> - join w2k8 to samba4 dc
> We've been concentrating up to now on Samba4<->Samba4 replication, and
> Samba4<->Windows replication where the Samba4 server joins the Windows
> domain. A more difficult problem is making it work when you start with
> a Samba4 domain (from provision, or from vampiring a Windows domain)
> and then try to add another Windows DC by using dcpromo. This is
> currently failing with an obscure error at the end of the dcpromo
> process.


I did some work on this and made some progress, but I now find myself 
stuck and cannot figure out what is happening.  My initial attempt at 
running dcpromo under W2K8 server ended with the error message:

> To install a domain controller into this Active Directory forest, you
> must first prepare the forest using "adprep /forestprep".  The
> Adprep utility is available on the Windows 2008 Server installation
> media in the \sources\adprep folder.

I looked through the samba.log and was able to determine the LDAP 
queries dcpromo was using to determine that adprep needed to run.  Based 
on a comparison of those LDAP queries against a S4 DC and a W2K8 DC, I 
found two issues:

1.  The objectVersion attributes of ${SCHEMADN} were different. We had 
it set to 30 (W2K3 schema version) while the W2K8 DC had 44 (W2K8 
schema).  After changing our objectVersion to 44 (we are using a W2K8 
schema after all), the error still occurred.  Patch for this change is 

2.  I found three LDAP entries that dcpromo queried for that were 
present on the W2K8 DC, but not present on the S4 DC.  These values are:

- CN=ActiveDirectoryUpdate,CN=ForestUpdates,${CONFIGDN}
- CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,${DOMAINDN}
- CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,${CONFIGDN}

After some additional research, I found that these entries are created 
by the adprep utility (for the /forestprep, /domainprep and /rodcprep 
options, respectively).  After adding these entries (and the respective 
values for the revision attribute, as observed on a W2K8 DC), I no 
longer receive the above adprep error message when running dcpromo.  A 
patch with these changes is also attached.

After making the above changes, I can now run dcpromo to the point it 
starts configuring itself as a DC (pulling data from S4 or whatever 
steps it is actually doing under the hood).

I now receive the following error before the actual dcpromo run can finish:

> The operation failed because:
> An unknown error occurred while installing Active Directory
> Domain Services.
> "An error occurred while installing the directory service.  For more
> information, see the event log."

Looking in the event log gives the following detail for Event ID 1523:

> The Active Directory Domain Services schema cache load could not convert the default security descriptor on the following schema class object. 
> Security descriptor:
> D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)
> (OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW
> ;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-
> 11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CI
> IO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RPRC;;;RU)(OA;C
> IIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;
> 4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E
> 5F28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;;
> RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa
> 003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;113
> 1f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;ccc2dc7
> d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;CIIO;CRRPWP;91e647de-d96f
> -4b70-9557-d63ff4f3ccd8;;PS)S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f8
> 0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) 
> Schema class object:
> CN=Domain-DNS,CN=Schema,O=Boot 
> As a result, the schema cache load will fail. 
> User Action 
> Verify that the default security descriptor on the class is valid. If it is not valid, change it to a correct value. 
> Additional Data 
> Error value:
> 1337 The security ID structure is invalid.

I verified that the defaultSecurityDescriptor displayed in the error 
message is the same as the one included in the W2K8 schema we install. I 
also broke the defaultSecurityDescriptor down and inspected the 
components, and everything looks right.  I then tried changing the 
defaultSecurityDescriptor to something extremely simple ("D:S:"), but I 
still receive the exact same error (with the extremely long 
defaultSecurityDescriptor value).

This is where I am currently stuck.  I am posting the progress I have 
made thus far in hopes that someone can either point me in the right 
direction or build on what I have done to get this working.

Andrew Kroeger
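The component-by-component check described in the message above, as an added example that is not part of the original post or of Samba: a small SDDL parser that splits a defaultSecurityDescriptor into its O:/G:/D:/S: parts and ACEs, and flags any trustee that is neither a well-known two-letter alias nor a well-formed S-1-... SID (the kind of defect error 1337, ERROR_INVALID_SID, names). The alias table and the sample descriptors are assumptions: the valid sample reuses ACEs from the event log text, the invalid one is constructed.

```python
import re

# Two-letter SDDL trustee aliases (those in the event log above plus other
# standard ones); assumed sufficient for this check, not an exhaustive list.
WELL_KNOWN_ALIASES = {
    "AN", "AO", "AU", "BA", "BG", "BO", "BU", "CA", "CG", "CO", "DA", "DC",
    "DD", "DG", "DU", "EA", "ED", "IU", "LA", "LG", "LS", "NO", "NS", "NU",
    "PA", "PO", "PS", "PU", "RC", "RD", "RE", "RS", "RU", "SA", "SO", "SU",
    "SY", "WD",
}
ACE_RE = re.compile(r"\(([^()]*)\)")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")  # rev 1, authority, 1..15 sub-auths
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def split_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: components."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}

def validate_trustee(trustee):
    """Return None if trustee is a known alias or a well-formed SID, else a reason."""
    if trustee in WELL_KNOWN_ALIASES or SID_RE.match(trustee):
        return None
    return f"invalid trustee {trustee!r}"

def check_descriptor(sddl):
    """Parse every ACE and return a list of (ace, problem) for malformed ones."""
    problems = []
    parts = split_sddl(sddl)
    for key in ("O", "G"):  # owner and primary group are bare trustees
        if key in parts and (reason := validate_trustee(parts[key])):
            problems.append((key + ":" + parts[key], reason))
    for acl in ("D", "S"):  # DACL and SACL hold the parenthesised ACEs
        for ace in ACE_RE.findall(parts.get(acl, "")):
            fields = ace.split(";")  # type;flags;rights;object;inherit-object;trustee
            if len(fields) != 6:
                problems.append((ace, f"expected 6 fields, got {len(fields)}"))
                continue
            obj_guid, inh_guid, trustee = fields[3:]
            for guid in (obj_guid, inh_guid):
                if guid and not GUID_RE.match(guid):
                    problems.append((ace, f"malformed GUID {guid!r}"))
            if reason := validate_trustee(trustee):
                problems.append((ace, reason))
    return problems

# Constructed samples: ACEs copied from the event log above (valid), and one
# descriptor with a truncated SID and an unknown alias (invalid).
SAMPLE_OK = ("D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
             "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)S:(AU;SA;WDWOWP;;;WD)")
SAMPLE_BAD = "D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-32-)(A;;RPLCLORC;;;XX)"
```

Running check_descriptor over the full descriptor from the event log returns an empty list, which matches the observation above that every component looks right; the trivial "D:S:" also passes, so the 1337 error is not explained by the string's syntax alone.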

