Following:

https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

I've demoted and removed a DC. Seems all went as expected:

root@vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio
Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion
Password for [LNFFVG\gaio]:
Deactivating inbound replication
Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize from us
Changing userControl and container
Removing Sysvol reference: CN=VDCUD1,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it
Removing Sysvol reference: CN=VDCUD1,CN=ad.fvg.lnf.it,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it
Removing Sysvol reference: CN=VDCUD1,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=ad,DC=fvg,DC=lnf,DC=it
Removing Sysvol reference: CN=VDCUD1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=ad,DC=fvg,DC=lnf,DC=it
Demote successful

Following the wiki, now I'm cleaning the DNS, because still:

gaio@hermione:~$ dig ns ad.fvg.lnf.it @vdcsv1

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> ns ad.fvg.lnf.it @vdcsv1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29592
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ad.fvg.lnf.it. IN NS

;; ANSWER SECTION:
ad.fvg.lnf.it. 900 IN NS vdcsv2.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdcud1.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdcpp1.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdctms1.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdcpp2.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdc3t1.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdcsv1.ad.fvg.lnf.it.

;; Query time: 0 msec
;; SERVER: 10.5.1.25#53(10.5.1.25)
;; WHEN: Fri Feb 15 12:05:24 CET 2019
;; MSG SIZE rcvd: 190

I've removed some entries (mostly, the GUID alias), but seems there's no
way to remove the NS record (right clicking it, there's no 'remove').

I need to click 'properties' and on the 'name server' tab, remove here?

Thanks.

--
dott. Marco Gaiarin                          GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''        http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)

> Following:
> https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
> I've demoted and removed a DC.

A note. The demotion caused a reconfiguration of bind in every DC.
Logs are:

Feb 15 11:44:34 vdcpp2 named[1036]: received control channel command 'reload'
Feb 15 11:44:34 vdcpp2 named[1036]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Feb 15 11:44:34 vdcpp2 named[1036]: using default UDP/IPv4 port range: [1024, 65535]
Feb 15 11:44:34 vdcpp2 named[1036]: using default UDP/IPv6 port range: [1024, 65535]
Feb 15 11:44:35 vdcpp2 named[1036]: sizing zone task pool based on 5 zones
Feb 15 11:44:35 vdcpp2 named[1036]: Loading 'AD DNS Zone' using driver dlopen
Feb 15 11:44:35 vdcpp2 named[1036]: samba_dlz: starting configure
Feb 15 11:44:35 vdcpp2 named[1036]: samba_dlz: Ignoring duplicate zone 'ad.fvg.lnf.it' from 'DC=@,DC=ad.fvg.lnf.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it'
Feb 15 11:44:35 vdcpp2 named[1036]: samba_dlz: Ignoring duplicate zone '_msdcs.ad.fvg.lnf.it' from 'DC=@,DC=_msdcs.ad.fvg.lnf.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it'
Feb 15 11:44:35 vdcpp2 named[1036]: zone ad.fvg.lnf.it/NONE: (other) removed
Feb 15 11:44:35 vdcpp2 named[1036]: zone _msdcs.ad.fvg.lnf.it/NONE: (other) removed
Feb 15 11:44:35 vdcpp2 named[1036]: reloading configuration succeeded
Feb 15 11:44:36 vdcpp2 named[1036]: samba_dlz: shutting down
Feb 15 11:44:36 vdcpp2 named[1036]: reloading zones succeeded
Feb 15 11:44:36 vdcpp2 named[1036]: all zones loaded
Feb 15 11:44:36 vdcpp2 named[1036]: running

Note the 'samba_dlz: shutting down'.

DNS seems to work (e.g., resolve), but I was forced to restart *every* bind in every
DC to have again 'samba_dlz' activities in DNS (e.g., client dns registration).

Again, FYI.

--
dott. Marco Gaiarin
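
[Added example, not part of the original thread and not Samba or BIND project code.] The symptom reported above (a named 'reload' followed by 'samba_dlz: shutting down', after which DLZ-backed updates stop until named is restarted) can be watched for in syslog. The sample lines are abridged from the log in the message; the function name and the "no later samba_dlz line" rule are assumptions made for this sketch.

```python
import re

# Constructed sample: abridged from the named log quoted in the message above.
SAMPLE_LOG = """\
Feb 15 11:44:34 vdcpp2 named[1036]: received control channel command 'reload'
Feb 15 11:44:35 vdcpp2 named[1036]: Loading 'AD DNS Zone' using driver dlopen
Feb 15 11:44:35 vdcpp2 named[1036]: samba_dlz: starting configure
Feb 15 11:44:35 vdcpp2 named[1036]: reloading configuration succeeded
Feb 15 11:44:36 vdcpp2 named[1036]: samba_dlz: shutting down
Feb 15 11:44:36 vdcpp2 named[1036]: reloading zones succeeded
Feb 15 11:44:36 vdcpp2 named[1036]: running
"""

# syslog prefix: "Mon DD HH:MM:SS host named[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) named\[(\d+)\]: (.*)$")


def dlz_down_after_reload(log_text):
    """Return [(host, pid, timestamp)] for hosts where a named 'reload' was
    followed by 'samba_dlz: shutting down' and no samba_dlz line came later.

    Heuristic taken from the symptom in the thread, not from BIND or Samba
    documentation. A fresh named start ('starting BIND ...') or any later
    samba_dlz line clears the finding for that host.
    """
    state = {}  # host -> {"reload": bool, "down": (pid, timestamp) or None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a named line
        when, host, pid, msg = m.groups()
        s = state.setdefault(host, {"reload": False, "down": None})
        if msg.startswith("starting BIND"):
            state[host] = {"reload": False, "down": None}  # named restarted
        elif "control channel command 'reload'" in msg:
            s["reload"] = True
        elif msg.startswith("samba_dlz: shutting down"):
            if s["reload"]:
                s["down"] = (pid, when)
        elif msg.startswith("samba_dlz:"):
            s["down"] = None  # module logged again, so it is loaded
    return sorted((h, *s["down"]) for h, s in state.items() if s["down"])
```

Feed it the named lines from each DC's syslog; a host that stays in the result after the reload is one where named had to be restarted in the case described above.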

Hai Marco,

To prevent this run :

systemctl edit bind9

Add:

[Service]
ExecReload=

Save.

systemctl daemon-reload

That should fix it, as in, this works for me.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Friday 15 February 2019 12:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Demoted/removed a DC, and the NS records?
>
> > Following:
> > https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
> > I've demoted and removed a DC.
>
> A note. The demotion caused a reconfiguration of bind in every DC.
> Logs are:
>
> Feb 15 11:44:34 vdcpp2 named[1036]: received control channel command 'reload'
> Feb 15 11:44:34 vdcpp2 named[1036]: reading built-in trusted keys from file '/etc/bind/bind.keys'
> Feb 15 11:44:34 vdcpp2 named[1036]: using default UDP/IPv4 port range: [1024, 65535]
> Feb 15 11:44:34 vdcpp2 named[1036]: using default UDP/IPv6 port range: [1024, 65535]
> Feb 15 11:44:35 vdcpp2 named[1036]: sizing zone task pool based on 5 zones
> Feb 15 11:44:35 vdcpp2 named[1036]: Loading 'AD DNS Zone' using driver dlopen
> Feb 15 11:44:35 vdcpp2 named[1036]: samba_dlz: starting configure
> Feb 15 11:44:35 vdcpp2 named[1036]: samba_dlz: Ignoring duplicate zone 'ad.fvg.lnf.it' from 'DC=@,DC=ad.fvg.lnf.it,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it'
> Feb 15 11:44:35 vdcpp2 named[1036]: samba_dlz: Ignoring duplicate zone '_msdcs.ad.fvg.lnf.it' from 'DC=@,DC=_msdcs.ad.fvg.lnf.it,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it'
> Feb 15 11:44:35 vdcpp2 named[1036]: zone ad.fvg.lnf.it/NONE: (other) removed
> Feb 15 11:44:35 vdcpp2 named[1036]: zone _msdcs.ad.fvg.lnf.it/NONE: (other) removed
> Feb 15 11:44:35 vdcpp2 named[1036]: reloading configuration succeeded
> Feb 15 11:44:36 vdcpp2 named[1036]: samba_dlz: shutting down
> Feb 15 11:44:36 vdcpp2 named[1036]: reloading zones succeeded
> Feb 15 11:44:36 vdcpp2 named[1036]: all zones loaded
> Feb 15 11:44:36 vdcpp2 named[1036]: running
>
> Note the 'samba_dlz: shutting down'.
>
> DNS seems to work (e.g., resolve), but I was forced to restart
> *every* bind in every
> DC to have again 'samba_dlz' activities in DNS (e.g., client dns
> registration).
>
> Again, FYI.

Hi Marco,

> Following:
> https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
>
> I've demoted and removed a DC. Seems all went as expected:
>
> root@vdcud1:~# samba-tool domain demote --server=vdcsv1.ad.fvg.lnf.it -U gaio
> Using vdcsv1.ad.fvg.lnf.it as partner server for the demotion
> Password for [LNFFVG\gaio]:
> Deactivating inbound replication
> Asking partner server vdcsv1.ad.fvg.lnf.it to synchronize from us
> Changing userControl and container
> Removing Sysvol reference: CN=VDCUD1,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it
> Removing Sysvol reference: CN=VDCUD1,CN=ad.fvg.lnf.it,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it
> Removing Sysvol reference: CN=VDCUD1,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=ad,DC=fvg,DC=lnf,DC=it
> Removing Sysvol reference: CN=VDCUD1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=ad,DC=fvg,DC=lnf,DC=it
> Demote successful

What version of Samba are you running? Recent versions do a much better
job at DNS cleaning during demote.

I also advise you to run the demote on another DC than the one you are
demoting (samba-tool domain demote --remove-other-dead-server=xxxxx).
Running a demote on the server you are demoting feels awkward as it looks
like you are sawing the branch you are sitting on.

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

Hello! Denis Cardon via samba
  On that day it was said...

> what version of Samba are you running? Recent versions do a much better job
> at DNS cleaning during demote.

Eh, domain controllers are still on samba 4.5...

> I also advise you to run the demote on another DC than the one you are
> demoting (samba-tool domain demote --remove-other-dead-server=xxxxx).
> Running a demote on the server you are demoting feels awkward as it looks
> like you are sawing the branch you are sitting on.

Ahem, this seems to me EXACTLY the opposite of what the wiki says:

https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

--
dott. Marco Gaiarin

Hello! L.P.H. van Belle via samba
  On that day it was said...

> To prevent this run : systemctl edit bind9

Ahem, debian jessie containers without systemd. ;-)

--
dott. Marco Gaiarin

I reply to myself.

> I need to click 'properties' and on the 'name server' tab, remove here?

Seems yes. ;)

--
dott. Marco Gaiarin
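
[Added example, not part of the original thread and not Samba project code.] A check for the leftover this thread is about: after a demote, which DNS servers still hand out an NS record for the removed DC. The vdcsv1 answer is taken from the dig output in the first message; the vdcsv2 answer is invented to show a server that has already dropped the record. Function names are assumptions, and the samba-tool line it builds is a suggestion to verify against the installed Samba version.

```python
# Constructed sample: ANSWER SECTION of the dig output from the first message
# (asked of vdcsv1), plus an invented answer from a second DC.
ANSWERS = {
    "vdcsv1": """\
;; ANSWER SECTION:
ad.fvg.lnf.it. 900 IN NS vdcsv2.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdcud1.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdcpp1.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdctms1.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdcpp2.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdc3t1.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdcsv1.ad.fvg.lnf.it.
""",
    "vdcsv2": """\
;; ANSWER SECTION:
ad.fvg.lnf.it. 900 IN NS vdcsv2.ad.fvg.lnf.it.
ad.fvg.lnf.it. 900 IN NS vdcsv1.ad.fvg.lnf.it.
""",
}


def _fqdn(name):
    return name.rstrip(".").lower()


def ns_targets(dig_text, zone):
    """NS targets for `zone` found in dig output (comment lines skipped)."""
    found = set()
    for line in dig_text.splitlines():
        f = line.split()
        if (len(f) == 5 and not f[0].startswith(";")
                and f[3].upper() == "NS" and _fqdn(f[0]) == _fqdn(zone)):
            found.add(_fqdn(f[4]))
    return found


def stale_ns(answers, zone, demoted):
    """Map each queried server to the demoted DCs it still lists as NS."""
    gone = {_fqdn(d) for d in demoted}
    report = {s: sorted(ns_targets(t, zone) & gone) for s, t in answers.items()}
    return {s: hits for s, hits in report.items() if hits}


def delete_hints(server, zone, stale_hosts):
    """samba-tool counterparts of the GUI removal; review before running."""
    return [f"samba-tool dns delete {server} {zone} @ NS {h}" for h in stale_hosts]
```

In practice the dictionary would be filled with the output of `dig ns <zone> @<dc>` for every remaining DC, so a server that lags behind in replication shows up by name.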