[Samba] Win2003 DC fails to detect Samba 4 DC
Garth Keesler
garthk at gdcjk.com
Tue Jul 16 05:45:33 MDT 2013
Thanx for the reply. I've done more digging into the repl from the WinDC
side and in the event log, security, I see the following:
Pre-authentication failed:
User Name: SAMBADC$
User ID: MYDOMAIN\SAMBADC$
Service Name: krbtgt/MYDOMAIN.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.20.60.15
In fact, I never see any successful attempts from the Samba DC. The web
reports:
When a Windows Vista (or later) client sends a Kerberos
authentication request to a DC, it uses AES to protect the authentication
message. However, as a Windows Server 2003 DC does not support AES, it
logs a 675 event and replies with the encryption types that it
supports. The Vista client then uses the highest encryption type
that the Domain Controller supports (RC4-HMAC) and is able to supply
Pre-Authentication successfully.
So does Samba 4.0.7 respond correctly to these requests?
Next, when running dcdiag /s:sambadc from the WinDC, I see the following:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: PRR\SAMBADC
Starting test: Connectivity
......................... SAMBADC passed test Connectivity
Doing primary tests
Testing server: PRR\SAMBADC
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
SAMBADC: Current time is 2013-07-16 06:10:14.
DC=DomainDnsZones,DC=mydomain,DC=com
Last replication recieved from WINDC at 1601-01-01
00:21:41.
WARNING: This latency is over the Tombstone Lifetime of
60 days!
CN=Schema,CN=Configuration,DC=mydomain,DC=com
Last replication recieved from WINDC at 1601-01-01
00:21:41.
WARNING: This latency is over the Tombstone Lifetime of
60 days!
CN=Configuration,DC=mydomain,DC=com
Last replication recieved from WINDC at 1601-01-01
00:21:41.
WARNING: This latency is over the Tombstone Lifetime of
60 days!
DC=ForestDnsZones,DC=mydomain,DC=com
Last replication recieved from WINDC at 1601-01-01
00:21:41.
WARNING: This latency is over the Tombstone Lifetime of
60 days!
DC=mydomain,DC=com
Last replication recieved from WINDC at 1601-01-01
00:21:41.
WARNING: This latency is over the Tombstone Lifetime of
60 days!
......................... SAMBADC passed test Replications
Starting test: NCSecDesc
......................... SAMBADC passed test NCSecDesc
Starting test: NetLogons
......................... SAMBADC passed test NetLogons
Starting test: Advertising
......................... SAMBADC passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SAMBADC passed test KnowsOfRoleHolders
Starting test: RidManager
No rids allocated -- please check eventlog.
......................... SAMBADC passed test RidManager
Starting test: MachineAccount
......................... SAMBADC passed test MachineAccount
Starting test: Services
Could not open Dnscache Service on [SAMBADC]:failed with 8:
Not enough storage is available to process this command.
Could not open NtFrs Service on [SAMBADC]:failed with 8:
Not enough storage is available to process this command.
Could not open IsmServ Service on [SAMBADC]:failed with 8:
Not enough storage is available to process this command.
Could not open kdc Service on [SAMBADC]:failed with 8: Not
enough storage is available to process this command.
Could not open SamSs Service on [SAMBADC]:failed with 8:
Not enough storage is available to process this command.
Could not open LanmanServer Service on [SAMBADC]:failed
with 8: Not enough storage is available to process this command.
Could not open LanmanWorkstation Service on
[SAMBADC]:failed with 8: Not enough storage is available to process this
command.
Could not open RpcSs Service on [SAMBADC]:failed with 8:
Not enough storage is available to process this command.
Could not open w32time Service on [SAMBADC]:failed with 8:
Not enough storage is available to process this command.
......................... SAMBADC failed test Services
Starting test: ObjectsReplicated
Failed to read object metadata on SAMBADC, error The request
is not supported.
Failed to read object metadata on SAMBADC, error The request
is not supported.
......................... SAMBADC passed test ObjectsReplicated
Starting test: frssysvol
The SysVol is not ready. This can cause the DC to not advertise
itself as a DC for netlogon after dcpromo. Also trouble with FRS
SysVol replication can cause Group Policy problems. Check the FRS
event log on this DC.
......................... SAMBADC failed test frssysvol
Starting test: frsevent
Error 161 opening FRS eventlog \\SAMBADC:File Replication
Service:
The specified path is invalid.
......................... SAMBADC failed test frsevent
Starting test: kccevent
Error 161 opening FRS eventlog \\SAMBADC:Directory Service:
The specified path is invalid.
Failed to enumerate event log records, error The specified
path is invalid.
......................... SAMBADC failed test kccevent
Starting test: systemlog
Error 161 opening FRS eventlog \\SAMBADC:System:
The specified path is invalid.
Failed to enumerate event log records, error The specified
path is invalid.
......................... SAMBADC failed test systemlog
Starting test: VerifyReferences
Some objects relating to the DC SAMBADC have problems:
[1] Problem: Missing Expected Value
Base Object: CN=SAMBADC,OU=Domain
Controllers,DC=mydomain,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[1] Problem: Missing Expected Value
Base Object:
CN=NTDS
Settings,CN=SAMBADC,CN=Servers,CN=PRR,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... SAMBADC failed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom
Running partition tests on : mydomain
Starting test: CrossRefValidation
......................... mydomain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... mydomain passed test CheckSDRefDom
Running enterprise tests on : mydomain.com
Starting test: Intersite
......................... mydomain.com passed test Intersite
Starting test: FsmoCheck
......................... mydomain.com passed test FsmoCheck
Notice the strange date/time on the repl time from the windc to the
sambadc which caused a latency warning near the top of the dcdiag
output. There are several other errors but they may be expected when
dcdiag is run against a Samba 4.0.7 DC. Let me know if anything looks
incorrect.
BTW, I did check and port 53 responds to telnet on both DCs.
Thanx for the help and let me know if there is anything else I can provide.
Garth
On 07/15/2013 11:47 AM, Matthieu Patou wrote:
> On 07/13/2013 02:08 PM, Garth Keesler wrote:
>> Well, I read several threads on this issue but none solved what I
>> have going so I'll re-ask the question: Should I be able to join a
>> Samba 4.0.7 server to a Windows 2003R2 AD that has been raised to the
>> forest level of 2003 and then be able to demote the Win DC? As stated
>> below, the Win Admin tools recognize the Samba DC as one of two DCs
>> in the domain but the Win DC will not recognize Samba as such when
>> trying to demote the Win DC. The FSMO roles will move to the Samba
>> server but the DNS MMC will not recognize the Samba DC as a DC either.
> Normally it should be the case, I would have a look at the samba box
> for error related to DNS (ie. impossible to bind on port 53). Which
> kind of DNS setup do you have ? (internal, bind 9.x dlz, flat file) ?
>
> Which DNS server ip the *nix box running Samba 4.0.x is using ?
>> Is there an easy way to orphan the Win DC after just shutting it
>> down? I'd be willing to do that.
> Yes. From the Active Directory User and Computer you select the DC and
> remove it, you might have to go to Active Directory Domain and Site
> and remove the links to the old DC as well.
>
> But if the s4 DC is working well the demote should work well.
>
> Matthieu
>>
>> Thanx,
>> Garth
>>
>>
>> On 07/13/2013 11:17 AM, Garth Keesler wrote:
>>> Starting over and following a couple of threads on this topic so
>>> please ignore.
>>>
>>> Thanx,
>>> Garth
>>>
>>> On 07/13/2013 08:49 AM, Garth Keesler wrote:
>>>> I have an (apparently) valid Samba4 DC to which I have transferred
>>>> all FSMO roles in preparation for running dcpromo and demoting the
>>>> Win DC. All of the logs look good on the Samba DC and showrepl
>>>> indicates no errors. Unfortunately, the Win DC does not seem to
>>>> detect the Samba DC when I attempt to run dcpromo and it throws a
>>>> nasty warning about AD data being lost. If I run Sites and
>>>> Services, both DCs show up and are viewable. Also, in Users and
>>>> Computers, both DCs correctly show up in Domain Controllers.
>>>>
>>>> Not sure what to do next. Help appreciated.
>>>>
>>>> Thanx,
>>>> Garth
>>>
>>
>
>
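The 675 entry quoted above has Failure Code 0x19 and Pre-Authentication Type 0x0. In RFC 4120 terms 0x19 is KDC_ERR_PREAUTH_REQUIRED and PA type 0 means the AS-REQ carried no pre-authentication data, so that single record is the normal first leg of a Windows Kerberos exchange, not a rejected credential. What decides whether SAMBADC$ ever authenticates is whether a second leg (a 672 ticket grant, or a 675 with a different code and PA type 2) follows from the same client. The script below is an added example for this thread, not code from the post or from Samba: it parses event bodies in the layout quoted above, maps the failure codes to their RFC 4120 names (a more general table than the one code seen in the post), and correlates each 0x19 with the record that follows it. The sample records are constructed; the 675 layout copies the quoted entry and the 672 layout is an approximation containing only the fields the parser reads.

```python
"""Triage of Kerberos AS-REQ failures as a Windows Server 2003 DC logs them in
the Security log (event ID 675, 'Pre-authentication failed'). Added example,
not code from the post or from Samba; sample records below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Kerberos error codes (RFC 4120, section 7.5.9) as seen in 'Failure Code'.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x0E: "KDC_ERR_ETYPE_NOSUPP",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
}
PA_NONE = 0x0           # RFC 4120 7.5.2: the AS-REQ carried no PA-DATA
PA_ENC_TIMESTAMP = 0x2  # encrypted timestamp, what the retry should carry


@dataclass
class KdcEvent:
    kind: str           # "675" (failure) or "672" (ticket granted)
    user: str
    client: str
    preauth_type: int
    failure_code: int   # -1 for a 672


FIELD_RE = re.compile(r"^\s*([A-Za-z -]+):\s*(.*?)\s*$")


def parse_record(text):
    """Turn one multi-line 675/672 event body into a KdcEvent."""
    fields = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    if "Pre-authentication failed" in fields:
        kind, code = "675", int(fields["Failure Code"], 16)
    elif "Authentication Ticket Request" in fields:
        kind, code = "672", -1
    else:
        raise ValueError("not a 675/672 record")
    return KdcEvent(kind, fields["User Name"], fields["Client Address"],
                    int(fields["Pre-Authentication Type"], 16), code)


def triage(ev):
    """Classify one record; a bare 0x19 with no PA-DATA is not a failure."""
    if ev.kind == "672":
        return "success"
    if ev.failure_code == 0x19 and ev.preauth_type == PA_NONE:
        # First leg of every Windows AS exchange: the KDC rejects the bare
        # AS-REQ with KRB-ERROR 25, lists its etypes, and expects a retry.
        return "expected-negotiation"
    return KRB_ERRORS.get(ev.failure_code, "unknown-%#x" % ev.failure_code)


def correlate(records):
    """Per (user, client), report how the latest 0x19 negotiation ended."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r.user, r.client)].append(r)
    verdicts = {}
    for key, evs in by_key.items():
        verdict = "no-initial-request"
        for i, ev in enumerate(evs):
            if triage(ev) != "expected-negotiation":
                continue
            nxt = evs[i + 1] if i + 1 < len(evs) else None
            if nxt is None or triage(nxt) == "expected-negotiation":
                verdict = "second-leg-never-sent"  # the post's SAMBADC$ pattern
            elif nxt.kind == "672":
                verdict = "resolved"
            else:
                verdict = triage(nxt)              # the real reason it failed
        verdicts[key] = verdict
    return verdicts


def rec675(user, client, pa, code):
    # Constructed 675 body, in the layout quoted in the post.
    return f"""Pre-authentication failed:
User Name: {user}
User ID: MYDOMAIN\\{user}
Service Name: krbtgt/MYDOMAIN.COM
Pre-Authentication Type: {pa:#x}
Failure Code: {code:#x}
Client Address: {client}"""


def rec672(user, client):
    # Constructed approximation of a 672 body (only the fields parsed above).
    return f"""Authentication Ticket Request:
User Name: {user}
Service Name: krbtgt
Pre-Authentication Type: {PA_ENC_TIMESTAMP:#x}
Client Address: {client}"""


SAMPLE_LOG = [
    rec675("SAMBADC$", "10.20.60.15", PA_NONE, 0x19),  # as in the post ...
    rec675("SAMBADC$", "10.20.60.15", PA_NONE, 0x19),  # ... and never a retry
    rec675("alice", "10.20.60.42", PA_NONE, 0x19),     # Vista client, leg 1
    rec672("alice", "10.20.60.42"),                    # leg 2 granted a TGT
    rec675("bob", "10.20.60.77", PA_NONE, 0x19),
    rec675("bob", "10.20.60.77", PA_ENC_TIMESTAMP, 0x18),  # wrong password
]
```

Run `correlate(map(parse_record, SAMPLE_LOG))` to get one verdict per (user, client). The SAMBADC$ pair comes back as "second-leg-never-sent", which is the shape of what the post describes: only 0x19 records and no successful attempt. A workstation that completes the exchange comes back "resolved", and a wrong password shows up as KDC_ERR_PREAUTH_FAILED on the retry that carries PA type 2. On a 2003 DC every Windows client produces a 675/0x19 on its first request, so a rule that alerts on 0x19 alone is noise; the useful signal is a 0x19 that is never followed by anything else from that client.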