WERR_DS_DRA_BUSY on demote windows 2008 R2 DC

Dave Craft wimberosa at gmail.com
Wed Aug 31 08:53:11 MDT 2011


A while back there was a user that had issues with removing a windows DC
from a samba 4 domain. I have not found where this actually got resolved
but I am experiencing something very similar. I am running Windows Server
2008 R2 with the latest samba 4 master built as of August 28th. Below are
various things I was looking at for debug/capture. I captured a wireshark
run on the linux server side (appended) of the situation as well as ran
some experiments (noted below) on examination of the database and
replication.

I'm not totally sure how I got into this situation since I created this
domain config new yesterday. I have had one other error occur yesterday in
that I attempted to add a different windows server as a RODC to this
configuration. That failed but at the time I ignored it as it wasn't what
I was really trying to experiment with. My plan is to blast this config
and see if I can replicate what steps got me to this error.

Some input as to what I'd need to examine in my next debug session (if
I recreate) would be helpful.

n1win1 (192.168.1.11) is windows server being removed as DC
n1lin1 (192.168.1.31) is linux samba 4 server remaining as DC
Initial config was via a samba provision to which the windows server was
joined as a normal DC.
I did not allow the windows DC to be a DNS server. The linux DC is the DNS
server and is running with the bind9 patches.

The error emanating from the windows dc (at dcpromo demote of the DC) is:

  The operation failed because:
  Active Directory Domain Services could not transfer the remaining data in
  the directory partition CN=Schema,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
  to Active Directory Domain Controller n1lin1.ad1.wimberosa.net

  "The directory service is too busy to complete the replication operation at
  this time."

Over on n1lin1 I see this error while running the samba server:

    UpdateRefs failed with WERR_DS_DRA_BUSY/NT code 0xc00020f6 for 12afbe1a-574d-42ad-9d41-649ff7b01297._msdcs.ad1.wimberosa.net CN=Schema,CN=Configuration,DC=ad1,DC=wimberosa,DC=net

Now the configuration I start with has a windows DCs and one linux samba 4
DC. I am demoting the windows DCs to a member (no longer a controller)
when this issue crops up.

So I did a few tests to see if the roles or schema are somehow out of
whack. Here's what I see.

    root@n1lin1:/home/dcraft# samba-tool ldapcmp ldap://192.168.1.11 ldap://192.168.1.31 schema -U Administrator%*******

    * Comparing [SCHEMA] context...
    * Objects to be compared: 1550
    * Result for [SCHEMA]: SUCCESS

So schema looks the same on each DC which is what the replication is
noting in its complaint.
Comparing the configuration NC I see this complaint.

    root@n1lin1:/home/dcraft# samba-tool ldapcmp ldap://192.168.1.11 ldap://192.168.1.31 configuration -U Administrator%p at ssw0rd

    * Comparing [CONFIGURATION] context...
    * Objects to be compared: 1613

    Comparing:
    'CN=Configuration,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
    'CN=Configuration,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
        Attributes found only in ldap://192.168.1.31:
            subRefs
        FAILED

    * Result for [CONFIGURATION]: FAILURE

    SUMMARY
    ---------
    Attributes found only in ldap://192.168.1.31:
        subRefs
    ERROR: Compare failed: -1

And comparing the domain NC I see this complaint. I suspect the RID
complaint is normal but include it here to attempt a more complete
description of the config around the problem.

    root@n1lin1:/home/dcraft# samba-tool ldapcmp ldap://192.168.1.11 ldap://192.168.1.31 domain -U Administrator%XXXXXX

    * Comparing [DOMAIN] context...
    * Objects to be compared: 224

    Comparing:
    'CN=Builtin,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
    'CN=Builtin,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
        Attributes found only in ldap://192.168.1.31:
            serverState
        FAILED

    Comparing:
    'CN=RID Set,CN=N1LIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
    'CN=RID Set,CN=N1LIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
        Attributes found only in ldap://192.168.1.31:
            rIDNextRID
            rIDPreviousAllocationPool
        FAILED

    Comparing:
    'CN=RID Set,CN=N1WIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
    'CN=RID Set,CN=N1WIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
        Difference in attribute values:
            rIDNextRID =>
    ['1600']
    ['0']
            rIDPreviousAllocationPool =>
    ['9015136355904']
    ['0']
         FAILED

    Comparing:
    'DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
    'DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
        Attributes found only in ldap://192.168.1.31:
            serverState
        FAILED

    * Result for [DOMAIN]: FAILURE

    SUMMARY
    ---------

    Attributes with different values:
        rIDNextRID
        rIDPreviousAllocationPool

    Attributes found only in ldap://192.168.1.31:

        rIDPreviousAllocationPool
        rIDNextRID
        serverState
    ERROR: Compare failed: -1


If I look at the roles I see that all the roles are in fact held by the
linux samba DC and no role is held by the windows DC that I am attempting
to remove.

    samba-tool fsmo show --U=ldap://192.168.1.31 -U administrator%XXXXXX
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=N1LIN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=N1LIN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=N1LIN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=N1LIN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
    SchemaMasterRole owner: CN=NTDS Settings,CN=N1LIN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad1,DC=wimberosa,DC=net

Then I tried to just kick a replication off to see if there would be a
complaint during a replication and it was successful.

    samba-tool drs replicate 192.168.1.31 n1win1 CN=Schema,CN=Configuration,DC=ad1,DC=wimberosa,DC=net -U Administrator%XXXXXX
    Replicate from n1win1 to 192.168.1.31 was successful


-- 
Regards, Dave Craft
Cut the headlights and put it in neutral.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wire.capture
Type: application/octet-stream
Size: 43369 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110831/744fb6d4/attachment.obj>
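
For triaging the ldapcmp reports quoted in the message above, the following added example (not part of the original post and not Samba code) parses the per-object diff blocks into a structure and decodes the 64-bit RID pool value. The names parse_ldapcmp and decode_rid_pool are hypothetical, and the parser assumes the output layout shown in the post with the e-mail line wraps undone.

```python
import re
# Excerpt of the [DOMAIN] ldapcmp output from the post, e-mail line wraps undone.
SAMPLE = """\
Comparing:
'CN=RID Set,CN=N1WIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
'CN=RID Set,CN=N1WIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
    Difference in attribute values:
        rIDNextRID =>
['1600']
['0']
        rIDPreviousAllocationPool =>
['9015136355904']
['0']
     FAILED
Comparing:
'DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
'DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
    Attributes found only in ldap://192.168.1.31:
        serverState
    FAILED
"""

def decode_rid_pool(value):
    """64-bit RID pool: low 32 bits = first RID, high 32 bits = last RID."""
    return int(value) & 0xFFFFFFFF, int(value) >> 32

def parse_ldapcmp(text):
    """Return {dn: {"only_in": {url: [attr]}, "differs": {attr: [values, values]}}}."""
    report, entry, url, attr = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"'(.+)' \[(\S+)\]$", line)
        if m:  # a quoted DN line (one per server) opens or continues an entry
            entry = report.setdefault(m.group(1), {"only_in": {}, "differs": {}})
            url = attr = None
        elif line == "FAILED" or line.startswith("*"):
            entry = None  # entry closed; keeps the SUMMARY block out of the last DN
        elif entry is None or not line:
            continue
        elif line.startswith("Attributes found only in "):
            url, attr = line.split(" in ", 1)[1].rstrip(":"), None
        elif line.startswith("Difference in attribute values"):
            url = None
        elif line.endswith("=>"):
            attr = line[:-2].strip()
        elif line.startswith("[") and attr:
            entry["differs"].setdefault(attr, []).append(re.findall(r"'([^']*)'", line))
        elif url:
            entry["only_in"].setdefault(url, []).append(line)
    return report
```

On the values in the post, the N1WIN1 pool decodes to RIDs 1600 through 2099, and the rIDNextRID of 1600 reported by 192.168.1.11 is the first RID of that pool.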

