Difference between revisions of "Demoting a Samba AD DC"

m (Fix link)
(Rewrote page)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
Whenever a Domain Controller needs to be removed from your domain, for what ever reason, you will have to demote it. This documentation describes different scenarios to demote a Domain Controller.
+
If you keep information about a domain controller (DC) that was permanently removed from the Active Directory (AD) in the directory, clients can encounter timeouts during log ins or other operations. To permanently remove a Samba DC from the AD, you must demote it.
  
'''See the [[Host_information_used_in_documentation|host information used in documentation]] page for used paths, hostnames, etc.'''
 
  
  
  
  
 +
= Demote a Working Domain Controller =
  
= Demote a working Domain Controller =
+
If you domain controller (DC) is still accessible:
  
Follow this section if your DC is accessible and working.
+
* Log in to the DC you want to demote.
  
* Log into the DC you want to demote.
+
* Verify that the DC does not hold any FSMO role. See [[Transfering_and_Seizing_FSMO_Roles#Displaying_the_Current_FSMO_Role_Owners|Displaying the Current FSMO Role Owners]].
  
* Verify that the DC is not the last one remaining in the domain!
+
:* If the DC holds one or more FSMO roles, you must transfer them to a different DC. See [[Transfering_and_Seizing_FSMO_Roles#Transferring_an_FSMO_Role|Transferring an FSMO Role]].
 
 
* Make sure this DC does not contain any [[Flexible_Single-Master_Operations_(FSMO)_roles|FSMO role]]:
 
 
 
# samba-tool fsmo show
 
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
 
 
* If you are using Samba 4.3.0 and up, the samba tool command will show an extra two FSMO roles:
 
 
 
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
 
 
Irrespective of version, there are 7 FSMO roles. See [[Transfering_and_Seizing_FSMO_Roles#Show_Current_FSMO_Role_Owners|show fsmo roles]] for how to display all 7 roles on earlier versions.
 
 
: If it still contains one or more [[Flexible_Single-Master_Operations_(FSMO)_roles#Transfering_a_FSMO_role|FSMO roles, transfer]] them to a different DC.
 
  
 
* Demote the DC:
 
* Demote the DC:
Line 45: Line 27:
 
  Demote successfull
 
  Demote successfull
  
* Shutdown Samba
+
* Shut down the "samba" service.
  
* [[#Verifying_that_nothing_was_left|Verify that nothing was left]].
 
  
  
  
  
 +
= Demote an Offline Domain Controller =
  
= Demote a DC that isn't accessible any more=
+
Only follow this procedure if the domain controller (DC) to demote is no longer accessible; for example, due to a hardware failure:
  
''Note: Samba versions prior 4.4 don't support demoting a foreign DC that is offline. Upgrade your existing DCs to 4.4 or later in that case.''
+
* Log in to a remaining DC.
  
Follow this section if your DC is not accessible any more - e. g. by hardware failure - and it surely will never come back into the network.
+
* Verify that you are running Samba 4.4 or a later version:
  
Run the following command on one of the remaining, working Domain Controllers:
+
# samba --version
 +
Version 4.5.0
 +
 
 +
: Samba version prior 4.4.0 do not support demoting a remote DC. Before you continue, upgrade your existing DCs to 4.4.0 or later.
 +
 
 +
* Verify that the DC to demote does not hold any FSMO role. See [[Transfering_and_Seizing_FSMO_Roles#Displaying_the_Current_FSMO_Role_Owners|Displaying the Current FSMO Role Owners]].
 +
 
 +
:* If the DC holds one or more FSMO roles, you must seize them. See [[Transfering_and_Seizing_FSMO_Roles#Transfering_and_Seizing_FSMO_Roles#Seizing_a_FSMO_Role|Seizing an FSMO Role]].
 +
 
 +
* To demote a remote DC, for example "DC2":
  
 
  # samba-tool domain demote --remove-other-dead-server=DC2
 
  # samba-tool domain demote --remove-other-dead-server=DC2
Line 90: Line 81:
 
  Removing Sysvol reference: CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=samdom,DC=example,DC=com
 
  Removing Sysvol reference: CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=samdom,DC=example,DC=com
  
 +
'''WARNING: Never reconnect a DC to the network, that was demoted using this way. It can cause data loss!'''
  
  
  
  
= Verifying that nothing was left =
 
  
The following steps are done on a Windows computer having [[Installing RSAT|RSAT installed]].
+
= Verifying the Demotion =
  
'''Warning: The following are just cleanup steps, if something was left after a demote! It's not a replacement for the demote process itself!'''
+
The following steps are to verify and clean up remaining directory information after a domain controller demotion. It does not replace the procedure for the demote itself!
  
* Open „Active Directory Users and Computers“
+
* Log on as Domain Administrator to a Windows computer having the Microsoft Remote Server Administration Tools (RSAT) installed. See [[Installing_RSAT|Installing RSAT].
  
:* Go to the container „Domain Controllers“ and verify that the demoted DC was removed. If not, remove the account manually. This would also cleanup metadata. '''DC removal via ADUC is currently broken. See [https://bugzilla.samba.org/show_bug.cgi?id=10595 Bug report #10595].'''
+
* Start "Active Directory Users and Computers", navigate to the "Domain Controllers" container and verify that the demoted DC was removed.
  
 
: [[Image:ADUC_Domain_Controllers.png]]
 
: [[Image:ADUC_Domain_Controllers.png]]
  
* Open „Active Directory Sites and Services“
+
* Start "Active Directory Sites and Services" and check that the demoted DC is not listed in any site.
 
 
:* Check that the demoted DC doesn't exist any more in any site. If an entry is still there, remove it manually.
 
  
 
: [[Image:ADSS_Domain_Controllers.png]]
 
: [[Image:ADSS_Domain_Controllers.png]]
  
* Open the „DNS“ console
+
* Start the "DNS" MMC console and check in <u>all</u> zones, that no entry refering to the demoted DC or it's IP has been left.
 
 
:* <u>Check in all zones</u>, that no entry about the demoted DC is still existing.
 
  
 
: [[Image:DNS_Domain_Controllers.png]]
 
: [[Image:DNS_Domain_Controllers.png]]

Revision as of 13:23, 3 October 2016

Introduction

If you keep information about a domain controller (DC) that was permanently removed from the Active Directory (AD) in the directory, clients can encounter timeouts during log ins or other operations. To permanently remove a Samba DC from the AD, you must demote it.



Demote a Working Domain Controller

If you domain controller (DC) is still accessible:

  • Log in to the DC you want to demote.
  • Demote the DC:
# samba-tool domain demote -Uadministrator
Using DC1.samdom.example.com as partner server for the demotion
Password for [SAMDOM\administrator]:
Desactivating inbound replication
Asking partner server DC1.samdom.example.com to synchronize from us
Changing userControl and container
Demote successfull
  • Shut down the "samba" service.



Demote an Offline Domain Controller

Only follow this procedure if the domain controller (DC) to demote is no longer accessible; for example, due to a hardware failure:

  • Log in to a remaining DC.
  • Verify that you are running Samba 4.4 or a later version:
# samba --version
Version 4.5.0
Samba version prior 4.4.0 do not support demoting a remote DC. Before you continue, upgrade your existing DCs to 4.4.0 or later.
  • To demote a remote DC, for example "DC2":
# samba-tool domain demote --remove-other-dead-server=DC2
Removing nTDSConnection: CN=04baf417-eb41-4f31-a5f1-c739f0e92b1b,CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Removing nTDSDSA: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com (and any children)
Removing RID Set: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Removing computer account: CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com (and any child objects)
Removing Samba-specific DNS service account: CN=dns-DC2,CN=Users,DC=samdom,DC=example,DC=com
updating samdom.example.com keeping 3 values, removing 1 values
updating DC=_kerberos._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kerberos._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kerberos._udp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kpasswd._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kpasswd._udp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.4d5258b9-0cd7-4d78-bdd7-99ebe6b19751.domains,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=c14a774f-9732-4ec2-b9fa-2156c95c4e48,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 0 values, removing 1 values
updating DC=_kerberos._tcp.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
Removing Sysvol reference: CN=DC2,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=samdom.example.com,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=samdom,DC=example,DC=com

WARNING: Never reconnect a DC to the network, that was demoted using this way. It can cause data loss!



Verifying the Demotion

The following steps are to verify and clean up remaining directory information after a domain controller demotion. It does not replace the procedure for the demote itself!

  • Log on as Domain Administrator to a Windows computer having the Microsoft Remote Server Administration Tools (RSAT) installed. See [[Installing_RSAT|Installing RSAT].
  • Start "Active Directory Users and Computers", navigate to the "Domain Controllers" container and verify that the demoted DC was removed.
ADUC Domain Controllers.png
  • Start "Active Directory Sites and Services" and check that the demoted DC is not listed in any site.
ADSS Domain Controllers.png
  • Start the "DNS" MMC console and check in all zones, that no entry refering to the demoted DC or it's IP has been left.
DNS Domain Controllers.png