[Samba] Unable to join DC to domain

IT Admin it at cliffbells.com
Mon Mar 28 08:09:34 UTC 2016


Alright... appreciate the info.  Gave it a shot.  Domain is still up but
shares are down because they were hosted on FILER which has now been
demoted and is no longer running any samba services.

What I did while following the wiki "Transfer/Seize FSMO Roles":

1) logged on to FILER, ran samba-tool fsmo show, verified all 7 roles were
owned by FILER.

2) logged on to CBADC01, executed samba-tool fsmo transfer --role=all -U
administrator --realm=cb.cliffbells.com which succeeded.

3) ran samba-tool fsmo show again on FILER, verified all 7 roles were now
owned by CBADC01.

4) ran samba-tool drs showrepl on FILER, replication succeeded after
transferring fsmo roles.

5) ran samba-tool domain demote -Uadministrator on FILER.

6) shut down samba on FILER, removed smb.conf, removed initscript

7) followed guidelines to clean up any remaining references to FILER; it
existed in AD Sites and Services, and I removed it.  I did not delete DNS
references as FILER is critical in this network and must remain accessible.

8) rebooted FILER and CBADC01


Currently AD is allowing users to login to computers, all shares are dead
because FILER isn't providing them and I can't set it up as a Domain Member
to provide the shares again because CBADC01 is missing 3 of 7 fsmoroleowner
entries.  I think I have empty fSMORoleOwner attributes as discussed here:
https://lists.samba.org/archive/samba-technical/2016-January/111516.html


Here's where I'm at:

sudo /usr/local/samba/bin/samba-tool fsmo show
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 390, in run
    infrastructureMaster = get_fsmo_roleowner(samdb, infrastructure_dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]


sudo /usr/local/samba/bin/samba-tool dbcheck --fix --cross-ncs
Checking 3527 objects
ERROR: fSMORoleOwner not found for role CN=RID
Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
Sieze role CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com onto
current DC by adding fSMORoleOwner=CN=NTDS
Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
[y/N/all/none] y
Failed to sieze role CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
onto current DC by adding fSMORoleOwner=CN=NTDS
Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
: (20, 'SINGLE-VALUE attribute fSMORoleOwner on CN=RID
Manager$,CN=System,DC=cb,DC=cliffbells,DC=com specified more than once')
ERROR: fSMORoleOwner not found for role
CN=Infrastructure,DC=cb,DC=cliffbells,DC=com
Sieze role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com onto current DC by
adding fSMORoleOwner=CN=NTDS
Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
[y/N/all/none] y
Failed to sieze role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com onto
current DC by adding fSMORoleOwner=CN=NTDS
Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
: (20, 'SINGLE-VALUE attribute fSMORoleOwner on
CN=Infrastructure,DC=cb,DC=cliffbells,DC=com specified more than once')
Checked 3527 objects (2 errors)


itwerks at cbadc01:~$ sudo /usr/local/samba/bin/samba-tool fsmo seize
--role=rid --force -U administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 353, in run
    self.seize_role(role, samdb, force)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 255, in seize_role
    master_owner = get_fsmo_roleowner(samdb, m.dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]

sudo /usr/local/samba/bin/samba-tool fsmo seize --role=infrastructure
--force -U administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 353, in run
    self.seize_role(role, samdb, force)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 255, in seize_role
    master_owner = get_fsmo_roleowner(samdb, m.dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]


 sudo /usr/local/samba/bin/samba-tool fsmo seize --role=domaindns --force
-U administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 351, in run
    versionopts, force)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 301, in seize_dns_role
    master_owner = get_fsmo_roleowner(samdb, m.dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]


sudo /usr/local/samba/bin/samba-tool fsmo seize --role=forestdns --force -U
administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 351, in run
    versionopts, force)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 301, in seize_dns_role
    master_owner = get_fsmo_roleowner(samdb, m.dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]


I guess I need LDIFs for these, client will be down on a Monday.


JS

On Sun, Mar 27, 2016 at 5:02 AM, Rowland penny <rpenny at samba.org> wrote:

> On 27/03/16 07:25, IT Admin wrote:
>
>> I ran ldbsearch on my sam.ldb
>> I searched for CBADC02, CBADC03, and TESTES (all VMs that fail to join
>> domain), results are below:
>>
>>
>> CBADC02 shows up a few times:
>>
>> # record 1906
>> dn:
>>
>> CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu$
>> objectClass: top
>> objectClass: server
>> instanceType: 4
>> whenCreated: 20160310044543.0Z
>> uSNCreated: 4215
>> objectGUID: de85228c-f92b-4d5d-9d6a-01c3f915dec9
>> systemFlags: 1375731712
>> dNSHostName: cbadc02.cb.cliffbells.com
>> cn:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
>> isDeleted: TRUE
>> name:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
>> lastKnownParent:
>> CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
>>   on,DC=cb,DC=cliffbells,DC=com
>> isRecycled: TRUE
>> whenChanged: 20160319092438.0Z
>> uSNChanged: 4261
>> distinguishedName:
>> CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Se
>>
>> rvers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbell
>>   s,DC=com
>>
>>
>>   # record 2372
>> dn: CN=NTDS
>>
>> Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec$
>> objectClass: top
>> objectClass: applicationSettings
>> objectClass: nTDSDSA
>> instanceType: 4
>> whenCreated: 20160310044546.0Z
>> uSNCreated: 4214
>> objectGUID: a5d3b626-e936-4a65-97bc-cade176d1b10
>> systemFlags: 33554432
>> cn::
>> TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjEw
>> isDeleted: TRUE
>> name::
>> TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjE
>>   w
>> isRecycled: TRUE
>> whenChanged: 20160319092438.0Z
>> uSNChanged: 4259
>> distinguishedName: CN=NTDS
>> Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10
>>
>> ,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-
>>   First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
>>
>>
>>
>>   # record 3275
>> dn: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted
>> Objects,DC=cb,DC=cliffbells,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> instanceType: 4
>> whenCreated: 20160321212014.0Z
>> uSNCreated: 4287
>> objectGUID: b34ccfd9-0f88-4f7b-8c00-3296ed92507d
>> userAccountControl: 4128
>> objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
>> sAMAccountName: CBADC02$
>> isDeleted: TRUE
>> lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> isRecycled: TRUE
>> cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
>> name:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
>> whenChanged: 20160327050242.0Z
>> uSNChanged: 4293
>> distinguishedName:
>> CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=De
>>   leted Objects,DC=cb,DC=cliffbells,DC=com
>>
>>
>>
>>
>>
>>   # record 3481
>> dn: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted
>> Objects,DC=cb,DC=cliffbells,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> instanceType: 4
>> whenCreated: 20160310044542.0Z
>> uSNCreated: 4212
>> objectGUID: ec36364c-6f01-4c82-be95-8def84528d9a
>> userAccountControl: 532480
>> objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
>> sAMAccountName: CBADC02$
>> dNSHostName: cbadc02.cb.cliffbells.com
>> cn:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
>> whenChanged: 20160318045619.0Z
>> isDeleted: TRUE
>> uSNChanged: 4253
>> name:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
>> lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> isRecycled: TRUE
>> distinguishedName:
>> CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=De
>>   leted Objects,DC=cb,DC=cliffbells,DC=com
>>
>>
>>
>>
>>
>>
>>
>>
>>   CBADC03 is there once:
>>
>>
>>
>>   # record 3431
>> dn:
>>
>> CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
>> Obje$
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> instanceType: 4
>> whenCreated: 20160321211933.0Z
>> uSNCreated: 4286
>> objectGUID: 0d3362c2-c153-415e-b077-0772a61b96b5
>> userAccountControl: 4128
>> objectSid: S-1-5-21-2555112579-3841919511-698463993-1601
>> sAMAccountName: CBADC03$
>> isDeleted: TRUE
>> lastKnownParent: CN=LostAndFound,DC=cb,DC=cliffbells,DC=com
>> isRecycled: TRUE
>> cn::
>> Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZ
>>   DMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
>> name::
>> Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDo
>>   wZDMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
>> whenChanged: 20160327050527.0Z
>> uSNChanged: 4294
>> distinguishedName:
>> CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL
>>   :0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
>> Objects,DC=cb,DC=cliffbells,
>>   DC=com
>>
>>
>>
>>   TESTES is nowhere to be found and still fails due to ObjectSID.  I don't
>> understand how that is even possible.  I also manually inspected ADUC,
>> ADSS, ADSIEdit and DNS in RSAT for both of my live DCs (FILER & CBADC01)
>> and removed all references to CBADC02 & CBADC03.  Replication between
>> FILER
>> and CBADC01 is successful.  RSync replication of sysvol from FILER to
>> CBADC01 is running via cron.
>>
>> I am spun.  I've been banging my head against Samba since 12/17/2015.
>> Please advise, I need to get these VMs joined to the domain so I can seize
>> FSMO roles off of FILER so I don't have to keep restoring this
>> ^&*(@^#()*&^
>> database every 36 hours.
>>
>>
>> JS
>>
>>
> OK, so you cannot join another DC and you have to keep restoring every 36
> hours, doesn't this tell you something ?
>
> It looks like the database you keep restoring is badly corrupted, you
> should also be aware that you shouldn't restore a DC if another DC in the
> domain is running.
>
> Are 'FILER' and 'CBADC01' joined ?
> If so, is 'FILER' the only database that is giving problems ?
> If so, then I think your best option is to seize all the fsmo roles to
> 'CBADC01', turn off 'FILER' and then try to join a new DC to 'CBADC01'
>
>
> Rowland
>
>
>
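
The tracebacks in this message all stop at res[0]["fSMORoleOwner"][0], which raises KeyError when a role object carries no fSMORoleOwner attribute. As an added example (not part of the thread and not Samba's code), the sketch below reads an ldbsearch-style LDIF dump and reports, for each of the seven roles, whether the owner is present, missing, or points at a deleted object. The names ROLE_PREFIX, parse_ldif and role_owner_status, the single-domain-forest layout, the server name OLDDC and the sample dump are assumptions made for the example.

```python
ROLE_PREFIX = {  # role -> DN prefix before the domain DN (single-domain forest assumed)
    "schema": "CN=Schema,CN=Configuration,",
    "naming": "CN=Partitions,CN=Configuration,",
    "pdc": "",
    "rid": "CN=RID Manager$,CN=System,",
    "infrastructure": "CN=Infrastructure,",
    "domaindns": "CN=Infrastructure,DC=DomainDnsZones,",
    "forestdns": "CN=Infrastructure,DC=ForestDnsZones,",
}

# Constructed dump: only three role objects, with an invented GUID and server name.
SAMPLE = r"""
dn: CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
objectClass: rIDManager

dn: CN=Infrastructure,DC=cb,DC=cliffbells,DC=com
fSMORoleOwner: CN=NTDS Settings\0ADEL:00000000-0000-0000-0000-000000000000,CN=OLDDC,CN=Servers,
 CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com

dn: DC=cb,DC=cliffbells,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
"""

def parse_ldif(text):
    records = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):  # unfold wraps, split records
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):  # skip "# record N" comment lines
                attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            records[attrs.pop("dn")[0].lower()] = attrs
    return records

def role_owner_status(records, domain_dn):
    report = {}
    for role, prefix in ROLE_PREFIX.items():
        entry = records.get((prefix + domain_dn).lower())
        owners = (entry or {}).get("fsmoroleowner", [])
        if entry is None:
            report[role] = "object not in dump"
        elif not owners:  # the case that makes the unguarded [0] lookup raise KeyError
            report[role] = "fSMORoleOwner missing"
        elif "\\0ADEL:" in owners[0]:  # owner DN carries a deleted-object marker
            report[role] = "owner is a deleted object"
        else:
            report[role] = "ok: " + owners[0].split(",")[1]
    return report
```

Calling role_owner_status(parse_ldif(dump), "DC=cb,DC=cliffbells,DC=com") on real ldbsearch output gives one status line per role without aborting on the first object that lacks an owner.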

