Difference between revisions of "Demoting a Samba AD DC"

m (Mmuehlfeld moved page Demote a Samba AD DC to Demoting a Samba AD DC)
(Refreshed content. Added more details and steps, refreshed screenshots.)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
If you keep information about a domain controller (DC) that was permanently removed from the Active Directory (AD) in the directory, clients can encounter timeouts during log ins or other operations. To permanently remove a Samba DC from the AD, you must demote it.
+
In certain situations, it is necessary that you permanently remove a domain controller (DC) from Active Directory (AD). While for a regular domain member,you only delete the machine account entry, you have to demote a DC, to remove it from AD.
  
 +
If a DC is not demoted correctly, you AD can get instable. For example:
 +
* replication failures can occur.
 +
* the remaining DCs can slow down due to time outs and failed replication attempts.
 +
* log ins on domain members can fail or take longer.
  
  
  
  
= Demote a Working Domain Controller =
 
  
If you domain controller (DC) is still accessible:
+
= Demoting an Online Domain Controller =
  
* Log in to the DC you want to demote.
+
If the domain controller (DC) to remove is still working correctly:
  
* Verify that the DC does not hold any FSMO role. See [[Transferring_and_Seizing_FSMO_Roles#Displaying_the_Current_FSMO_Role_Owners|Displaying the Current FSMO Role Owners]].
+
* Log in locally to the DC to demote.
  
:* If the DC holds one or more FSMO roles, you must transfer them to a different DC. See [[Transferring_and_Seizing_FSMO_Roles#Transferring_an_FSMO_Role|Transferring an FSMO Role]].
+
* Verify that the DC does not own any flexible single master operations (FSMO) roles. See [[Transferring_and_Seizing_FSMO_Roles#Displaying_the_Current_FSMO_Role_Owners|Displaying the Current FSMO Role Owners]].
 +
 
 +
: In case that the DC owns one or more FSMO roles, transfer them to a different DC. See [[Transferring_and_Seizing_FSMO_Roles#Transferring_an_FSMO_Role|Transferring an FSMO Role]].
 +
 
 +
* Optionally, display the objectGUID of the DC. For example, for the <code>DC2</code> host:
 +
 
 +
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid | grep -A1 DC2
 +
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 +
objectGUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
 +
 
 +
: If you want to verify that all DNS entries were deleted ater you demoted the DC, you need to know the host name, IP address, and the objectGUID of the DC.
  
 
* Demote the DC:
 
* Demote the DC:
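Review bot: several typos in the added introduction and objectGUID lines: "member,you" needs a space after the comma, "you AD can get instable" should read "your AD can become unstable", "time outs" and "log ins" are normally written "timeouts" and "logins", and "ater you demoted the DC" in the objectGUID note should be "after you demoted the DC".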
Line 27: Line 40:
 
  Demote successful
 
  Demote successful
  
* Shut down the <code>samba</code> service.
+
* Stop the <code>samba</code> service.
 +
 
 +
* If this DC ran a DNS service for the Active Directory (AD) zones:
 +
:* stop the DNS service, if you used the <code>BIND9_DLZ</code> DNS back end.
 +
:* verify that domain members and DCs do no longer use this host to resolve the AD DNS zones.
 +
 
  
  
  
  
 +
= Demoting an Offline Domain Controller =
  
= Demote an Offline Domain Controller =
+
In certain situations, such as hardware failures, it is necessary to remove a domain controller (DC) from the domain, that is no longer accessible. In this case, you can demote the DC from an existing Samba DC:
  
Only follow this procedure if the domain controller (DC) to demote is no longer accessible; for example, due to a hardware failure:
+
{{Imbox
 +
| type = important
 +
| text = Only run this procedure, if you are no longer able to run the steps described in [[#Demoting_an_Online_Domain_Controller|Demoting an Online Domain Controller]] because the DC is not accessible.
 +
}}
  
* Log in to a remaining DC.
+
* Log in to a working Samba DC in the Active Directory (AD) forest.
  
* Display your Samba version:
+
* Display the installed Samba version:
  
 
  # samba --version
 
  # samba --version
  
: Samba version prior 4.4.0 do not support demoting a remote DC. Before you continue, upgrade your existing DCs to 4.4.0 or later. For details, see [[Updating_Samba|Updating Samba]].
+
: If you run a Samba version prior 4.4, you must first upgrade Samba to 4.4.0 or later. For details, see [[Updating_Samba|Updating Samba]].
 +
 
 +
* Verify that the remote DC to demote does not own any flexible single master operations (FSMO) role. See [[Transferring_and_Seizing_FSMO_Roles#Displaying_the_Current_FSMO_Role_Owners|Displaying the Current FSMO Role Owners]].
 +
 
 +
:* In case that the DC to demote owns one or more FSMO roles, seize them to the local DC. See [[Transferring_and_Seizing_FSMO_Roles#Transferring_and_Seizing_FSMO_Roles#Seizing_a_FSMO_Role|Seizing an FSMO Role]].
 +
 
 +
* Verify that the DC to demote is turned of.
 +
 
 +
* Optionally, display the objectGUID of the DC. For example, for the <code>DC2</code> host:
  
* Verify that the DC to demote does not hold any FSMO role. See [[Transferring_and_Seizing_FSMO_Roles#Displaying_the_Current_FSMO_Role_Owners|Displaying the Current FSMO Role Owners]].
+
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid | grep -A1 DC2
 +
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 +
objectGUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
  
:* If the DC holds one or more FSMO roles, you must seize them. See [[Transferring_and_Seizing_FSMO_Roles#Transferring_and_Seizing_FSMO_Roles#Seizing_a_FSMO_Role|Seizing an FSMO Role]].
+
: If you want to verify that all DNS entries were deleted ater you demoted the DC, you need to know the host name, IP address, and the objectGUID of the DC.
  
* To demote a remote DC, for example <code>DC2</code>:
+
* Demote the remote DC. For example, to demote <code>DC2</code>:
  
 
  # samba-tool domain demote --remove-other-dead-server=DC2
 
  # samba-tool domain demote --remove-other-dead-server=DC2
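Review bot: in the offline procedure the step "Verify that the DC to demote is turned of" comes after the FSMO seizure step; since seizing a role while the old owner is still running leaves two DCs claiming the same role, consider moving that check (also "turned off", not "turned of") before the seize step. Smaller points: "prior 4.4" should be "prior to 4.4", "do no longer use" should be "no longer use", "ater" should be "after", and the seize link target still repeats the page name ("Transferring_and_Seizing_FSMO_Roles#Transferring_and_Seizing_FSMO_Roles#Seizing_a_FSMO_Role"), carried over unchanged from the old text; the other links on the page use the "Page#Section" form, so this one should be "Transferring_and_Seizing_FSMO_Roles#Seizing_a_FSMO_Role".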
Line 80: Line 112:
 
  Removing Sysvol reference: CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=samdom,DC=example,DC=com
 
  Removing Sysvol reference: CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=samdom,DC=example,DC=com
  
{{Imbox
+
:{{Imbox
 
| type = warning
 
| type = warning
| text = Never reconnect a DC to the network, that was demoted using this way. It can cause data loss.
+
| text = You must not reconnect a DC to the network, that was demoted remotely. Your AD can get inconsistent.
 
}}
 
}}
 +
 +
* In case that the demoted DC ran a DNS service for the Active Directory (AD) zones, verify that domain members and DCs do no longer use this host to resolve the AD DNS zones.
  
  
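Review bot: the reworded warning has a misplaced comma: "You must not reconnect a DC to the network, that was demoted remotely" should read "You must not reconnect a DC that was demoted remotely to the network". The new DNS bullet also uses "do no longer use", which should be "no longer use".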
Line 91: Line 125:
 
= Verifying the Demotion =
 
= Verifying the Demotion =
  
The following steps are to verify and clean up remaining directory information after a domain controller demotion. It does not replace the procedure for the demote itself!
+
To manually verify that the domain controller (DC) was successfully demoted:
  
* Log on as Domain Administrator to a Windows computer having the Microsoft Remote Server Administration Tools (RSAT) installed. See [[Installing_RSAT|Installing RSAT].
+
{{Imbox
 +
| type = important
 +
| text = The steps described in this section, do not replace the official demote procedures described in the previous sections. The steps in this section are only to verify and to manually remove remaining entries, if the official demote process failed.
 +
}}
  
* Start <code>Active Directory Users and Computers</code>, navigate to the <code>Domain Controllers</code> container and verify that the demoted DC was removed.
+
* Log in to a Windows domain member using an account that is member of the <code>Domain Admins</code> group, such as the AD domain Administrator account.
  
: [[Image:ADUC_Domain_Controllers.png]]
+
* Install the Remote Server Administration Tools (RSAT). For details, see [[Installing RSAT]].
  
* Start <code>Active Directory Sites and Services</code> and check that the demoted DC is not listed in any site.
+
* Open the <code>Active Directory Users and Computers</code> application.
  
: [[Image:ADSS_Domain_Controllers.png]]
+
:* Navigate to the <code>Domain Controllers</code> entry and verify that the demoted DC was removed. For example:
 +
:[[Image:ADUC_Domain_Controllers.png]]
 +
:* If the entry is still listed, you can manually remove it:
 +
::* Right-click to the DC entry and select <code>Delete</code>
 +
::* Click <code>Yes</code> to confirm.
 +
::* Select <code>Delete this Domain Controller anyway. It is permanently offline and can no longer be removed using the removal wizard.</code> and click <code>OK</code>.
 +
::* If the DC is a global catalog server, click <code>Yes</code> to confirm.
  
* Start the <code>DNS</code> MMC console and check in <u>all</u> zones, that no entry referring to the demoted DC or it's IP has been left.
+
* Open the <code>Active Directory Sites and Services</code> application and verify that the demoted DC is no longer listed in any Active Directory (AD) site entry. For example:
 +
:[[Image:ADSS_Domain_Controllers.png]]
 +
:* If the entry is still listed, you can manually remove it:
 +
::* Right-click to the DC entry and select <code>Delete</code>
 +
::* Click <code>Yes</code> to confirm.
  
: [[Image:DNS_Domain_Controllers.png]]
+
* Open the <code>DNS</code> application and verify that the DC's host name, IP address, and objectGUID is no longer used in any DNS entry in any AD DNS zone. For example:
 +
:[[Image:DNS_Domain_Controllers.png]]
 +
:* If entries are still listed, you can manually remove them:
 +
::* Right-click to the entry and select <code>Delete</code>
 +
::* Click <code>Yes</code> to confirm.
  
  
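Review bot: "an account that is member of the Domain Admins group" is missing an article ("a member of"); "Right-click to the DC entry" (three times in this hunk) should be "Right-click the DC entry"; and "the DC's host name, IP address, and objectGUID is no longer used" needs "are no longer used".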

Revision as of 18:17, 29 March 2017

Introduction

In certain situations, it is necessary to permanently remove a domain controller (DC) from Active Directory (AD). While for a regular domain member you only delete the machine account entry, a DC must be demoted to remove it from AD.

If a DC is not demoted correctly, your AD can become unstable. For example:

  • replication failures can occur.
  • the remaining DCs can slow down due to timeouts and failed replication attempts.
  • logins on domain members can fail or take longer.



Demoting an Online Domain Controller

If the domain controller (DC) to remove is still working correctly:

  • Log in locally to the DC to demote.
  • Verify that the DC does not own any flexible single master operations (FSMO) roles. See Displaying the Current FSMO Role Owners.
      If the DC owns one or more FSMO roles, transfer them to a different DC. See Transferring an FSMO Role.
  • Optionally, display the objectGUID of the DC. For example, for the DC2 host:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid | grep -A1 DC2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
      If you want to verify that all DNS entries were deleted after you demoted the DC, you need to know the host name, IP address, and the objectGUID of the DC.
  • Demote the DC:
# samba-tool domain demote -Uadministrator
Using DC1.samdom.example.com as partner server for the demotion
Password for [SAMDOM\administrator]:
Deactivating inbound replication
Asking partner server DC1.samdom.example.com to synchronize from us
Changing userControl and container
Demote successful
  • Stop the samba service.
  • If this DC ran a DNS service for the Active Directory (AD) zones:
      • stop the DNS service, if you used the BIND9_DLZ DNS back end.
      • verify that domain members and DCs no longer use this host to resolve the AD DNS zones.



Demoting an Offline Domain Controller

In certain situations, such as a hardware failure, it is necessary to remove a domain controller (DC) that is no longer accessible from the domain. In this case, you can demote the DC from an existing Samba DC:

Important: Only run this procedure if you are no longer able to run the steps described in Demoting an Online Domain Controller because the DC is not accessible.

  • Log in to a working Samba DC in the Active Directory (AD) forest.
  • Display the installed Samba version:
# samba --version
      If you run a Samba version prior to 4.4, you must first upgrade Samba to 4.4.0 or later. For details, see Updating Samba.
  • Verify that the remote DC to demote does not own any flexible single master operations (FSMO) role. See Displaying the Current FSMO Role Owners.
      • If the DC to demote owns one or more FSMO roles, seize them to the local DC. See Seizing an FSMO Role.
  • Verify that the DC to demote is turned off.
  • Optionally, display the objectGUID of the DC. For example, for the DC2 host:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid | grep -A1 DC2
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectGUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
      If you want to verify that all DNS entries were deleted after you demoted the DC, you need to know the host name, IP address, and the objectGUID of the DC.
  • Demote the remote DC. For example, to demote DC2:
# samba-tool domain demote --remove-other-dead-server=DC2
Removing nTDSConnection: CN=04baf417-eb41-4f31-a5f1-c739f0e92b1b,CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Removing nTDSDSA: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com (and any children)
Removing RID Set: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
Removing computer account: CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com (and any child objects)
Removing Samba-specific DNS service account: CN=dns-DC2,CN=Users,DC=samdom,DC=example,DC=com
updating samdom.example.com keeping 3 values, removing 1 values
updating DC=_kerberos._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kerberos._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kerberos._udp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kpasswd._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kpasswd._udp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.4d5258b9-0cd7-4d78-bdd7-99ebe6b19751.domains,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=c14a774f-9732-4ec2-b9fa-2156c95c4e48,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 0 values, removing 1 values
updating DC=_kerberos._tcp.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.dc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
updating DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com keeping 1 values, removing 1 values
Removing Sysvol reference: CN=DC2,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=samdom.example.com,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=samdom,DC=example,DC=com
Removing Sysvol reference: CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=samdom,DC=example,DC=com
      Warning: You must not reconnect a DC that was demoted remotely to the network. Your AD can become inconsistent.
  • If the demoted DC ran a DNS service for the Active Directory (AD) zones, verify that domain members and DCs no longer use this host to resolve the AD DNS zones.



Verifying the Demotion

To manually verify that the domain controller (DC) was successfully demoted:

Important: The steps described in this section do not replace the official demote procedures described in the previous sections. They only verify the result and let you manually remove remaining entries if the official demote process failed.

  • Log in to a Windows domain member using an account that is a member of the Domain Admins group, such as the AD domain Administrator account.
  • Install the Remote Server Administration Tools (RSAT). For details, see Installing RSAT.
  • Open the Active Directory Users and Computers application.
      • Navigate to the Domain Controllers entry and verify that the demoted DC was removed. For example:
        ADUC Domain Controllers.png
      • If the entry is still listed, you can manually remove it:
          • Right-click the DC entry and select Delete.
          • Click Yes to confirm.
          • Select Delete this Domain Controller anyway. It is permanently offline and can no longer be removed using the removal wizard. and click OK.
          • If the DC is a global catalog server, click Yes to confirm.
  • Open the Active Directory Sites and Services application and verify that the demoted DC is no longer listed in any Active Directory (AD) site entry. For example:
        ADSS Domain Controllers.png
      • If the entry is still listed, you can manually remove it:
          • Right-click the DC entry and select Delete.
          • Click Yes to confirm.
  • Open the DNS application and verify that the DC's host name, IP address, and objectGUID are no longer used in any DNS entry in any AD DNS zone. For example:
        DNS Domain Controllers.png
      • If entries are still listed, you can manually remove them:
          • Right-click the entry and select Delete.
          • Click Yes to confirm.
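The DNS check above (host name, IP address and objectGUID of the demoted DC must not appear in any AD DNS zone) can also be run from a script over text captured with `samba-tool dns query <server> <zone> @ ALL` for each zone. The following is an added example and not part of the Samba wiki page: the zone dumps, the 10.99.0.2 address and the DC names are constructed samples, and the record line layout is assumed from samba-tool's text output.

```python
import re

# Constructed sample in the layout of "samba-tool dns query <server> <zone> @ ALL", one
# dump per AD DNS zone. DC1 is still a DC; DC2 was demoted but some of its records remain.
DEMOTED_HOST = "DC2"
DEMOTED_IP = "10.99.0.2"                                  # assumed address of DC2
DEMOTED_GUID = "c14a774f-9732-4ec2-b9fa-2156c95c4e48"    # objectGUID from the page's example
ZONE_DUMPS = {
    "samdom.example.com": """\
  Name=, Records=3, Children=0
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.samdom.example.com., email=hostmaster.samdom.example.com. (flags=600000f0, serial=110, ttl=3600)
    A: 10.99.0.1 (flags=600000f0, serial=110, ttl=900)
    A: 10.99.0.2 (flags=600000f0, serial=110, ttl=900)
  Name=dc1, Records=1, Children=0
    A: 10.99.0.1 (flags=f0, serial=1, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 10.99.0.2 (flags=f0, serial=1, ttl=900)
""",
    "_msdcs.samdom.example.com": """\
  Name=c14a774f-9732-4ec2-b9fa-2156c95c4e48, Records=1, Children=0
    CNAME: dc2.samdom.example.com. (flags=f0, serial=1, ttl=900)
  Name=_kerberos._tcp.dc, Records=1, Children=0
    SRV: dc1.samdom.example.com. (88, 0, 100) (flags=f0, serial=1, ttl=900)
""",
}
NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=\d+, Children=\d+")
RECORD_RE = re.compile(r"^\s+(?P<type>[A-Z]+): (?P<data>.*?)(?: \(flags=.*)?$")

def parse_zone_dump(text):
    """Yield (owner_name, record_type, record_data); owner "" is the zone apex."""
    owner = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            owner = m.group("name")
            continue
        m = RECORD_RE.match(line)
        if m and owner is not None:
            yield owner, m.group("type"), m.group("data")

def find_stale_references(zone_dumps, host, ip, guid):
    """Return [(zone, owner, type, data)] for records still tied to the demoted DC: owned by
    its host name or objectGUID (the <objectGUID>._msdcs CNAME), carrying its address, or
    naming it as target (SRV, CNAME, NS, SOA primary)."""
    host_l, guid_l = host.lower(), guid.lower()
    target_re = re.compile(r"(?<![\w-])%s\." % re.escape(host_l))  # host as first DNS label
    stale = []
    for zone, text in zone_dumps.items():
        for owner, rtype, data in parse_zone_dump(text):
            if (owner.lower() in (host_l, guid_l)
                    or (rtype in ("A", "AAAA") and data == ip)
                    or target_re.search(data.lower())):
                stale.append((zone, owner, rtype, data))
    return stale
```

Any tuple returned is an entry the demote did not clean up and should be removed by hand, as described in the DNS step above.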