I tried several times to demote a working server, but it failed each time, and the only way I can demote a working server is by using the dead-server demote. It might be something with CentOS and Linux Mint, because both give the same error message (see also http://wp.me/p5qHcj-pR). I might be doing something wrong, or it will be fixed in a later update.

Make sure the domain controller you want to demote holds no FSMO roles. A Samba AD domain has seven of them (the five Windows roles plus the DomainDnsZones and ForestDnsZones masters); to see which DC owns each one, run:

sudo samba-tool fsmo show

If it does hold any, run the transfer on the DC that is going to stay: samba-tool fsmo transfer pulls the named role onto the DC it is run on, so the role ends up on the active domain controller:

sudo samba-tool fsmo transfer --role=*
FSMO transfer of '*' role successful

* Replace * with one of 'rid', 'pdc', 'infrastructure', 'schema', 'naming', 'domaindns', 'forestdns' or 'all'.

Transferring 'all', 'domaindns' or 'forestdns' does not work in this setup. Seize those roles instead and put '--force' at the end of the line: without it samba-tool first tries a transfer (which is exactly what fails here), with it the role is seized outright. Only seize a role from a DC that is being retired, and once a role has been seized never let the old owner come back online as a DC still believing it holds that role.

sudo samba-tool fsmo seize --role=domaindns --force

If it holds none, you should be able to run this on the DC being demoted:

sudo samba-tool domain demote -Uadministrator

but in this setup it errors out and does not demote the server:

Using dc1.bales.lan as partner server for the demotion
Password for [BALES\administrator]:
Deactivating inbound replication
Asking partner server dc1.bales.lan to synchronize from us
Error while demoting, re-enabling inbound replication
ERROR(<type 'exceptions.RuntimeError'>): Error while sending a DsReplicaSync for partion CN=Schema,CN=Configuration,DC=bales,DC=lan - (8440, 'WERR_DS_DRA_BAD_NC')
 File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 786, in run
 drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)

The only way I can demote a working server is by using the demote-a-dead-server option on the working server:

sudo samba-tool domain demote --remove-other-dead-server=dc2

In the author's runs, deleting the server object from the AD DC this way also cleared the FSMO roles it held, so when demoting a working server does not work anyway there is little point in transferring or seizing the roles first. Do not take that on trust, though: after the removal run sudo samba-tool fsmo show on the remaining DC, and if any role is still listed against the removed server (or against a deleted object), seize it with --force. Also remember what the removed box still has on disk: a full copy of the domain database, including every account's password hashes and the krbtgt key. Wipe the private directory of its Samba install (/usr/local/samba/private for the build shown above) or destroy the disk, and never boot it again as a DC.

Shut down the DC being removed first (it is not dead, just retiring, but it must be off so it cannot keep replicating or answering clients), run the command on the remaining DC, and then check that the removed DC is gone from DNS. The command reports everything it removes:

Removing nTDSConnection: CN=88b0b124-1a8c-47b4-9f8f-68f724b898c0,CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
Removing nTDSDSA: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan (and any children)
Removing RID Set: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=bales,DC=lan
Removing computer account: CN=DC2,OU=Domain Controllers,DC=bales,DC=lan (and any child objects)
updating ForestDnsZones.bales.lan keeping 1 values, removing 1 values
updating DomainDnsZones.bales.lan keeping 1 values, removing 1 values
updating bales.lan keeping 3 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.Default-First-Site-Name._sites,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_gc._tcp.Default-First-Site-Name._sites,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp.DomainDnsZones,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp.ForestDnsZones,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_kerberos._tcp,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_kerberos._udp,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_kpasswd._tcp,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_kpasswd._udp,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_gc._tcp,DC=bales.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp.f2ce8d92-e3e7-43d2-a271-72798aa1dbdf.domains,DC=_msdcs.bales.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.bales.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.bales.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.bales.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=f44f8fb3-6ca5-4d12-8656-61d5e254323f,DC=_msdcs.bales.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=bales,DC=lan keeping 0 values, removing 1 values
updating DC=_kerberos._tcp.dc,DC=_msdcs.bales.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp.pdc,DC=_msdcs.bales.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp.dc,DC=_msdcs.bales.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
updating DC=_ldap._tcp.gc,DC=_msdcs.bales.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=bales,DC=lan keeping 1 values, removing 1 values
Removing Sysvol reference: CN=DC2,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=bales,DC=lan
Removing Sysvol reference: CN=DC2,CN=bales.lan,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=bales,DC=lan
Removing Sysvol reference: CN=DC2,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=bales,DC=lan
Removing Sysvol reference: CN=DC2,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=bales,DC=lan
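The whole procedure above (find the roles the retiring DC still owns, seize them on the DC that stays, remove the retiring DC as a dead server, then verify roles and DNS) as one script to run on the remaining DC. This is an added example written for this page, not code from the post or from the Samba project. It assumes the `samba-tool fsmo show` output format reproduced in the constructed sample inside the script (role label, the word owner:, then the NTDS Settings DN), that the `host` command is available for the SRV-record check, and the DC1/DC2 names and bales.lan zone taken from the post. The parsing and planning functions work offline against the sample; retire_dc needs a real DC and samba-tool.

```sh
#!/bin/sh
# Added example, not from the original post or from the Samba project.
# Run on the DC that STAYS (dc1 in the post). It reads `samba-tool fsmo show`,
# seizes every role the retiring DC still owns, removes the retiring DC with
# --remove-other-dead-server, and re-checks FSMO ownership and DNS.
# Assumption: `samba-tool fsmo show` prints lines shaped like the sample below.
set -eu

# Constructed sample modelled on a two-DC bales.lan domain in which DC2 (the DC
# being retired) still owns three of the seven roles.
SAMPLE_FSMO_SHOW='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bales,DC=lan'

# roles_held_by DCNAME: read `samba-tool fsmo show` output on stdin and print,
# one per line, the --role= names (rid, pdc, ...) owned by DCNAME. The match is
# on "CN=NTDS Settings,CN=<DCNAME>," (case-insensitive), so DC1 never matches DC10.
roles_held_by() {
  awk -v dc="$(printf '%s' "$1" | tr 'a-z' 'A-Z')" '
    BEGIN {
      map["SchemaMasterRole"]         = "schema"
      map["InfrastructureMasterRole"] = "infrastructure"
      map["RidAllocationMasterRole"]  = "rid"
      map["PdcEmulationMasterRole"]   = "pdc"
      map["DomainNamingMasterRole"]   = "naming"
      map["DomainDnsZonesMasterRole"] = "domaindns"
      map["ForestDnsZonesMasterRole"] = "forestdns"
    }
    ($1 in map) && $2 == "owner:" && index(toupper($0), "CN=NTDS SETTINGS,CN=" dc ",") > 0 {
      print map[$1]
    }'
}

# seize_plan DCNAME: turn the roles DCNAME still owns into the seize commands to
# run on the remaining DC. --force skips the transfer attempt, which is the step
# that fails for domaindns/forestdns in the post.
seize_plan() {
  roles_held_by "$1" | while IFS= read -r role; do
    printf 'samba-tool fsmo seize --role=%s --force\n' "$role"
  done
}

# retire_dc DCNAME DNSZONE: the real procedure; needs samba-tool. Set DRY_RUN=1
# to print the commands instead of running them. Shut DCNAME down BEFORE calling
# this: its disk still holds a full copy of the domain database (all password
# hashes and the krbtgt key), so wipe it and never boot it as a DC again.
retire_dc() {
  dc="$1"; zone="$2"
  run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

  samba-tool fsmo show | seize_plan "$dc" | while IFS= read -r cmd; do
    run $cmd   # word-splitting is intended: $cmd is a line we generated above
  done
  run samba-tool domain demote --remove-other-dead-server="$dc"

  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "dry run: skipping post-checks"
    return 0
  fi
  # Post-checks: no role may still point at the removed DC, and its name must be
  # gone from the SRV records clients use to find an LDAP server/KDC.
  if samba-tool fsmo show | roles_held_by "$dc" | grep -q .; then
    echo "ERROR: $dc still owns FSMO roles; seize them before continuing" >&2
    return 1
  fi
  if host -t SRV "_ldap._tcp.$zone" | grep -qi "$dc\.$zone"; then
    echo "ERROR: $dc is still in the _ldap._tcp.$zone SRV records" >&2
    return 1
  fi
  echo "$dc removed; FSMO roles and SRV records are clean"
}

# Usage: sh retire_dc.sh DC2 bales.lan   (or DRY_RUN=1 sh retire_dc.sh DC2 bales.lan)
if [ $# -ge 2 ]; then
  retire_dc "$1" "$2"
fi
```

The seize step runs first on purpose: seizing a role on the surviving DC succeeds whether or not the old owner is reachable, whereas removing the server object first leaves you trusting that the ownership records were cleaned up for you. Run it with DRY_RUN=1 once to see the exact commands it would issue for your domain.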
