[Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain
Rowland Penny
rpenny at samba.org
Fri Dec 22 09:01:55 UTC 2017
On Thu, 21 Dec 2017 17:58:54 -0500 (EST)
Daniel McFeeters via samba <samba at lists.samba.org> wrote:
> Perhaps I'm rooting around at a lower level than I should be, and
> somewhat beyond what I can understand, but here is a bit of info I
> dug up. It might be helpful? The GUID in the first search matches the
> one referred to in the error message.
>
> $ sudo ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb "(DC=DomainDnsZones)"
> # record 1
> dn: DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> objectClass: top
> objectClass: domain
> objectClass: domainDNS
> description: Microsoft DNS Directory
> instanceType: 13
> whenCreated: 20171218211518.0Z
> whenChanged: 20171218211518.0Z
> uSNCreated: 3620
> nTSecurityDescriptor: REDACTED
> name: DomainDnsZones
> objectGUID: 60e25dda-6d35-4aab-bfa5-6137cb271e27
> objectCategory: <GUID=b7263211-731a-43fe-a2f4-b522bf2d1a9d>;CN=Domain-DNS,CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
> msDS-NcType: 0
> dc: DomainDnsZones
> wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:<GUID=ff815094-bd8e-4908-ac71-c62beeb47896>;CN=NTDS Quotas,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:<GUID=d3806832-94c6-413b-9406-0f512a8a6cd5>;CN=Deleted Objects,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:<GUID=e72f6718-5cb2-4535-9410-c1fc3e4ea084>;CN=Infrastructure,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:<GUID=5e3f945f-a07e-4d5a-bf69-6d191f5a6bc2>;CN=LostAndFound,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> replPropertyMetaData:: REDACTED
> uSNChanged: 3627
> distinguishedName: DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
>
> # record 2
> dn: DC=DomainDnsZones,DC=lc.lcdhd.org,CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20171218211518.0Z
> whenChanged: 20171218211518.0Z
> uSNCreated: 3672
> uSNChanged: 3672
> showInAdvancedViewOnly: TRUE
> name: DomainDnsZones
> objectGUID: 4f08c35a-d330-4e01-8cd7-7a6790397b3a
> replPropertyMetaData:: REDACTED
> dnsRecord:: BAABAAXwAAABAAAAAAADhAAAAAAAAAAACmMAFQ==
> objectCategory: <GUID=30c12cc0-3c1f-43d6-9498-5ca8856a6156>;CN=Dns-Node,CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
> dc: DomainDnsZones
> nTSecurityDescriptor: REDACTED
> distinguishedName: DC=DomainDnsZones,DC=lc.lcdhd.org,CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
> $ sudo ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb "(CN=MicrosoftDNS)"
> # record 1
> dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> objectClass: top
> objectClass: container
> cn: MicrosoftDNS
> instanceType: 4
> whenCreated: 20171218211518.0Z
> uSNCreated: 3638
> showInAdvancedViewOnly: TRUE
> name: MicrosoftDNS
> objectGUID: 249ac0c0-b3fd-4998-84b7-950066285b78
> nTSecurityDescriptor: REDACTED
> objectCategory: <GUID=591defdf-e2f7-4c9e-9b5a-d6c2d0744b44>;CN=Container,CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
> replPropertyMetaData:: REDACTED
> whenChanged: 20171220011156.0Z
> uSNChanged: 887580
> distinguishedName: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> $ sudo ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb "(CN=MicrosoftDNS)"
> # record 1
> dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> objectClass: top
> objectClass: container
> cn: MicrosoftDNS
> instanceType: 4
> whenCreated: 20100113175618.0Z
> whenChanged: 20121217022721.0Z
> displayName: DNS Servers
> uSNCreated: 3330
> uSNChanged: 3330
> showInAdvancedViewOnly: TRUE
> name: MicrosoftDNS
> objectGUID: 6e2ba870-34a5-494c-82a9-ab06f109c3dd
> replPropertyMetaData:: REDACTED
> objectCategory: <GUID=591defdf-e2f7-4c9e-9b5a-d6c2d0744b44>;CN=Container,CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
> nTSecurityDescriptor: REDACTED
> distinguishedName: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> Daniel McFeeters
>
>
> ----- Original Message -----
> > From: "samba" <samba at lists.samba.org>
> > To: "Garming Sam" <garming at catalyst.net.nz>
> > Cc: "samba" <samba at lists.samba.org>, "Andrew Bartlett" <abartlet at samba.org>
> > Sent: Thursday, December 21, 2017 5:20:30 PM
> > Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain
>
> > OK, we're getting closer here I think. I repeated with -d 2 without
> > much help. Here is -d 3, which may point us in the right direction.
> > As I suspected, it seems to point to some corruption in the DNS
> > still, perhaps?
>
> > The key line seems to be here:
> > Missing parent while attempting to apply records: No parent with GUID 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
>
> > Here is the full output in context:
>
> > $ sudo samba-tool domain join redacted.domain.local DC -U"REDACTED\my.domain.admin" --dns-backend=SAMBA_INTERNAL -d 3
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Finding a writeable DC for domain 'redacted.domain.local'
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.redacted.domain.local<0x0>
> > Found DC samba4dom.redacted.domain.local
> > resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
> > cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for this connection ldap/samba4dom.redacted.domain.local
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > Password for [REDACTED\my.domain.admin]:
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NO DNS zone information found in source domain, not replicating DNS
> > workgroup is REDACTED
> > realm is redacted.domain.local
> > Adding CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
> > Adding CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> > Adding CN=NTDS Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> > Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
> > resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
> > cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > Adding SPNs to CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
> > Setting account password for SAMBA4DC2$
> > Enabling account
> > Calling bare provision
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > Looking up IPv4 addresses
> > Looking up IPv6 addresses
> > No IPv6 address will be assigned
> > Setting up share.ldb
> > Setting up secrets.ldb
> > Setting up the registry
> > ldb_wrap open of hklm.ldb
> > Key 'key=SOFTWARE,hive=NONE' not found
> > key added: key=SOFTWARE,hive=NONE
> > Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
> > key added: key=Microsoft,key=SOFTWARE,hive=NONE
> > Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> > key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
> > Key 'key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> > key added: key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
> > Key 'key=SYSTEM,hive=NONE' not found
> > key added: key=SYSTEM,hive=NONE
> > Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Setting up the privileges database
> > Setting up idmap db
> > Setting up SAM db
> > Setting up sam.ldb partitions and settings
> > Setting up sam.ldb rootDSE
> > Pre-loading the Samba 4 and AD schema
> > partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null)
> > A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> > Provision OK for domain DN DC=redacted,DC=domain,DC=local
> > Starting replication
> > Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
> > resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
> > cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1550] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1550] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1550] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1550/1550] linked_values[0/0]
> > Analyze and apply schema objects
> > Replicated 1550 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
> > Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1610] linked_values[0/0]
> > Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
> > Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1610] linked_values[0/0]
> > Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
> > Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1610] linked_values[0/0]
> > Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
> > Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1608/1610] linked_values[0/15]
> > Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
> > Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1609/1610] linked_values[22/22]
> > Replicated 1 objects (22 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
> > Replicating critical objects from the base DN of the domain
> > Partition[DC=redacted,DC=domain,DC=local] objects[76/74] linked_values[21/21]
> > Replicated 76 objects (21 linked attributes) for DC=redacted,DC=domain,DC=local
> > Partition[DC=redacted,DC=domain,DC=local] objects[478/19962] linked_values[0/0]
> > Missing parent while attempting to apply records: No parent with GUID 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> > Join failed - cleaning up
> > ldb_wrap open of secrets.ldb
> > Could not find machine account in secrets database: Failed to fetch machine account password for REDACTED from both secrets.ldb (Could not find entry to match filter: '(&(flatname=REDACTED)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > Deleted CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
> > Deleted CN=NTDS Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> > Deleted CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> > ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
> >     ctx.do_join()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
> >     ctx.join_replicate()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 936, in join_replicate
> >     replica_flags=ctx.domain_replica_flags)
> >   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 295, in replicate
> >     schema=schema, req_level=req_level, req=req)
> > $
>
> > Daniel McFeeters
>
As I said, you do not seem to have a DNS server. What you could try is:
back up the DC, then run 'samba_upgradedns'; this should recreate the
DNS.
Rowland
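
The quoted ldbsearch runs show CN=MicrosoftDNS,DC=DomainDnsZones,... stored in two partition files under different objectGUIDs. The following is an added example, not part of the original thread and not Samba's own code: it parses ldbsearch LDIF output and reports any DN held in more than one partition file with differing objectGUIDs. The function names are hypothetical and the sample input is constructed from the DN and GUID values quoted above.

```python
from collections import defaultdict

# Constructed sample: trimmed ldbsearch output per partition file, reusing the
# DN and objectGUID values quoted in the thread.
SAMPLE = {
    "DC=DOMAINDNSZONES,DC=REDACTED,DC=DOMAIN,DC=LOCAL.ldb": """\
# record 1
dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
objectGUID: 249ac0c0-b3fd-4998-84b7-950066285b78
""",
    "DC=REDACTED,DC=DOMAIN,DC=LOCAL.ldb": """\
# record 1
dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,
 DC=domain,DC=local
objectGUID: 6e2ba870-34a5-494c-82a9-ab06f109c3dd

# returned 1 records
""",
}

def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts from ldbsearch LDIF output."""
    records = []
    for block in text.split("\n\n"):            # records are separated by blank lines
        rec = defaultdict(list)
        # A newline followed by one space is an LDIF fold: join it back up.
        for line in block.replace("\n ", "").splitlines():
            if line.startswith("#") or ":" not in line:
                continue                         # skip comments such as "# record 1"
            attr, _, value = line.partition(":")
            # "attr:: <base64>" values are kept in their encoded form.
            rec[attr.strip().lower()].append(value.lstrip(":").strip())
        if rec:
            records.append(dict(rec))
    return records

def find_guid_conflicts(partitions):
    """Map each DN stored with differing objectGUIDs to {partition file: GUID}."""
    seen = defaultdict(dict)
    for name, text in partitions.items():
        for rec in parse_ldif(text):
            dn, guid = rec.get("dn", [""])[0].lower(), rec.get("objectguid", [""])[0]
            if dn and guid:
                seen[dn][name] = guid
    return {dn: locs for dn, locs in seen.items() if len(set(locs.values())) > 1}

if __name__ == "__main__":
    for dn, locs in find_guid_conflicts(SAMPLE).items():
        print(dn, locs)
```

To run it against a real DC, replace SAMPLE with the saved output of one ldbsearch run per file under sam.ldb.d, keyed by file name.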