Bug 10254 - Unable to remove old windows domain controller
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2013-11-05 21:19 UTC by Jonn Taylor
Modified: 2016-07-29 02:35 UTC
Description Jonn Taylor 2013-11-05 21:19:26 UTC
Unable to completely remove old Windows DC. This was an upgraded domain that started as a 2003 domain that had RFC2307 added to it. Upgraded domain to 2008R2. After that we removed all Windows DCs. The 2003 DCs removed fine but the 2008R2 server would not. Did a dcpromo /forceremove. After that Samba still had the replication links. Used http://support.microsoft.com/kb/216498 to remove the DC. Adsiedit removed the DC but not the metadata. Attempted to use ntdsutil but it looks like Samba is missing domain lists.

ntdsutil.exe

server connections: Connect to server dc0.taylortelephone.com
Binding to dc0.taylortelephone.com ...
Connected to dc0.taylortelephone.com using credentials of locally logged on user.
server connections: q

metadata cleanup: Select operation target
select operation target: list domain
Error parsing Input - Invalid Syntax.

samba -V
Version 4.2.0pre1-GIT-2d51424

samba-tool drs showrepl

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=taylortelephone,DC=com
	NTDS DN: CN=NTDS Settings\0ADEL:9844a706-84f0-43c0-aa4b-d5dd2858d549,CN=DC3\0ADEL:e8840589-d2a2-4146-bca3-7424fc578cbb,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=taylortelephone,DC=com
		DSA object GUID: 9844a706-84f0-43c0-aa4b-d5dd2858d549
		Last attempt @ Tue Nov  5 14:10:38 2013 CST failed, result 2 (WERR_BADFILE)
		7810 consecutive failure(s).
		Last success @ Wed Oct  9 12:10:05 2013 CDT

CN=Configuration,DC=taylortelephone,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 72318ab4-605a-4df3-b78c-feea90bbe0c6
		Last attempt @ Tue Nov  5 14:10:38 2013 CST was successful
		0 consecutive failure(s).
		Last success @ Tue Nov  5 14:10:38 2013 CST

DC=taylortelephone,DC=com
	NTDS DN: CN=NTDS Settings\0ADEL:9844a706-84f0-43c0-aa4b-d5dd2858d549,CN=DC3\0ADEL:e8840589-d2a2-4146-bca3-7424fc578cbb,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=taylortelephone,DC=com
		DSA object GUID: 9844a706-84f0-43c0-aa4b-d5dd2858d549
		Last attempt @ Tue Nov  5 14:10:38 2013 CST failed, result 2 (WERR_BADFILE)
		7814 consecutive failure(s).
		Last success @ Wed Oct  9 12:10:48 2013 CDT

DC=taylortelephone,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 72318ab4-605a-4df3-b78c-feea90bbe0c6
		Last attempt @ Tue Nov  5 14:10:39 2013 CST was successful
		0 consecutive failure(s).
		Last success @ Tue Nov  5 14:10:39 2013 CST

DC=ForestDnsZones,DC=taylortelephone,DC=com
	NTDS DN: CN=NTDS Settings\0ADEL:9844a706-84f0-43c0-aa4b-d5dd2858d549,CN=DC3\0ADEL:e8840589-d2a2-4146-bca3-7424fc578cbb,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=taylortelephone,DC=com
		DSA object GUID: 9844a706-84f0-43c0-aa4b-d5dd2858d549
		Last attempt @ Tue Nov  5 14:10:35 2013 CST failed, result 2 (WERR_BADFILE)
		7811 consecutive failure(s).
		Last success @ Wed Oct  9 12:10:05 2013 CDT

DC=ForestDnsZones,DC=taylortelephone,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 72318ab4-605a-4df3-b78c-feea90bbe0c6
		Last attempt @ Tue Nov  5 14:10:36 2013 CST was successful
		0 consecutive failure(s).
		Last success @ Tue Nov  5 14:10:36 2013 CST

DC=DomainDnsZones,DC=taylortelephone,DC=com
	NTDS DN: CN=NTDS Settings\0ADEL:9844a706-84f0-43c0-aa4b-d5dd2858d549,CN=DC3\0ADEL:e8840589-d2a2-4146-bca3-7424fc578cbb,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=taylortelephone,DC=com
		DSA object GUID: 9844a706-84f0-43c0-aa4b-d5dd2858d549
		Last attempt @ Tue Nov  5 14:10:36 2013 CST failed, result 2 (WERR_BADFILE)
		7811 consecutive failure(s).
		Last success @ Wed Oct  9 12:10:05 2013 CDT

DC=DomainDnsZones,DC=taylortelephone,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 72318ab4-605a-4df3-b78c-feea90bbe0c6
		Last attempt @ Tue Nov  5 14:10:37 2013 CST was successful
		0 consecutive failure(s).
		Last success @ Tue Nov  5 14:10:37 2013 CST

CN=Schema,CN=Configuration,DC=taylortelephone,DC=com
	NTDS DN: CN=NTDS Settings\0ADEL:9844a706-84f0-43c0-aa4b-d5dd2858d549,CN=DC3\0ADEL:e8840589-d2a2-4146-bca3-7424fc578cbb,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=taylortelephone,DC=com
		DSA object GUID: 9844a706-84f0-43c0-aa4b-d5dd2858d549
		Last attempt @ Tue Nov  5 14:10:40 2013 CST failed, result 2 (WERR_BADFILE)
		7809 consecutive failure(s).
		Last success @ Wed Oct  9 12:10:06 2013 CDT

CN=Schema,CN=Configuration,DC=taylortelephone,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 72318ab4-605a-4df3-b78c-feea90bbe0c6
		Last attempt @ Tue Nov  5 14:10:41 2013 CST was successful
		0 consecutive failure(s).
		Last success @ Tue Nov  5 14:10:41 2013 CST

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=taylortelephone,DC=com
	NTDS DN: CN=NTDS Settings\0ADEL:9844a706-84f0-43c0-aa4b-d5dd2858d549,CN=DC3\0ADEL:e8840589-d2a2-4146-bca3-7424fc578cbb,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=taylortelephone,DC=com
		DSA object GUID: 9844a706-84f0-43c0-aa4b-d5dd2858d549
		Last attempt @ Tue Nov  5 14:15:18 2013 CST failed, result 2 (WERR_BADFILE)
		383648 consecutive failure(s).
		Last success @ Wed Oct  9 12:07:07 2013 CDT

CN=Configuration,DC=taylortelephone,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 72318ab4-605a-4df3-b78c-feea90bbe0c6
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

DC=taylortelephone,DC=com
	NTDS DN: CN=NTDS Settings\0ADEL:9844a706-84f0-43c0-aa4b-d5dd2858d549,CN=DC3\0ADEL:e8840589-d2a2-4146-bca3-7424fc578cbb,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=taylortelephone,DC=com
		DSA object GUID: 9844a706-84f0-43c0-aa4b-d5dd2858d549
		Last attempt @ Tue Nov  5 14:15:18 2013 CST failed, result 2 (WERR_BADFILE)
		343523 consecutive failure(s).
		Last success @ Wed Oct  9 12:10:03 2013 CDT

DC=taylortelephone,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 72318ab4-605a-4df3-b78c-feea90bbe0c6
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

DC=ForestDnsZones,DC=taylortelephone,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 72318ab4-605a-4df3-b78c-feea90bbe0c6
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

DC=DomainDnsZones,DC=taylortelephone,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 72318ab4-605a-4df3-b78c-feea90bbe0c6
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=taylortelephone,DC=com
	NTDS DN: CN=NTDS Settings\0ADEL:9844a706-84f0-43c0-aa4b-d5dd2858d549,CN=DC3\0ADEL:e8840589-d2a2-4146-bca3-7424fc578cbb,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=taylortelephone,DC=com
		DSA object GUID: 9844a706-84f0-43c0-aa4b-d5dd2858d549
		Last attempt @ Tue Nov  5 14:15:19 2013 CST failed, result 2 (WERR_BADFILE)
		337940 consecutive failure(s).
		Last success @ Wed Oct  9 11:58:07 2013 CDT

CN=Schema,CN=Configuration,DC=taylortelephone,DC=com
	Default-First-Site-Name\DC1 via RPC
		DSA object GUID: 72318ab4-605a-4df3-b78c-feea90bbe0c6
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
	Connection name: DC1
	Enabled        : TRUE
	Server DNS name : DC1.taylortelephone.com
	Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=taylortelephone,DC=com
		TransportType: RPC
		options: 0x00000000
Warning: No NC replicated for Connection!
Comment 1 Jos Bol 2015-01-26 17:14:08 UTC
I'm having the same problem when trying to remove a 2008R2 DC from the domain (all the other DCs are samba4). dcpromo didn't work, and trying to remove it using Users and Computers results in:

"Windows cannot delete object"
LDAP://hostname/CN=ARQUIVOS,OU=Domain Controllers,DC=contoso,DC=com,DC=br because:
The specified module could not be found.

It seems impossible to do the metadata cleanup, due to the same reason as Jonn Taylor indicated:


metadata cleanup: Select operation target
select operation target: list domain
Error parsing Input - Invalid Syntax.
Comment 2 Andrew Bartlett 2016-07-29 02:35:27 UTC
Use 'samba-tool domain demote --remove-other-dead-server' in Samba 4.4 or later.
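
Added example, not part of the bug thread or of Samba's own code: a small parser for `samba-tool drs showrepl` text output that flags replication partners whose NTDS Settings or server object carries the tombstone marker (`\0ADEL:<GUID>`) seen in the report, and builds the matching cleanup command from Comment 2. The sample input is constructed and condensed; `stale_servers` and `cleanup_commands` are hypothetical names, and the command assumes the option takes the dead server's name as its value.

```python
import re

# Constructed, condensed sample in the layout of the showrepl output above (names and GUIDs made up).
SAMPLE = r"""==== INBOUND NEIGHBORS ====
DC=example,DC=com
    NTDS DN: CN=NTDS Settings\0ADEL:11111111-2222-3333-4444-555555555555,CN=DC3\0ADEL:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
        DSA object GUID: 11111111-2222-3333-4444-555555555555
        7814 consecutive failure(s).
DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 99999999-8888-7777-6666-555555555555
        0 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
CN=Configuration,DC=example,DC=com
    NTDS DN: CN=NTDS Settings\0ADEL:11111111-2222-3333-4444-555555555555,CN=DC3\0ADEL:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
        DSA object GUID: 11111111-2222-3333-4444-555555555555
        383648 consecutive failure(s).
==== KCC CONNECTION OBJECTS ====
Connection --
"""

DEAD = re.compile(r"CN=NTDS Settings(\\0ADEL:[0-9a-f-]{36})?,CN=([^,\\]+)(\\0ADEL:[0-9a-f-]{36})?,", re.I)
FAILS = re.compile(r"(\d+) consecutive failure")

def stale_servers(text):
    """Return {server: summary} for neighbours whose DN carries a tombstoned (\\0ADEL:) RDN."""
    found, section, nc, cur = {}, "", None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("===="):
            section, cur = s.strip("= "), None
        elif not s or not section.endswith("NEIGHBORS"):
            continue                         # blank line, or the KCC section
        elif not line[0].isspace():          # unindented line names the naming context
            nc, cur = s, None
        elif (m := DEAD.search(s)) and (m.group(1) or m.group(3)):
            cur = found.setdefault(m.group(2), {"guid": None, "ncs": set(), "max_failures": 0})
            cur["ncs"].add(nc)
        elif s.startswith("DSA object GUID:") and cur:
            cur["guid"] = s.split(":", 1)[1].strip()
        elif (f := FAILS.match(s)) and cur:
            cur["max_failures"] = max(cur["max_failures"], int(f.group(1)))
        elif not s.startswith(("DSA ", "Last ")) and not FAILS.match(s):
            cur = None                       # live neighbour header: ignore its detail lines
    return found

def cleanup_commands(text):
    return [f"samba-tool domain demote --remove-other-dead-server={n}" for n in sorted(stale_servers(text))]
```

Review the flagged names against the servers that are actually decommissioned before running any generated command on a Samba 4.4 or later DC.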