Demoting a Samba AD DC

From SambaWiki

Latest revision as of 15:27, 11 June 2023

Introduction

Sometimes, you may find it necessary to permanently remove a domain controller (DC) from Active Directory (AD). Removing a regular domain member only requires the deletion of the machine account entry, but, to remove a DC from AD, you have to demote it.

If a DC is not demoted correctly, your AD can get unstable. For example:

  • replication failures can occur.
  • the remaining DCs can slow down due to time outs and failed replication attempts.
  • log ins on domain members can fail or take longer.



Demoting an Online Domain Controller

If the domain controller (DC) to demote is still working correctly:

  • Log in locally to the DC you wish to demote.
  • Ensure the samba service is running.
  • Check if the DC owns any flexible single master operations (FSMO) roles. See Displaying the Current FSMO Role Owners.
    If the DC does own any FSMO roles, transfer them to a different DC. See Transferring an FSMO Role.
  • Optionally, display the objectGUID of the DC. For example, for the DC2 host:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid | grep -A1 DC2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
    If you want to verify that all DNS entries were deleted after you demoted the DC, you need to know the host name, IP address, and the objectGUID of the DC.
  • Demote the DC:
# samba-tool domain demote -Uadministrator
Using DC1.samdom.example.com as partner server for the demotion
Password for [SAMDOM\administrator]:
Deactivating inbound replication
Asking partner server DC1.samdom.example.com to synchronize from us
Changing userControl and container
Removing Sysvol reference: CN=DC2,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=samdom.example.com,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=samdom,DC=example,DC=com
Demote successful
  • Stop the samba service.
  • If the DC used the BIND9_DLZ DNS back end for the Active Directory (AD) zones:
      • stop the Bind9 DNS service.
      • verify that no members of the domain use this host to resolve the AD DNS zones.



Demoting an Offline Domain Controller

In certain situations, such as hardware failures, it is necessary to remove a domain controller (DC) that is no longer accessible from the domain. In this case, you must demote the DC using a remaining working Samba DC.

Important: Only run this procedure if the DC to demote is no longer connected to the AD and you cannot demote it as described in Demoting an Online Domain Controller. This ensures that all changes, like password changes, are replicated onto another DC. Otherwise such changes will be lost. You can get a list of changes by using samba-tool ldapcmp.

To remotely demote an offline DC:

  • Log in to a working Samba DC in the Active Directory (AD) forest.
  • Verify that Samba 4.4 or later is installed:
# samba --version
    Important: You cannot demote an offline remote DC from a DC that runs Samba 4.4 or earlier. Update to Samba 4.4.0 or later before you continue. For details, see Updating Samba.
  • Check that the remote DC being demoted does not own any flexible single master operations (FSMO) role. See Displaying the Current FSMO Role Owners.
      • If the DC being demoted owns any FSMO roles, seize them to the local DC. See Seizing an FSMO Role.
  • Verify that the DC being demoted is turned off.
  • Optionally, display the objectGUID of the DC. For example, for the DC2 host:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid | grep -A1 DC2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
    If you want to verify that all DNS entries were deleted after you demoted the DC, you need to know the host name, IP address, and the objectGUID of the DC.
  • Demote the remote DC. For example, to demote DC2:
# samba-tool domain demote --remove-other-dead-server=DC2
Removing nTDSConnection: CN=04baf417-eb41-4f31-a5f1-c739f0e92b1b,CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Removing nTDSDSA: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com (and any children)
Removing RID Set: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Removing computer account: CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com (and any child objects)
Removing Samba-specific DNS service account: CN=dns-DC2,CN=Users,DC=samdom,DC=example,DC=com
updating samdom.example.com keeping 3 values, removing 1 values
updating DC=_kerberos._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kerberos._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kerberos._udp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kpasswd._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kpasswd._udp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.4d5258b9-0cd7-4d78-bdd7-99ebe6b19751.domains,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=c14a774f-9732-4ec2-b9fa-2156c95c4e48,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 0 values, removing 1 values
updating DC=_kerberos._tcp.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
Removing Sysvol reference: CN=DC2,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=samdom.example.com,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=samdom,DC=example,DC=com
    Warning: You must never reconnect a remotely demoted DC to the network. Your AD can get inconsistent.
  • If the demoted DC ran a DNS service for the Active Directory (AD) zones, verify that domain members and DCs no longer use this host to resolve the AD DNS zones.
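Both procedures above start by checking whether the DC still owns any FSMO role, and then transfer (online DC) or seize (offline DC) what it holds. As an added example that is not part of the Samba wiki, the POSIX shell function below reads the output of samba-tool fsmo show and prints the exact samba-tool fsmo transfer or seize commands still needed; it assumes the "<Name>Role owner: CN=NTDS Settings,CN=<DC>,..." output format of samba-tool fsmo show and the --role names samba-tool fsmo accepts, and the sample output is constructed.

```shell
#!/bin/sh
# FSMO pre-check for a DC about to be demoted. Added example, not from the Samba wiki.
# Assumption: 'samba-tool fsmo show' prints one line per role in the form
# "<Name>Role owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...".

# fsmo_plan DC MODE: read 'samba-tool fsmo show' output on stdin and print one
# "samba-tool fsmo MODE --role=<role>" line for every role DC still owns.
# MODE is "transfer" (online demotion, run on the DC itself) or "seize" (offline
# demotion, run on the surviving DC). Exit 1 if DC owns any role, 0 if it is clear.
fsmo_plan() {
    owned=0
    while IFS= read -r line; do
        case "$line" in
            *"Role owner: CN=NTDS Settings,CN=$1,CN=Servers,"*) ;;
            *) continue ;;
        esac
        owned=$((owned + 1))
        # map the displayed role name to the --role value 'samba-tool fsmo' accepts
        case "${line%%Role owner:*}" in
            SchemaMaster)         role=schema ;;
            RidAllocationMaster)  role=rid ;;
            PdcEmulationMaster)   role=pdc ;;
            DomainNamingMaster)   role=naming ;;
            InfrastructureMaster) role=infrastructure ;;
            DomainDnsZonesMaster) role=domaindns ;;
            ForestDnsZonesMaster) role=forestdns ;;
            *) echo "unrecognised role line: $line" >&2; continue ;;
        esac
        echo "samba-tool fsmo $2 --role=$role"
    done
    [ "$owned" -eq 0 ]
}

# Constructed sample of 'samba-tool fsmo show' output (not real data): DC2 still
# holds the RID master and PDC emulator roles, DC1 owns the other five.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# sample_seize_plan: the commands an offline demotion of DC2 would need first.
sample_seize_plan() {
    printf '%s\n' "$SAMPLE_FSMO" | fsmo_plan DC2 seize
}
```

Against a live directory, run `samba-tool fsmo show | fsmo_plan DC2 transfer` on the DC being demoted (or with `seize` on the surviving DC for an offline demotion) and execute the lines it prints before continuing.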



Verifying the Demotion

To manually verify that the domain controller (DC) was successfully demoted:

  • Log in to a Windows domain member using an account that is a member of the Domain Admins group, such as the AD domain Administrator account.
  • Install the Remote Server Administration Tools (RSAT). For details, see Installing RSAT.
  • Open the Active Directory Users and Computers application.
  • Navigate to the Domain Controllers entry and verify that the demoted DC was removed. For example:
    (screenshot: ADUC Domain Controllers.png)
      • If the entry is still listed, you can manually remove it:
          • Right-click the DC entry and select Delete.
          • Click Yes to confirm.
          • Select "Delete this Domain Controller anyway. It is permanently offline and can no longer be removed using the removal wizard." and click OK.
          • If the DC is a global catalog server, click Yes to confirm.
  • Open the Active Directory Sites and Services application and verify that the demoted DC is no longer listed in any Active Directory (AD) site entry. For example:
    (screenshot: ADSS Domain Controllers.png)
      • If the entry is still listed, you can manually remove it:
          • Right-click the DC entry and select Delete.
          • Click Yes to confirm.
  • Open the DNS application and verify that the DC's host name, IP address, and objectGUID are no longer used in any DNS entry in any AD DNS zone. For example:
    (screenshot: DNS Domain Controllers.png)
      • If entries are still listed, you can manually remove them:
          • Right-click the entry and select Delete.
          • Click Yes to confirm.
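The checks in this section are done by hand in RSAT. As an added example that is not part of the Samba wiki, the POSIX shell script below audits sam.ldb on a surviving DC for the object kinds a demotion is expected to remove (NTDS Settings, server object, computer account, RID Set, dns- account, SYSVOL references, the objectGUID CNAME node in _msdcs) and reports whatever is left. It assumes ldbsearch on PATH and the default sam.ldb path used on this page, matches object DNs only (A and SRV record contents pointing at the host still need the DNS check above), and the sample ldbsearch output is constructed.

```shell
#!/bin/sh
# Post-demotion audit of sam.ldb. Added example, not from the Samba wiki.
# Assumptions: ldbsearch is on PATH; sam.ldb is at the path below (override with SAMDB).
SAMDB="${SAMDB:-/usr/local/samba/private/sam.ldb}"

# classify_ref DC GUID LINE: if LINE is an LDIF "dn:" line still naming the demoted DC,
# print what kind of leftover it is (the same object kinds 'samba-tool domain demote'
# reports removing); print nothing otherwise. DC must match the case stored in AD.
classify_ref() {
    case "$3" in
        "dn: CN=NTDS Settings,CN=$1,CN=Servers,"*)      echo "nTDSDSA still present: $3" ;;
        "dn: CN=$1,CN=Servers,"*"CN=Sites,"*)           echo "server object still in Sites: $3" ;;
        "dn: CN=$1,OU=Domain Controllers,"*)            echo "computer account still present: $3" ;;
        "dn: CN=RID Set,CN=$1,OU=Domain Controllers,"*) echo "RID Set still present: $3" ;;
        "dn: CN=dns-$1,CN=Users,"*)                     echo "DNS service account still present: $3" ;;
        "dn: CN=$1,"*"CN=Microsoft System Volumes,"*|"dn: CN=$1,"*"CN=Domain System Volume"*)
                                                        echo "SYSVOL reference still present: $3" ;;
        "dn: DC=$2,DC=_msdcs."*)                        echo "objectGUID CNAME still in _msdcs: $3" ;;
    esac
}

# leftover_refs DC GUID: read ldbsearch LDIF on stdin and print every leftover.
# Exit 0 when the demotion left nothing behind, 1 when something remains.
leftover_refs() {
    n=0
    while IFS= read -r line; do
        hit=$(classify_ref "$1" "$2" "$line")
        if [ -n "$hit" ]; then echo "$hit"; n=$((n + 1)); fi
    done
    [ "$n" -eq 0 ]
}

# audit_demotion DC GUID: search all naming contexts (like the wiki's --cross-ncs query)
# for objects named after the DC, its dns- account or its objectGUID DNS node, then classify.
audit_demotion() {
    ldbsearch -H "$SAMDB" --cross-ncs "(|(cn=$1)(cn=dns-$1)(dc=$2))" objectGUID |
        leftover_refs "$1" "$2"
}

# Constructed sample of ldbsearch output (not real data): DC2's NTDS Settings and
# computer account survived the demotion; DC1's entry is unrelated and must be ignored.
SAMPLE_LDIF='dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48

dn: CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com

dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com'

# sample_audit: run the classifier over the constructed sample (needs no Samba install).
sample_audit() {
    printf '%s\n' "$SAMPLE_LDIF" | leftover_refs DC2 c14a774f-9732-4ec2-b9fa-2156c95c4e48
}
```

On a surviving DC, `audit_demotion DC2 c14a774f-9732-4ec2-b9fa-2156c95c4e48` (host name and the objectGUID shown earlier on this page) exits non-zero and lists each object that still has to be removed by hand.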