Remove stale DRS replication partner

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Remove stale DRS replication partner

Samba - General mailing list
Dear list,

After (almost) successfully removing a dead DC from my domain I am left
with only one visible symptom:
samba-tool drs showrepl shows two stale outbound link for one of the
remaining 2 DCs:
DC=DomainDnsZones,DC=subdom,DC=mydom,DC=com
        NTDS DN: CN=NTDS
Settings\0ADEL:09210f3d-dab9-4a69-92ca-b11e93845367,CN=DC3\0ADEL:591e8395-a414-4bca-99a0-8cb195417493,CN=Servers,CN=Location,CN=Sites,CN=Configuration,DC=subdom,DC=mydom,DC=com
                DSA object GUID: 09210f3d-dab9-4a69-92ca-b11e93845367
                Last attempt @ Mon Jun 26 17:26:27 2017 CEST failed, result
2 (WERR_FILE_NOT_FOUND)
                2001797 consecutive failure(s).
                Last success @ Sat Jan  7 15:22:31 2017 CET

I tried already the samba-tool emergency way using
DC2# samba-tool domain demote
--remove-other-dead-server=09210f3d-dab9-4a69-92ca-b11e93845367
ERROR: Demote failed: DemoteException: 09210f3d-dab9-4a69-92ca-b11e93845367
is not an AD DC in subdom.mydom.com

Same using the server's name instead of the GUID.
How can I remove this connection from the replication?

Any help appreciated.

Best regards
Johannes
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Remove stale DRS replication partner

Samba - General mailing list
On 6/26/2017 2:43 PM, Johannes Engel via samba wrote:

> Dear list,
>
> After (almost) successfully removing a dead DC from my domain I am left
> with only one visible symptom:
> samba-tool drs showrepl shows two stale outbound link for one of the
> remaining 2 DCs:
> DC=DomainDnsZones,DC=subdom,DC=mydom,DC=com
>          NTDS DN: CN=NTDS
> Settings\0ADEL:09210f3d-dab9-4a69-92ca-b11e93845367,CN=DC3\0ADEL:591e8395-a414-4bca-99a0-8cb195417493,CN=Servers,CN=Location,CN=Sites,CN=Configuration,DC=subdom,DC=mydom,DC=com
>                  DSA object GUID: 09210f3d-dab9-4a69-92ca-b11e93845367
>                  Last attempt @ Mon Jun 26 17:26:27 2017 CEST failed, result
> 2 (WERR_FILE_NOT_FOUND)
>                  2001797 consecutive failure(s).
>                  Last success @ Sat Jan  7 15:22:31 2017 CET
>
> I tried already the samba-tool emergency way using
> DC2# samba-tool domain demote
> --remove-other-dead-server=09210f3d-dab9-4a69-92ca-b11e93845367
> ERROR: Demote failed: DemoteException: 09210f3d-dab9-4a69-92ca-b11e93845367
> is not an AD DC in subdom.mydom.com
>
> Same using the server's name instead of the GUID.
> How can I remove this connection from the replication?
>
> Any help appreciated.
>
> Best regards
> Johannes

You can remove the orphaned NTDS connection using Windows Sites and
Services application.

--
--
James


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Remove stale DRS replication partner

Samba - General mailing list
Hi James,

thanks a lot for your hint. However, I seem to be unable to find it there.
Can you please be a little more specific?
I tried to check the replication topology, but no success.
Thanks a lot!

Best regards
Johannes

lingpanda101 via samba <[hidden email]> schrieb am Mo., 26. Juni
2017 um 20:52 Uhr:

> On 6/26/2017 2:43 PM, Johannes Engel via samba wrote:
> > Dear list,
> >
> > After (almost) successfully removing a dead DC from my domain I am left
> > with only one visible symptom:
> > samba-tool drs showrepl shows two stale outbound link for one of the
> > remaining 2 DCs:
> > DC=DomainDnsZones,DC=subdom,DC=mydom,DC=com
> >          NTDS DN: CN=NTDS
> >
> Settings\0ADEL:09210f3d-dab9-4a69-92ca-b11e93845367,CN=DC3\0ADEL:591e8395-a414-4bca-99a0-8cb195417493,CN=Servers,CN=Location,CN=Sites,CN=Configuration,DC=subdom,DC=mydom,DC=com
> >                  DSA object GUID: 09210f3d-dab9-4a69-92ca-b11e93845367
> >                  Last attempt @ Mon Jun 26 17:26:27 2017 CEST failed,
> result
> > 2 (WERR_FILE_NOT_FOUND)
> >                  2001797 consecutive failure(s).
> >                  Last success @ Sat Jan  7 15:22:31 2017 CET
> >
> > I tried already the samba-tool emergency way using
> > DC2# samba-tool domain demote
> > --remove-other-dead-server=09210f3d-dab9-4a69-92ca-b11e93845367
> > ERROR: Demote failed: DemoteException:
> 09210f3d-dab9-4a69-92ca-b11e93845367
> > is not an AD DC in subdom.mydom.com
> >
> > Same using the server's name instead of the GUID.
> > How can I remove this connection from the replication?
> >
> > Any help appreciated.
> >
> > Best regards
> > Johannes
>
> You can remove the orphaned NTDS connection using Windows Sites and
> Services application.
>
> --
> --
> James
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Remove stale DRS replication partner

Samba - General mailing list
On 6/26/2017 4:35 PM, Johannes Engel wrote:

> Hi James,
>
> thanks a lot for your hint. However, I seem to be unable to find it
> there. Can you please be a little more specific?
> I tried to check the replication topology, but no success.
> Thanks a lot!
>
> Best regards
> Johannes
>
> lingpanda101 via samba <[hidden email]
> <mailto:[hidden email]>> schrieb am Mo., 26. Juni 2017 um
> 20:52 Uhr:
>
>     On 6/26/2017 2:43 PM, Johannes Engel via samba wrote:
>     > Dear list,
>     >
>     > After (almost) successfully removing a dead DC from my domain I
>     am left
>     > with only one visible symptom:
>     > samba-tool drs showrepl shows two stale outbound link for one of the
>     > remaining 2 DCs:
>     > DC=DomainDnsZones,DC=subdom,DC=mydom,DC=com
>     >          NTDS DN: CN=NTDS
>     >
>     Settings\0ADEL:09210f3d-dab9-4a69-92ca-b11e93845367,CN=DC3\0ADEL:591e8395-a414-4bca-99a0-8cb195417493,CN=Servers,CN=Location,CN=Sites,CN=Configuration,DC=subdom,DC=mydom,DC=com
>     >                  DSA object GUID:
>     09210f3d-dab9-4a69-92ca-b11e93845367
>     >                  Last attempt @ Mon Jun 26 17:26:27 2017 CEST
>     failed, result
>     > 2 (WERR_FILE_NOT_FOUND)
>     >                  2001797 consecutive failure(s).
>     >                  Last success @ Sat Jan  7 15:22:31 2017 CET
>     >
>     > I tried already the samba-tool emergency way using
>     > DC2# samba-tool domain demote
>     > --remove-other-dead-server=09210f3d-dab9-4a69-92ca-b11e93845367
>     > ERROR: Demote failed: DemoteException:
>     09210f3d-dab9-4a69-92ca-b11e93845367
>     > is not an AD DC in subdom.mydom.com <http://subdom.mydom.com>
>     >
>     > Same using the server's name instead of the GUID.
>     > How can I remove this connection from the replication?
>     >
>     > Any help appreciated.
>     >
>     > Best regards
>     > Johannes
>
>     You can remove the orphaned NTDS connection using Windows Sites and
>     Services application.
>
>     --
>     --
>     James
>
>
>     --
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
     I'll try, but I'm not sure if you have more then one site. Open
Sites & Services. One the the left you may only see
'Default-First-Site-Name'. Click the arrow to expand
'Default-First-Site-Name'. Next click the arrow to expand 'Servers'.  
You should see one or more servers. Click the arrow next the the DC that
continues to display the demoted NTDS settings when running 'showrepl'.
You should now see 'NTDS Settings' under the DC. You can now right click
and delete any 'automatically generated' site link not needed on the
right pane or altogether delete the 'NTDS settings' under the DC you
expanded.

If you see the actual DC you demoted when expanding
'Default-First-Site-Name', go ahead and delete it as well. Use caution
when deleting a DC. Make sure it's the one no longer part of your
domain. If in doubt on any of these steps, ask on the list.

--
--
James

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Remove stale DRS replication partner

Samba - General mailing list
Hi James,

thanks a lot. However, in the Windows Sites & Services application the
connection in question does not show up at all. It is only visible in
the samba-tool output and only for the objects DomainDnsZones and
ForestDnsZones...

Best regards
Johannes

Am 27.06.2017 um 17:16 schrieb Johannes Engel:

>
> Hi James,
>
> thanks a lot. However, in the Windows Sites & Services application the
> connection in question does not show up at all. It is only visible in
> the samba-tool output and only for the objects DomainDnsZones and
> ForestDnsZones...
>
> Best regards
> Johannes
>
>
> Am 27.06.2017 um 14:57 schrieb lingpanda101:
>> On 6/26/2017 4:35 PM, Johannes Engel wrote:
>>> Hi James,
>>>
>>> thanks a lot for your hint. However, I seem to be unable to find it
>>> there. Can you please be a little more specific?
>>> I tried to check the replication topology, but no success.
>>> Thanks a lot!
>>>
>>> Best regards
>>> Johannes
>>>
>>> lingpanda101 via samba <[hidden email]
>>> <mailto:[hidden email]>> schrieb am Mo., 26. Juni 2017 um
>>> 20:52 Uhr:
>>>
>>>     On 6/26/2017 2:43 PM, Johannes Engel via samba wrote:
>>>     > Dear list,
>>>     >
>>>     > After (almost) successfully removing a dead DC from my domain
>>>     I am left
>>>     > with only one visible symptom:
>>>     > samba-tool drs showrepl shows two stale outbound link for one
>>>     of the
>>>     > remaining 2 DCs:
>>>     > DC=DomainDnsZones,DC=subdom,DC=mydom,DC=com
>>>     >          NTDS DN: CN=NTDS
>>>     >
>>>     Settings\0ADEL:09210f3d-dab9-4a69-92ca-b11e93845367,CN=DC3\0ADEL:591e8395-a414-4bca-99a0-8cb195417493,CN=Servers,CN=Location,CN=Sites,CN=Configuration,DC=subdom,DC=mydom,DC=com
>>>     >                  DSA object GUID:
>>>     09210f3d-dab9-4a69-92ca-b11e93845367
>>>     >                  Last attempt @ Mon Jun 26 17:26:27 2017 CEST
>>>     failed, result
>>>     > 2 (WERR_FILE_NOT_FOUND)
>>>     >                  2001797 consecutive failure(s).
>>>     >                  Last success @ Sat Jan  7 15:22:31 2017 CET
>>>     >
>>>     > I tried already the samba-tool emergency way using
>>>     > DC2# samba-tool domain demote
>>>     > --remove-other-dead-server=09210f3d-dab9-4a69-92ca-b11e93845367
>>>     > ERROR: Demote failed: DemoteException:
>>>     09210f3d-dab9-4a69-92ca-b11e93845367
>>>     > is not an AD DC in subdom.mydom.com <http://subdom.mydom.com>
>>>     >
>>>     > Same using the server's name instead of the GUID.
>>>     > How can I remove this connection from the replication?
>>>     >
>>>     > Any help appreciated.
>>>     >
>>>     > Best regards
>>>     > Johannes
>>>
>>>     You can remove the orphaned NTDS connection using Windows Sites and
>>>     Services application.
>>>
>>>     --
>>>     --
>>>     James
>>>
>>>
>>>     --
>>>     To unsubscribe from this list go to the following URL and read the
>>>     instructions: https://lists.samba.org/mailman/options/samba
>>>
>>     I'll try, but I'm not sure if you have more then one site. Open
>> Sites & Services. One the the left you may only see
>> 'Default-First-Site-Name'. Click the arrow to expand
>> 'Default-First-Site-Name'. Next click the arrow to expand 'Servers'.  
>> You should see one or more servers. Click the arrow next the the DC
>> that continues to display the demoted NTDS settings when running
>> 'showrepl'. You should now see 'NTDS Settings' under the DC. You can
>> now right click and delete any 'automatically generated' site link
>> not needed on the right pane or altogether delete the 'NTDS settings'
>> under the DC you expanded.
>>
>> If you see the actual DC you demoted when expanding
>> 'Default-First-Site-Name', go ahead and delete it as well. Use
>> caution when deleting a DC. Make sure it's the one no longer part of
>> your domain. If in doubt on any of these steps, ask on the list.
>>
>> --
>> --
>> James
>

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Remove stale DRS replication partner

Samba - General mailing list
On Tue, 27 Jun 2017 17:18:37 +0200
Johannes Engel via samba <[hidden email]> wrote:

> Hi James,
>
> thanks a lot. However, in the Windows Sites & Services application
> the connection in question does not show up at all. It is only
> visible in the samba-tool output and only for the objects
> DomainDnsZones and ForestDnsZones...
>
> Best regards
> Johannes
>

The reason you cannot delete them is because they are already deleted,
they are 'tombstones', just wait, they will eventually go away.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Remove stale DRS replication partner

Samba - General mailing list
Thanks a lot for your reply, Rowland, however, they have not gone away
in the last 5 months, and I doubt you had that time scale in mind, right?

Best regards
Johannes


Am 27.06.2017 um 17:36 schrieb Rowland Penny via samba:

> On Tue, 27 Jun 2017 17:18:37 +0200
> Johannes Engel via samba <[hidden email]> wrote:
>
>> Hi James,
>>
>> thanks a lot. However, in the Windows Sites & Services application
>> the connection in question does not show up at all. It is only
>> visible in the samba-tool output and only for the objects
>> DomainDnsZones and ForestDnsZones...
>>
>> Best regards
>> Johannes
>>
> The reason you cannot delete them is because they are already deleted,
> they are 'tombstones', just wait, they will eventually go away.
>
> Rowland
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Remove stale DRS replication partner

Samba - General mailing list
In reply to this post by Samba - General mailing list
On 6/27/2017 11:36 AM, Rowland Penny via samba wrote:

> On Tue, 27 Jun 2017 17:18:37 +0200
> Johannes Engel via samba <[hidden email]> wrote:
>
>> Hi James,
>>
>> thanks a lot. However, in the Windows Sites & Services application
>> the connection in question does not show up at all. It is only
>> visible in the samba-tool output and only for the objects
>> DomainDnsZones and ForestDnsZones...
>>
>> Best regards
>> Johannes
>>
> The reason you cannot delete them is because they are already deleted,
> they are 'tombstones', just wait, they will eventually go away.
>
> Rowland
>
Rowland is right, I missed the '0ADEL' part of the NTDS connection. It
should go away after 180 days from delete.

--
--
James


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Remove stale DRS replication partner

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Tue, 27 Jun 2017 18:02:25 +0200
Johannes Engel via samba <[hidden email]> wrote:

> Thanks a lot for your reply, Rowland, however, they have not gone
> away in the last 5 months, and I doubt you had that time scale in
> mind, right?
>

OK, you only have about another month to wait then, the standard
tombstone lifetime is 180 days ;-)

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Remove stale DRS replication partner

Samba - General mailing list
OK, you got me here. Thanks a lot for your advice! :)


Am 27.06.2017 um 18:16 schrieb Rowland Penny via samba:

> On Tue, 27 Jun 2017 18:02:25 +0200
> Johannes Engel via samba <[hidden email]> wrote:
>
>> Thanks a lot for your reply, Rowland, however, they have not gone
>> away in the last 5 months, and I doubt you had that time scale in
>> mind, right?
>>
> OK, you only have about another month to wait then, the standard
> tombstone lifetime is 180 days ;-)
>
> Rowland
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Remove stale DRS replication partner

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hi all,

by now your prophecy became true and indeed the tombstone appears to
have vanished.

Unfortunately, that did not solve the problem, now samba-tool drs
showrepl gives the following output:

==== OUTBOUND NEIGHBORS ====

ERROR(runtime): DsReplicaGetInfo of type 4294967294 failed - (8442,
'WERR_DS_DRA_INTERNAL_ERROR')

At the same time the samba daemon logs the following to syslog:

../source4/dsdb/kcc/kcc_drs_replica_info.c:680(fill_neighbor_from_repsTo)
../source4/dsdb/kcc/kcc_drs_replica_info.c:680: Failed to find DN for
neighbor GUID 09210f3d-dab9-4a69-92ca-b11e93845367

How can I fix the broken replication link?

Best regards
Johannes


Am 27.06.2017 um 18:16 schrieb Rowland Penny via samba:

> On Tue, 27 Jun 2017 18:02:25 +0200
> Johannes Engel via samba <[hidden email]> wrote:
>
>> Thanks a lot for your reply, Rowland, however, they have not gone
>> away in the last 5 months, and I doubt you had that time scale in
>> mind, right?
>>
> OK, you only have about another month to wait then, the standard
> tombstone lifetime is 180 days ;-)
>
> Rowland
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Loading...