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Shop,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=ANDREW-PC,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=ANDREW-PC,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=mydomain,DC=com'
Checked 10566 objects (407 errors)
(pht-vdc1 pts9) #

Does anyone have any other ideas how to fix this? I am hoping that if I fix this it will then let me cleanup the dead Windows DC.

Regards,

--
Tom me at tdiehl.org
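A triage helper for dbcheck output like the runs quoted in this thread, added here as an example; it is neither the poster's nor Samba's own code. It parses the "Fix ... on ...?" prompts, the "Fixed attribute" confirmations and the "ERROR: Failed to fix" lines, and reports which prompts come back on a second run, which is what "I tried it twice and got the same results" points at: a fix dbcheck reports as applied but that does not stick. The sample runs are constructed from the lines quoted above.

```python
"""Triage helper for samba-tool dbcheck output (constructed example)."""
import re

# Prompts look like "Fix <attr> on <dn>? [y/N/all/none] y" (or "? [YES]" with --yes).
PROMPT_RE = re.compile(r"^Fix (?P<attr>\S+) on (?P<dn>.+?)\? \[", re.M)
FIXED_RE = re.compile(r"^Fixed attribute '(?P<attr>[^']+)' of '(?P<dn>[^']+)'", re.M)
FAILED_RE = re.compile(
    r"^ERROR: Failed to fix .*?attribute (?P<attr>\S+) .*? on '(?P<dn>[^']+)'", re.M)
SUMMARY_RE = re.compile(r"^Checked (\d+) objects \((\d+) errors\)", re.M)

def parse_run(text):
    """Return (prompted, fixed, failed) as sets of (attribute, dn) pairs."""
    prompted = {(m["attr"], m["dn"]) for m in PROMPT_RE.finditer(text)}
    fixed = {(m["attr"], m["dn"]) for m in FIXED_RE.finditer(text)}
    failed = {(m["attr"], m["dn"]) for m in FAILED_RE.finditer(text)}
    return prompted, fixed, failed

def error_summary(text):
    """(objects checked, errors reported) from the trailing summary line, or None."""
    m = SUMMARY_RE.search(text)
    return (int(m[1]), int(m[2])) if m else None

def recurring(run_a, run_b):
    """Prompts seen in both runs: dbcheck said 'Fixed' but the fix did not stick."""
    return parse_run(run_a)[0] & parse_run(run_b)[0]

# Constructed sample runs modelled on the output quoted in the thread.
RUN1 = """\
Checking 10566 objects
Fix nTSecurityDescriptor on CN=Guests,CN=Builtin,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Guests,CN=Builtin,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=Shop,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Shop,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'
ERROR: Failed to fix old DN string on attribute msSBSComputerUserAccessOverride : (16, "attribute 'msSBSComputerUserAccessOverride': no matching attribute value while deleting attribute on 'CN=Chris XXXXX,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'")
Checked 10566 objects (3 errors)
"""
# Second run: the Shop fix stuck, the Guests fix is prompted for again.
RUN2 = RUN1.replace(
    "Fix nTSecurityDescriptor on CN=Shop,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y\n"
    "Fixed attribute 'nTSecurityDescriptor' of 'CN=Shop,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'\n",
    "").replace("(3 errors)", "(2 errors)")

if __name__ == "__main__":
    prompted, fixed, failed = parse_run(RUN1)
    print("prompted:", len(prompted), "fixed:", len(fixed), "failed:", len(failed))
    for attr, dn in sorted(recurring(RUN1, RUN2)):
        print("still broken after a second run:", attr, "on", dn)
```

On a real DC, feed it two saved runs (`samba-tool dbcheck --cross-ncs --fix 2>&1 | tee run1.txt`) instead of the constructed strings; the recurring set is the list to investigate by hand rather than re-answer 400 prompts.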