
[Samba] Error removing Windows DC from AD

Hi,

I'm preparing to move a small business environment away from Windows-based AD (Windows Server 2012R2, Domain and Forest downgraded to Win2008R2 level) to Samba. So far in my lab environment joining Samba as a DC works, including DNS and Sysvol replication.

OS: Debian 9
Samba versions 4.5.12 (Debian repository) and 4.8.2 (latest release compiled from source), same behavior on both versions

As the goal is to get rid of the Windows server, I've tried to demote the Windows DC by uninstalling Active Directory services from the server. This fails with the following error message:

Uninstall-ADDSDomainController : The operation failed because:
Active Directory Domain Services could not find another Active Directory Domain Controller to transfer the remaining
data in directory partition DC=ForestDnsZones,DC=example,DC=lan.
"The specified domain either does not exist or could not be contacted."


When I have more than one Windows AD DC active, demotion of one or the other works fine, but removing the last Windows DC fails.

FSMO roles have all been transferred to the Debian Samba AD (DC3 in this case):

# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan

samba-tool drs showrepl shows no failures.

Is there any further preparation I need to do on the Windows server side to make a clean demotion possible? I can force the removal of the Windows DC, but this has left leftover data in the LDAP database and DNS that I have to excise by hand, which I don't find ideal.

I'm thankful for any advice on how to accomplish this.

Best regards,
Pietro
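A preflight check for the error quoted above, added here as an example and not part of the original post or of Samba: the demotion is refused when the partition's crossRef object in CN=Partitions,CN=Configuration does not list another DC in its msDS-NC-Replica-Locations attribute, so the script parses that LDIF and reports partitions where the remaining Samba DC is missing. The LDIF sample is constructed, WINDC is a hypothetical name for the Windows DC, and the real values would come from an LDAP search of the crossRef objects.

```python
# Preflight check: Windows will not demote the last DC holding an application
# partition (DomainDnsZones, ForestDnsZones) unless another DC is listed as a
# replica host on the partition's crossRef.  Parse the crossRef LDIF (nCName,
# msDS-NC-Replica-Locations) and report partitions where the Samba DC is absent.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan"
SAMBA_NTDS = "CN=NTDS Settings,CN=DC3," + SITE      # remaining Samba DC (from the post)
WINDOWS_NTDS = "CN=NTDS Settings,CN=WINDC," + SITE  # hypothetical Windows DC name

# Constructed sample LDIF: ForestDnsZones deliberately lacks DC3 as a host,
# and one DC3 value is folded over two lines as LDIF permits.
SAMPLE_LDIF = f"""\
dn: CN=DomainDnsZones.example.lan,CN=Partitions,CN=Configuration,DC=example,DC=lan
nCName: DC=DomainDnsZones,DC=example,DC=lan
msDS-NC-Replica-Locations: {WINDOWS_NTDS}
msDS-NC-Replica-Locations: CN=NTDS Settings,CN=DC3,
 {SITE}

dn: CN=ForestDnsZones.example.lan,CN=Partitions,CN=Configuration,DC=example,DC=lan
nCName: DC=ForestDnsZones,DC=example,DC=lan
msDS-NC-Replica-Locations: {WINDOWS_NTDS}
"""

def parse_ldif(text):
    """LDIF -> list of dicts (attr -> [values]); joins folded lines, skips '#' and '::' base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:     # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                 # trailing "" flushes the last entry
        if not line and current:                 # blank line ends an entry
            entries.append(current)
            current = {}
        elif line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            if not value.startswith(":"):        # DNs are plain ASCII, never base64
                current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def partitions_missing_replica(ldif_text, ntds_dn):
    """nCName of each partition whose crossRef does not list ntds_dn as a replica host."""
    missing = []
    for entry in parse_ldif(ldif_text):
        nc = entry.get("nCName", [None])[0]
        hosts = {h.lower() for h in entry.get("msDS-NC-Replica-Locations", [])}
        if nc and ntds_dn.lower() not in hosts:  # DNs compare case-insensitively
            missing.append(nc)
    return missing
```

Against a live directory the same two attributes can be fetched with `ldapsearch -b CN=Partitions,CN=Configuration,DC=example,DC=lan '(objectClass=crossRef)' nCName msDS-NC-Replica-Locations` plus the usual bind options, and any partition the check reports needs the Samba DC added as a replica host before the Windows DC can be demoted cleanly.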

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba