status of DRS efforts in Samba4 (and a developer tutorial)

Matthias Dieter Wallnöfer mdw at
Tue Sep 22 05:50:23 MDT 2009

Andrew Kroeger,

your work is highly appreciated. I applied your patches, in a slightly 
different version, to my personal branch, since this week I agreed with 
abartlet and tridge not to push directly to "master" (as you may know, 
they perform important tests in the MS labs and prefer a stable release).

But I hope to merge it soon afterwards.

As I already told you in a recent email: if you are interested in 
continuing to work on the password policies in s4, please tell me. 
Otherwise I'll try to do it sooner or later.


Andrew Kroeger wrote:
> tridge at wrote:
>> ---------------------------------------------
>> - join w2k8 to samba4 dc
>> We've been concentrating up to now on Samba4<->Samba4 replication, and
>> Samba4<->Windows replication where the Samba4 server joins the Windows
>> domain. A more difficult problem is making it work when you start with
>> a Samba4 domain (from provision, or from vampiring a Windows domain)
>> and then try to add another Windows DC by using dcpromo. This is
>> currently failing with an obscure error at the end of the dcpromo
>> process.
> All:
> I did some work on this and made some progress, but I now find myself 
> stuck and cannot figure out what is happening.  My initial attempt at 
> running dcpromo under W2K8 server ended with the error message:
>> To install a domain controller into this Active Directory forest, you
>> must first prepare the forest using "adprep /forestprep".  The
>> Adprep utility is available on the Windows 2008 Server installation
>> media in the \sources\adprep folder.
> I looked through the samba.log and was able to determine the LDAP 
> queries dcpromo was using to determine that adprep needed to run.  
> Based on a comparison of those LDAP queries against a S4 DC and a W2K8 
> DC, I found two issues:
> 1.  The objectVersion attributes of ${SCHEMADN} were different. We had 
> it set to 30 (W2K3 schema version) while the W2K8 DC had 44 (W2K8 
> schema).  After changing our objectVersion to 44 (we are using a W2K8 
> schema after all), the error still occurred.  Patch for this change is 
> attached.
> 2.  I found three LDAP entries that dcpromo queried for that were 
> present on the W2K8 DC, but not present on the S4 DC.  These values are:
> - CN=ActiveDirectoryUpdate,CN=ForestUpdates,${CONFIGDN}
> - CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,${DOMAINDN}
> - CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,${CONFIGDN}
> After some additional research, I found that these entries are created 
> by the adprep utility (for the /forestprep, /domainprep and /rodcprep 
> options, respectively).  After adding these entries (and the 
> respective values for the revision attribute, as observed on a W2K8 
> DC), I no longer receive the above adprep error message when running 
> dcpromo.  A patch with these changes is also attached.
> After making the above changes, I can now run dcpromo to the point 
> where it starts configuring itself as a DC (pulling data from S4, or 
> whatever steps it is actually doing under the hood).
> I now receive the following error before the actual dcpromo run can 
> finish:
>> The operation failed because:
>> An unknown error occurred while installing Active Directory
>> Domain Services.
>> "An error occurred while installing the directory service.  For more
>> information, see the event log."
> Looking in the event log gives the following detail for Event ID 1523:
>> The Active Directory Domain Services schema cache load could not 
>> convert the default security descriptor on the following schema class 
>> object.  
>> Security descriptor:
>> D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RPRC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;CIIO;CRRPWP;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>> Schema class object:
>> CN=Domain-DNS,CN=Schema,O=Boot  
>> As a result, the schema cache load will fail.  
>> User Action: Verify that the default security descriptor on the class 
>> is valid. If it is not valid, change it to a correct value.  
>> Additional Data: Error value:
>> 1337 The security ID structure is invalid.
> I verified that the defaultSecurityDescriptor displayed in the error 
> message is the same as the one included in the W2K8 schema we install. 
> I also broke the defaultSecurityDescriptor down and inspected the 
> components, and everything looks right.  I then tried changing the 
> defaultSecurityDescriptor to something extremely simple ("D:S:"), but 
> I still receive the exact same error (with the extremely long 
> defaultSecurityDescriptor value).
> This is where I am currently stuck.  I am posting the progress I have 
> made thus far in hopes that someone can either point me in the right 
> direction or build on what I have done to get this working.
> Sincerely,
> Andrew Kroeger
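
The event-log text quoted above reports error 1337 ("The security ID structure is invalid") for the defaultSecurityDescriptor of Domain-DNS, and the only way to narrow that down from the outside is to take the SDDL string apart field by field, as Andrew describes doing. The script below is an added example written for this archive page; it is not Samba code and not Windows code. It splits an SDDL string into its O:/G:/D:/S: sections and ACEs and checks the syntax of every ACE type, flag code, rights code, GUID and trustee (two-letter alias or raw S-1-... SID, including the MS-DTYP limits of 15 sub-authorities of 32 bits each). SAMPLE is a constructed excerpt of the descriptor quoted above (the first ACEs, the one ACE with a raw SID, and the SACL), not the full value, and the alias and rights tables cover only the codes that excerpt uses plus common ones. The check is syntax only: the domain-relative aliases (DA, EA, DD, DU, RU, PS and others) are resolved by Windows against the domain SID, which nothing here reproduces, so a clean result does not prove the DC will convert the descriptor; it only rules out a typo-level fault.

```python
"""Syntax check for an SDDL string such as an AD class's defaultSecurityDescriptor.
Added example for this list archive, not Samba or Windows code.  Syntax only: DA,
EA, DD, DU, RU, PS and the other domain-relative aliases are resolved by Windows
against the domain SID, which nothing here reproduces; hex masks (0x...) are not handled."""
import re
import uuid
from collections import namedtuple

Ace = namedtuple("Ace", "ace_type flags rights object_guid inherit_guid trustee")
# MS-DTYP two-letter codes: those used in SAMPLE plus common ones, not the full lists.
SID_ALIASES = {"WD", "ED", "BA", "AU", "DA", "SY", "EA", "RU", "DD", "PS", "DU", "DC",
               "DG", "AN", "AO", "BG", "BO", "BU", "CO", "IU", "LA", "LS", "NS", "NU"}
ACE_TYPES = {"A", "D", "OA", "OD", "AU", "AL", "OU", "OL", "ML"}
ACE_FLAGS = {"CI", "OI", "NP", "IO", "ID", "SA", "FA"}
RIGHTS = {"GA", "GR", "GW", "GX", "RC", "SD", "WD", "WO", "RP", "WP", "CC", "DC",
          "LC", "SW", "LO", "DT", "CR", "FA", "FR", "FW", "FX", "KA", "KR", "KW", "KX"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed excerpt of the descriptor quoted in the event-log message above; not the full value.
SAMPLE = ("D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
          "(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)"
          "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
          "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)"
          "(OA;CIIO;CRRPWP;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)S:(AU;SA;WDWOWP;;;WD)"
          "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

def split_sections(sddl):
    """Map O/G/D/S to the text after each marker ('D:S:' -> {'D': '', 'S': ''})."""
    sections, key, buf, depth, i = {}, None, [], 0, 0
    while i < len(sddl):
        c = sddl[i]
        # A marker only counts outside parentheses: 'SD' inside an ACE is a right.
        if depth == 0 and c in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = "".join(buf)
            key, buf, i = c, [], i + 2
            continue
        depth += (c == "(") - (c == ")")
        buf.append(c)
        i += 1
    if depth or key is None:
        raise ValueError("unbalanced parentheses or no O:/G:/D:/S: section")
    sections[key] = "".join(buf)
    return sections

def parse_acl(body):
    """[Ace, ...] from a D:/S: body; an ACE with other than six ';' fields is an error."""
    inners = re.findall(r"\(([^()]*)\)", body)
    bad = [s for s in inners if s.count(";") != 5]
    if bad:
        raise ValueError("ACE with wrong field count: (%s)" % bad[0])
    return [Ace(*s.split(";")) for s in inners]

def codes(s):
    """'CIIO' -> ['CI', 'IO']; an odd length cannot be a run of two-letter codes."""
    if len(s) % 2:
        raise ValueError("odd-length code string %r" % s)
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def check_trustee(t):
    """None for a known alias or a well-formed S-1-... SID, else the problem."""
    if t in SID_ALIASES:
        return None
    if not SID_RE.match(t):
        return "unknown alias or malformed SID %r" % t
    sub = [int(p) for p in t.split("-")[3:]]   # after 'S', revision, identifier authority
    if len(sub) > 15:                           # MS-DTYP 2.4.2: at most 15 sub-authorities
        return "%s has more than 15 sub-authorities" % t
    return "%s has a sub-authority wider than 32 bits" % t if max(sub) > 0xFFFFFFFF else None

def check_ace(ace):
    """Problems with one ACE: type, flag and rights codes, both GUIDs, trustee."""
    found = [] if ace.ace_type in ACE_TYPES else ["unknown ACE type %r" % ace.ace_type]
    try:
        bad = [c for c in codes(ace.flags) if c not in ACE_FLAGS]
        bad += [c for c in codes(ace.rights) if c not in RIGHTS]
        if bad:
            found.append("unknown flag/right codes %s" % bad)
    except ValueError as e:
        found.append(str(e))
    for g in (ace.object_guid, ace.inherit_guid):
        try:
            g and uuid.UUID(g)                  # an empty object/inherit GUID is normal
        except ValueError:
            found.append("malformed GUID %r" % g)
    t = check_trustee(ace.trustee)
    return found + [t] if t else found

def check_descriptor(sddl):
    """List of problem strings; [] means every field passed the syntax check."""
    try:
        sections = split_sections(sddl)
    except ValueError as e:
        return [str(e)]
    problems = []
    for k in ("D", "S"):
        try:
            for n, ace in enumerate(parse_acl(sections.get(k, ""))):
                problems += ["%s[%d]: %s" % (k, n, p) for p in check_ace(ace)]
        except ValueError as e:
            problems.append("%s: %s" % (k, e))
    return problems
```

Paste the full descriptor from the event log into one string (it is wrapped across lines in the mail, so join it first) and call check_descriptor on it; the excerpt and the minimal "D:S:" both return an empty list, while a truncated GUID, a sub-authority that does not fit in 32 bits, or an alias that is not in the table comes back as one line per affected ACE, indexed by position in the DACL or SACL.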
