Re: samba-tool domain demote


Greg Dickie

Sep 14, 2012, 10:44:25 PM
OK I'm doing something very wrong then. I'm trying to demote a samba DC.
The other server is win2008R2 and the AD was created by a classicupgrade
from samba3.

I get this:

[root@hamba4 ~]# /usr/local/samba-beta8/bin/samba-tool domain demote
-Uadministrator
Using HAI-MTL-DC1.haivision.local as partner server for the demotion
Password for [HAI\administrator]:
Desactivating inbound replication
Asking partner server HAI-MTL-DC1.haivision.local to synchronize from us
Changing userControl and container
Error while demoting, re-enabling inbound replication
ERROR(ldb): Error while changing account control - LDAP error 80
LDAP_OTHER - <00000057: SysErr: DSID-031A1202, problem 22 (Invalid
argument), data 0
> <>

Any tips on how to debug this?

Thanks,
Greg


On Sat, 2012-08-18 at 16:47 +0200, steve wrote:
> On 18/08/12 14:51, Andrew Bartlett wrote:
> > On Sat, 2012-08-18 at 12:50 +0200, steve wrote:
> >> Hi everyone
> >>
> >> I want to reinstall our secondary DC and start with a new install. This
> >> is to test the new openSUSE 12.2 RC2 with Samba4.
> >>
> >> How about this on the secondary DC?
> >> samba-tool domain demote -UAdministrator
> >>
> >> Question:
> >> 1. Is that all?
> >> 2. Does samba need to be running on both DCs?
> >
> > Yes, this is an on-line tool, to run on the DC being demoted. Both DCs
> > must be up and operational at the time of the demote.
> >
> > Andrew Bartlett
> >
> Hi Andrew
> Thanks. It worked fine.
> I think we need to stop samba on the demoted DC and stop and start it a
> few times on the live DC otherwise it still keeps trying to replicate:
>
> Failed to connect host 192.168.1.6
> (d1929b53-0de5-43c6-a3d7-2686e8f7bffe._msdcs.hh3.site) on port 135 -
> NT_STATUS_CONNECTION_REFUSED.
> Failed to connect host 192.168.1.6 on port 135 -
> NT_STATUS_CONNECTION_REFUSED
>
> Otherwise fine.
> Cheers,
> Steve
>
>

--
Greg Dickie
just a guy
514-983-5400

Greg Dickie

Sep 15, 2012, 12:01:02 AM

Debugging this a bit (nice to have lots of stuff in python so I can
easily add debug). I get this:

Desactivating inbound replication
Asking partner server HAI-MTL-DC1.haivision.local to synchronize from us
Changing userControl and container
DN is CN=HAMBA4,OU=Domain Controllers,DC=haivision,DC=local - UAC is
0x83000, old UAC is 0x1000
Error while demoting, re-enabling inbound replication
ERROR(ldb): Error while changing account control2 - LDAP error 80
LDAP_OTHER - <00000057: SysErr: DSID-031A1202, problem 22 (Invalid
argument), data 0
> <>


So I assume it does not like the new UAC of 0x83000, which is all the
bits for UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT and
UF_TRUSTED_FOR_DELEGATION.


But why?

Greg

Greg Dickie

Sep 15, 2012, 12:21:55 AM
If I reset UF_SERVER_TRUST_ACCOUNT it gets past this section but then
fails with:

Asking partner server HAI-MTL-DC1.haivision.local to synchronize from us
Changing userControl and container
DN is CN=HAMBA4,OU=Domain Controllers,DC=haivision,DC=local - UAC is
0x1000, old UAC is 0x81000
RemoveDSServer server:
CN=HAMBA4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=haivision,DC=local, domain: DC=haivision,DC=local
Error while demoting, re-enabling inbound replication
CN=HAMBA4,OU=Domain Controllers,DC=haivision,DC=local
ERROR(<class 'samba.drs_utils.drsException'>): Error while sending a
removeDsServer - drsException: DsRemoveDSServer failed (87,
'WERR_INVALID_PARAM')
File
"/usr/local/samba-beta8/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 475, in run
sendRemoveDsServer(drsuapiBind, drsuapi_handle, server_dsa_dn,
domain)
File
"/usr/local/samba-beta8/lib64/python2.6/site-packages/samba/drs_utils.py", line 108, in sendRemoveDsServer
raise drsException("DsRemoveDSServer failed %s" % estr)

help?

Greg
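
Added example, not part of the thread and not Samba's own code: it decodes the "UAC is ..., old UAC is ..." debug lines quoted in the two messages above and reports which bits each change sets or clears and how many account-type bits the new value carries. The UF_* values are the standard Active Directory definitions; the function names and the rule that exactly one account-type bit is expected are assumptions of this sketch, consistent with what the thread observed.

```python
import re

# userAccountControl bits (standard Active Directory UF_* values).
UF_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x0800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}
# Bits that say what kind of account this is (assumed mutually exclusive here).
ACCOUNT_TYPES = 0x0200 | 0x0800 | 0x1000 | 0x2000

# \s+ lets the match survive the mail client wrapping the line after "UAC is".
UAC_LINE = re.compile(r"UAC is\s+(0x[0-9a-fA-F]+), old UAC is\s+(0x[0-9a-fA-F]+)")

# The two debug lines as they appear in the thread.
THREAD_DEBUG = """\
DN is CN=HAMBA4,OU=Domain Controllers,DC=haivision,DC=local - UAC is
0x83000, old UAC is 0x1000
DN is CN=HAMBA4,OU=Domain Controllers,DC=haivision,DC=local - UAC is
0x1000, old UAC is 0x81000
"""

def flag_names(value):
    """Names of the known bits set in value, lowest first; leftovers as hex."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UF_FLAGS)
    if unknown:
        names.append(hex(unknown))
    return names

def review_uac(new, old):
    """Describe a userAccountControl change and its account-type bits."""
    types = flag_names(new & ACCOUNT_TYPES)
    return {
        "flags": flag_names(new),
        "set": flag_names(new & ~old),
        "cleared": flag_names(old & ~new),
        "account_types": types,
        "valid_type": len(types) == 1,  # assumption: exactly one type bit
    }

def review_debug_output(text):
    """Review every 'UAC is X, old UAC is Y' pair found in the debug text."""
    return [review_uac(int(n, 16), int(o, 16)) for n, o in UAC_LINE.findall(text)]

if __name__ == "__main__":
    for report in review_debug_output(THREAD_DEBUG):
        print(report)
```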