[Samba] Win 2003 DC Demotion
Garth Keesler
garthk at gdcjk.com
Tue Jul 23 14:49:48 MDT 2013
On 07/23/2013 03:37 PM, Garth Keesler wrote:
>
> On 07/23/2013 02:54 PM, Andrew Bartlett wrote:
>> On Tue, 2013-07-23 at 06:49 -0500, Garth Keesler wrote:
>>> All,
>>>
>>> I've posted a few times about this but without response so it seems that
>>> not many folks are trying to do this. So, before I spend many more hours
>>> on this trying to make it work, a simple yes or no question:
>>>
>>> Has anyone successfully demoted a Win 2003 PDC without error after
>>> joining a Samba 4.x DC to it?
>>>
>>> That's it. I'm primarily interested in "yes" responses but I'll take
>>> what I can get.
>> It would help if you can describe the errors you get when this fails for
>> you.
>>
>> It certainly is meant to work.
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
> First, thanx for the reply. I'm not exactly sure what to send so I'll
> send a lot. Let me know if you need more. The errors (not really
> errors) have to do with the fact that Forest and Domain DNS repl are
> one-way from WINDC to SAMBADC so when I try and demote WINDC, it
> refuses to demote because it believes it is the only holder of that info.
>
> Also, when I try and add the Samba DC to the Win DNS MMC, it refuses
> to add it because it does not detect that the Samba DC is in fact an
> Active Domain server. This is in spite of the fact that (some)
> replication does occur.
>
> root at sambadc:~# samba --version
> Version 4.1.0rc1
> root at sambadc:~#
> root at sambadc:~# samba-tool drs showrepl
> PRR\SAMBADC
> DSA Options: 0x00000001
> DSA object GUID: 981910d4-81a9-4421-8134-4961a3c474ad
> DSA invocationId: c004e70f-5b8c-4dd8-b364-b1c110cd241c
>
> ==== INBOUND NEIGHBORS ====
>
> DC=mydomain,DC=com
> PRR\WINDC via RPC
> DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
> Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
> 0 consecutive failure(s).
> Last success @ Tue Jul 23 14:57:42 2013 CDT
>
> DC=ForestDnsZones,DC=mydomain,DC=com
> PRR\WINDC via RPC
> DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
> Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
> 0 consecutive failure(s).
> Last success @ Tue Jul 23 14:57:42 2013 CDT
>
> CN=Configuration,DC=mydomain,DC=com
> PRR\WINDC via RPC
> DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
> Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
> 0 consecutive failure(s).
> Last success @ Tue Jul 23 14:57:42 2013 CDT
>
> CN=Schema,CN=Configuration,DC=mydomain,DC=com
> PRR\WINDC via RPC
> DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
> Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
> 0 consecutive failure(s).
> Last success @ Tue Jul 23 14:57:42 2013 CDT
>
> DC=DomainDnsZones,DC=mydomain,DC=com
> PRR\WINDC via RPC
> DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
> Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
> 0 consecutive failure(s).
> Last success @ Tue Jul 23 14:57:42 2013 CDT
>
> ==== OUTBOUND NEIGHBORS ====
>
> DC=mydomain,DC=com
> PRR\WINDC via RPC
> DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
> Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
> 0 consecutive failure(s).
> Last success @ Sat Jul 20 05:57:20 2013 CDT
>
> CN=Configuration,DC=mydomain,DC=com
> PRR\WINDC via RPC
> DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
> Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
> 0 consecutive failure(s).
> Last success @ Sat Jul 20 05:57:20 2013 CDT
>
> CN=Schema,CN=Configuration,DC=mydomain,DC=com
> PRR\WINDC via RPC
> DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
> Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
> 0 consecutive failure(s).
> Last success @ Sat Jul 20 05:57:20 2013 CDT
>
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
> Connection name: 130d9758-a7b2-4a25-b0b7-40ce00d9ef2a
> Enabled : TRUE
> Server DNS name : windc.mydomain.com
> Server DN name : CN=NTDS Settings,CN=WINDC,CN=Servers,CN=PRR,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> TransportType: RPC
> options: 0x00000001
> Warning: No NC replicated for Connection!
> root at sambadc:~#
> root at sambadc:~# samba-tool dbcheck
> Checking 2290 objects
> ERROR: missing GUID component for ipsecOwnersReference in object CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=mydomain,DC=com - CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,CN=System,DC=mydomain,DC=com
> unable to find object for DN CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,CN=System,DC=mydomain,DC=com - (No such Base DN: CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,CN=System,DC=mydomain,DC=com)
> Not removing dangling forward link
> Please use --fix to fix these errors
> Checked 2290 objects (1 errors)
> root at sambadc:~#
>
> <I tried the --fix option with no success>
>
> root at sambadc:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = MYDOMAIN.COM
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented. In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # Thie only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
>
> # default_tgs_enctypes = des3-hmac-sha1
> # default_tkt_enctypes = des3-hmac-sha1
> # permitted_enctypes = des3-hmac-sha1
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> MYDOMAIN.COM = {
> kdc = windc
> kdc = sambadc
> admin_server = windc
> }
> ATHENA.MIT.EDU = {
> kdc = kerberos.mit.edu:88
> kdc = kerberos-1.mit.edu:88
> kdc = kerberos-2.mit.edu:88
> admin_server = kerberos.mit.edu
> default_domain = mit.edu
> }
> MEDIA-LAB.MIT.EDU = {
> kdc = kerberos.media.mit.edu
> admin_server = kerberos.media.mit.edu
> }
> ZONE.MIT.EDU = {
> kdc = casio.mit.edu
> kdc = seiko.mit.edu
> admin_server = casio.mit.edu
> }
> MOOF.MIT.EDU = {
> kdc = three-headed-dogcow.mit.edu:88
> kdc = three-headed-dogcow-1.mit.edu:88
> admin_server = three-headed-dogcow.mit.edu
> }
> CSAIL.MIT.EDU = {
> kdc = kerberos-1.csail.mit.edu
> kdc = kerberos-2.csail.mit.edu
> admin_server = kerberos.csail.mit.edu
> default_domain = csail.mit.edu
> krb524_server = krb524.csail.mit.edu
> }
> IHTFP.ORG = {
> kdc = kerberos.ihtfp.org
> admin_server = kerberos.ihtfp.org
> }
> GNU.ORG = {
> kdc = kerberos.gnu.org
> kdc = kerberos-2.gnu.org
> kdc = kerberos-3.gnu.org
> admin_server = kerberos.gnu.org
> }
> 1TS.ORG = {
> kdc = kerberos.1ts.org
> admin_server = kerberos.1ts.org
> }
> GRATUITOUS.ORG = {
> kdc = kerberos.gratuitous.org
> admin_server = kerberos.gratuitous.org
> }
> DOOMCOM.ORG = {
> kdc = kerberos.doomcom.org
> admin_server = kerberos.doomcom.org
> }
> ANDREW.CMU.EDU = {
> kdc = vice28.fs.andrew.cmu.edu
> kdc = vice2.fs.andrew.cmu.edu
> kdc = vice11.fs.andrew.cmu.edu
> kdc = vice12.fs.andrew.cmu.edu
> admin_server = vice28.fs.andrew.cmu.edu
> default_domain = andrew.cmu.edu
> }
> CS.CMU.EDU = {
> kdc = kerberos.cs.cmu.edu
> kdc = kerberos-2.srv.cs.cmu.edu
> admin_server = kerberos.cs.cmu.edu
> }
> DEMENTIA.ORG = {
> kdc = kerberos.dementia.org
> kdc = kerberos2.dementia.org
> admin_server = kerberos.dementia.org
> }
> stanford.edu = {
> kdc = krb5auth1.stanford.edu
> kdc = krb5auth2.stanford.edu
> kdc = krb5auth3.stanford.edu
> master_kdc = krb5auth1.stanford.edu
> admin_server = krb5-admin.stanford.edu
> default_domain = stanford.edu
> }
>
> [domain_realm]
> .mit.edu = ATHENA.MIT.EDU
> mit.edu = ATHENA.MIT.EDU
> .media.mit.edu = MEDIA-LAB.MIT.EDU
> media.mit.edu = MEDIA-LAB.MIT.EDU
> .csail.mit.edu = CSAIL.MIT.EDU
> csail.mit.edu = CSAIL.MIT.EDU
> .whoi.edu = ATHENA.MIT.EDU
> whoi.edu = ATHENA.MIT.EDU
> .stanford.edu = stanford.edu
> .slac.stanford.edu = SLAC.STANFORD.EDU
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
> root at sambadc:~#
>
> root at sambadc:~# cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
> workgroup = MYDOMAIN
> realm = mydomain.com
> netbios name = SAMBADC
> server role = active directory domain controller
> allow dns updates = signed
> dns forwarder = 216.180.99.2
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/mydomain.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> root at sambadc:~#
>
> root at sambadc:~# samba-tool drs kcc windc
> Consistency check on windc successful.
> root at sambadc:~#
>
> root at sambadc:~# samba-tool drs kcc sambadc
> ERROR(runtime): DsExecuteKCC failed - (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
> root at sambadc:~#
> root at sambadc:~# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> root at sambadc:~#
>
> The Win DC reports the following but in spite of this replication
> appears to be working between the two servers except for Forest and
> Domain DNS which is one-way from windc to sambadc.
>
> Microsoft Windows [Version 5.2.3790]
> (C) Copyright 1985-2003 Microsoft Corp.
>
> C:\Documents and Settings\garthk>repadmin /kcc sambadc
> DsReplicaConsistencyCheck() failed with status 1752 (0x6d8):
> C:\Documents and Settings\garthk>dcdiag /s:windc
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: PRR\WINDC
> Starting test: Connectivity
> ......................... WINDC passed test Connectivity
>
> Doing primary tests
>
> Testing server: PRR\WINDC
> Starting test: Replications
> ......................... WINDC passed test Replications
> Starting test: NCSecDesc
> ......................... WINDC passed test NCSecDesc
> Starting test: NetLogons
> ......................... WINDC passed test NetLogons
> Starting test: Advertising
> ......................... WINDC passed test Advertising
> Starting test: KnowsOfRoleHolders
> ......................... WINDC passed test KnowsOfRoleHolders
> Starting test: RidManager
> ......................... WINDC passed test RidManager
> Starting test: MachineAccount
> ......................... WINDC passed test MachineAccount
> Starting test: Services
> ......................... WINDC passed test Services
> Starting test: ObjectsReplicated
> ......................... WINDC passed test ObjectsReplicated
> Starting test: frssysvol
> ......................... WINDC passed test frssysvol
> Starting test: frsevent
> ......................... WINDC passed test frsevent
> Starting test: kccevent
> ......................... WINDC passed test kccevent
> Starting test: systemlog
> ......................... WINDC passed test systemlog
> Starting test: VerifyReferences
> ......................... WINDC passed test VerifyReferences
>
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test CheckSDRefDom
>
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test CheckSDRefDom
>
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
>
> Running partition tests on : Configuration
> Starting test: CrossRefValidation
> ......................... Configuration passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Configuration passed test CheckSDRefDom
>
> Running partition tests on : mydomain
> Starting test: CrossRefValidation
> ......................... mydomain passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... mydomain passed test CheckSDRefDom
>
> Running enterprise tests on : mydomain.com
> Starting test: Intersite
> ......................... mydomain.com passed test Intersite
> Starting test: FsmoCheck
> ......................... mydomain.com passed test FsmoCheck
>
> C:\Documents and Settings\garthk>dcdiag /s:sambadc
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: PRR\SAMBADC
> Starting test: Connectivity
> ......................... SAMBADC passed test Connectivity
>
> Doing primary tests
>
> Testing server: PRR\SAMBADC
> Starting test: Replications
> REPLICATION-RECEIVED LATENCY WARNING
> SAMBADC: Current time is 2013-07-23 15:26:22.
> DC=DomainDnsZones,DC=mydomain,DC=com
> Last replication recieved from WINDC at 1601-01-01 00:21:41.
> WARNING: This latency is over the Tombstone Lifetime of 60 days!
>
> CN=Schema,CN=Configuration,DC=mydomain,DC=com
> Last replication recieved from WINDC at 1601-01-01 00:21:41.
> WARNING: This latency is over the Tombstone Lifetime of 60 days!
>
> CN=Configuration,DC=mydomain,DC=com
> Last replication recieved from WINDC at 1601-01-01 00:21:41.
> WARNING: This latency is over the Tombstone Lifetime of 60 days!
>
> DC=ForestDnsZones,DC=mydomain,DC=com
> Last replication recieved from WINDC at 1601-01-01 00:21:41.
> WARNING: This latency is over the Tombstone Lifetime of 60 days!
>
> DC=mydomain,DC=com
> Last replication recieved from WINDC at 1601-01-01 00:21:41.
> WARNING: This latency is over the Tombstone Lifetime of 60 days!
>
> ......................... SAMBADC passed test Replications
> Starting test: NCSecDesc
> ......................... SAMBADC passed test NCSecDesc
> Starting test: NetLogons
> ......................... SAMBADC passed test NetLogons
> Starting test: Advertising
> ......................... SAMBADC passed test Advertising
> Starting test: KnowsOfRoleHolders
> ......................... SAMBADC passed test KnowsOfRoleHolders
> Starting test: RidManager
> No rids allocated -- please check eventlog.
> ......................... SAMBADC passed test RidManager
> Starting test: MachineAccount
> ......................... SAMBADC passed test MachineAccount
> Starting test: Services
> Could not open Dnscache Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
> Could not open NtFrs Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
> Could not open IsmServ Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
> Could not open kdc Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
> Could not open SamSs Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
> Could not open LanmanServer Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
> Could not open LanmanWorkstation Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
> Could not open RpcSs Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
> Could not open w32time Service on [SAMBADC]:failed with 8: Not enough storage is available to process this command.
> ......................... SAMBADC failed test Services
> Starting test: ObjectsReplicated
> Failed to read object metadata on SAMBADC, error The request is not supported.
> Failed to read object metadata on SAMBADC, error The request is not supported.
> ......................... SAMBADC passed test ObjectsReplicated
> Starting test: frssysvol
> The SysVol is not ready. This can cause the DC to not advertise itself as a DC for netlogon after dcpromo. Also trouble with FRS SysVol replication can cause Group Policy problems. Check the FRS event log on this DC.
> ......................... SAMBADC failed test frssysvol
> Starting test: frsevent
> Error 161 opening FRS eventlog \\SAMBADC:File Replication Service: The specified path is invalid.
> ......................... SAMBADC failed test frsevent
> Starting test: kccevent
> Error 161 opening FRS eventlog \\SAMBADC:Directory Service: The specified path is invalid.
> Failed to enumerate event log records, error The specified path is invalid.
> ......................... SAMBADC failed test kccevent
> Starting test: systemlog
> Error 161 opening FRS eventlog \\SAMBADC:System: The specified path is invalid.
> Failed to enumerate event log records, error The specified path is invalid.
> ......................... SAMBADC failed test systemlog
> Starting test: VerifyReferences
> Some objects relating to the DC SAMBADC have problems:
> [1] Problem: Missing Expected Value
> Base Object: CN=SAMBADC,OU=Domain Controllers,DC=mydomain,DC=com
> Base Object Description: "DC Account Object"
> Value Object Attribute Name: frsComputerReferenceBL
> Value Object Description: "SYSVOL FRS Member Object"
> Recommended Action: See Knowledge Base Article: Q312862
>
> [1] Problem: Missing Expected Value
> Base Object: CN=NTDS Settings,CN=SAMBADC,CN=Servers,CN=PRR,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> Base Object Description: "DSA Object"
> Value Object Attribute Name: serverReferenceBL
> Value Object Description: "SYSVOL FRS Member Object"
> Recommended Action: See Knowledge Base Article: Q312862
>
> ......................... SAMBADC failed test VerifyReferences
>
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test CheckSDRefDom
>
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
>
> Running partition tests on : Configuration
> Starting test: CrossRefValidation
> ......................... Configuration passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Configuration passed test CheckSDRefDom
>
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test CheckSDRefDom
>
> Running partition tests on : mydomain
> Starting test: CrossRefValidation
> ......................... mydomain passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... mydomain passed test CheckSDRefDom
>
> Running enterprise tests on : mydomain.com
> Starting test: Intersite
> ......................... mydomain.com passed test Intersite
> Starting test: FsmoCheck
> Error: The server returned by DsGetDcName() did not match DsListRoles() for the PDC
> ......................... mydomain.com passed test FsmoCheck
>
> C:\Documents and Settings\garthk>
>
>
> Let me know if there is more I can provide. Dumb error? I accept full
> blame! I've just not been able to figure it out.
>
> In the meantime, I'm rereading the man pages from the Samba website.
>
> Thanx,
> Garth
>
Sorry, I forgot to mention. This ONLY occurs when I join Samba 4.x to an
existing Windows domain. When I join a Windows DC to an existing Samba
4.x domain, all works correctly including Forest and Domain
bi-directional DNS repl.
Thanx,
Garth
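The `samba-tool drs showrepl` output quoted in the message is the concrete evidence for the one-way DNS replication described: DC=ForestDnsZones and DC=DomainDnsZones are listed under INBOUND NEIGHBORS but are absent from OUTBOUND NEIGHBORS, while the domain, Configuration and Schema contexts appear in both. The script below is an added example for this thread, not code from the original post or from the Samba project. It parses the showrepl text format and reports naming contexts that replicate in one direction only, plus any neighbor with consecutive failures. The embedded sample is a constructed, abbreviated copy of the output above, with one failure count changed from 0 to 3 so the failure path is exercised; the lines are stripped before matching so the tab-indented real output and the flattened copy in a mail archive parse identically.

```python
"""Spot one-way replication in `samba-tool drs showrepl` output.

Added example (not from the thread or the Samba project): parses the text
format shown in the message and reports naming contexts (NCs) that have
inbound neighbors but no outbound ones, or vice versa.
"""
import re

# Constructed sample: abbreviated copy of the showrepl output in the thread.
# The DNS application partitions appear inbound only; one failure count was
# changed from 0 to 3 so the failure-reporting path is exercised.
SAMPLE_SHOWREPL = """\
PRR\\SAMBADC
DSA Options: 0x00000001
DSA object GUID: 981910d4-81a9-4421-8134-4961a3c474ad

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\tDSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
\t\tLast attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
\t\t0 consecutive failure(s).

DC=ForestDnsZones,DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\tLast attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
\t\t0 consecutive failure(s).

DC=DomainDnsZones,DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\tLast attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
\t\t3 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\tLast attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
\t\t0 consecutive failure(s).

==== KCC CONNECTION OBJECTS ====

Connection --
\tServer DNS name : windc.mydomain.com
"""

SECTION_RE = re.compile(r"^==== (\w+) .*====$")   # INBOUND / OUTBOUND / KCC
NC_RE = re.compile(r"^(?:DC|CN)=")                # naming-context DN line
NEIGHBOR_RE = re.compile(r"^(\S+) via (\S+)$")    # e.g. "PRR\WINDC via RPC"
FAILURES_RE = re.compile(r"^(\d+) consecutive failure\(s\)")


def parse_showrepl(text):
    """Return {"INBOUND": {nc: [neighbor, ...]}, "OUTBOUND": {...}}.

    Each neighbor is {"dsa": str, "transport": str, "failures": int}.
    """
    parsed = {"INBOUND": {}, "OUTBOUND": {}}
    section, nc = None, None
    for raw in text.splitlines():
        line = raw.strip()          # tolerate tab-indented and flattened input
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, nc = m.group(1), None
            continue
        if section not in parsed:   # DSA header and KCC sections are skipped
            continue
        if NC_RE.match(line):
            nc = line
            parsed[section].setdefault(nc, [])
            continue
        m = NEIGHBOR_RE.match(line)
        if m and nc is not None:
            parsed[section][nc].append(
                {"dsa": m.group(1), "transport": m.group(2), "failures": 0})
            continue
        m = FAILURES_RE.match(line)
        if m and nc is not None and parsed[section][nc]:
            parsed[section][nc][-1]["failures"] = int(m.group(1))
    return parsed


def one_way_contexts(parsed):
    """NCs seen in one direction only: {nc: "inbound-only" | "outbound-only"}."""
    inbound, outbound = set(parsed["INBOUND"]), set(parsed["OUTBOUND"])
    report = {nc: "inbound-only" for nc in sorted(inbound - outbound)}
    report.update({nc: "outbound-only" for nc in sorted(outbound - inbound)})
    return report


def failing_neighbors(parsed):
    """(direction, nc, dsa, failures) for every neighbor with failures > 0."""
    return [(direction, nc, n["dsa"], n["failures"])
            for direction, ncs in parsed.items()
            for nc, neighbors in ncs.items()
            for n in neighbors if n["failures"] > 0]


if __name__ == "__main__":
    import sys
    text = SAMPLE_SHOWREPL if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_showrepl(text)
    for nc, direction in one_way_contexts(parsed).items():
        print(f"{direction:14} {nc}")
    for direction, nc, dsa, failures in failing_neighbors(parsed):
        print(f"{direction} {nc}: {failures} consecutive failure(s) from {dsa}")
```

Run it as `samba-tool drs showrepl | python3 showrepl_check.py` on the Samba DC; with no piped input it evaluates the embedded sample and prints the two inbound-only DNS partitions. Two caveats for reading the results: an NC missing from OUTBOUND NEIGHBORS means no partner is pulling that partition from this DC, which is exactly the condition a Windows DC checks before it will let itself be demoted; and the `1601-01-01` timestamps in the dcdiag output above are the zero value of the Windows FILETIME epoch, so dcdiag is reporting "never" for a partition whose metadata it could not read (see the "request is not supported" lines), not a real four-century latency.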