Demoting a Samba AD DC: Difference between revisions

From SambaWiki
m (→‎Demote a DC that isn't accessable any more: Add in suspicion memory leakage note)
Line 64: Line 64:
samba-tool currently does' not support demote a foreign DC. That's why currently the only way to demote a lost DC is using the Windows tools. '''Sadly demoting e. g. through deleting the DC in ADUC, currently fails. See [https://bugzilla.samba.org/show_bug.cgi?id=10595 Bug report #10595].'''
samba-tool currently does' not support demote a foreign DC. That's why currently the only way to demote a lost DC is using the Windows tools. '''Sadly demoting e. g. through deleting the DC in ADUC, currently fails. See [https://bugzilla.samba.org/show_bug.cgi?id=10595 Bug report #10595].'''


'''There are suspicion that the DC that isn't accessable ''would eat up memory and later trigger oom-killer.'''''
'''There are suspicion that samba DC with the metadate of the DC that isn't accessable ''would eat up memory and later trigger oom-killer.'''''


This information was correct Until 4.1.12, and the same problem might kill the 2nd and 3rd DC if you have.
This information was correct Until 4.1.12, and the same problem might kill the 2nd and 3rd DC if you have.

Revision as of 17:13, 2 October 2014

Introduction

Whenever a Domain Controller should be removed from your domain, regardless out of which reason, you have to demote it. This HowTo describes different scenarios to demote a Domain Controller.



Server information used in this HowTo

Inside this HowTo, we will be using the following configuration/settings:

Installation directory:                 /usr/local/samba/
DC to demote:                           DC2
Different DC remaining in the network:  DC1
DNS Domain Name/Realm:                  samdom.example.com
NT4 Domain Name:                        samdom



Demote a still working Domain Controller

Follow this section, if your DC is accessable and working.

  • Log into the DC you want to demote.
  • Verify that the DC is not last one remaining in the domain!
  • Make sure, that this DC does not contain any FSMO role:
# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
If it still contains one or more FSMO roles, transfer them to a different DC.
  • Demote the DC:
# samba-tool domain demote -Uadministrator
Using DC1.samdom.example.com as partner server for the demotion
Password for [SAMDOM\administrator]:
Desactivating inbound replication
Asking partner server DC1.samdom.example.com to synchronize from us
Changing userControl and container
Demote successfull
  • Shutdown Samba



Demote a DC that isn't accessable any more

Follow this section, if your DC is not accessable any more, e. g. by hardware failure and it surely will never come back into the network.

samba-tool currently does' not support demote a foreign DC. That's why currently the only way to demote a lost DC is using the Windows tools. Sadly demoting e. g. through deleting the DC in ADUC, currently fails. See Bug report #10595.

There are suspicion that samba DC with the metadate of the DC that isn't accessable would eat up memory and later trigger oom-killer.

This information was correct Until 4.1.12, and the same problem might kill the 2nd and 3rd DC if you have.

Some people say that they can remove using the script below, but it was fully not tested. Please use at your own risk. [1]

Verifying that nothing was left

The following steps are done on a Windows computer having RSAT installed.

Warning: The following are just cleanup steps, if something was left after a demote! It's not a replacement for the demote process itself!

  • Open „Active Directory Users and Computers“
  • Go to the container „Domain Controllers“ and verify that the demoted DC was removed. If not, remove the account manually. This would also cleanup metadata. DC removal via ADUC is currently broken. See Bug report #10595.
ADUC Domain Controllers.png
  • Open „Active Directory Sites and Services“
  • Check that the demoted DC doesn't exist any more in any site. If an entry is still there, remove it manually.
ADSS Domain Controllers.png
  • Open the „DNS“ console
  • Check in all zones, that no entry about the demoted DC is still existing.
DNS Domain Controllers.png