[Samba] Samba 4 Does not join existing domain as additional DC - Refusing to replicate from a read-only repilca into a read-write replica
Chris Lewis
clewis at inview.co.uk
Mon Jan 7 10:11:42 MST 2013
Hello,
This behaviour may be of interest:
Attempting to join samba4.0 to an AD domain running a single 2008 R2
server. DNS is being provided by an existing bind 9 server.
After command:
/usr/local/samba/bin/samba-tool domain join example.com DC -U Administrator -W EXAMPLE --dns-backend=NONE
Process to add the DC failed at this point:
Refusing to replicate DC=DomainDnsZones,DC=example,DC=com from a
read-only repilca into a read-write replica!
Failed to convert object DC=DomainDnsZones,DC=inview,DC=local:
WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Failed to convert objects: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Join failed - cleaning up
In my test environment, I did some playing around and found that I could
delete the troublesome namespaces using ntdsutil in partition management
mode (see
http://technet.microsoft.com/en-us/library/cc730970%28v=ws.10%29.aspx)
ntdsutil delete nc DC=DomainDnsZones,DC=example,DC=com
and
ntdsutil delete nc DC=DomainDnsZones,DC=example,DC=com
(These naming contexts are recreated when DNS server is started on the
Win 2008 server.)
After doing that, I got this when I attempted to add the DC:
Refusing to replicate
DC=ForestDnsZones\0ADEL:e274cb7e-9b4d-4966-bc51-c4820808d9ba,DC=inview,DC=local
from a read-only repilca into a read-write replica!
Failed to convert object
DC=ForestDnsZones\0ADEL:e274cb7e-9b4d-4966-bc51-c4820808d9ba,DC=inview,DC=local:
WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Failed to convert objects: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Join failed - cleaning up
This is because the objects still persist in AD but are tombstoned
(hence the 0ADEL).
To try and get rid of them, I reduced the tombstone lifetime from 180
days to what I gather is the minimum of 3 days (using ADSI edit).
I found after 3 days (and AD garbage collection) I was able to add the
DC successfully.
Has anyone else come across this? It could be some peculiarity on this
particular domain.
Thanks in advance.
Chris
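
Added example (not part of the original post, and not Samba code): a small Python parser that reads join output like that quoted above, lists each naming context the join refused, and flags DNs carrying the deleted-object marker "\0ADEL:<GUID>". The function and variable names are hypothetical; the sample text is assembled from the output in the post.

```python
import re

# Sample assembled from the join output quoted in the post (line wrapping kept).
SAMPLE_LOG = r"""Refusing to replicate DC=DomainDnsZones,DC=example,DC=com from a
read-only repilca into a read-write replica!
Failed to convert objects: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Join failed - cleaning up
Refusing to replicate
DC=ForestDnsZones\0ADEL:e274cb7e-9b4d-4966-bc51-c4820808d9ba,DC=inview,DC=local
from a read-only repilca into a read-write replica!
Failed to convert objects: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Join failed - cleaning up
"""

# \s+ between words tolerates mail/terminal wrapping; "rep\w+" accepts the
# spelling "repilca" seen in the output as well as "replica".
REFUSED = re.compile(
    r"Refusing\s+to\s+replicate\s+(?P<dn>.+?)\s+from\s+a\s+read-only\s+rep\w+"
    r"\s+into\s+a\s+read-write\s+replica")
# A deleted object's leading RDN is rendered "<attr>=<old name>\0ADEL:<GUID>".
TOMBSTONE = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.*?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36})$")

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn)

def refused_partitions(log_text):
    """Return one record per distinct DN the join refused to replicate."""
    results, seen = [], set()
    for match in REFUSED.finditer(log_text):
        dn = match.group("dn")
        if dn in seen:
            continue
        seen.add(dn)
        rdns = split_dn(dn)
        t = TOMBSTONE.match(rdns[0])
        original = dn
        if t:  # rebuild the DN the object had before it was deleted
            original = ",".join([f"{t.group('attr')}={t.group('name')}"] + rdns[1:])
        results.append({"dn": dn, "tombstoned": t is not None,
                        "guid": t.group("guid").lower() if t else None,
                        "original_dn": original})
    return results

if __name__ == "__main__":
    for rec in refused_partitions(SAMPLE_LOG):
        state = "tombstoned" if rec["tombstoned"] else "live"
        print(f"{rec['original_dn']}: {state} (guid={rec['guid']})")
```
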