On 29/05/2023 11:12, Alexandros Karypidis via samba wrote:
> I connected to LDAP via Apache Directory Studio and it seems that the child node under the computer account is an RID set:
>
> CN=RID Set,CN=DC2,CN=Computers,DC=ad,DC=home,DC=lan
>
> Is this an omission of the demotion process? Should this have been removed? Is it safe for me to delete this and try the "samba-tool computer delete DC2" again?

Your DC should be running when you demote it, otherwise you should have demoted it from another DC with the '--remove-other-dead-server=The_DC_you_stopped' switch. As each DC gets its own RID pool, you should be able to delete the old, demoted DC's 'CN=RID Set,......' However, I am unsure if this is possible, mainly because I haven't tried it. As you have backups, give it a try and report back.

Rowland
Alexandros Karypidis
2023-May-29  10:46 UTC
[Samba] How to cleanly remove a DC from Samba domain?
I used Apache Directory Studio to remove the "RID Set" node and after that a simple "samba-tool computer delete DC2" worked just fine. Perhaps the version of Samba in TurnKey Linux V16.1 has a bug (4.9.5-Debian)? Likely demotion should remove leaf nodes from domain controllers as part of the process. I have now recreated DC2 using TurnKey Linux V17.1 (4.17.6-Debian) and so far everything seems normal. I will take new backups, and then proceed to do the same with DC1 to sync up the versions.
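The check discussed in this thread, as an added example that is not part of the original messages: it reads the LDIF from a subtree search under the demoted DC's computer account and lists any objects still below it, such as the `CN=RID Set` node, deepest first. It assumes the LDIF came from something like `ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=DC2,CN=Computers,DC=ad,DC=home,DC=lan" -s sub dn`; the database path and the sample output are assumptions, and the function names are hypothetical.

```python
import base64
import re

# Constructed sample of subtree-search LDIF output (not taken from the thread).
# The second DN is folded across two lines, as LDIF allows.
SAMPLE_LDIF = """\
# record 1
dn: CN=DC2,CN=Computers,DC=ad,DC=home,DC=lan

# record 2
dn: CN=RID Set,CN=DC2,CN=Computers,DC=ad,DC=home
 ,DC=lan

# returned 2 records
# 2 entries
# 0 referrals
"""

def parse_dns(ldif):
    """Return every DN in LDIF text, unfolding wrapped lines and decoding dn:: values."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF continuation: newline + one space
    dns = []
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):  # base64-encoded DN
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns

def rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def blocking_children(ldif, base_dn):
    """DNs strictly below base_dn, deepest first (the order they would be deleted in)."""
    base = rdns(base_dn)
    below = [d for d in parse_dns(ldif)
             if len(rdns(d)) > len(base) and rdns(d)[-len(base):] == base]
    return sorted(below, key=lambda d: len(rdns(d)), reverse=True)

if __name__ == "__main__":
    for dn in blocking_children(SAMPLE_LDIF, "CN=DC2,CN=Computers,DC=ad,DC=home,DC=lan"):
        print("still present under demoted DC:", dn)
```

An empty result means the computer account has no remaining child objects.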