[Samba] Unable to join DC to domain
Rowland penny
rpenny at samba.org
Mon Mar 28 08:46:34 UTC 2016
On 28/03/16 09:09, IT Admin wrote:
> Alright... appreciate the info. Gave it a shot. Domain is still up
> but shares are down because they were hosted on FILER which has now
> been demoted and is no longer running any samba services.
>
> What I did while following the wiki "Transfer/Seize FSMO Roles":
>
> 1) logged on to FILER, ran samba-tool fsmo show, verified all 7 roles
> were owned by FILER.
>
> 2) logged on to CBADC01, executed samba-tool fsmo transfer --role=all
> -U administrator --realm=cb.cliffbells.com
> which succeeded.
>
> 3) ran samba-tool fsmo show again on FILER, verified all 7 roles were
> now owned by CBADC01.
>
> 4) ran samba-tool drs showrepl on FILER, replication succeeded after
> transferring fsmo roles.
>
> 5) ran samba-tool domain demote -Uadministrator on FILER.
>
> 6) shut down samba on FILER, removed smb.conf, removed initscript
>
> 7) followed guidelines to cleanup any remaining references to FILER,
> it existed in AD Sites and Services, I removed it. I did not delete
> DNS references as FILER is critical in this network and must remain
> accessible.
>
> 8) rebooted FILER and CBADC01
>
>
> Currently AD is allowing users to login to computers, all shares are
> dead because FILER isn't providing them and I can't set it up as a
> Domain Member to provide the shares again because CBADC01 is missing 3
> of 7 fsmoroleowner entries. I think I have empty fSMORoleOwner
> attributes as discussed here:
> https://lists.samba.org/archive/samba-technical/2016-January/111516.html
>
>
> Here's where I'm at:
>
> sudo /usr/local/samba/bin/samba-tool fsmo show
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
> element'
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 390, in run
> infrastructureMaster = get_fsmo_roleowner(samdb, infrastructure_dn)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 42, in get_fsmo_roleowner
> master_owner = res[0]["fSMORoleOwner"][0]
>
>
> sudo /usr/local/samba/bin/samba-tool dbcheck --fix --cross-ncs
> Checking 3527 objects
> ERROR: fSMORoleOwner not found for role CN=RID
> Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
> Sieze role CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com onto
> current DC by adding fSMORoleOwner=CN=NTDS
> Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
> [y/N/all/none] y
> Failed to sieze role CN=RID
> Manager$,CN=System,DC=cb,DC=cliffbells,DC=com onto current DC by
> adding fSMORoleOwner=CN=NTDS
> Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
> : (20, 'SINGLE-VALUE attribute fSMORoleOwner on CN=RID
> Manager$,CN=System,DC=cb,DC=cliffbells,DC=com specified more than once')
> ERROR: fSMORoleOwner not found for role
> CN=Infrastructure,DC=cb,DC=cliffbells,DC=com
> Sieze role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com onto current
> DC by adding fSMORoleOwner=CN=NTDS
> Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
> [y/N/all/none] y
> Failed to sieze role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com onto
> current DC by adding fSMORoleOwner=CN=NTDS
> Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
> : (20, 'SINGLE-VALUE attribute fSMORoleOwner on
> CN=Infrastructure,DC=cb,DC=cliffbells,DC=com specified more than once')
> Checked 3527 objects (2 errors)
>
>
> itwerks at cbadc01:~$ sudo /usr/local/samba/bin/samba-tool fsmo seize
> --role=rid --force -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
> element'
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 353, in run
> self.seize_role(role, samdb, force)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 255, in seize_role
> master_owner = get_fsmo_roleowner(samdb, m.dn)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 42, in get_fsmo_roleowner
> master_owner = res[0]["fSMORoleOwner"][0]
>
> sudo /usr/local/samba/bin/samba-tool fsmo seize --role=infrastructure
> --force -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
> element'
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 353, in run
> self.seize_role(role, samdb, force)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 255, in seize_role
> master_owner = get_fsmo_roleowner(samdb, m.dn)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 42, in get_fsmo_roleowner
> master_owner = res[0]["fSMORoleOwner"][0]
>
>
> sudo /usr/local/samba/bin/samba-tool fsmo seize --role=domaindns
> --force -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
> element'
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 351, in run
> versionopts, force)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 301, in seize_dns_role
> master_owner = get_fsmo_roleowner(samdb, m.dn)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 42, in get_fsmo_roleowner
> master_owner = res[0]["fSMORoleOwner"][0]
>
>
> sudo /usr/local/samba/bin/samba-tool fsmo seize --role=forestdns
> --force -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
> element'
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 351, in run
> versionopts, force)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 301, in seize_dns_role
> master_owner = get_fsmo_roleowner(samdb, m.dn)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> line 42, in get_fsmo_roleowner
> master_owner = res[0]["fSMORoleOwner"][0]
>
>
> I guess I need LDIFs for these, client will be down on a Monday.
>
>
> JS
>
> On Sun, Mar 27, 2016 at 5:02 AM, Rowland penny <rpenny at samba.org
> <mailto:rpenny at samba.org>> wrote:
>
> On 27/03/16 07:25, IT Admin wrote:
>
> I ran ldbsearch on my sam.ldb
> I searched for CBADC02, CBADC03, and TESTES (all VMs that fail
> to join
> domain), results are below:
>
>
> CBADC02 shows up a few times:
>
> # record 1906
> dn:
> CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu$
> objectClass: top
> objectClass: server
> instanceType: 4
> whenCreated: 20160310044543.0Z
> uSNCreated: 4215
> objectGUID: de85228c-f92b-4d5d-9d6a-01c3f915dec9
> systemFlags: 1375731712
> dNSHostName: cbadc02.cb.cliffbells.com
> cn::
> Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
> isDeleted: TRUE
> name::
> Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
> lastKnownParent:
> CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
> on,DC=cb,DC=cliffbells,DC=com
> isRecycled: TRUE
> whenChanged: 20160319092438.0Z
> uSNChanged: 4261
> distinguishedName:
> CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Se
> rvers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbell
> s,DC=com
>
>
> # record 2372
> dn: CN=NTDS
> Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec$
> objectClass: top
> objectClass: applicationSettings
> objectClass: nTDSDSA
> instanceType: 4
> whenCreated: 20160310044546.0Z
> uSNCreated: 4214
> objectGUID: a5d3b626-e936-4a65-97bc-cade176d1b10
> systemFlags: 33554432
> cn::
> TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjEw
> isDeleted: TRUE
> name::
> TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjE
> w
> isRecycled: TRUE
> whenChanged: 20160319092438.0Z
> uSNChanged: 4259
> distinguishedName: CN=NTDS
> Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10
> ,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-
> First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
>
>
>
> # record 3275
> dn:
> CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted
> Objects,DC=cb,DC=cliffbells,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> instanceType: 4
> whenCreated: 20160321212014.0Z
> uSNCreated: 4287
> objectGUID: b34ccfd9-0f88-4f7b-8c00-3296ed92507d
> userAccountControl: 4128
> objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
> sAMAccountName: CBADC02$
> isDeleted: TRUE
> lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> isRecycled: TRUE
> cn::
> Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
> name::
> Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
> whenChanged: 20160327050242.0Z
> uSNChanged: 4293
> distinguishedName:
> CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=De
> leted Objects,DC=cb,DC=cliffbells,DC=com
>
>
>
>
>
> # record 3481
> dn:
> CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted
> Objects,DC=cb,DC=cliffbells,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> instanceType: 4
> whenCreated: 20160310044542.0Z
> uSNCreated: 4212
> objectGUID: ec36364c-6f01-4c82-be95-8def84528d9a
> userAccountControl: 532480
> objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
> sAMAccountName: CBADC02$
> dNSHostName: cbadc02.cb.cliffbells.com
> cn::
> Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
> whenChanged: 20160318045619.0Z
> isDeleted: TRUE
> uSNChanged: 4253
> name::
> Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
> lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> isRecycled: TRUE
> distinguishedName:
> CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=De
> leted Objects,DC=cb,DC=cliffbells,DC=com
>
>
>
>
>
>
>
>
> CBADC03 is there once:
>
>
>
> # record 3431
> dn:
> CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
> Obje$
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> instanceType: 4
> whenCreated: 20160321211933.0Z
> uSNCreated: 4286
> objectGUID: 0d3362c2-c153-415e-b077-0772a61b96b5
> userAccountControl: 4128
> objectSid: S-1-5-21-2555112579-3841919511-698463993-1601
> sAMAccountName: CBADC03$
> isDeleted: TRUE
> lastKnownParent: CN=LostAndFound,DC=cb,DC=cliffbells,DC=com
> isRecycled: TRUE
> cn::
> Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZ
> DMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
> name::
> Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDo
> wZDMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
> whenChanged: 20160327050527.0Z
> uSNChanged: 4294
> distinguishedName:
> CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL
> :0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
> Objects,DC=cb,DC=cliffbells,
> DC=com
>
>
>
> TESTES is nowhere to be found and still fails due to
> ObjectSID. I don't
> understand how that is even possible. I also manually
> inspected ADUC,
> ADSS, ADSIEdit and DNS in RSAT for both of my live DCs (FILER
> & CBADC01)
> and removed all references to CBADC02 & CBADC03. Replication
> between FILER
> and CBADC01 is successful. RSync replication of sysvol from
> FILER to
> CBADC01 is running via cron.
>
> I am spun. I've been banging my head against Samba since
> 12/17/2015.
> Please advise, I need to get these VMs joined to the domain so
> I can seize
> FSMO roles off of FILER so I don't have to keep restoring this
> ^&*(@^#()*&^
> database every 36 hours.
>
>
> JS
>
>
> OK, so you cannot join another DC and you have to keep restoring
> every 36 hours, doesn't this tell you something ?
>
> It looks like the database you keep restoring is badly corrupted,
> you should also be aware that you shouldn't restore a DC if
> another DC in the domain is running.
>
> Are 'FILER' and 'CBADC01' joined ?
> If so, is 'FILER' the only database that is giving problems ?
> If so, then I think your best option is to seize all the fsmo
> roles to 'CBADC01', turn off 'FILER' and then try to join a new DC
> to 'CBADC01'
>
>
> Rowland
>
>
>
>
Strange, you cannot seize the role because it already exists, try
running this:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb '(fsmoroleowner=*)' | grep 'dn:' | sed 's|dn: ||'

This should show all the DNs that have a 'fSMORoleOwner' attribute.

Have you tried running

'samba-tool fsmo seize --force --role=all -UAdministrator --password=ADMINISTRATORPASSWORD'

on the DC?

Rowland
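
Added example, not part of the message above or of Samba's code: a parser for the LDIF that the ldbsearch command prints (run without the grep/sed stage), reporting for each of the seven FSMO role objects whether fSMORoleOwner is present, absent or empty, or names an owner DN carrying the `\0ADEL:` deleted-object marker seen in the quoted records. Only the RID Manager$ and Infrastructure DNs appear in the thread; the other five are the standard AD locations, and `SAMPLE`, `NTDS` and `OLDDC` are constructed for illustration.

```python
import base64

DOMAIN = "DC=cb,DC=cliffbells,DC=com"  # domain DN as it appears in the thread
ROLE_DNS = {  # objects whose fSMORoleOwner names each role holder
    "schema": "CN=Schema,CN=Configuration," + DOMAIN,
    "naming": "CN=Partitions,CN=Configuration," + DOMAIN,
    "pdc": DOMAIN,
    "rid": "CN=RID Manager$,CN=System," + DOMAIN,
    "infrastructure": "CN=Infrastructure," + DOMAIN,
    "domaindns": "CN=Infrastructure,DC=DomainDnsZones," + DOMAIN,
    "forestdns": "CN=Infrastructure,DC=ForestDnsZones," + DOMAIN,
}
# Constructed sample of ldbsearch output, not data from the thread.
NTDS = "CN=NTDS Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration," + DOMAIN
SAMPLE = ("# record 1\ndn: " + DOMAIN + "\nfSMORoleOwner: " + NTDS[:40] + "\n " + NTDS[40:] + "\n\n"
          "# record 2\ndn: CN=Schema,CN=Configuration," + DOMAIN + "\nfSMORoleOwner: "
          "CN=NTDS Settings\\0ADEL:00000000-0000-0000-0000-000000000000,CN=OLDDC,CN=Servers\n")

def parse_ldif(text):
    """Return {dn: {attr: [values]}} (keys lower-cased) from ldbsearch LDIF."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold an LDIF continuation line
        else:
            lines.append(raw)
    records, cur = {}, None
    for line in lines:
        if not line.strip() or line.startswith("#"):
            cur = None                        # blank line or '# record N' ends a record
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attr, value = attr.lower(), value.strip()
        if attr == "dn":
            cur = records.setdefault(value.lower(), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return records

def audit_roles(ldif_text):
    """Map role -> ('ok' | 'missing' | 'deleted-owner', owner DN or None)."""
    records, report = parse_ldif(ldif_text), {}
    for role, dn in ROLE_DNS.items():
        owner = (records.get(dn.lower(), {}).get("fsmoroleowner") or [""])[0]
        state = "missing" if not owner else "deleted-owner" if "\\0ADEL:" in owner else "ok"
        report[role] = (state, owner or None)
    return report
```

Roles reported as `missing` correspond to the objects on which `get_fsmo_roleowner` raises the KeyError shown in the tracebacks.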