WERR_DS_DRA_BUSY on demote windows 2008 R2 DC

Dave Craft wimberosa at gmail.com
Wed Aug 31 13:54:38 MDT 2011


Easily recreatable problem for me with no special steps. Add a Windows 2008 RC2
DC, reboot, and attempt to delete it. Fails in the same way on fresh configs.
Is this working for anyone else... a regression... or some weird anomaly with
my config? I'd say anomaly if someone would try with a build within the last
day or so and it worked for them. Prior configs of mine (with source trees
within the last month) worked.

On Wed, Aug 31, 2011 at 9:53 AM, Dave Craft <wimberosa at gmail.com> wrote:
> A while back there was a user that had issues with removing a windows DC from
> a samba 4 domain. I have not found where this actually got resolved but I am
> experiencing something very similar. I am running Windows Server 2008 R2 with
> the latest samba 4 master built as of August 28th. Below are various things I
> was looking at for debug/capture. I captured a wireshark run on the linux
> server side (appended) of the situation as well as ran some experiments
> (noted below) on examination of the database and replication.
>
> I'm not totally sure how I got into this situation since I created this
> domain config new yesterday. I have had one other error occur yesterday in
> that I attempted to add a different windows server as a RODC to this
> configuration. That failed but at the time I ignored it as it wasn't what I
> was really trying to experiment with. My plan is to blast this config and see
> if I can replicate what steps got me to this error.
>
> Some input as to what I'd need to examine in my next debug session (if I
> recreate) would be helpful.
>
> n1win1 (192.168.1.11) is windows server being removed as DC
> n1lin1 (192.168.1.31) is linux samba 4 server remaining as DC
> Initial config was via a samba provision to which the windows server was
> joined as a normal DC. I did not allow the windows DC to be a DNS server.
> The linux DC is the DNS server and is running with the bind9 patches.
>
> The error emanating from the windows dc (at dcpromo demote of the DC) is:
>
>  The operation failed because:
>  Active Directory Domain Services could not transfer the remaining data in the directory partition
>  CN=Schema,CN=Configuration,DC=ad1,DC=wimberosa,DC=net to
>  Active Directory Domain Controller n1lin1.ad1.wimberosa.net
>
>  "The directory service is too busy to complete the replication operation at this time."
>
> Over on n1lin1 I see this error while running the samba server
>    UpdateRefs failed with WERR_DS_DRA_BUSY/NT code 0xc00020f6 for 12afbe1a-574d-42ad-9d41-649ff7b01297._msdcs.ad1.wimberosa.net CN=Schema,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
>
> Now the configuration I start with has a windows DCs and one linux samba 4
> DC. I am demoting the windows DCs to a member (no longer a controller) when
> this issue crops up.
>
> So I did a few tests to see if the roles or schema are somehow out of whack.
> Here's what I see.
>
>    root@n1lin1:/home/dcraft# samba-tool ldapcmp ldap://192.168.1.11 ldap://192.168.1.31 schema -U Administrator%*******
>
>    * Comparing [SCHEMA] context...
>    * Objects to be compared: 1550
>    * Result for [SCHEMA]: SUCCESS
>
> So schema looks the same on each DC which is what the replication is
> noting in its complaint.
> Comparing the configuration NC I see this complaint.
>
>    root@n1lin1:/home/dcraft# samba-tool ldapcmp ldap://192.168.1.11 ldap://192.168.1.31 configuration -U Administrator%p at ssw0rd
>
>    * Comparing [CONFIGURATION] context...
>    * Objects to be compared: 1613
>
>    Comparing:
>    'CN=Configuration,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
>    'CN=Configuration,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
>        Attributes found only in ldap://192.168.1.31:
>            subRefs
>        FAILED
>
>    * Result for [CONFIGURATION]: FAILURE
>
>    SUMMARY
>    ---------
>    Attributes found only in ldap://192.168.1.31:
>        subRefs
>    ERROR: Compare failed: -1
>
> And comparing the domain NC I see this complaint.    I suspect the RID
> complaint is normal but include it here
> to attempt a more complete description of the config around the problem.
>
>    root@n1lin1:/home/dcraft# samba-tool ldapcmp ldap://192.168.1.11 ldap://192.168.1.31 domain -U Administrator%XXXXXX
>
>    * Comparing [DOMAIN] context...
>    * Objects to be compared: 224
>
>    Comparing:
>    'CN=Builtin,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
>    'CN=Builtin,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
>        Attributes found only in ldap://192.168.1.31:
>            serverState
>        FAILED
>
>    Comparing:
>    'CN=RID Set,CN=N1LIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
>    'CN=RID Set,CN=N1LIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
>        Attributes found only in ldap://192.168.1.31:
>            rIDNextRID
>            rIDPreviousAllocationPool
>        FAILED
>
>    Comparing:
>    'CN=RID Set,CN=N1WIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
>    'CN=RID Set,CN=N1WIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
>        Difference in attribute values:
>            rIDNextRID =>
>    ['1600']
>    ['0']
>            rIDPreviousAllocationPool =>
>    ['9015136355904']
>    ['0']
>         FAILED
>
>    Comparing:
>    'DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
>    'DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
>        Attributes found only in ldap://192.168.1.31:
>            serverState
>        FAILED
>
>    * Result for [DOMAIN]: FAILURE
>
>    SUMMARY
>    ---------
>
>    Attributes with different values:
>        rIDNextRID
>        rIDPreviousAllocationPool
>
>    Attributes found only in ldap://192.168.1.31:
>
>        rIDPreviousAllocationPool
>        rIDNextRID
>        serverState
>    ERROR: Compare failed: -1
>
>
> If I look at the roles I see that all the roles are in fact held by
> the linux samba DC and no role is held by the
> windows DC that I am attempting to remove.
>
>    samba-tool fsmo show --U=ldap://192.168.1.31 -U administrator%XXXXXX
>    InfrastructureMasterRole owner: CN=NTDS Settings,CN=N1LIN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
>    RidAllocationMasterRole owner: CN=NTDS Settings,CN=N1LIN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
>    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=N1LIN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
>    DomainNamingMasterRole owner: CN=NTDS Settings,CN=N1LIN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
>    SchemaMasterRole owner: CN=NTDS Settings,CN=N1LIN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad1,DC=wimberosa,DC=net
>
> Then I tried to just kick a replication off to see if there would be a
> complaint during a replication and it was successful
>
>   samba-tool drs replicate 192.168.1.31 n1win1 CN=Schema,CN=Configuration,DC=ad1,DC=wimberosa,DC=net -U Administrator%XXXXXX
>   Replicate from n1win1 to 192.168.1.31 was successful
>
>
> --
> Regards, Dave Craft
> Cut the headlights and put it in neutral.
>



-- 
Regards, Dave Craft
Cut the headlights and put it in neutral.
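
Editorial addition, not part of the original post or of Samba's code: a small parser for the `samba-tool ldapcmp` report format quoted above. It groups differences per object, decodes the 64-bit RID pool value into its first and last RID, and filters attributes on an ignore list. The names `parse_ldapcmp`, `rid_pool`, `unexpected` and `LOCAL_ONLY` are hypothetical, and treating the four listed attributes as per-DC state is an assumption to confirm against your schema.

```python
import ast
import re

# Assumed per-DC (non-replicated) attributes; SAMPLE is constructed from the posted output.
LOCAL_ONLY = {"rIDNextRID", "rIDPreviousAllocationPool", "serverState", "subRefs"}
SAMPLE = """Comparing:
'CN=RID Set,CN=N1WIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
'CN=RID Set,CN=N1WIN1,OU=Domain Controllers,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
    Difference in attribute values:
        rIDNextRID =>
['1600']
['0']
        rIDPreviousAllocationPool =>
['9015136355904']
['0']
    FAILED
Comparing:
'CN=Configuration,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.11]
'CN=Configuration,DC=ad1,DC=wimberosa,DC=net' [ldap://192.168.1.31]
    Attributes found only in ldap://192.168.1.31:
        subRefs
    FAILED"""

def parse_ldapcmp(text):  # DN -> {attr: [values_a, values_b]} or {attr: "only:<url>"}
    report, dn, mode, attr = {}, None, None, None
    for s in map(str.strip, text.splitlines()):
        m = re.match(r"'(.+)' \[\S+\]$", s)
        if m:  # object header line, printed once per server
            dn, mode = m.group(1), None
            report.setdefault(dn, {})
        elif dn is None or s in ("FAILED", "SUMMARY"):
            dn = None  # outside a per-object block: skip banners and the summary
        elif s.startswith("Attributes found only in "):
            mode = "only:" + s.split(" in ", 1)[1].rstrip(":")
        elif s.startswith("Difference in attribute values"):
            mode = "diff"
        elif mode == "diff" and s.endswith("=>"):
            attr = s[:-2].strip()
        elif mode == "diff" and s.startswith("["):
            report[dn].setdefault(attr, []).append(ast.literal_eval(s))
        elif s and (mode or "").startswith("only:"):
            report[dn][s] = mode
    return report

def rid_pool(value):
    return value & 0xFFFFFFFF, value >> 32  # (first RID, last RID) of the 64-bit pool

def unexpected(report, ignore=LOCAL_ONLY):
    return {dn: sorted(set(a) - ignore) for dn, a in report.items() if set(a) - ignore}
```

Decoded this way, the `rIDPreviousAllocationPool` value 9015136355904 reported by 192.168.1.11 is the pool 1600 to 2099, and its `rIDNextRID` of 1600 is the first RID of that pool.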


More information about the samba-technical mailing list