
Demote a Domain Controller

There are circumstances in which you need to demote a DC: for example to upgrade to a new version of Samba and then re-join, or because a DC has died and will never come back.

Please note:

  • Before demoting a DC, check whether it owns any of the seven FSMO roles (the five standard roles plus Samba's DomainDnsZones and ForestDnsZones roles). If it does, transfer them to another DC first. Never demote a DC that still holds an FSMO role.
  • If the server is dead and owned any of the roles, seize them on a surviving DC before remotely demoting it.
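The FSMO check from the notes above, as an added example that is not part of the original page: a small POSIX shell helper that parses the output of samba-tool fsmo show and refuses the demote while the target DC still owns a role. The sample output is constructed here (domain mad.example.com, DCs DC1 and DC2) and assumes the format Samba 4.x prints, where each line reads "<RoleName> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,..."; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): pre-demote FSMO check built on
# the output of "samba-tool fsmo show".  Assumption: Samba prints each role as
#   <RoleName> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...
# (the Samba 4.x format); the DC name is taken from the second RDN.

# Constructed sample, standing in for the live output of: samba-tool fsmo show
# Here DC1 holds six roles and DC2 still holds the Infrastructure role.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=example,DC=com'

# fsmo_roles_owned_by DCNAME   (reads "fsmo show" output on stdin)
# Prints the names of the roles whose owner NTDS Settings object sits under DCNAME.
fsmo_roles_owned_by() {
    awk -v dc="$1" '
        / owner: / {
            split($0, half, " owner: ")      # half[1] = role, half[2] = owner DN
            split(half[2], rdn, ",")         # rdn[2] = "CN=<DC>"
            name = rdn[2]; sub(/^CN=/, "", name)
            if (tolower(name) == tolower(dc)) print half[1]
        }'
}

# fsmo_demote_ok DCNAME   (reads "fsmo show" output on stdin)
# Exit 0 when DCNAME owns no role, 1 (with the list on stderr) when it does.
fsmo_demote_ok() {
    roles=$(fsmo_roles_owned_by "$1")
    if [ -n "$roles" ]; then
        printf 'refusing to demote %s, it still owns:\n%s\n' "$1" "$roles" >&2
        return 1
    fi
    return 0
}

# Live use, run on the DC that will take over the roles (DC1) before demoting DC2:
#   samba-tool fsmo transfer --role=all       # DC2 is still reachable
#   samba-tool fsmo seize --role=all          # DC2 is dead: force ownership
#   samba-tool fsmo show | fsmo_demote_ok DC2 && echo "safe to demote DC2"
# Offline demonstration on the constructed sample (DC2 still owns a role):
printf '%s\n' "$SAMPLE_FSMO" | fsmo_demote_ok DC2 || echo "move the roles first"
```

The check matches the DC name case-insensitively because the CN in the NTDS Settings DN is stored as the server was named at join time, which is not always the case you type on the command line.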

Demoting a working server, for example DC2.

On DC2, execute:

samba-tool domain demote -U "Administrator"
systemctl stop samba-ad-dc.service

You can now continue with cleaning up the DNS entries.

Remotely demoting a dead server, for example DC2.

Please note: never reconnect DC2 to the domain network after it has been remotely demoted.

On DC1 (the other working DC), execute:

samba-tool domain demote --remove-other-dead-server=DC2 -U "MAD\Administrator"

Let me say it again: never reconnect a remotely demoted DC. Its copy of the directory still believes it is a DC and will try to replicate objects the domain has already deleted, which breaks your AD.

Sanity checks

Personally I like running these on a live DC after every demote.

samba-tool dbcheck --cross-ncs --fix --yes
samba-tool domain tombstones expunge --tombstone-lifetime=0

Caveat: --tombstone-lifetime=0 expunges every tombstone immediately, so run it only once all remaining DCs have replicated the deletions; a DC that has not yet seen a deletion can otherwise never learn of it and keeps the object lingering.

Cleanup DNS entries

In both cases, unless you are demoting only to upgrade and then re-join with the same name (for example after upgrading Samba to a newer version), go through the DNS tree (easiest with the DNS tool from the Windows RSAT), both the domain zone and its _msdcs zone, and delete the stale entries of the demoted DC: its A/AAAA and NS records, the SRV records under _tcp, _udp and _sites, and the GUID CNAME in _msdcs.
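The DNS cleanup described above, done from the command line instead of RSAT, as an added example that is not part of the original page: a POSIX shell helper that parses the output of samba-tool dns query and prints the matching samba-tool dns delete commands for review. The sample output is constructed here (zone mad.example.com, dead DC dc2 at 10.99.0.2) and assumes the Samba 4.x listing format ("Name=<name>, Records=N, Children=M" followed by indented "<TYPE>: <data> (flags=...)" lines); the function name and the hostnames are my own. The same function applies to the _msdcs.mad.example.com zone, where the dead DC's GUID CNAME carries its FQDN as data and is caught by the hostname match.

```shell
#!/bin/sh
# Added example (not from the original page): find the DNS records of a demoted
# DC in "samba-tool dns query" output and print the "samba-tool dns delete"
# commands that would remove them.  Assumption: records are printed as
#   Name=<name>, Records=N, Children=M
#     <TYPE>: <data> (flags=..., serial=..., ttl=...)
# as Samba 4.x does; the empty name is the zone apex, passed to delete as "@".

# Constructed sample, standing in for:
#   samba-tool dns query DC1 mad.example.com @ ALL -U Administrator
SAMPLE_DNS='  Name=, Records=5, Children=0
    SOA: serial=120, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.mad.example.com., email=hostmaster.mad.example.com. (flags=600000f0, serial=120, ttl=3600)
    NS: dc1.mad.example.com. (flags=600000f0, serial=110, ttl=900)
    NS: dc2.mad.example.com. (flags=600000f0, serial=115, ttl=900)
    A: 10.99.0.1 (flags=600000f0, serial=110, ttl=900)
    A: 10.99.0.2 (flags=600000f0, serial=115, ttl=900)
  Name=dc1, Records=1, Children=0
    A: 10.99.0.1 (flags=f0, serial=110, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 10.99.0.2 (flags=f0, serial=115, ttl=900)'

# dns_stale_records SERVER ZONE DEAD_FQDN DEAD_IP   (reads "dns query" output on stdin)
# Prints one "samba-tool dns delete" command per record that names the dead DC,
# by host name (short or fully qualified) or by address.  The SOA is never
# deleted; if its primary name server is the dead DC it is reported instead.
dns_stale_records() {
    awk -v server="$1" -v zone="$2" -v dc="$3" -v ip="$4" '
        BEGIN { dc = tolower(dc); short = dc; sub(/\..*/, "", short) }
        /^ *Name=/ {
            name = $0; sub(/^ *Name=/, "", name); sub(/,.*/, "", name)
            if (name == "") name = "@"
            next
        }
        /^ *[A-Z]+: / {
            type = $1; sub(/:$/, "", type)
            data = $0; sub(/^ *[A-Z]+: /, "", data); sub(/ \(flags=.*$/, "", data)
            hit = index(tolower(data), dc) > 0 || data == ip || tolower(name) == short
            if (type == "SOA") {
                if (hit) print "# SOA primary NS still points at " dc ": fix it with samba-tool dns update"
                next
            }
            if (hit) printf "samba-tool dns delete %s %s %s %s %s\n", server, zone, name, type, data
        }'
}

# Live use, run against the surviving DC; repeat for the _msdcs.mad.example.com zone:
#   samba-tool dns query DC1 mad.example.com @ ALL -U Administrator \
#     | dns_stale_records DC1 mad.example.com dc2.mad.example.com 10.99.0.2
# Review the printed commands, then run them (append -U Administrator).
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_DNS" | dns_stale_records DC1 mad.example.com dc2.mad.example.com 10.99.0.2
```

The helper only prints; nothing is deleted until you run the commands yourself, which is deliberate: a record that merely contains the dead DC's IP may belong to a host that inherited the address, so read the list before executing it.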



samba/demote-dc.txt · Last modified: 2024/05/11 20:52 by caponato