[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Mon May 6 07:31:24 MDT 2013


On 6.5.2013 13:41, Pekka L.J. Jalkanen wrote:
> I think that the thing I'm going to try right now is to actually run the
> MS adprep.exe tool that ships with W2k8 R2. It should add RODC support
> to the schema and MS also says to run it before installing any W2k8 DCs
> (RODC or not) to an existing W2k3 domain, so at least it shouldn't do
> any damage. If it works around this bug, all the better.

I've now run the first phase of the procedure described in
http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx,
i.e. the "adprep /forestprep" part. The tool itself ran successfully,
and extended the schema with the files sch32.ldf - sch47.ldf and
PAS.ldf, but it seems that now I'm having a replication problem:

Windows Directory Service log:

-----
Event Type:	Error
Event Source:	NTDS Replication
Event Category:	DS RPC Client
Event ID:	1411
Date:		6.5.2013
Time:		15:17:00
User:		NT AUTHORITY\ANONYMOUS LOGON
Computer:	W2K3R2DC
Description:
Active Directory failed to construct a mutual authentication service
principal name (SPN) for the following domain controller.

Domain controller:
005c4019-c468-411d-9090-7b130c5c4fe5._msdcs.mydomain.site

The call was denied. Communication with this domain controller might be
affected.

Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to
mutually authenticate the target server because the corresponding server
object in the local DS database has no serverReference attribute.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----

The error is repeated many times (at least 30).

I took a look at the schema with ADSI Edit. If the active DC is the
Windows DC, I can see the attribute serverReferenceBL on both DC
objects. If the active DC is the Samba DC, ADSI Edit first throws an
error that says "Windows could not load the values for all the
attributes. Error code: Xac". At the same time the familiar "cannot find
attr[msDS-isRODC] in of schema" is seen on log.samba. After that the
dialog opens, but shows all the attribute values as unset.

log.samba (loglevel 0) at roughly the same time when the replication
error appears in Windows shows the following:

-----
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:705(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to convert objects:
WERR_DS_DRA_SCHEMA_MISMATCH/NT_STATUS_INVALID_NETWORK_RESPONSE
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:705(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to convert objects:
WERR_DS_DRA_SCHEMA_MISMATCH/NT_STATUS_INVALID_NETWORK_RESPONSE
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:705(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to convert objects:
WERR_DS_DRA_SCHEMA_MISMATCH/NT_STATUS_INVALID_NETWORK_RESPONSE
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:705(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to convert objects:
WERR_DS_DRA_SCHEMA_MISMATCH/NT_STATUS_INVALID_NETWORK_RESPONSE
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/drepl_out_helpers.c:705(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to convert objects:
WERR_DS_DRA_SCHEMA_MISMATCH/NT_STATUS_INVALID_NETWORK_RESPONSE
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/drepl_out_helpers.c:705(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to convert objects:
WERR_DS_DRA_SCHEMA_MISMATCH/NT_STATUS_INVALID_NETWORK_RESPONSE
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR

-----

There are many pages of similar errors, and Samba tries in vain to
continue replication all the time. "samba-tool drs showrepl" is
reporting an increasing number of consecutive failures.

I guess I'll have little alternative to demoting and re-promoting my
Samba DC again. *sigh*

Pekka L.J. Jalkanen
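
Added example, not part of the original post and not Samba project code: a small Python summarizer that rejoins wrapped log.samba entries like those quoted above and collapses the repeats into one row per distinct error, with a count and first/last timestamp. The function names and the sample text are constructed for illustration; the header pattern assumes the bracketed timestamp/level prefix seen in the excerpt.

```python
import re
from collections import Counter

# Constructed sample shaped like the log.samba excerpt above (mail-wrapped lines).
SAMPLE_LOG = """\
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:676(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to create working schema: WERR_INTERNAL_ERROR
[2013/05/06 15:18:09,  0]
../source4/dsdb/repl/drepl_out_helpers.c:705(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to convert objects:
WERR_DS_DRA_SCHEMA_MISMATCH/NT_STATUS_INVALID_NETWORK_RESPONSE
[2013/05/06 15:18:10,  0]
../source4/dsdb/repl/replicated_objects.c:159(dsdb_repl_make_working_schema)
  Can't continue Schema load: didn't manage to convert any objects: all
6 remaining of 133 objects failed to convert
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(\d+)[^\]]*\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+?):(\d+)\((\w+)\)\s*(.*)$")

def parse_entries(text):
    """Yield (timestamp, level, function, message) with wrapped lines rejoined."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a bracketed header starts a new entry
            current = [m.group(1), int(m.group(2)), [m.group(3)]]
            entries.append(current)
        elif current is not None:  # continuation of the current entry
            current[2].append(line)
    for ts, level, parts in entries:
        body = " ".join(" ".join(parts).split())  # normalise whitespace
        loc = LOCATION.match(body)
        func, msg = (loc.group(3), loc.group(4)) if loc else ("?", body)
        yield ts, level, func, msg

def summarize(text):
    """Return (count, first_ts, last_ts, function, message), most frequent first."""
    counts, span = Counter(), {}
    for ts, _level, func, msg in parse_entries(text):
        key = (func, msg)
        counts[key] += 1
        span[key] = (span.get(key, (ts, ts))[0], ts)
    return [(n, span[k][0], span[k][1], k[0], k[1]) for k, n in counts.most_common()]
```

Calling `summarize()` on the contents of a real log.samba reduces pages of repeated replication failures to a few rows, which makes it easier to see when a schema-mismatch error first appeared and whether it is still recurring.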

