Samba 4 - How to deal with Deleted Objects
If you use UCS in a version below 4.2, follow the steps directly below. If you use UCS > 4.2, see further down.
Active Directory keeps deleted objects for a while instead of removing them right away. This behaviour is required by the replication mechanism and in general causes no problems.
It can happen, however, that stale references on live objects still point to deleted objects. This can be an issue, for example when a deleted object is still listed as a masteredBy reference on the domain object.
Please be aware that deleted objects themselves are not a problem: they exist by design, not by accident!
So before deleting anything, make sure you have backed up your ldb and that the references you found really are bad and should be removed, for example because they disturb the DRS replication.
Find them - ldbsearch
You can use ldbsearch to search the ldb. The following command searches the ldb for occurrences of deleted objects (the \0ADEL marker is the LDIF-escaped "\nDEL:" suffix that Active Directory appends to the RDN of a deleted object).
Attention: every hit in a dn or distinguishedName line is fine here, because that is just the deleted object naming itself. We are only looking for references in other attributes!
ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb | grep "\0ADEL"
Remove the references - ldbedit
If you find a reference to a deleted object that causes problems, you can edit the ldb in order to remove the reference:
ldbedit -H /var/lib/samba/private/sam.ldb -b <object dn> -s base
root@server:~# ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb | grep "\0ADEL"
masteredBy: CN=NTDS Settings\0ADEL:269337d0-8610-4613-a2a4-ecf1bd4ea78e,CN=BACKUP\0ADEL:785f0de4-88b1-47bd-b4cd-69ab02e73f6c,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=test
root@server:~# ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb masteredBy="CN=NTDS Settings\0ADEL:269337d0-8610-4613-a2a4-ecf1bd4ea78e,CN=BACKUP\0ADEL:785f0de4-88b1-47bd-b4cd-69ab02e73f6c,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=test" dn
# record 1
# returned 1 records
# 1 entries
# 0 referrals
root@server:~# ldbedit -H /var/lib/samba/private/sam.ldb -b DC=domain,DC=test -s base
The last command spawns an editor. The default is vi; you can choose another editor via the editor environment variable (ldbedit reads VISUAL, then EDITOR).
The domain object is now open and can be edited like a text document. Jump to the masteredBy line in question, delete it, then save and quit; ldbedit applies the difference to the ldb.
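The search step above lists every line containing \0ADEL, including the harmless dn and distinguishedName lines, and the follow-up query is needed to learn which object holds the reference. The following script, an added example that is not part of the original article, does both in one pass: it unfolds the LDIF continuation lines ldbsearch prints (a long value can split the marker, as in "CN=BAC" / " KUP\0ADEL"), skips lines that merely name a deleted object, ignores references held by objects that are themselves tombstones, and prints the holder DN and attribute name for each remaining reference. The sample ldbsearch output embedded in it is constructed for the demo; the DNs are modelled on the session above.

```shell
#!/bin/sh
# Added example, not part of the original article: post-process the output of
#   ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb
# so that only *references* to deleted objects are listed, together with the
# object that holds each reference.
# Assumption: ldbsearch prints LDIF records separated by blank lines, with long
# values folded onto continuation lines that start with a single space.

# unfold_ldif: join LDIF continuation lines so every attribute is on one line
# (a folded value can split the \0ADEL marker, e.g. "...CN=BAC" / " KUP\0ADEL...").
unfold_ldif() {
    awk '
        /^ /   { buf = buf substr($0, 2); next }   # continuation: append without the space
        NR > 1 { print buf }                        # flush the previous logical line
               { buf = $0 }
        END    { if (NR > 0) print buf }
    '
}

# find_deleted_refs: read ldbsearch LDIF on stdin and print one line
# "<holder dn><TAB><attribute>" per reference to a deleted object.
find_deleted_refs() {
    unfold_ldif | awk '
        /^dn: /                { holder = substr($0, 5); next }  # start of a record
        /^$/                   { holder = ""; next }             # end of a record
        /^#/                   { next }                          # ldbsearch summary lines
        /^distinguishedName: / { next }                          # the object naming itself
        /\\0ADEL/ {
            if (holder ~ /\\0ADEL/) next   # holder is a tombstone itself: expires with it
            attr = $0
            sub(/:.*/, "", attr)           # keep only the attribute name
            printf "%s\t%s\n", holder, attr
        }
    '
}

# sample_ldif: constructed ldbsearch-style output for the demo (not real data).
# Record 1 is the domain object with one stale and one healthy masteredBy value,
# record 2 the tombstone of the removed DC, record 3 its NTDS Settings tombstone.
sample_ldif() {
    cat <<'EOF'
dn: DC=domain,DC=test
objectClass: domainDNS
masteredBy: CN=NTDS Settings\0ADEL:269337d0-8610-4613-a2a4-ecf1bd4ea78e,CN=BAC
 KUP\0ADEL:785f0de4-88b1-47bd-b4cd-69ab02e73f6c,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=test
masteredBy: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=test

dn: CN=BACKUP\0ADEL:785f0de4-88b1-47bd-b4cd-69ab02e73f6c,CN=Deleted Objects,CN=Configuration,DC=domain,DC=test
objectClass: server
distinguishedName: CN=BACKUP\0ADEL:785f0de4-88b1-47bd-b4cd-69ab02e73f6c,CN=Deleted Objects,CN=Configuration,DC=domain,DC=test
isDeleted: TRUE

dn: CN=NTDS Settings\0ADEL:269337d0-8610-4613-a2a4-ecf1bd4ea78e,CN=Deleted Objects,CN=Configuration,DC=domain,DC=test
objectClass: nTDSDSA
isDeleted: TRUE
lastKnownParent: CN=BACKUP\0ADEL:785f0de4-88b1-47bd-b4cd-69ab02e73f6c,CN=Deleted Objects,CN=Configuration,DC=domain,DC=test

# returned 3 records
# 3 entries
# 0 referrals
EOF
}

# Demo run on the constructed sample; on a real DC pipe ldbsearch into find_deleted_refs:
#   ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb | find_deleted_refs
sample_ldif | find_deleted_refs
```

On the sample this prints a single line, `DC=domain,DC=test` followed by a tab and `masteredBy`, which is exactly the object and attribute the ldbedit step above removes; the tombstones' own dn lines and the reference from one tombstone to another are not reported. Each output line corresponds to one value that still has to be checked by hand before it is deleted.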
Deleted Objects if you use UCS >4.2
In UCS 4.2 you can remove or demote a DC that is no longer in use via samba-tool:
samba-tool domain demote --remove-other-dead-server=<deleted-server>
The nTDSConnection is removed and the deleted server no longer takes part in the replication.
After that you can trigger the consistency check via
samba-tool drs kcc
and verify that the server is no longer displayed and used in
samba-tool drs showrepl