[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?
Pekka L.J. Jalkanen
pekka.jalkanen at vihreat.fi
Mon May 6 10:03:14 MDT 2013
On 6.5.2013 16:31, Pekka L.J. Jalkanen wrote:
> On 6.5.2013 13:41, Pekka L.J. Jalkanen wrote:
>> I think that the thing I'm going to try right now is to actually run the
>> MS adprep.exe tool that ships with W2k8 R2. It should add RODC support
>> to the schema and MS also tells to run it before installing any W2k8 DCs
>> (RODC or not) to an existing W2k3 domain, so at least it shouldn't do
>> any damage. If it works around this bug, all the better.
>
> I've now run the first phase of the procedure described in
> http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx,
> i.e. the "adprep /forestprep" part. The tool itself ran successfully,
> and extended the schema with the files sch32.ldf - sch47.ldf and
> PAS.ldf, but it seems that now I'm having a replication problem:
[for actual errors, see the previous messages]
> There are many pages of similar errors, and Samba tries in vain to
> continue replication all the time. "samba-tool drs showrepl" is
> reporting increasing number of consecutive failures.
>
> I guess I'll have little alternatives to demoting and re-promoting my
> Samba DC again. *sigh*
OK, done that now. Actually I couldn't demote using samba-tool, because
the previous replication failures prevented successful demotion. So I
had to delete server and computer objects manually and clean metadata
using the procedure outlined in
http://technet.microsoft.com/en-us/library/cc736378%28v=ws.10%29.aspx.
Now, before re-installing and re-promoting the Samba DC I also ran
second and third steps of the adprep procedure. Lo and behold: it works
now! Can run ADSI edit (and yes, the infamous "msDS-isRODC" -attribute
can be found there now). Can run any version of the RSAT. No errors!
Now, if there only were an RSAT for Windows 8 with support for RFC 2307
attributes...
Barring the immediate resolution of bug 9828 I suggest updating
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC so
that it would warn that the complete adprep procedure as described by
Microsoft--including the "/rodcprep" part--should be run _before_
attempting "samba-tool domain join" with Windows 2003 -based domains,
just like should be done before joining any Windows 2008 DCs. If this is
not done, the DC should be demoted before the adprep is run.
As this now works for me I'm not willing to build a full-scale test
environment just to get bug 9828 solved, and probably even couldn't do
that given the workaround stated above: It's quite clear now that the
problem is reproducible only if all the Windows DCs in the domain are
still 2003s. As I'm not aware of any W2k3 evaluation versions, and I
don't have free licences for testing purposes, I most likely wouldn't be
able to reproduce the situation.
Having said that, I can still send my keytab to you, Andrew, if you feel
like you want to investigate that bug anyway.
Oh, and the "samba-tool domain exportkeytab" command still fails exactly
the same way it did before. But to investigate that further I need more
advice.
Pekka L.J. Jalkanen
More information about the samba
mailing list