Web lists-archives.com

Re: [Samba] Problems removing a SBS 2008 server from a Samba AD DC.




On Mon, 27 Aug 2018, Jonathan Hunter via samba wrote:

Just responding on one point..

Thanks for the update.


On Mon, 27 Aug 2018 at 21:35, Tom Diehl via samba <samba@xxxxxxxxxxxxxxx>
wrote:

In addition, I tried running samba-tool dbcheck --cross-ncs --fix
that command generates over 400 errors that it claims it is going to fix
but
it does not.

(pht-vdc1 pts9) # samba-tool dbcheck --cross-ncs --fix --yes
[...]
ERROR: Failed to fix old DN string on attribute
msSBSComputerUserAccessOverride : (16, "attribute
'msSBSComputerUserAccessOverride': no matching attribute value while
deleting attribute on 'CN=Chris
XXXXX,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'")

I had been bitten by this part in the past, too.

The 'dbcheck --fix --yes' operation is transactional, i.e. either the whole
thing (all 400 updates) succeeds, or the whole thing fails (which is what
you are seeing) and no changes are committed.

You'll need to run without --yes, and confirm each one individually, I
think, in order to fix the 399 that are OK.

So I took your suggestion and confirmed each one individually. That got me
from 409 down to 407. :-(
I tried it twice and got the same results.

Below is a sample of the output:
(pht-vdc1 pts8) # samba-tool dbcheck --cross-ncs --fix
Checking 10566 objects
Fix nTSecurityDescriptor on CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=MYCompany Calendar,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=MYCompany Calendar,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=Guests,CN=Builtin,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Guests,CN=Builtin,DC=mydomain,DC=com'

...

Fix nTSecurityDescriptor on CN=Shop,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Shop,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=ANDREW-PC,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=ANDREW-PC,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=mydomain,DC=com'

Checked 10566 objects (407 errors)
(pht-vdc1 pts9) #

Does anyone have any other ideas how to fix this? I am hoping that if I fix this it will
then let me cleanup the dead Windows DC.

Regards,

--
Tom			me@xxxxxxxxxx

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba