Unable to complete post-deployment configuration wizard of Windows Server Essentials role

Felix Botner botner at univention.de
Thu Mar 20 04:54:57 MDT 2014


Hi,

I have a Windows Server 2012R2 joined as a member (not DC) into a Samba 4
domain with one Samba 4.1.0-1 DC (domain level w2k8 r2). After adding the
Windows Server Essentials role I am asked to configure the role, but this
fails with a very generic "Configuration encountered some issues".

A Wireshark trace revealed that the Windows server looked for a "Managed
Service Accounts" container (searchRequest: 
'<WKGUID=1EB93889E40C45DF9F0C64D23BBB6237,DC=PERF,DC=TEST>' baseObject)
but found none. So I added the container and the WKGUID to the
wellKnownObjects of the base object and restarted the configuration,
but again got "some issues" during the configuration.

-> ldbadd -H /var/lib/samba/private/sam.ldb <<-%EOF
dn: CN=Managed Service Accounts,DC=PERF,DC=TEST
objectClass: container
cn: Managed Service Accounts
description: Default container for managed service accounts
name: Managed Service Accounts
%EOF

-> ldbmodify -H /var/lib/samba/private/sam.ldb <<-%EOF
dn: $samba4_ldap_base
changetype: modify
add: wellKnownObjects
wellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=PERF,DC=TEST
%EOF

Then I installed Essentials on a W2K12R2 DC (domain level w2k8 r2).
First, the Managed Service Accounts container already exists here, so this is
maybe something Samba has to do in the provisioning. And during the successful
Essentials configuration two Managed Service Accounts are created, ServerAdmin
and MediaAdmin. These accounts are not created if the DC is a Samba server,
although the Managed Service Accounts container exists.

I don't know how the Essentials configuration creates these accounts,
but on the Windows server in the Samba domain the PowerShell cmdlets for 
managing Managed Service Accounts do not work. Maybe this is the reason the 
configuration fails.

(http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx)
Get-ADServiceAccount, New-ADServiceAccount, Install-ADS...
-> "Unable to find a default server with Active Directory Web Services running"

I also tried to create these accounts on my Samba DC but that doesn't help 
either.

Does Samba support this "Managed Service Accounts" feature?
Has anybody successfully configured the Windows Server Essentials Experience
role in a Samba domain?

attachments: 
Managed Service Accounts container and DC object from the W2K12R2 DC after
the successful configuration of the Essentials role.

-- 

Felix Botner

Open Source Software Engineer

Univention GmbH
be open
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0
Fax : +49 421 22232-99

<botner at univention.de>
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Windows-CN=Managed Service Accounts.ldif
Type: text/x-ldif
Size: 3285 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140320/a7901125/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Windows-DC-object.ldif
Type: text/x-ldif
Size: 6966 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140320/a7901125/attachment-0001.bin>
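
Added example, not part of the original post or of Samba: a small Python check that parses the wellKnownObjects values (DN-with-binary syntax, B:<hex length>:<hex GUID>:<DN>) from LDIF text and reports which container the Managed Service Accounts WKGUID from the post resolves to. The function names are hypothetical and SAMPLE_LDIF is constructed; it assumes the input is LDIF for the domain head object, such as an ldbsearch dump.

```python
import re

# WKGUID the Windows server searched for in the trace quoted in the post.
MSA_WKGUID = "1EB93889E40C45DF9F0C64D23BBB6237"

# Constructed sample (not real output). The first value is folded the LDIF way:
# the continuation line starts with one marker space, then the literal text.
SAMPLE_LDIF = (
    "dn: DC=PERF,DC=TEST\n"
    "wellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service\n"
    "  Accounts,DC=PERF,DC=TEST\n"
    "wellKnownObjects: B:32:1EB93889E40C45DF:CN=Truncated,DC=PERF,DC=TEST\n"
)

DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.+)$")

def unfold(ldif):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_well_known(ldif):
    """Return ({GUID: DN}, [errors]) for all wellKnownObjects values in the LDIF text."""
    found, errors = {}, []
    for line in unfold(ldif):
        name, sep, value = line.partition(": ")
        if not sep or name.lower() != "wellknownobjects":
            continue
        m = DN_BINARY.match(value)
        if not m:
            errors.append("not DN-with-binary syntax: " + value)
        elif int(m.group(1)) != len(m.group(2)):
            errors.append("hex length mismatch: " + value)
        else:
            found[m.group(2).upper()] = m.group(3)
    return found, errors

def msa_container(ldif):
    """DN registered for the Managed Service Accounts WKGUID, or None if absent."""
    return parse_well_known(ldif)[0].get(MSA_WKGUID)

if __name__ == "__main__":
    found, errors = parse_well_known(SAMPLE_LDIF)
    print("MSA container:", found.get(MSA_WKGUID, "MISSING"))
    for err in errors:
        print("invalid value:", err)
```

A value that is hard-wrapped without the leading continuation space is not unfolded, so the DN it yields is cut off at the wrap point.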

