Samba 4 - Deleted Objects

Samba 4 - How to deal with Deleted Objects

If you use UCS in a version below 4.2, follow the next steps. If you use UCS 4.2 or later, see further down.

Deleted Objects

Active Directory keeps deleted objects as tombstones for a while instead of removing them immediately. The replication mechanism needs this so that a deletion reaches every domain controller, and in general it causes no problems.

It can happen, however, that attributes of live objects still reference deleted objects. This can become an issue, for example when the masteredBy attribute of the domain object points to the NTDS Settings object of a deleted domain controller.

Please be aware that deleted objects themselves are not a problem: they exist by design, not by accident!
So, before deleting anything, back up your ldb (sam.ldb together with the partition files in /var/lib/samba/private/sam.ldb.d/) and make sure that the references you found are really broken and should be removed, for example because they disturb the DRS replication.

Find them - ldbsearch

You can use ldbsearch to search the ldb. The following command lists every line in which a deleted object appears; the \0ADEL marker is part of the RDN an object gets when it is deleted (the old RDN followed by \0ADEL: and the objectGUID).
Attention: every occurrence in a dn or distinguishedName line is fine here, since that is just the deleted object itself. We are only looking for references, i.e. other attributes whose value contains \0ADEL. Note that ldbsearch folds long output lines; a continuation line starts with a single space, which has to be removed when you copy a value. samba-tool dbcheck --cross-ncs also reports links that point at deleted objects.

ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb | grep -F '\0ADEL'

Remove the references - ldbedit

If you find a reference to a deleted object that causes problems, you can edit the object holding the reference with ldbedit in order to remove it:

ldbedit -H /var/lib/samba/private/sam.ldb -b <object dn> -s base


root@server:~# ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb | grep -F '\0ADEL'
masteredBy: CN=NTDS Settings\0ADEL:269337d0-8610-4613-a2a4-ecf1bd4ea78e,CN=BAC KUP\0ADEL:785f0de4-88b1-47bd-b4cd-69ab02e73f6c,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=test

root@server:~# ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb masteredBy="CN=NTDS Settings\0ADEL:269337d0-8610-4613-a2a4-ecf1bd4ea78e,CN=BAC KUP\0ADEL:785f0de4-88b1-47bd-b4cd-69ab02e73f6c,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=test" dn
# record 1
dn: DC=domain,DC=test
# returned 1 records
# 1 entries
# 0 referrals

root@server:~# ldbedit -H /var/lib/samba/private/sam.ldb -b DC=domain,DC=test -s base

The last command spawns an editor. The default is vi; you can select another editor through the environment variable $EDITOR.
The domain object is now open and can be edited like a text document: jump to the masteredBy line found above and delete it. When you save and quit the editor, ldbedit writes the changed object back to the ldb; quitting without saving leaves the object untouched.
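The following script is an added example for this page, not code from UCS or Samba. It automates the two steps above: it unfolds the LDIF output of ldbsearch, reports only those \0ADEL values that sit in attributes of live objects (the deleted objects' own dn lines are skipped, as explained above), and removes a single reference with an LDIF modify piped into ldbmodify instead of editing the object interactively in ldbedit. It assumes the database at /var/lib/samba/private/sam.ldb (overridable via SAM_LDB) and ldbsearch/ldbmodify on the PATH. The embedded ldbsearch output is constructed: the server names OLDDC and NEWDC and the GUIDs are made up.

```shell
#!/bin/sh
# Added example for this page, not code from UCS or Samba. It assumes the
# ldb lives at /var/lib/samba/private/sam.ldb (override with SAM_LDB) and
# that ldbsearch/ldbmodify from the ldb tools are on PATH. All sample data
# below is constructed.
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# ldbsearch folds long LDIF lines: a continuation line starts with one
# space. Join those back so a DN can be matched and copied as a whole.
ldif_unfold() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (have) print buf; buf = $0; have = 1 }
    END { if (have) print buf }
  '
}

# Read (possibly folded) LDIF on stdin and print one line per reference to
# a deleted object held by a live object: "<object dn>TAB<attr>TAB<value>".
# Deleted objects themselves (their own dn contains \0ADEL) are skipped:
# tombstones are expected, only links from live objects are suspicious.
deleted_refs() {
  ldif_unfold | awk '
    /^dn: / { dn = substr($0, 5); next }
    /^distinguishedName: / || /^#/ || /^$/ { next }
    index($0, "\\0ADEL") && dn !~ /\\0ADEL/ {
      i = index($0, ": ")
      printf "%s\t%s\t%s\n", dn, substr($0, 1, i - 1), substr($0, i + 2)
    }
  '
}

# Live run against the real database (needs ldbsearch on this DC).
find_deleted_refs() {
  ldbsearch --cross-ncs --show-deleted -H "$SAM_LDB" | deleted_refs
}

# Build an LDIF change that deletes exactly one value of one attribute.
# Piping it into ldbmodify is the non-interactive equivalent of opening
# the object in ldbedit and removing that one line by hand.
remove_ref_ldif() {
  # $1 = dn of the object holding the reference, $2 = attribute, $3 = value
  printf 'dn: %s\nchangetype: modify\ndelete: %s\n%s: %s\n-\n' "$1" "$2" "$2" "$3"
}
remove_ref() {
  remove_ref_ldif "$@" | ldbmodify -H "$SAM_LDB"
}

# Constructed ldbsearch output: the tombstoned NTDS Settings object of a
# DC named OLDDC, and the domain object whose masteredBy still points at
# it. Names and GUIDs are made up; the masteredBy value is folded the way
# ldbsearch folds long lines.
SAMPLE_LDIF='# record 1
dn: CN=NTDS Settings\0ADEL:11111111-2222-3333-4444-555555555555,CN=OLDDC\0ADEL:66666666-7777-8888-9999-000000000000,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=test
objectClass: nTDSDSA
isDeleted: TRUE

# record 2
dn: DC=domain,DC=test
objectClass: domainDNS
masteredBy: CN=NTDS Settings\0ADEL:11111111-2222-3333-4444-555555555555,CN=OLD
 DC\0ADEL:66666666-7777-8888-9999-000000000000,CN=Servers,CN=Default-First-Site
 ,CN=Sites,CN=Configuration,DC=domain,DC=test
masteredBy: CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=domain,DC=test

# returned 2 records
# 2 entries
# 0 referrals'

# Run the detection over the constructed sample; prints exactly one line,
# the dangling masteredBy value on DC=domain,DC=test.
demo_refs() {
  printf '%s\n' "$SAMPLE_LDIF" | deleted_refs
}

if [ "${1:-}" = "--live" ]; then
  find_deleted_refs          # scan the real sam.ldb
else
  demo_refs                  # scan the constructed sample
fi
```

Run it with --live on a domain controller to scan the real database; each output line gives you the three arguments for remove_ref, e.g. remove_ref 'DC=domain,DC=test' masteredBy '<value>'. Take the backup mentioned above before calling remove_ref, since ldbmodify applies the change immediately.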

Deleted Objects if you use UCS 4.2 or later

From UCS 4.2 on you can remove a domain controller that no longer exists from the domain with samba-tool:

samba-tool domain demote --remove-other-dead-server=<deleted-server>

The dead server's NTDS Settings object and the nTDSConnection objects pointing to it are now removed, so the deleted server no longer takes part in the replication.

After that, trigger a run of the Knowledge Consistency Checker with

samba-tool drs kcc

and verify that the server is no longer displayed and used in

samba-tool drs showrepl