Re: [Samba] Win 2003 DC Demotion
On 07/23/2013 10:49 PM, Garth Keesler wrote:
> Sorry, I forgot to mention. This ONLY occurs when I join Samba 4.x to an existing Windows domain. When I join a Windows DC to an existing Samba 4.x domain, all works correctly including Forest and Domain bi-directional DNS repl.
>
> Thanx,
> Garth

Hi Garth,

It was once working in my test environment, but I do not know why. We had a little discussion some months ago [1]. But most of the time I was also having issues demoting Windows DCs (mostly with the samba-internal DNS database which told me the database is inconsistent as soon as I tried to add new records).

As we do have small environments with about 30 users and we do use puppet for deployment, I have chosen not to do migration/demoting of existing Windows domains. I am starting now from scratch with new Samba4 domains which seems to work very well with single or multiple domain controllers.

Sorry, not really helpful but I do not have an answer to the question. It's just my experience. Maybe it's because I'm using the old version which is used with Debian Wheezy, I don't know.

Regards
Peter

[1] https://lists.samba.org/archive/samba/2013-February/171583.html

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Win 2003 DC Demotion
I remember having issues trying to demote a windows server. What I did was seize the roles from that dc, turn off the machine and manually clean up the old DC records from samba using rsat. I still have lingering records under the root zone though.

Sincerely,
Caio Zanolla

On Sun, Jul 28, 2013 at 12:50 PM, Peter Beck pe...@datentraeger.li wrote:
> On 07/23/2013 10:49 PM, Garth Keesler wrote:
>> Sorry, I forgot to mention. This ONLY occurs when I join Samba 4.x to an existing Windows domain. When I join a Windows DC to an existing Samba 4.x domain, all works correctly including Forest and Domain bi-directional DNS repl.
>>
>> Thanx,
>> Garth
>
> Hi Garth,
>
> It was once working in my test environment, but I do not know why. We had a little discussion some months ago [1]. But most of the time I was also having issues demoting Windows DCs (mostly with the samba-internal DNS database which told me the database is inconsistent as soon as I tried to add new records).
>
> As we do have small environments with about 30 users and we do use puppet for deployment, I have chosen not to do migration/demoting of existing Windows domains. I am starting now from scratch with new Samba4 domains which seems to work very well with single or multiple domain controllers.
>
> Sorry, not really helpful but I do not have an answer to the question. It's just my experience. Maybe it's because I'm using the old version which is used with Debian Wheezy, I don't know.
>
> Regards
> Peter
>
> [1] https://lists.samba.org/archive/samba/2013-February/171583.html
[Samba] Win 2003 DC Demotion
All,

I've posted a few times about this but without response so it seems that not many folks are trying to do this. So, before I spend many more hours on this trying to make it work, a simple yes or no question:

Has anyone successfully demoted a Win 2003 PDC without error after joining a Samba 4.x DC to it?

That's it. I'm primarily interested in yes responses but I'll take what I can get.

Thanx,
Garth
Re: [Samba] Win 2003 DC Demotion
On Tue, 2013-07-23 at 06:49 -0500, Garth Keesler wrote:
> All,
>
> I've posted a few times about this but without response so it seems that not many folks are trying to do this. So, before I spend many more hours on this trying to make it work, a simple yes or no question:
>
> Has anyone successfully demoted a Win 2003 PDC without error after joining a Samba 4.x DC to it?
>
> That's it. I'm primarily interested in yes responses but I'll take what I can get.

It would help if you can describe the errors you get when this fails for you. It certainly is meant to work.

Thanks,
Andrew Bartlett

--
Andrew Bartlett                          http://samba.org/~abartlet/
Authentication Developer, Samba Team     http://samba.org
Re: [Samba] Win 2003 DC Demotion
On 07/23/2013 02:54 PM, Andrew Bartlett wrote:
> On Tue, 2013-07-23 at 06:49 -0500, Garth Keesler wrote:
>> All,
>>
>> I've posted a few times about this but without response so it seems that not many folks are trying to do this. So, before I spend many more hours on this trying to make it work, a simple yes or no question:
>>
>> Has anyone successfully demoted a Win 2003 PDC without error after joining a Samba 4.x DC to it?
>>
>> That's it. I'm primarily interested in yes responses but I'll take what I can get.
>
> It would help if you can describe the errors you get when this fails for you. It certainly is meant to work.
>
> Thanks,
> Andrew Bartlett

First, thanx for the reply. I'm not exactly sure what to send so I'll send a lot. Let me know if you need more.

The errors (not really errors) have to do with the fact that Forest and Domain DNS repl are one-way from WINDC to SAMBADC so when I try and demote WINDC, it refuses to demote because it believes it is the only holder of that info. Also, when I try and add the Samba DC to the Win DNS MMC, it refuses to add it because it does not detect that the Samba DC is in fact an Active Domain server. This is in spite of the fact that (some) replication does occur.

root@sambadc:~# samba --version
Version 4.1.0rc1
root@sambadc:~#
root@sambadc:~# samba-tool drs showrepl
PRR\SAMBADC
DSA Options: 0x0001
DSA object GUID: 981910d4-81a9-4421-8134-4961a3c474ad
DSA invocationId: c004e70f-5b8c-4dd8-b364-b1c110cd241c

INBOUND NEIGHBORS

DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

DC=ForestDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

DC=DomainDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

OUTBOUND NEIGHBORS

DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

KCC CONNECTION OBJECTS

Connection --
    Connection name: 130d9758-a7b2-4a25-b0b7-40ce00d9ef2a
    Enabled: TRUE
    Server DNS name : windc.mydomain.com
    Server DN name : CN=NTDS Settings,CN=WINDC,CN=Servers,CN=PRR,CN=Sites,CN=Configuration,DC=mydomain,DC=com
    TransportType: RPC
    options: 0x0001
Warning: No NC replicated for Connection!
root@sambadc:~#
root@sambadc:~# samba-tool dbcheck
Checking 2290 objects
ERROR: missing GUID component for ipsecOwnersReference in object CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A3},CN=IP Security,CN=System,DC=mydomain,DC=com
-
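
The one-way replication described in the message above can be read directly off the showrepl output: ForestDnsZones and DomainDnsZones appear under INBOUND NEIGHBORS but not under OUTBOUND NEIGHBORS. The following Python check is an added example, not part of the original thread and not Samba project code; it parses showrepl text and lists every naming context that has an inbound neighbour without a matching outbound entry. The sample input is abridged from the post, and the function names are hypothetical.

```python
import re

# Abridged from the showrepl output in the thread (GUID/timestamp lines dropped).
SAMPLE = r"""
INBOUND NEIGHBORS
DC=mydomain,DC=com
    PRR\WINDC via RPC
DC=ForestDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
DC=DomainDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
OUTBOUND NEIGHBORS
DC=mydomain,DC=com
    PRR\WINDC via RPC
CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
KCC CONNECTION OBJECTS
"""

# Section headers are matched with or without surrounding "====" decoration.
SECTION = re.compile(r"^\W*(INBOUND|OUTBOUND) NEIGHBORS\W*$")
NC = re.compile(r"^(?:CN|DC)=.+$")              # naming-context DN line
NEIGHBOUR = re.compile(r"^(.+\\.+) via RPC$")   # SITE\SERVER via RPC

def parse_showrepl(text):
    """Map each direction to {naming context: set of neighbour DCs}."""
    repl, section, nc = {"INBOUND": {}, "OUTBOUND": {}}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section, nc = m.group(1), None
        elif "KCC CONNECTION OBJECTS" in line:
            section = nc = None          # connection objects are not neighbours
        elif section and NC.match(line):
            nc = line
            repl[section].setdefault(nc, set())
        elif section and nc and (m := NEIGHBOUR.match(line)):
            repl[section][nc].add(m.group(1))
    return repl

def one_way_partitions(text):
    """(naming context, DC) pairs replicated inbound with no outbound entry."""
    repl = parse_showrepl(text)
    return [(nc, dc)
            for nc, sources in sorted(repl["INBOUND"].items())
            for dc in sorted(sources - repl["OUTBOUND"].get(nc, set()))]

if __name__ == "__main__":
    for nc, dc in one_way_partitions(SAMPLE):
        print(f"no outbound replication of {nc} to {dc}")
```

An empty result before demotion means every partition pulled from the old DC is also listed outbound to it; a non-empty result names the partitions for which the old DC would still consider itself the only holder.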
Re: [Samba] Win 2003 DC Demotion
On 07/23/2013 03:37 PM, Garth Keesler wrote:
> On 07/23/2013 02:54 PM, Andrew Bartlett wrote:
>> On Tue, 2013-07-23 at 06:49 -0500, Garth Keesler wrote:
>>> All,
>>>
>>> I've posted a few times about this but without response so it seems that not many folks are trying to do this. So, before I spend many more hours on this trying to make it work, a simple yes or no question:
>>>
>>> Has anyone successfully demoted a Win 2003 PDC without error after joining a Samba 4.x DC to it?
>>>
>>> That's it. I'm primarily interested in yes responses but I'll take what I can get.
>>
>> It would help if you can describe the errors you get when this fails for you. It certainly is meant to work.
>>
>> Thanks,
>> Andrew Bartlett
>
> First, thanx for the reply. I'm not exactly sure what to send so I'll send a lot. Let me know if you need more.
>
> The errors (not really errors) have to do with the fact that Forest and Domain DNS repl are one-way from WINDC to SAMBADC so when I try and demote WINDC, it refuses to demote because it believes it is the only holder of that info. Also, when I try and add the Samba DC to the Win DNS MMC, it refuses to add it because it does not detect that the Samba DC is in fact an Active Domain server. This is in spite of the fact that (some) replication does occur.