[Samba] Unable to Join the Active Directory as a Domain Controller

Garming Sam garming at catalyst.net.nz
Thu Dec 21 00:55:30 UTC 2017


I don't think it should be the schema that is the problem, but the
domain functionality level the 2012 server is operating at. We currently
only operate at 2008 R2 functional level (although there are some
patches currently pending to change some aspects of that). If it's
running at the 2012 R2 functional level, it would have to be downgraded
first (or re-promoted to only be using 2008 R2 functionality).

Cheers,

Garming

On 21/12/17 10:55, Marc-Henri Pamiseux via samba wrote:
> Hello,
>
> I am trying to use Samba in version 4.7.0 as a replication of an Active
> Directory running on Windows 2012-R2.
>
> For that, I execute the process described on this page:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> When I run the command to join the domain controller, samba-tool returns
> the following error:
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> 'WERR_DS_INCOMPATIBLE_VERSION')
>
> I read the documentation that specifies which version of Samba is
> compatible with the version of the Active Directory schema:
> https://wiki.samba.org/index.php/AD_Schema_Version_Support
>
> I was able to check on the Windows 2012-R2 server that the Active
> Directory schema is in version 69, so theoretically compatible with
> Samba 4.7.
>
> User "MYDOMAIN\marcori" is a domain admin.
> Do you have a way to explore further?
>
> Respectfully,
>
> Marc-Henri Pamiseux
>
> PS: Here is the command invoked and its error message:
>
> # samba-tool domain join example.com DC -U"MYDOMAIN\marcori"
> --dns-backend=SAMBA_INTERNAL --realm=EXAMPLE.COM -W MYDOMAIN
> Finding a writeable DC for domain 'example.com'
> Found DC SRV-ADM1.example.com
> Password for [MYDOMAIN\marcori]:
> workgroup is MYDOMAIN
> realm is example.com
> Adding CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
> Adding
> CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding CN=NTDS
> Settings,CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> 'WERR_DS_INCOMPATIBLE_VERSION')
> Join failed - cleaning up
> Deleted CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
> Deleted
> CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ERROR(runtime): uncaught exception - DsAddEntry failed
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 661, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
> do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 639, in
> join_add_objects
>     ctx.join_add_ntdsdsa()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 570, in
> join_add_ntdsdsa
>     ctx.DsAddEntry([rec])
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 521, in
> DsAddEntry
>     raise RuntimeError("DsAddEntry failed")
>
> # samba -V
> Version 4.7.0-Debian
>
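
The check the reply points to, as an added example (not code from the thread or from Samba): a shell function that reads the rootDSE functional-level attributes from LDIF and reports whether they exceed the 2008 R2 ceiling the reply states. The `ldapsearch` invocation in the comment, the decision to check the forest level alongside the domain level, and the sample LDIF are assumptions made for this example.

```sh
#!/bin/sh
# Added example: does a domain's functional level exceed what the joining DC supports?
# Feed it rootDSE LDIF, e.g. from (one way to obtain it, OpenLDAP client):
#   ldapsearch -x -H ldap://SRV-ADM1.example.com -s base -b "" \
#       domainFunctionality forestFunctionality
MAX_LEVEL=4   # 2008 R2, the ceiling stated in the reply above

# Constructed sample inputs (not captured from the poster's domain).
SAMPLE_2012R2='dn:
domainFunctionality: 6
forestFunctionality: 6'
SAMPLE_2008R2='dn:
domainFunctionality: 4
forestFunctionality: 4'

level_name() {
    case "$1" in
        3) echo "2008" ;;    4) echo "2008 R2" ;;
        5) echo "2012" ;;    6) echo "2012 R2" ;;
        7) echo "2016" ;;    *) echo "level $1" ;;
    esac
}

# Print the value of one attribute from LDIF on stdin (case-insensitive name).
ldif_attr() {
    awk -v want="$1" -F': *' 'tolower($1) == tolower(want) { print $2; exit }' | tr -d '\r'
}

# check_levels LDIF -> 0 levels acceptable, 1 too high, 2 attribute missing
check_levels() {
    rc=0
    for attr in domainFunctionality forestFunctionality; do
        val=$(printf '%s\n' "$1" | ldif_attr "$attr")
        case "$val" in
            ''|*[!0-9]*) echo "$attr: not found in input"; return 2 ;;
        esac
        if [ "$val" -gt "$MAX_LEVEL" ]; then
            echo "$attr=$val ($(level_name "$val")): above $(level_name "$MAX_LEVEL")"
            rc=1
        else
            echo "$attr=$val ($(level_name "$val")): ok"
        fi
    done
    return "$rc"
}

check_levels "$SAMPLE_2012R2" || echo "lower the functional level before joining"
```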



