[cifs-protocol] Errors when doing a DsAddEntry

Hongwei Sun hongweis at microsoft.com
Thu Sep 8 22:01:03 MDT 2011


Andrew,

>  in join-s1.txt we have an error that is only listed in the docs when removing a DC from the domain.  
>extended_err             : WERR_DS_ROLE_NOT_VERIFIED
>This is currently blocking us.  Our only theory is that we must perform a replication cycle before we do this call.

Answer: This error means that "the FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner." When adding or modifying certain objects through IDL_DRSAddEntry, certain FSMO roles will be checked and verified; if the partition is never replicated, this check will fail and the error will be returned. Some of the functions called by IDL_DRSAddEntry, such as CreateCrossRef() or PerformModifyEntInf(), imply returning this error status by referencing the constraints in MS-ADTS.

Looking at the objects added, it is CN=S2,CN=Partitions,CN=Configuration,DC=v2,DC=tridgell,DC=net. It requires the Domain Naming Master FSMO role to write to the Partitions container or its children. A trace may tell the condition more easily. But your solution makes sense. Once the replication is done at least once, then the FSMO role can be verified.

>Finally, is there any documentation of the high-level procedure for creating a subdomain?

Answer: The following links may be helpful for you. Also, MS-ADSO 3.1.1.1 has some description about the structures of parent and child domains. Please let us know if you need more information.

  http://technet.microsoft.com/en-us/library/cc787706(WS.10).aspx
  http://technet.microsoft.com/en-us/library/bb726976.aspx

  I am looking at the second error.

Thanks!

Hongwei






-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, August 31, 2011 4:55 PM
To: Hongwei Sun
Cc: cifs-protocol at cifs.org; tridge at samba.org
Subject: RE: Errors when doing a DsAddEntry

On Wed, 2011-08-31 at 15:22 +0000, Hongwei Sun wrote:
> Andrew,
> 
> Can you give the information about your configuration? Are you joining Samba DC to a Windows DC?

We were attempting to create a subdomain using Samba4 as the new domain. 

> If so, what is the version of Windows DC? Are you referring to the section "4.1.1.3 Server Behavior of the IDL_DRSAddEntry Method" of MS-DRSR for the "impossible" error case?

The only occurrences of these error constants in the docs were for calls other than AddEntry. 

> Is it possible for you to capture a TTT trace for Windows server when error is returned so I can analyze the behavior? If so, I can create a FTP workspace for you to upload the trace captured?

Tridge may be able to help with that (it was on his systems).  We are also continuing to work on the issues, harmonising our behaviour with the example Windows packet trace I took. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



