samba - Jul 2020 - How to fully remove entries to dead windows server

To save the whole back story, I borked everything and had to restore from
backups.

DC1 and DC2 (Samba DC's) came back fine

DC3 (Windows 2008 DC) did not come back. Which is fine, I wanted to
decommission it anyway.

I have seized all the FSMO roles (because DC3 previously held them all) and
replication SEEMS to be OK (users created on each machine replicate across
instantly, although showrepl throws up some odd errors on DC1 (below)).

My question though is what steps should I take to ensure that I completely
remove all entries to the dead windows server? I wasn't able to demote it
before it died and I don't want loose ends causing niggly problems in the
future.

Many thanks, Peter

P.S. Why does it say it failed replication, while also saying the last
success was exactly the same time as the last failure?

CN=Schema,CN=Configuration,DC=my,DC=domain
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: d0ab7757-99e0-4104-a22d-60e4b318e1b4
                Last attempt @ Thu Jul 16 00:35:58 2020 PDT failed, result
8453 (WERR_DS_DRA_ACCESS_DENIED)
                249708 consecutive failure(s).
                Last success @ Thu Jul 16 00:35:58 2020 PDT

On 16/07/2020 08:45, Peter Pollock via samba wrote:
> My question though is what steps should I take to ensure that I completely
> remove all entries to the dead windows server? I wasn't able to demote
it
> before it died and I don't want loose ends causing niggly problems in
the
> future.
We have a command for that ;-)

samba-tool domain demote --remove-other-dead-server=DEAD_DC_TO_REMOVE
>
> Many thanks, Peter
>
> P.S. Why does it say it failed replication, while also saying the last
> success was exactly the same time as the last failure?
>
> CN=Schema,CN=Configuration,DC=my,DC=domain
>          Default-First-Site-Name\DC2 via RPC
>                  DSA object GUID: d0ab7757-99e0-4104-a22d-60e4b318e1b4
>                  Last attempt @ Thu Jul 16 00:35:58 2020 PDT failed, result
> 8453 (WERR_DS_DRA_ACCESS_DENIED)
>                  249708 consecutive failure(s).
>                  Last success @ Thu Jul 16 00:35:58 2020 PDT
I have no idea, unless it is trying to replicate to the dead DC ?

Rowland

Thank you! I thought remove-other-dead-server was only for linux servers
that had died.
That did the trick though.

It didn't, however, fix the weird replication reports, and I just noticed
that the Outbound ones are also weird - in that they don't have any
timestamps at all.

C=ForestDnsZones,DC=my,DC=domain
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: d0ab7757-99e0-4104-a22d-60e4b318e1b4
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

But I ran the remove-other-dead-server on DC2 and DC1 recognized the
removal immediately so replication must be working. Should I just ignore it?

On Thu, Jul 16, 2020 at 12:54 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 16/07/2020 08:45, Peter Pollock via samba wrote:
> > My question though is what steps should I take to ensure that I
> completely
> > remove all entries to the dead windows server? I wasn't able to
demote it
> > before it died and I don't want loose ends causing niggly problems
in the
> > future.
>
> We have a command for that ;-)
>
> samba-tool domain demote --remove-other-dead-server=DEAD_DC_TO_REMOVE
>
> >
> > Many thanks, Peter
> >
> > P.S. Why does it say it failed replication, while also saying the last
> > success was exactly the same time as the last failure?
> >
> > CN=Schema,CN=Configuration,DC=my,DC=domain
> >          Default-First-Site-Name\DC2 via RPC
> >                  DSA object GUID: d0ab7757-99e0-4104-a22d-60e4b318e1b4
> >                  Last attempt @ Thu Jul 16 00:35:58 2020 PDT failed,
> result
> > 8453 (WERR_DS_DRA_ACCESS_DENIED)
> >                  249708 consecutive failure(s).
> >                  Last success @ Thu Jul 16 00:35:58 2020 PDT
>
> I have no idea, unless it is trying to replicate to the dead DC ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>