[Samba] Win 2003 DC Demotion
Garth Keesler
garthk at gdcjk.com
Tue Jul 23 14:37:49 MDT 2013
On 07/23/2013 02:54 PM, Andrew Bartlett wrote:
> On Tue, 2013-07-23 at 06:49 -0500, Garth Keesler wrote:
>> All,
>>
>> I've posted a few times about this but without response so it seems that
>> not many folks are trying to do this. So, before I spend many more hours
>> on this trying to make it work, a simple yes or no question:
>>
>> Has anyone successfully demoted a Win 2003 PDC without error after
>> joining a Samba 4.x DC to it?
>>
>> That's it. I'm primarily interested in "yes" responses but I'll take
>> what I can get.
> It would help if you can describe the errors you get when this fails for
> you.
>
> It certainly is meant to work.
>
> Thanks,
>
> Andrew Bartlett
>
First, thanx for the reply. I'm not exactly sure what to send so I'll
send a lot. Let me know if you need more. The errors (not really errors)
have to do with the fact that Forest and Domain DNS repl are one-way
from WINDC to SAMBADC so when I try and demote WINDC, it refuses to
demote because it believes it is the only holder of that info.
Also, when I try and add the Samba DC to the Win DNS MMC, it refuses to
add it because it does not detect that the Samba DC is in fact an Active
Domain server. This is in spite of the fact that (some) replication does
occur.
root at sambadc:~# samba --version
Version 4.1.0rc1
root at sambadc:~#
root at sambadc:~# samba-tool drs showrepl
PRR\SAMBADC
DSA Options: 0x00000001
DSA object GUID: 981910d4-81a9-4421-8134-4961a3c474ad
DSA invocationId: c004e70f-5b8c-4dd8-b364-b1c110cd241c
==== INBOUND NEIGHBORS ====
DC=mydomain,DC=com
PRR\WINDC via RPC
DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
0 consecutive failure(s).
Last success @ Tue Jul 23 14:57:42 2013 CDT
DC=ForestDnsZones,DC=mydomain,DC=com
PRR\WINDC via RPC
DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
0 consecutive failure(s).
Last success @ Tue Jul 23 14:57:42 2013 CDT
CN=Configuration,DC=mydomain,DC=com
PRR\WINDC via RPC
DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
0 consecutive failure(s).
Last success @ Tue Jul 23 14:57:42 2013 CDT
CN=Schema,CN=Configuration,DC=mydomain,DC=com
PRR\WINDC via RPC
DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
0 consecutive failure(s).
Last success @ Tue Jul 23 14:57:42 2013 CDT
DC=DomainDnsZones,DC=mydomain,DC=com
PRR\WINDC via RPC
DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
0 consecutive failure(s).
Last success @ Tue Jul 23 14:57:42 2013 CDT
==== OUTBOUND NEIGHBORS ====
DC=mydomain,DC=com
PRR\WINDC via RPC
DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
0 consecutive failure(s).
Last success @ Sat Jul 20 05:57:20 2013 CDT
CN=Configuration,DC=mydomain,DC=com
PRR\WINDC via RPC
DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
0 consecutive failure(s).
Last success @ Sat Jul 20 05:57:20 2013 CDT
CN=Schema,CN=Configuration,DC=mydomain,DC=com
PRR\WINDC via RPC
DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
0 consecutive failure(s).
Last success @ Sat Jul 20 05:57:20 2013 CDT
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 130d9758-a7b2-4a25-b0b7-40ce00d9ef2a
Enabled : TRUE
Server DNS name : windc.mydomain.com
Server DN name : CN=NTDS Settings,CN=WINDC,CN=Servers,CN=PRR,CN=Sites,CN=Configuration,DC=mydomain,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
root at sambadc:~#
root at sambadc:~# samba-tool dbcheck
Checking 2290 objects
ERROR: missing GUID component for ipsecOwnersReference in object CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=mydomain,DC=com - CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,CN=System,DC=mydomain,DC=com
unable to find object for DN CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,CN=System,DC=mydomain,DC=com - (No such Base DN: CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,CN=System,DC=mydomain,DC=com)
Not removing dangling forward link
Please use --fix to fix these errors
Checked 2290 objects (1 errors)
root at sambadc:~#
<I tried the --fix option with no success>
root at sambadc:~# cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.COM
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.COM = {
kdc = windc
kdc = sambadc
admin_server = windc
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = vice28.fs.andrew.cmu.edu
kdc = vice2.fs.andrew.cmu.edu
kdc = vice11.fs.andrew.cmu.edu
kdc = vice12.fs.andrew.cmu.edu
admin_server = vice28.fs.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementia.org
kdc = kerberos2.dementia.org
admin_server = kerberos.dementia.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
[login]
krb4_convert = true
krb4_get_tickets = false
root at sambadc:~#
root at sambadc:~# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = MYDOMAIN
realm = mydomain.com
netbios name = SAMBADC
server role = active directory domain controller
allow dns updates = signed
dns forwarder = 216.180.99.2
[netlogon]
path = /usr/local/samba/var/locks/sysvol/mydomain.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
root at sambadc:~#
root at sambadc:~# samba-tool drs kcc windc
Consistency check on windc successful.
root at sambadc:~#
root at sambadc:~# samba-tool drs kcc sambadc
ERROR(runtime): DsExecuteKCC failed - (-1073610723,
'NT_STATUS_RPC_PROTOCOL_ERROR')
root at sambadc:~#
root at sambadc:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
root at sambadc:~#
The Win DC reports the following but in spite of this replication
appears to be working between the two servers except for Forest and
Domain DNS which is one-way from windc to sambadc.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\garthk>repadmin /kcc sambadc
DsReplicaConsistencyCheck() failed with status 1752 (0x6d8):
C:\Documents and Settings\garthk>dcdiag /s:windc
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: PRR\WINDC
Starting test: Connectivity
......................... WINDC passed test Connectivity
Doing primary tests
Testing server: PRR\WINDC
Starting test: Replications
......................... WINDC passed test Replications
Starting test: NCSecDesc
......................... WINDC passed test NCSecDesc
Starting test: NetLogons
......................... WINDC passed test NetLogons
Starting test: Advertising
......................... WINDC passed test Advertising
Starting test: KnowsOfRoleHolders
......................... WINDC passed test KnowsOfRoleHolders
Starting test: RidManager
......................... WINDC passed test RidManager
Starting test: MachineAccount
......................... WINDC passed test MachineAccount
Starting test: Services
......................... WINDC passed test Services
Starting test: ObjectsReplicated
......................... WINDC passed test ObjectsReplicated
Starting test: frssysvol
......................... WINDC passed test frssysvol
Starting test: frsevent
......................... WINDC passed test frsevent
Starting test: kccevent
......................... WINDC passed test kccevent
Starting test: systemlog
......................... WINDC passed test systemlog
Starting test: VerifyReferences
......................... WINDC passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : mydomain
Starting test: CrossRefValidation
......................... mydomain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... mydomain passed test CheckSDRefDom
Running enterprise tests on : mydomain.com
Starting test: Intersite
......................... mydomain.com passed test Intersite
Starting test: FsmoCheck
......................... mydomain.com passed test FsmoCheck
C:\Documents and Settings\garthk>dcdiag /s:sambadc
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: PRR\SAMBADC
Starting test: Connectivity
......................... SAMBADC passed test Connectivity
Doing primary tests
Testing server: PRR\SAMBADC
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
SAMBADC: Current time is 2013-07-23 15:26:22.
DC=DomainDnsZones,DC=mydomain,DC=com
Last replication recieved from WINDC at 1601-01-01 00:21:41.
WARNING: This latency is over the Tombstone Lifetime of
60 days!
CN=Schema,CN=Configuration,DC=mydomain,DC=com
Last replication recieved from WINDC at 1601-01-01 00:21:41.
WARNING: This latency is over the Tombstone Lifetime of
60 days!
CN=Configuration,DC=mydomain,DC=com
Last replication recieved from WINDC at 1601-01-01 00:21:41.
WARNING: This latency is over the Tombstone Lifetime of
60 days!
DC=ForestDnsZones,DC=mydomain,DC=com
Last replication recieved from WINDC at 1601-01-01 00:21:41.
WARNING: This latency is over the Tombstone Lifetime of
60 days!
DC=mydomain,DC=com
Last replication recieved from WINDC at 1601-01-01 00:21:41.
WARNING: This latency is over the Tombstone Lifetime of
60 days!
......................... SAMBADC passed test Replications
Starting test: NCSecDesc
......................... SAMBADC passed test NCSecDesc
Starting test: NetLogons
......................... SAMBADC passed test NetLogons
Starting test: Advertising
......................... SAMBADC passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SAMBADC passed test KnowsOfRoleHolders
Starting test: RidManager
No rids allocated -- please check eventlog.
......................... SAMBADC passed test RidManager
Starting test: MachineAccount
......................... SAMBADC passed test MachineAccount
Starting test: Services
Could not open Dnscache Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
Could not open NtFrs Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
Could not open IsmServ Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
Could not open kdc Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
Could not open SamSs Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
Could not open LanmanServer Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
Could not open LanmanWorkstation Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
Could not open RpcSs Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
Could not open w32time Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
......................... SAMBADC failed test Services
Starting test: ObjectsReplicated
Failed to read object metadata on SAMBADC, error The request is not supported.
Failed to read object metadata on SAMBADC, error The request is not supported.
......................... SAMBADC passed test ObjectsReplicated
Starting test: frssysvol
The SysVol is not ready. This can cause the DC to not advertise
itself as a DC for netlogon after dcpromo. Also trouble with FRS
SysVol replication can cause Group Policy problems. Check the FRS
event log on this DC.
......................... SAMBADC failed test frssysvol
Starting test: frsevent
Error 161 opening FRS eventlog \\SAMBADC:File Replication Service:
The specified path is invalid.
......................... SAMBADC failed test frsevent
Starting test: kccevent
Error 161 opening FRS eventlog \\SAMBADC:Directory Service:
The specified path is invalid.
Failed to enumerate event log records, error The specified path is invalid.
......................... SAMBADC failed test kccevent
Starting test: systemlog
Error 161 opening FRS eventlog \\SAMBADC:System:
The specified path is invalid.
Failed to enumerate event log records, error The specified path is invalid.
......................... SAMBADC failed test systemlog
Starting test: VerifyReferences
Some objects relating to the DC SAMBADC have problems:
[1] Problem: Missing Expected Value
Base Object: CN=SAMBADC,OU=Domain Controllers,DC=mydomain,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[1] Problem: Missing Expected Value
Base Object: CN=NTDS Settings,CN=SAMBADC,CN=Servers,CN=PRR,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... SAMBADC failed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : mydomain
Starting test: CrossRefValidation
......................... mydomain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... mydomain passed test CheckSDRefDom
Running enterprise tests on : mydomain.com
Starting test: Intersite
......................... mydomain.com passed test Intersite
Starting test: FsmoCheck
Error: The server returned by DsGetDcName() did not match DsListRoles() for the PDC
......................... mydomain.com passed test FsmoCheck
C:\Documents and Settings\garthk>
Let me know if there is more I can provide. Dumb error? I accept full
blame! I've just not been able to figure it out.
In the meantime, I'm rereading the man pages from the Samba website.
Thanx,
Garth
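The symptom Garth describes is visible in his `samba-tool drs showrepl` dump: DC=ForestDnsZones and DC=DomainDnsZones appear under INBOUND NEIGHBORS but not under OUTBOUND NEIGHBORS, so those partitions only ever flow from WINDC to SAMBADC, which is why the Windows DC refuses to demote while it believes it is the last holder of them. The script below is an added example written for this thread, not code from the post or from the Samba project. It parses the text layout samba-tool prints in the post, lists naming contexts replicated in one direction only, and flags links that never succeeded, have consecutive failures, or have not succeeded within the 60-day tombstone lifetime that dcdiag warns about. Assumptions: the sample input is constructed (modelled on the post, with one failing Schema link added that is not in the post), and a link that has never succeeded is assumed to print `NTTIME(0)` as its last success.

```python
"""Audit a `samba-tool drs showrepl` dump for one-way and unhealthy links."""
import re
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME = timedelta(days=60)   # the lifetime dcdiag warns about
NOW = datetime(2013, 7, 23, 15, 26, 22)   # "Current time" from the dcdiag run above

# Line shapes samba-tool prints (whitespace-tolerant).
SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND|KCC) ")
NC_RE = re.compile(r"^(?:DC|CN)=")        # naming contexts start in column 0
PARTNER_RE = re.compile(r"^\s+(\S+) via (\S+)\s*$")
ATTEMPT_RE = re.compile(r"Last attempt @ (.+?) (was successful|failed.*)$")
FAILURES_RE = re.compile(r"(\d+) consecutive failure")
SUCCESS_RE = re.compile(r"Last success @ (.+?)\s*$")


def parse_time(text):
    """'Tue Jul 23 14:57:42 2013 CDT' -> naive datetime.
    Assumption: a link that never succeeded prints 'NTTIME(0)'; map it to None."""
    if text.startswith("NTTIME(0)"):
        return None
    fields = text.split()                 # drop the trailing zone name
    return datetime.strptime(" ".join(fields[:5]), "%a %b %d %H:%M:%S %Y")


def parse_showrepl(text):
    """Return {'inbound': {nc: [link, ...]}, 'outbound': {nc: [link, ...]}}."""
    report = {"inbound": {}, "outbound": {}}
    section = nc = link = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, nc, link = m.group(1).lower(), None, None
            continue
        if section not in report:
            continue                      # DSA header lines, KCC objects
        if NC_RE.match(line):
            nc = line.strip()
            report[section].setdefault(nc, [])
            continue
        m = PARTNER_RE.match(line)
        if m and nc is not None:
            link = {"partner": m.group(1), "transport": m.group(2),
                    "ok": None, "failures": 0, "last_success": None}
            report[section][nc].append(link)
            continue
        if link is None:
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            link["ok"] = m.group(2) == "was successful"
            continue
        m = FAILURES_RE.search(line)
        if m:
            link["failures"] = int(m.group(1))
            continue
        m = SUCCESS_RE.search(line)
        if m:
            link["last_success"] = parse_time(m.group(1))
    return report


def one_way_ncs(report):
    """Naming contexts present in only one of the two neighbour lists."""
    inbound, outbound = set(report["inbound"]), set(report["outbound"])
    found = {nc: "inbound-only" for nc in inbound - outbound}
    found.update({nc: "outbound-only" for nc in outbound - inbound})
    return found


def unhealthy_links(report, now=NOW, max_age=TOMBSTONE_LIFETIME):
    """Links that never succeeded, are failing, or last succeeded too long ago."""
    bad = []
    for direction, ncs in report.items():
        for nc, links in ncs.items():
            for link in links:
                last = link["last_success"]
                if last is None or link["failures"] or now - last > max_age:
                    bad.append((direction, nc, link["partner"]))
    return bad


# --- constructed sample, modelled on the showrepl output in the post ---------
def _link_text(nc, partner, attempt, ok, failures, success):
    outcome = "was successful" if ok else "failed"
    return (f"{nc}\n\t{partner} via RPC\n"
            f"\t\tDSA object GUID: a8260438-0154-4429-829b-c0b7914e4525\n"
            f"\t\tLast attempt @ {attempt} {outcome}\n"
            f"\t\t{failures} consecutive failure(s).\n"
            f"\t\tLast success @ {success}\n")

DOMAIN = "DC=mydomain,DC=com"
CONFIG = "CN=Configuration," + DOMAIN
SCHEMA = "CN=Schema," + CONFIG
FOREST_DNS = "DC=ForestDnsZones," + DOMAIN
DOMAIN_DNS = "DC=DomainDnsZones," + DOMAIN
T_NEW, T_OLD = "Tue Jul 23 14:57:42 2013 CDT", "Sat Jul 20 05:57:20 2013 CDT"

SAMPLE = (
    "PRR\\SAMBADC\nDSA Options: 0x00000001\n\n==== INBOUND NEIGHBORS ====\n\n"
    + "".join(_link_text(nc, "PRR\\WINDC", T_NEW, True, 0, T_NEW)
              for nc in (DOMAIN, FOREST_DNS, CONFIG, SCHEMA, DOMAIN_DNS))
    + "\n==== OUTBOUND NEIGHBORS ====\n\n"
    + _link_text(DOMAIN, "PRR\\WINDC", T_OLD, True, 0, T_OLD)
    + _link_text(CONFIG, "PRR\\WINDC", T_OLD, True, 0, T_OLD)
    # Constructed failing link (not in the post) so the health check has a hit.
    + _link_text(SCHEMA, "PRR\\WINDC", T_NEW, False, 3, "NTTIME(0)")
    + "\n==== KCC CONNECTION OBJECTS ====\n"
)

if __name__ == "__main__":
    rep = parse_showrepl(SAMPLE)
    for nc, kind in sorted(one_way_ncs(rep).items()):
        print(f"ONE-WAY   {kind:13} {nc}")
    for direction, nc, partner in unhealthy_links(rep):
        print(f"UNHEALTHY {direction:9} {nc} <-> {partner}")
```

Run it against real output with `samba-tool drs showrepl | python3 showrepl_audit.py` after replacing `SAMPLE` with `sys.stdin.read()`, and treat any inbound-only partition as something to resolve before attempting `dcpromo` on the Windows side: the DNS application partitions must replicate both ways, and the Samba DC must hold a current copy, before the last Windows DC can safely be demoted.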