Problem joining 2008 Domain as DC (zero GUID issue)

Stephan Wolf stephan at
Wed Nov 13 00:57:02 MST 2013

Am 12.11.2013 20:01, schrieb Andrew Bartlett:
> On Tue, 2013-11-12 at 15:18 +0100, Stephan Wolf wrote:
>> Hi all,
>> joining a Win 2008 Domain (in my case a 2008 SBS) will fail with the
>> following error
>> Refusing replication of object containing invalid zero invocationID on
>> attribute 13 of CN=Deleted Objects,CN=Configuration,DC=g75,DC=local:
>> Failed to convert object CN=Deleted
>> Objects,CN=Configuration,DC=g75,DC=local: WERR_DS_SRC_GUID_MISMATCH
>> Failed to convert objects: WERR_DS_SRC_GUID_MISMATCH
>> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to
>> process chunk: NT code 0xc0002128
>>     File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/",
>> line 175, in _run
>>       return*args, **kwargs)
>>     File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/",
>> line 609, in run
>>       machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/",
>> line 1172, in join_DC
>>       ctx.do_join()
>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/",
>> line 1077, in do_join
>>       ctx.join_replicate()
>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/",
>> line 813, in join_replicate
>>       replica_flags=ctx.replica_flags)
>>     File
>> "/usr/local/samba/lib64/python2.7/site-packages/samba/",
>> line 256, in replicate
>>       schema=schema, req_level=req_level, req=req)
>> the issue is caused by the following commit
>> which breaks joining the 2008 domain as an DC.
>> Is there a way to check for the function level of the domain in front of
>> this GUID check?
> As far as we are aware, this can only break if you ran a pre-release
> version of Samba 4.1 against your server, and joining Windows 2008R2
> will likewise break.
> Is this the case?  Can you test a trial copy of Windows 2008R2 to
> confirm?  If we differ from Windows in implementing this check then we
> can re-consider, but currently we are trying very hard not to further
> propagate a corrupted domain.
I ran the latest version from git master so I think it is newer than 
samba 4.1 release.
But my server is a Win 2008 not a Win 2008R2.
I also tested it with a 2008R2 and joining the domain works fine. But 
the replication is not working.
samba-tool drs showrepl shows an error WERR_BADFILE and the log file 
contains an entry like this:

[2013/11/13 08:49:49.909760,  0] 
   ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID 
allocation - WERR_BADFILE - extended_ret[0x0]

> All that said, if you had for a time joined Samba 4.1 pre-releases (ie
> git master around June to September this year) then clearly we need to
> find a way to resolve this corruption for you.  We have such tools for
> Samba DCs once replicated, but our anti-corruption test is preventing
> you getting into a state where we could run it!
> Andrew Bartlett

More information about the samba-technical mailing list