Bug 15811 - Online demotion of DC does not delete site assignments
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.21.3
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2025-02-21 07:20 UTC by Matthias Kühne
Modified: 2025-02-21 07:20 UTC

Description Matthias Kühne 2025-02-21 07:20:03 UTC
Two weeks ago we demoted a domain controller of our branch office in Zirndorf. Each branch office has its own set of DCs and its own AD-site (configured via RSAT on a Windows computer).

The office in Zirndorf had 3 DCs: zir-1, zir-2 and zir-3. I've logged onto zir-3 and executed "samba-tool domain demote -U Administrator". After that I shut down this virtual machine and deleted it.

All DCs showed a problem in replication and I figured "it just takes a while". A week later the DCs zir-1 and zir-2 still showed this problem. Logging into them and running "samba-tool drs showrepl" revealed that they want to replicate from and to the demoted DC zir-3.

Running "ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid | grep -A1 ZIR-3" got me this:

dn: CN=NTDS Settings,CN=ZIR-3,CN=Servers,CN=Zirndorf,CN=Sites,CN=Configuration,DC=ad,DC=ellerhold,DC=lan
objectGUID: 26845d39-43cf-4112-8b61-bfb26fbe2f6a

So in the site "Zirndorf" this DC is still referenced. Looking into RSAT confirmed that. I've deleted the DC from the site leaf-first and voilà, the replication error vanished.

So it seems like DCs don't get deleted from the Site assignments when online-demoting.

This was with samba 4.21.3 on Debian 12 (mjt repository).
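
One way to check for the leftover described in this report, as an added example (not part of the bug report and not Samba code): it parses output in the shape of the ldbsearch command quoted above and lists NTDS Settings objects whose server is not among the DCs expected to exist. The sample LDIF, its domain and GUIDs, and the list of live DC names are constructed assumptions.

```python
import re

# Constructed sample in the shape of the ldbsearch output above: comment lines
# and one folded DN (LDIF continuation = leading space). Domain/GUIDs are made up.
SAMPLE_LDIF = """\
# record 1
dn: CN=NTDS Settings,CN=ZIR-1,CN=Servers,CN=Zirndorf,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=lan
objectGUID: 11111111-1111-1111-1111-111111111111

# record 2
dn: CN=NTDS Settings,CN=ZIR-3,CN=Servers,CN=Zirndorf,CN=Sites,CN=Configurat
 ion,DC=ad,DC=example,DC=lan
objectGUID: 33333333-3333-3333-3333-333333333333

# returned 2 records
"""

NTDS_DN = re.compile(
    r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,", re.IGNORECASE)

def unfold(ldif):
    """Join LDIF continuation lines (single leading space) onto the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def ntds_entries(ldif):
    """Return server, site, DN and objectGUID for every NTDS Settings record."""
    entries, current = [], None
    for line in unfold(ldif):
        if line.startswith("#"):
            continue  # "# record N" / "# returned N records" comment lines
        key, _, value = line.partition(": ")
        if key == "dn":
            m = NTDS_DN.match(value)
            current = {"server": m.group(1), "site": m.group(2),
                       "dn": value, "guid": None} if m else None
            if current:
                entries.append(current)
        elif key.lower() == "objectguid" and current is not None:
            current["guid"] = value
    return entries

def stale_entries(ldif, live_dcs):
    """NTDS Settings objects whose server name is not in the expected DC list."""
    live = {name.upper() for name in live_dcs}
    return [e for e in ntds_entries(ldif) if e["server"].upper() not in live]

if __name__ == "__main__":
    for e in stale_entries(SAMPLE_LDIF, ["zir-1", "zir-2"]):  # assumed live DCs
        print(f"stale: {e['server']} in site {e['site']} ({e['guid']})")
```
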