[Samba] create new child windows domain in existing samba forest

Zhuchenko Valery zvn at belkam.com
Thu Apr 14 13:23:00 UTC 2016


Hi, all!

I have a Samba 4 AD (4.1.22) and am trying to create a new domain in the existing
forest with a controller on Windows 2008 R2.
Is it possible?


1. At dcpromo, after all the needed container replications, I get the error:
Active Directory Domain Services could not create the object
CN=CHDOM,CN=Partitions,CN=Configuration,DC=ad,DC=...

Log from samba:
[...]
../source4/rpc_server/drsuapi/addentry.c:166(dcesrv_drsuapi_DsAddEntry)
.....
  [0000] 04 00 00 00                                       ....
        attributes: struct drsuapi_DsReplicaAttribute
            attid                    : DRSUAPI_ATTID_systemFlags (0x90177)
            value_ctr: struct drsuapi_DsAttributeValueCtr
                num_values               : 0x00000001 (1)
                values                   : *
                    values: ARRAY(1)
                        values: struct drsuapi_DsAttributeValue
                            __ndr_size               : 0x00000004 (4)
                            blob                     : *
                                blob                     : DATA_BLOB length=4
  [0000] 00 00 00 02                                       ....
[...] ../source4/dsdb/samdb/ldb_modules/descriptor.c:607(descriptor_add)
  DN: DC=chdom,DC=ad,DC=... is a NC
[...] ../source4/dsdb/common/util.c:4558(dsdb_create_partial_replica_NC)
  Failed to create new NC for DC=chdom,DC=ad,DC=... - instancetype: if TYPE_IS_NC_HEAD was set, then also TYPE_WRITE is requested! (Unwilling to perform)

2. I read this article: 3.1.1.5.2.8 NC-Add Operation
https://technet.microsoft.com/ru-ru/cc223450

If a new domain NC needs to be created, then IDL_DRSAddEntry RPC MUST be
used to create the crossRef
Yes, in the Samba log I see this call: dcesrv_drsuapi_DsAddEntry

For originating updates, the NC-Add operation is distinguished by the
presence of instanceType attribute with (IT_NC_HEAD | IT_WRITE)
For originating updates, the NC-Add operation is only supported for
application NCs
For replicated updates, the NC-Add operation is distinguished by the
presence of instanceType attribute with IT_NC_HEAD value in the input
attribute set.
What update type is used when Windows tries to add the NC in my case?
Replicated, or originating, which is supported only for application NCs?

3. Then I read this article: 3.1.1.5.2.2 Constraints
https://msdn.microsoft.com/en-us/library/cc223443.aspx (If IT_NC_HEAD is
set, but IT_WRITE is not set, Add returns unwillingToPerform)
I have checked the properties of CN=Partitions,CN=Configuration,DC=ad,DC=...:
instanceType=4 (https://technet.microsoft.com/ru-ru/cc219986: 0x00000004,
"The object is writable on this directory.")

Where am I wrong?

Thank you and best regards, Valery.
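As an added illustration (not code from this post or from the Samba project), the following Python decodes an instanceType value into its flag bits and applies the two rules quoted in the post: the 3.1.1.5.2.2 constraint that IT_NC_HEAD without IT_WRITE yields unwillingToPerform (the check the Samba log above reports), and the 3.1.1.5.2.8 rule that an originating NC-Add is only supported for application NCs. The post itself confirms only the 0x00000004 bit; the other bit values are assumed from the MS-ADTS instanceType definition.

```python
# Added example: decode AD instanceType bits and apply the NC-Add rules
# quoted from MS-ADTS 3.1.1.5.2.8 and 3.1.1.5.2.2. Bit values are the
# ones MS-ADTS documents for instanceType (assumption); the post itself
# confirms only 0x00000004 ("writable on this directory").
IT_NC_HEAD   = 0x00000001  # object is the head of a naming context
IT_UNINSTANT = 0x00000002  # this replica is not instantiated
IT_WRITE     = 0x00000004  # object is writable on this directory
IT_NC_ABOVE  = 0x00000008  # the NC above this one is held here
IT_NC_COMING = 0x00000010  # NC is being built by replication
IT_NC_GOING  = 0x00000020  # NC is being removed from this DSA

FLAG_NAMES = {
    IT_NC_HEAD: "IT_NC_HEAD", IT_UNINSTANT: "IT_UNINSTANT",
    IT_WRITE: "IT_WRITE", IT_NC_ABOVE: "IT_NC_ABOVE",
    IT_NC_COMING: "IT_NC_COMING", IT_NC_GOING: "IT_NC_GOING",
}


def decode_instance_type(value):
    """Return the flag names set in an instanceType value, e.g. 4 -> ['IT_WRITE']."""
    names = [name for bit, name in FLAG_NAMES.items() if value & bit]
    unknown = value & ~sum(FLAG_NAMES)
    if unknown:
        names.append("unknown(0x%08x)" % unknown)
    return names


def classify_add(instance_type, originating, nc_kind="domain"):
    """Outcome of an Add carrying this instanceType under the quoted rules.

    originating: True for an originating update, False for a replicated one.
    nc_kind: 'domain' or 'application'; only matters for an originating NC-Add.
    """
    if not instance_type & IT_NC_HEAD:
        return "ordinary add"  # not an NC-Add at all
    # 3.1.1.5.2.2 constraint, and the check the Samba log reports:
    # IT_NC_HEAD without IT_WRITE -> unwillingToPerform
    if not instance_type & IT_WRITE:
        return "unwillingToPerform: IT_NC_HEAD set, IT_WRITE not set"
    if originating and nc_kind != "application":
        # 3.1.1.5.2.8: originating NC-Add is only supported for application NCs
        return "not supported: originating NC-Add is only for application NCs"
    return "NC-Add (%s)" % ("originating" if originating else "replicated")


if __name__ == "__main__":
    # Values from the post: the Partitions container's instanceType=4, an NC
    # head requested without IT_WRITE, and the (IT_NC_HEAD | IT_WRITE) form.
    for v in (4, IT_NC_HEAD, IT_NC_HEAD | IT_WRITE):
        print("0x%08x" % v, decode_instance_type(v), classify_add(v, originating=False))
```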