** This version of Samba is at EOL as of 03-07-2017. **

Everything works if the first domain controller is up and the one you want to demote is up as well.

But if one of them is down, this won’t work. Others have tried demoting the server with ntdsutil.exe or ADSI Edit, but I haven’t tested that enough. Because it won’t work, I use a virtual CentOS Samba AD DC server and back it up at least once a month.

Make sure the domain controller you want to demote holds no FSMO roles. There are 7 FSMO roles; check which DC holds each of them with:

sudo samba-tool fsmo show

If it holds none, demote it by running this on the domain controller you want to demote:

sudo samba-tool domain demote -Uadministrator

Using centos.bales.lan as partner server for the demotion
Password for [BALES\administrator]: *
Desactivating inbound replication
Asking partner server centos.bales.lan to synchronize from us
Changing userControl and container
Demote successfull

If it does hold any FSMO roles, transfer them to the domain controller you want to keep by running this on that DC:

sudo samba-tool fsmo transfer --role=*
FSMO transfer of '*' role successful

* Replace * with the role name: ‘rid’, ‘pdc’, ‘infrastructure’, ‘schema’, ‘naming’, ‘domaindns’, ‘forestdns’ or ‘all’.

If you use ‘all’, ‘domaindns’ or ‘forestdns’, transferring won’t work. You have to seize those roles instead, with --force at the end of the line to make sure it succeeds:

sudo samba-tool fsmo seize --role=domaindns --force

Then demote the DC with:

sudo samba-tool domain demote -Uadministrator

Using centos.bales.lan as partner server for the demotion
Password for [BALES\administrator]: *
Desactivating inbound replication
Asking partner server centos.bales.lan to synchronize from us
Changing userControl and container
Demote successfull
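The whole sequence above (check the roles, move any the DC still holds, then demote) can be turned into a pre-flight check. The script below is an added example and is not part of the original post or of Samba: it parses the output format of samba-tool fsmo show (embedded here as a constructed sample for the post's bales.lan domain, with CENTOS and CENTOS2 as assumed DC names), reports whether a given DC still owns any role, and prints, without running, the transfer or seize line the post prescribes for each remaining role. On a real DC you would replace the sample with the live command output.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a DC may be demoted by
# parsing `samba-tool fsmo show` output, and print (never run) the transfer/seize
# command the post prescribes for each role the DC still holds.

# Constructed sample of `samba-tool fsmo show` output for the post's bales.lan domain;
# on a real DC replace this with the output of:  sudo samba-tool fsmo show
SAMPLE_FSMO_OUTPUT='SchemaMasterRole owner: CN=NTDS Settings,CN=CENTOS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=CENTOS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=CENTOS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=CENTOS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=CENTOS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=CENTOS2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=CENTOS2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan'

# roles_held_by DCNAME  (fsmo-show text on stdin)
# Prints the FSMO role names whose owner DN names DCNAME. DNs are case-insensitive,
# so both sides are upper-cased; the trailing comma stops CENTOS matching CENTOS2.
roles_held_by() {
    dc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -v dc="$dc" '
        /Role owner:/ && (index(toupper($0), "CN=NTDS SETTINGS,CN=" dc ",") > 0) { print $1 }'
}

# role_count DCNAME : number of roles DCNAME holds in the sample (0 = safe to demote)
role_count() {
    printf '%s\n' "$SAMPLE_FSMO_OUTPUT" | roles_held_by "$1" | wc -l | tr -d ' '
}

# demote_is_safe DCNAME : succeeds only when DCNAME holds no FSMO role
demote_is_safe() {
    [ "$(role_count "$1")" -eq 0 ]
}

# plan_command ROLENAME : the samba-tool line to run on the DC that stays, following
# the post: transfer for five roles, seize --force for the two DNS-zone roles.
plan_command() {
    case "$1" in
        SchemaMasterRole)         role=schema ;;
        InfrastructureMasterRole) role=infrastructure ;;
        RidAllocationMasterRole)  role=rid ;;
        PdcEmulationMasterRole)   role=pdc ;;
        DomainNamingMasterRole)   role=naming ;;
        DomainDnsZonesMasterRole) echo "sudo samba-tool fsmo seize --role=domaindns --force"; return 0 ;;
        ForestDnsZonesMasterRole) echo "sudo samba-tool fsmo seize --role=forestdns --force"; return 0 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
    echo "sudo samba-tool fsmo transfer --role=$role"
}

# Walk both DCs of the sample and report what must happen before each could be demoted.
for dc in CENTOS CENTOS2; do
    if demote_is_safe "$dc"; then
        echo "$dc holds no FSMO roles: 'sudo samba-tool domain demote' can run on it"
    else
        echo "$dc still holds roles; run on the surviving DC first:"
        printf '%s\n' "$SAMPLE_FSMO_OUTPUT" | roles_held_by "$dc" | while read -r r; do
            echo "  $(plan_command "$r")"
        done
    fi
done
```

The script only reports; it never calls samba-tool itself, so it can be run as a read-only check before touching either DC. The match on "CN=NTDS Settings,CN=<name>," is deliberate: a plain substring match on the host name would let CENTOS claim the roles CENTOS2 owns.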

Make sure the dns forwarder and idmap_ldb:use rfc2307 settings have been added to the smb.conf of every DC:

# Global parameters
[global]
 workgroup = BALES
 realm = bales.lan
 netbios name = CENTOS2
 server role = active directory domain controller
 dns forwarder = 192.168.2.1
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/bales.lan/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No
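Checking that every DC's smb.conf really carries those two [global] settings is easy to get wrong with a plain grep, because the same keyword under another section would match too. The script below is an added example, not from the post or from Samba: it reads the [global] section only, and is run here against a constructed copy of the post's smb.conf (the good case) and a constructed broken copy with the forwarder missing and rfc2307 turned off (the bad case), both written to temporary files.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a smb.conf carries the two
# [global] settings the post wants on every DC, honouring section boundaries so a
# "dns forwarder" line under some other section is not mistaken for the global one.

# Constructed copy of the post's smb.conf, written to a temp file as the good case.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# Global parameters
[global]
 workgroup = BALES
 realm = bales.lan
 netbios name = CENTOS2
 server role = active directory domain controller
 dns forwarder = 192.168.2.1
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/bales.lan/scripts
 read only = No
EOF

# Constructed bad case: forwarder only in the wrong section, rfc2307 present but off.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
[global]
 workgroup = BALES
 realm = bales.lan
 server role = active directory domain controller
 idmap_ldb:use rfc2307 = no
[netlogon]
 dns forwarder = 192.168.2.1
EOF

# global_value FILE KEY : print KEY's value from [global] only (empty if absent).
# Keys are compared case-insensitively and whitespace around key and value is trimmed.
global_value() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        /^[[:space:]]*[#;]/ { next }
        inglobal && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# dc_conf_ok FILE : succeeds when a forwarder is set and rfc2307 mapping is enabled
dc_conf_ok() {
    fwd=$(global_value "$1" "dns forwarder")
    rfc=$(global_value "$1" "idmap_ldb:use rfc2307" | tr '[:upper:]' '[:lower:]')
    [ -n "$fwd" ] && [ "$rfc" = "yes" ]
}

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if dc_conf_ok "$f"; then
        echo "$f: ok (dns forwarder = $(global_value "$f" "dns forwarder"))"
    else
        echo "$f: missing dns forwarder or idmap_ldb:use rfc2307 = yes in [global]"
    fi
done
```

To audit a real DC, point dc_conf_ok at its smb.conf (for the post's build that is under /usr/local/samba/etc/); the parser deliberately treats "dns forwarder" under [netlogon] as absent, which is exactly the mistake a plain grep would miss.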

References

https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC
