status of DRS efforts in Samba4 (and a developer tutorial)
Andrew Kroeger
andrew at id10ts.net
Mon Sep 21 15:28:35 MDT 2009
tridge at samba.org wrote:
> ---------------------------------------------
> - join w2k8 to samba4 dc
>
> We've been concentrating up to now on Samba4<->Samba4 replication, and
> Samba4<->Windows replication where the Samba4 server joins the Windows
> domain. A more difficult problem is making it work when you start with
> a Samba4 domain (from provision, or from vampiring a Windows domain)
> and then try to add another Windows DC by using dcpromo. This is
> currently failing with an obscure error at the end of the dcpromo
> process.
All:
I did some work on this and made some progress, but I now find myself
stuck and cannot figure out what is happening. My initial attempt at
running dcpromo under W2K8 server ended with the error message:
> To install a domain controller into this Active Directory forest, you
> must first prepare the forest using "adprep /forestprep". The
> Adprep utility is available on the Windows 2008 Server installation
> media in the \sources\adprep folder.
I looked through the samba.log and was able to determine the LDAP
queries dcpromo was using to determine that adprep needed to run. Based
on a comparison of those LDAP queries against a S4 DC and a W2K8 DC, I
found two issues:
1. The objectVersion attributes of ${SCHEMADN} were different. We had
it set to 30 (W2K3 schema version) while the W2K8 DC had 44 (W2K8
schema). After changing our objectVersion to 44 (we are using a W2K8
schema after all), the error still occurred. Patch for this change is
attached.
2. I found three LDAP entries that dcpromo queried for that were
present on the W2K8 DC, but not present on the S4 DC. These values are:
- CN=ActiveDirectoryUpdate,CN=ForestUpdates,${CONFIGDN}
- CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,${DOMAINDN}
- CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,${CONFIGDN}
After some additional research, I found that these entries are created
by the adprep utility (for the /forestprep, /domainprep and /rodcprep
options, respectively). After adding these entries (and the respective
values for the revision attribute, as observed on a W2K8 DC), I no
longer receive the above adprep error message when running dcpromo. A
patch with these changes is also attached.
After making the above changes, I can now run dcpromo to the point it
starts configuring itself as a DC (pulling data from S4 or whatever
steps it is actually doing under the hood).
I now receive the following error before the actual dcpromo run can finish:
> The operation failed because:
>
> An unknown error occurred while installing Active Directory
> Domain Services.
>
> "An error occurred while installing the directory service. For more
> information, see the event log."
Looking in the event log gives the following detail for Event ID 1523:
> The Active Directory Domain Services schema cache load could not convert the default security descriptor on the following schema class object.
>
> Security descriptor:
> D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)
> (OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW
> ;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-
> 11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CI
> IO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RPRC;;;RU)(OA;C
> IIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;
> 4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E
> 5F28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;;
> RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa
> 003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;113
> 1f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;ccc2dc7
> d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;CIIO;CRRPWP;91e647de-d96f
> -4b70-9557-d63ff4f3ccd8;;PS)S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f8
> 0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> Schema class object:
> CN=Domain-DNS,CN=Schema,O=Boot
>
> As a result, the schema cache load will fail.
>
> User Action
> Verify that the default security descriptor on the class is valid. If it is not valid, change it to a correct value.
>
> Additional Data
> Error value:
> 1337 The security ID structure is invalid.
I verified that the defaultSecurityDescriptor displayed in the error
message is the same as the one included in the W2K8 schema we install. I
also broke the defaultSecurityDescriptor down and inspected the
components, and everything looks right. I then tried changing the
defaultSecurityDescriptor to something extremely simple ("D:S:"), but I
still receive the exact same error (with the extremely long
defaultSecurityDescriptor value).
This is where I am currently stuck. I am posting the progress I have
made thus far in hopes that someone can either point me in the right
direction or build on what I have done to get this working.
Sincerely,
Andrew Kroeger
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-s4-provision-Update-schema-version-number-to-W2K8.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090921/fe35de52/attachment.ksh>
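The breakdown of the defaultSecurityDescriptor that the post describes doing by hand can be scripted. The following is an added example (not part of the post, and not Samba code): a small SDDL tokenizer that splits a descriptor into its O:/G:/D:/S: sections, parses each ACE into its six fields, and reports any trustee that is neither a known two-letter alias nor a well-formed S-1-... SID, and any object GUID that is malformed. The alias table is a partial list (assumption: extend it if your descriptors use aliases not shown), and the sample descriptors are constructed for the example, one built from ACEs taken from the event-log output above and one with deliberately broken fields. It is a syntax check only; it cannot tell you how the Windows schema cache loader resolves each alias, so a descriptor that passes here can still be rejected with error 1337 (ERROR_INVALID_SID) on the Windows side.

```python
"""SDDL breakdown and sanity check (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Partial table of SDDL trustee aliases (assumption: not exhaustive).
KNOWN_ALIASES = {
    "AN", "AO", "AU", "BA", "BG", "BO", "BU", "CA", "CD", "CG", "CO",
    "DA", "DC", "DD", "DG", "DU", "EA", "ED", "IU", "LA", "LG", "LS",
    "MU", "NO", "NS", "NU", "PA", "PO", "PS", "PU", "RC", "RD", "RE",
    "RO", "RS", "RU", "SA", "SO", "SU", "SY", "WD", "WR",
}
KNOWN_ACE_TYPES = {"A", "D", "OA", "OD", "AU", "AL", "OU", "OL"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SECTION_RE = re.compile(r"(O|G|D|S):")
ACE_RE = re.compile(r"\(([^()]*)\)")


@dataclass
class Ace:
    ace_type: str      # A, D, OA, OD, AU, ...
    flags: str         # CI, OI, IO, SA, ...
    rights: str        # RP, WP, CR, LC, ... concatenated
    object_guid: str   # object type / extended right GUID, may be empty
    inherit_guid: str  # inherited object type GUID, may be empty
    trustee: str       # two-letter alias or S-1-... SID


def split_sections(sddl: str) -> Dict[str, str]:
    """Map O/G/D/S to the raw text following each section marker."""
    sections: Dict[str, str] = {}
    marks = list(SECTION_RE.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    return sections


def parse_acl(text: str) -> Tuple[str, List[Ace]]:
    """Return (ACL control flags, list of ACEs) for a D: or S: section."""
    first = text.find("(")
    flags = text if first < 0 else text[:first]
    aces: List[Ace] = []
    for m in ACE_RE.finditer(text):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE {m.group(0)!r} does not have 6 fields")
        aces.append(Ace(*fields))
    return flags, aces


def check_trustee(trustee: str) -> Optional[str]:
    """None if the trustee is a known alias or a well-formed SID string."""
    if trustee in KNOWN_ALIASES or SID_RE.match(trustee):
        return None
    return f"invalid trustee {trustee!r}"


def check_descriptor(sddl: str) -> List[str]:
    """Return a list of problems found; an empty list means syntax looks sane."""
    issues: List[str] = []
    sections = split_sections(sddl)
    for key in ("O", "G"):
        if key in sections:
            msg = check_trustee(sections[key])
            if msg:
                issues.append(f"{key}: {msg}")
    for key in ("D", "S"):
        if key not in sections:
            continue
        _flags, aces = parse_acl(sections[key])
        for n, ace in enumerate(aces, 1):
            where = f"{key} ACE {n}"
            if ace.ace_type not in KNOWN_ACE_TYPES:
                issues.append(f"{where}: unknown ACE type {ace.ace_type!r}")
            for label, guid in (("object", ace.object_guid),
                                ("inherited object", ace.inherit_guid)):
                if guid and not GUID_RE.match(guid):
                    issues.append(f"{where}: invalid {label} GUID {guid!r}")
            msg = check_trustee(ace.trustee)
            if msg:
                issues.append(f"{where}: {msg}")
    return issues


# Constructed sample: a few ACEs from the Domain-DNS descriptor in the post.
SAMPLE_SDDL = (
    "D:(A;;RP;;;WD)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)"
    "S:(AU;SA;WDWOWP;;;WD)"
    "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)
# Constructed sample with a bogus alias, a bad GUID and a truncated SID.
BAD_SDDL = "D:(A;;RP;;;WD)(A;;RPLCLORC;;;XQ)(OA;;CR;not-a-guid;;S-1-5-)"

if __name__ == "__main__":
    for name, sddl in (("sample", SAMPLE_SDDL), ("bad", BAD_SDDL)):
        for key, text in split_sections(sddl).items():
            if key in ("D", "S"):
                for ace in parse_acl(text)[1]:
                    print(name, key, ace)
        print(name, "issues:", check_descriptor(sddl) or "none")
```

Running it prints each ACE field by field, which is the same inspection the post describes, and then lists the problems found; the minimal "D:S:" descriptor mentioned in the post parses to two empty ACLs with no issues.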