The Samba-Bugzilla – Bug 10595
Demote a permanently offline DC with ADUC fails
Last modified: 2016-07-29 02:31:07 UTC
Created attachment 9910: ADUC Error Screenshot
If you have a broken DC, that is permanently offline, there's currently no way to remove it. Trying to demote it through Windows fails:
- Open ADUC
- Go to container "Domain Controllers"
- Right-click to the DC that should be forced demoted
- Confirm the deletion of the computer
- Check "This Domain Controller is permanently offline and can no longer be demoted using Active Directory Domain Service Installation Wizard (DCPROMO)" and click "Delete"
- Confirm that you know that it's a Global Catalog.
- You receive an error: "Windows cannot delete object LDAP://dc1.samdom.example.com/CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com because: The specified module could not be found." (See Screenshot)
Created attachment 9911: Level 10 debug log
I have reason to believe that a permanently offline DC on a Samba DC will cause samba to eat up memory in the long run.
So it will trigger the oom-killer.
And the worst case happens when your DC1 is offline: DC2, because of this, will also be offline very soon.
Please help to fix this.
There is a suggestion to use this script to remove the dead DC.
Not sure if that helps...
The work around for an offline DC is to remove it from Sites and Services. You may have to delete the server's NTDS contents first before being allowed to remove the server.
This should remove (most) of the DNS entries. Ensure you check in the DNS management snap-in and remove the server from all zones (A and PTR records may not have been automatically removed).
Once you have done this, return to ADUC and delete the domain controller from the DC OU.
I ran into this issue myself, and neither the Active Directory management tools nor the script mentioned in the Wiki were any help...I still got the error mentioned. I was finally able to delete the NTDS entry and the PDC folder from the site by using phpLDAPadmin:
* log onto the Configuration database as a domain administrator
* browse to CN=Sites\CN=Default-First-Site-Name\CN=Servers\CN=<orphaned DC>
* open the NTDS Settings object
* choose "Delete this entry" from the blue menu bar on top of the page
* Confirm the delete.
* Do the same for CN=<orphaned DC>
I had no problem removing from ADUC but removal was incomplete.
I had a bunch of DNS records to remove, but in particular these were very important to remove.
> samba-tool dns delete workingdc mydomain.com _gc._tcp.mysite._sites SRV "deaddc.mydomain.com 3268 0 100"
> samba-tool dns delete workingdc mydomain.com _ldap._tcp.mysite._sites SRV "deaddc.mydomain.com 389 0 100"
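The manual steps from the comments above (delete the NTDS Settings object before its server object, then the per-site SRV records that still name the dead DC) collected into one small planning script. This is an added example, not code from the bug report or from Samba; the server, site and domain names are constructed, and the use of `ldbdel` for the Configuration partition is an assumption (the poster above used phpLDAPadmin).

```python
"""Plan the manual cleanup of a permanently offline DC.

Returns the LDAP objects and DNS records that the comments above remove by
hand, in an order that does not fail half-way. All names are constructed.
"""
import shlex

# Per-site SRV records that point at a DC (the thread names GC 3268 and LDAP 389).
SITE_SRV = (("_gc._tcp", 3268), ("_ldap._tcp", 389))


def config_dns_to_delete(dead_dc, site, domain_dn):
    """Configuration-partition DNs, child first: the server object can only be
    removed once its NTDS Settings child is gone. phpLDAPadmin shows the same
    path root-first (CN=Sites\\CN=<site>\\CN=Servers\\CN=<dc>)."""
    server = f"CN={dead_dc},CN=Servers,CN={site},CN=Sites,CN=Configuration,{domain_dn}"
    return [f"CN=NTDS Settings,{server}", server]


def ldbdel_commands(dead_dc, site, domain_dn, url="ldap://localhost"):
    """ldbdel invocations for the DNs above (assumed tool; -H takes the LDB URL)."""
    return [f"ldbdel -H {url} {shlex.quote(dn)}"
            for dn in config_dns_to_delete(dead_dc, site, domain_dn)]


def srv_cleanup_commands(working_dc, dead_dc, site, zone):
    """samba-tool dns delete commands for the per-site SRV records naming the
    dead DC, using the record data shape from the thread (priority 0, weight 100).
    Refuses to proceed if the 'dead' DC is the one we would be talking to."""
    if dead_dc.lower() == working_dc.lower():
        raise ValueError("refusing: dead DC must not be the server being contacted")
    cmds = []
    for name, port in SITE_SRV:
        data = f"{dead_dc}.{zone} {port} 0 100"
        cmds.append(" ".join(["samba-tool", "dns", "delete", working_dc, zone,
                              f"{name}.{site}._sites", "SRV", shlex.quote(data)]))
    return cmds


if __name__ == "__main__":
    # Constructed scenario: dc2 is dead, dc1 still answers.
    for line in ldbdel_commands("DC2", "Default-First-Site-Name",
                                "DC=samdom,DC=example,DC=com"):
        print(line)
    for line in srv_cleanup_commands("dc1", "dc2", "Default-First-Site-Name",
                                     "samdom.example.com"):
        print(line)
```

Run the printed commands only after confirming the object and record names against your own directory; the script never touches the DC itself.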
Fixed (at least in part) by 8086900077a23c1c8d94afe691d99d180a297d81..55a13e17b36adc69eb4ec7d706cb9a55906f8275 in Samba 4.3
We now have samba-tool domain demote --remove-other-dead-server for this task.