[cifs-protocol] Errors when doing a DsAddEntry
hongweis at microsoft.com
Thu Sep 15 16:27:20 MDT 2011
I just want to close loop on this request even we already worked together and resolved the related issue. I want to make sure the document is updated properly to include the error conditions.
The first error can be returned by Windows DC handling IDL_DRSAddEntry if it is a Domain Naming FSMO role owner but its ownership canotn be validated because the DC has never been synchronized with any existing partners. This is not explicitly called out in the document. I filed a request to specify this condition.
For the second error, when the nTDSDSA object is created under server object, it needs to find an existing crossRef that matches the domain name. If it cannot be found , then ERROR_DS_NO_CROSSREF_FOR_NC will be returned. The logic is specified in the subroutine CreateNtdsDsa (220.127.116.11.3 MS-DSRS),which is called by IDL_DRSAddEntry() as following:
domainCR := select one v from ConfigNC() where v!nCName = domainName
and crossRef in v!objectClass
and FLAG_CR_NTDS_DOMAIN in v!systemFlags
We need to update the error condition here mentioning if domainCR cannot be found, then ERROR_DS_NO_CROSSREF_FOR_NC will be returned. This explains that his your workaround is the correct way.
I will send you the final update when it is available. Please let me know if there is any more questions regarding this issue.
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, August 30, 2011 11:29 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at cifs.org
Subject: Errors when doing a DsAddEntry
We have been looking at DRSUAPI/DsAddEntry, and have a few questions.
We are trying to implement subdomain support in Samba4 before the plugfest.
We have been able to generate error cases that do not seem to be 'possible' in the docs. Can you please clarify exactly what errors this function should be able to return, and document how to avoid these:
in join-s1.txt we have an error that is only listed in the docs when removing a DC from the domain.
extended_err : WERR_DS_ROLE_NOT_VERIFIED
This is currently blocking us. Our only theory is that we must perform a replication cycle before we do this call.
in join-s1-2.txt we have another error, that we worked around by creating the partitions object before creating the server object.
However, as we need to match the server-side behaviour, we need to know the undocumented circumstances that cause this error.
extended_err : WERR_DS_NO_CROSSREF_FOR_NC
Finally, is there any documentation of the high-level procedure for creating a subdomain?
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the cifs-protocol