[Samba] Unable to transfer ForestDns/DomainDNS

Jason Waters jason at geeknocity.com
Fri Jul 8 19:50:45 UTC 2016


So I was finally able to get this working.  Not that I like my solution!
Anyone new or not committed to using samba would have given up
days/hours/weeks ago! :)

These are my rough notes....

Machines:
PDC: Current Windows 2003 DC
DC2008: New windows 2008 R2 machine
DC03: Samba 4.3.9 Ubuntu
DC04: Samba 4.3.9 Ubuntu


1. PDC - /forestprep /rodcprep /domainprep /gpprep
2. DC2008 - dcpromo
3. DC2008 - Make sure DNS is there
4. DC2008 - Change fsmo roles to DC2008
   regsvr32 schmmgmt.dll
5. PDC - Shut down PDC (without running dcpromo, because that screws things up)
6. DC2008 - Run Metadata Cleanup on DC2008, removing PDC
7. DC2008 - ADSIEDIT
   DC=DomainDnsZones,DC=example,DC=local
   DC=ForestDnsZones,DC=example,DC=local

   Fix Infrastructure so the fSMORoleOwner is as below:
   CN=NTDS Settings,CN=DC2008,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local

8. DC2008 - Check repadmin /showrepl
9. DC2008 - Remove DNS junk, like PDC, from everywhere
10. DC2008 - Reboot
11. DC03 - Join samba, make sure everything is synced
    samba-tool domain join example.local DC -UAdministrator --dns-backend=BIND9_DLZ
12. DC03 - Reboot, make sure everything is working
13. DC2008 - Raise domain/forest levels
14. DC03 - Seize the roles
15. DC2008 - dcpromo /forceremoval
16. Run Metadata Cleanup and remove DC2008
17. Adjust DNS settings so only DC03 is listed
18. DC03 - Reboot
19. DC03 - Run database cleanup on AD
    samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
    samba-tool ntacl sysvolreset
    samba-tool dbcheck --cross-ncs --fix
20. DC04 - Join domain
    kinit administrator
    samba-tool domain join example.local DC -UAdministrator --dns-backend=BIND9_DLZ
21. DC04 - Set up BIND

    Edit /etc/bind/named.conf.options
        auth-nxdomain yes;
        empty-zones-enable no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    Edit /etc/bind/named.conf
        include "/var/lib/samba/private/named.conf";

    chgrp bind /var/lib/samba/private/dns.keytab
    chmod g+r /var/lib/samba/private/dns.keytab
22. DC04 - Reboot
23. Test fsmo role transfers, dns updates, etc...





On Fri, Jul 8, 2016 at 11:24 AM, Jason Waters <jason at geeknocity.com> wrote:

>
> I bumped the logging up.
>
> samba-tool domain level raise --domain-level=2008_R2
>
> schema_fsmo_init: we are master[yes] updates allowed[no]
> schema_fsmo_init: we are master[yes] updates allowed[no]
>
> The updates_allowed[no] concerns me?
>
>
>
>
>
> On Fri, Jul 8, 2016 at 9:45 AM, Jason Waters <jason at geeknocity.com> wrote:
>
>> I'm pretty sure the domain level raise is failing on this system.  This
>> is what I just tested.
>>
>> Joined Samba(dc03) to windows 2003(pdc) DC.
>> Shut down PDC
>> seized all fsmo roles
>> did metadata cleanup
>> Open AD Users and Computers
>> I can view computers, users, etc. but it fails when trying to open Domain
>> Controllers.
>>
>> I get this error cannot find attr[msDS-isRODC] in of schema
>>
>> Now this is a VM so I restored a snapshot before I upgraded the
>> domain/forest level and I'm still getting that error. So I'm not sure where
>> to look.
>>
>> I run samba-tool dbcheck --fix --cross-ncs, finds 2 errors, run it again
>> and finds 0.
>>
>> So how do I fix my AD schema?  This just seems to fail because I'm
>> pulling it from 2003.  If I spin up a new samba domain with the same
>> version installed it just works...
>>
>>
>>
>> On Thu, Jul 7, 2016 at 4:57 PM, Rowland penny <rpenny at samba.org> wrote:
>>
>>> On 07/07/16 21:39, Jason Waters wrote:
>>>
>>> I did that, it fixed 6 errors, ran it again, 0 errors.  Still not able
>>> to join.
>>>
>>> On Thu, Jul 7, 2016 at 4:38 PM, Rowland penny <rpenny at samba.org> wrote:
>>>
>>>> On 07/07/16 21:13, Jason Waters wrote:
>>>>
>>>>> So I joined with samba's internal DNS, then converted to BIND, then
>>>>> tested.  Seems like it was working.  I forced the 2003 machine out, cleaned
>>>>> up the meta data and everything seemed to be working ok.  So I raised the
>>>>> domain level like this
>>>>>
>>>>> samba-tool domain level raise
>>>>> samba-tool domain level raise --domain-level=2008_R2
>>>>> samba-tool domain level raise --forest-level=2008_R2
>>>>>
>>>>> everything shows as 2008_R2
>>>>>
>>>>> so now I think I'm making progress.  I spin up another linux box, get
>>>>> it ready to join, starts to join, then fails
>>>>>
>>>>> says LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A:
>>>>> objectclass_attrs: attribute 'msDS-SupportedEncryptionTypes' on entry
>>>>> 'CN=DC04,OU=Domain Controllers,DC=example,DC=local' was not found in the
>>>>> schema
>>>>>
>>>>> so I thought well I'm going to try having a windows 2008 r2 server
>>>>> join as a DC, run dcpromo and it says I need to run /forestprep on the AD.
>>>>> Well I can't do that now that it is on linux right?
>>>>>
>>>>>
>>>> It should be there, it sounds like you have an incomplete schema, you
>>>> could try running 'samba-tool dbcheck --fix'
>>>>
>>>> Rowland
>>>>
>>>>
>>>
>>> Try adding '--cross-ncs'
>>> After this, I am running out of suggestions.
>>>
>>> Rowland
>>>
>>>
>>
>
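A post-migration check script for the situation in this thread, added here and not part of the original posts: after seizing the roles on the Samba DC, the two DNS-partition FSMO roles (the ForestDnsZones/DomainDnsZones owners from the subject line) can still point at the dead PDC's NTDS Settings object, and BIND9_DLZ only works if named can read the Samba keytab and the named.conf include is in place. The `samba-tool fsmo show` output below is constructed, with DC03/PDC/example.local taken from the thread; the helper function names are my own.

```shell
#!/bin/sh
# Post-migration checks for a Samba AD DC after seizing FSMO roles and moving
# DNS to BIND9_DLZ.  Added example; the sample data below is constructed.

# Constructed `samba-tool fsmo show` output (Samba 4.3 line format): the two
# DNS-partition roles still name the dead PDC's NTDS Settings object, which is
# the condition the thread's subject describes (fixed via ADSIEDIT in the notes).
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local'

# Print the names of roles whose owner is not the expected DC ($2, exact CN).
# On a live DC:  fsmo_stale_roles "$(samba-tool fsmo show)" DC03
fsmo_stale_roles() {
    printf '%s\n' "$1" | awk -v dc="$2" '
        /Role owner: / {
            owner = $0; sub(/.*Role owner: /, "", owner)
            if (index(owner, "CN=NTDS Settings,CN=" dc ",") != 1) print $1
        }'
}

# Succeeds only when every role is owned by $2.
fsmo_all_on() {
    [ -z "$(fsmo_stale_roles "$1" "$2")" ]
}

# BIND must be able to read the DNS keytab (chgrp bind + chmod g+r in the notes).
# $1 = keytab path, $2 = group that named runs as (default: bind).
keytab_readable_by() {
    [ -n "$(find "$1" -prune -group "${2:-bind}" -perm -g+r -print 2>/dev/null)" ]
}

# $1 = named.conf.options must reference the Samba keytab via tkey-gssapi-keytab;
# $2 = named.conf must include Samba's generated named.conf.
bind_conf_ok() {
    grep -q 'tkey-gssapi-keytab *"/var/lib/samba/private/dns.keytab";' "$1" &&
    grep -q 'include *"/var/lib/samba/private/named.conf";' "$2"
}

# Stand-alone demonstration on the constructed sample: prints the two stale roles.
if [ "${1:-}" = "--demo" ]; then
    fsmo_stale_roles "$SAMPLE_FSMO" DC03
fi
```

Run it with `--demo` to see the stale roles on the sample; on a real DC feed it `samba-tool fsmo show` output and rerun after `samba-tool fsmo seize --role=all` until nothing is printed.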

