Bug 10595 - Demote a permanently offline DC with ADUC fails
Summary: Demote a permanently offline DC with ADUC fails
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.7
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-05-06 21:22 UTC by Marc Muehlfeld
Modified: 2016-07-29 02:31 UTC
CC List: 6 users
Attachments
ADUC Error Screenshot (25.00 KB, image/png)
2014-05-06 21:22 UTC, Marc Muehlfeld
Level 10 debug log (1.75 MB, text/plain)
2014-05-06 21:23 UTC, Marc Muehlfeld
Network capture (42.18 KB, application/octet-stream)
2014-05-06 21:23 UTC, Marc Muehlfeld
Description Marc Muehlfeld 2014-05-06 21:22:51 UTC
Created attachment 9910
ADUC Error Screenshot

If you have a broken DC that is permanently offline, there's currently no way to remove it. Trying to demote it through Windows fails:

- Open ADUC
- Go to the container "Domain Controllers"
- Right-click the DC that should be force-demoted
- Confirm the deletion of the computer
- Check "This Domain Controller is permanently offline and can no longer be demoted using Active Directory Domain Service Installation Wizard (DCPROMO)" and click "Delete"
- Confirm that you know that it's a Global Catalog.
- You receive an error: "Windows cannot delete object LDAP://dc1.samdom.example.com/CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com because: The specified module could not be found." (See screenshot)
Comment 1 Marc Muehlfeld 2014-05-06 21:23:16 UTC
Created attachment 9911
Level 10 debug log
Comment 2 Marc Muehlfeld 2014-05-06 21:23:41 UTC
Created attachment 9912
Network capture
Comment 3 Marc Muehlfeld 2014-05-06 21:36:39 UTC
Created attachment 9913
secrets.keytab
Comment 4 Chan Min Wai 2014-10-02 17:01:55 UTC
Hi All,

I have reason to believe that a permanently offline DC on a Samba DC will cause Samba to eat up memory in the long run.

So it will trigger the oom-killer.

And the worst case happens when your DC1 is offline: DC2 will, because of this, also be offline very soon.

Please help to fix this.

There is some suggestion to use this script to remove the dead DC:
http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content

Not sure if that helps...


Thank You.
Comment 5 isolatedvirus 2015-01-17 04:47:01 UTC
The workaround for an offline DC is to remove it from Sites and Services. You may have to delete the server's NTDS contents first before being allowed to remove the server.

This should remove most of the DNS entries. Ensure you check in the DNS management snap-in and remove the server from all zones (A and PTR records may not have been automatically removed).

Once you have done this, return to ADUC and delete the domain controller from the DC OU.
Comment 6 Lee Cremeans 2015-05-01 19:09:52 UTC
I ran into this issue myself, and neither the Active Directory management tools nor the script mentioned in the Wiki were any help... I still got the error mentioned. I was finally able to delete the NTDS entry and the PDC folder from the site by using phpLDAPadmin:

* log onto the Configuration database as a domain administrator
* browse to CN=Sites\CN=Default-First-Site-Name\CN=Servers\CN=<orphaned DC>
* open the NTDS Settings object
* choose "Delete this entry" from the blue menu bar on top of the page
* Confirm the delete.
* Do the same for CN=<orphaned DC>
Comment 7 David Mansfield 2015-06-17 14:04:02 UTC
I had no problem removing from ADUC but removal was incomplete.

I had a bunch of DNS records to remove, but in particular these were very important to remove.

> samba-tool dns delete workingdc mydomain.com _gc._tcp.mysite._sites SRV "deaddc.mydomain.com 3268 0 100"
> samba-tool dns delete workingdc mydomain.com _ldap._tcp.mysite._sites SRV "deaddc.mydomain.com 389 0 100"

HTH.
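The manual cleanup described in comments 5 and 7 is easy to leave half-done: the computer account, the server object and its NTDS Settings in the Configuration partition, FSMO ownership, and the A/SRV/NS records can each still name the dead DC. The following audit script is an added example, not code from this bug report or from Samba. It reads two text dumps taken from a surviving DC: an LDIF dump (the kind `ldbsearch` prints) and the text output of `samba-tool dns query <server> <zone> @ ALL`, and lists every leftover reference plus the `samba-tool dns delete` commands in the form comment 7 uses. Both sample dumps below are constructed for the DC1/DC2 names in the report, and the `samba-tool dns query` output layout (`SRV: target. (port, priority, weight) (flags=...)`) is assumed, so check it against your own Samba version before trusting the parser.

```python
import base64
import re
import shlex

# Constructed LDIF dump (ldbsearch style). DC1 is alive; DC2 is the dead DC.
SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
dNSHostName: dc1.samdom.example.com

dn: CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
dNSHostName: dc2.samdom.example.com

dn: CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
serverReference: CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com

dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

dn: CN=RID Manager$,CN=System,DC=samdom,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
"""

# Constructed output in the layout assumed for: samba-tool dns query dc1 samdom.example.com @ ALL
SAMPLE_DNS_QUERY = """\
  Name=, Records=3, Children=0
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.samdom.example.com., email=hostmaster.samdom.example.com. (flags=600000f0, serial=110, ttl=3600)
    NS: dc1.samdom.example.com. (flags=600000f0, serial=110, ttl=900)
    NS: dc2.samdom.example.com. (flags=600000f0, serial=110, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 192.0.2.11 (flags=f0, serial=110, ttl=900)
  Name=_ldap._tcp.Default-First-Site-Name._sites, Records=2, Children=0
    SRV: dc1.samdom.example.com. (389, 0, 100) (flags=600000f0, serial=110, ttl=900)
    SRV: dc2.samdom.example.com. (389, 0, 100) (flags=600000f0, serial=110, ttl=900)
  Name=_gc._tcp.Default-First-Site-Name._sites, Records=1, Children=0
    SRV: dc2.samdom.example.com. (3268, 0, 100) (flags=600000f0, serial=110, ttl=900)
"""

def parse_ldif(text):
    """Minimal LDIF reader -> list of {attr (lowercase): [values]}; handles folded lines and base64 (::)."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:               # folded continuation line
            cur[last][-1] += raw[1:]
        elif not raw.strip():                          # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not raw.startswith("#"):
            key, _, val = raw.partition(":")
            if val.startswith(":"):                    # "attr:: base64value"
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            last = key.strip().lower()
            cur.setdefault(last, []).append(val.strip())
    return entries + ([cur] if cur else [])

def directory_leftovers(entries, dead_fqdn):
    """(dn, reason) for every object that belongs to the dead DC or still points at it."""
    rdn = f"cn={dead_fqdn.split('.')[0].lower()},"      # e.g. "cn=dc2," anywhere in a DN
    hits = []
    for e in entries:
        dn = e["dn"][0]
        if rdn in dn.lower():                          # computer account, server object, NTDS Settings
            hits.append((dn, "object belongs to the dead DC"))
            continue
        for attr, vals in e.items():                   # FSMO roles, serverReference, dNSHostName, ...
            if attr != "dn" and any(rdn in v.lower() or v.lower().rstrip(".") == dead_fqdn.lower() for v in vals):
                hits.append((dn, f"{attr} references the dead DC"))
    return hits

NODE_RE = re.compile(r"^\s*Name=(.*?), Records=\d+")
REC_RE = re.compile(r"^\s*([A-Z]+): (.*?) \(flags=")

def parse_dns_query(text):
    """(node, type, data) per record, with data in the form `samba-tool dns delete` expects."""
    records, node = [], None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            node = m.group(1) or "@"                   # empty name is the zone apex
            continue
        m = REC_RE.match(line)
        if not m or node is None or m.group(1) == "SOA":   # never touch the SOA
            continue
        rtype, payload = m.groups()
        if rtype == "SRV":                             # "target. (port, priority, weight)"
            target, nums = payload.split(" (", 1)
            port, prio, weight = (n.strip() for n in nums.rstrip(")").split(","))
            payload = f"{target.rstrip('.')} {port} {prio} {weight}"
        records.append((node, rtype, payload.rstrip(".")))   # A/AAAA address or NS/CNAME/PTR target
    return records

def dead_dc_dns_records(records, dead_fqdn):
    """Records whose target is the dead DC, plus address records under its own host name."""
    short = dead_fqdn.split(".")[0].lower()
    return [(n, t, d) for n, t, d in records
            if (t in ("SRV", "NS", "CNAME", "PTR") and d.split(" ")[0].lower() == dead_fqdn.lower())
            or (t in ("A", "AAAA") and n.lower() == short)]

def delete_commands(server, zone, leftovers):
    """Render the `samba-tool dns delete` lines for review before anyone runs them."""
    return [f"samba-tool dns delete {server} {zone} {n} {t} {shlex.quote(d)}" for n, t, d in leftovers]

if __name__ == "__main__":
    for dn, why in directory_leftovers(parse_ldif(SAMPLE_LDIF), "dc2.samdom.example.com"):
        print(f"{why}: {dn}")
    dead = dead_dc_dns_records(parse_dns_query(SAMPLE_DNS_QUERY), "dc2.samdom.example.com")
    print("\n".join(delete_commands("dc1", "samdom.example.com", dead)))
```

Run it over the reverse zone as well (PTR records live there, as comment 5 notes), and treat the FSMO hit as the most urgent finding: a dead DC that still owns a role must have the role seized on a surviving DC before the NTDS Settings object is removed.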
Comment 8 Andrew Bartlett 2016-07-29 02:31:07 UTC
Fixed (at least in part) by 8086900077a23c1c8d94afe691d99d180a297d81..55a13e17b36adc69eb4ec7d706cb9a55906f8275 in Samba 4.3

We now have samba-tool domain demote --remove-other-dead-server for this task.