[Samba] join samba 4.5.12 to samba 4.1.13 failed (resolved)

Allen Chen achen at harbourfrontcentre.com
Wed Jul 26 23:49:24 UTC 2017

On 7/26/2017 4:30 AM, Andrew Bartlett wrote:
> On Tue, 2017-07-25 at 14:04 -0400, Allen Chen via samba wrote:
>> Hi there,
>> I have 2 DC servers (samba 4.1.13) working for more than 1 year.
>> When I join samba 4.5.12 to the domain, it fails on this error:
>> ....
>> Replicating critical objects from the base DN of the domain
>> Partition[DC=mydomain,DC=htft] objects[98/98] linked_values[33/0]
>> Join failed - cleaning up
>> Deleted CN=DC3,OU=Domain Controllers,DC=mydomain,DC=htft
>> ...
> Can you share a bit more of the error you see here?
> I suspect the issue is a well known issue with the join command
> interacting with the older DC.  With Samba 4.5 we started to require
> that we get the parent of every object before the object itself, and we
> correctly implemented that in 4.6 as a server.
> The issue is that when joining the older domain, we set the flags for
> 'give me the parent as well', GET_ANC, but the server doesn't know to
> honour it.
> We really should detect that and remove the DOMAIN_CRITICAL_ONLY flag,
> which is what causes the trouble here (if we do a full replication we
> generally get all the objects in the right order).
> One fix is to upgrade the 4.1.13 servers to 4.6 or above.  I understand
> you would prefer to do that on the new DCs you join, but that may not
> be possible in this case.
> I hope this helps,
> Andrew Bartlett
Thanks to all of you: Andrew, Louis and Rowland.
Your suggestions are very helpful.

I think the problem is the speed between DCs:
DC1 and the new DC3 are on the same subnet, no speed issue;
DC2 is on another subnet which has a very slow connection (20-50 KB/s) to DC1 and the new DC3.

The join command found DC2:
# /usr/local/samba/bin/samba-tool domain join mydomain.htft DC -U"MYDOMAIN.HTFT\administrator" --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'mydomain.htft'
Found DC dc2.mydomain.htft
Password for [MYDOMAIN.HTFT\administrator]:
I don't know why it found DC2. Maybe DC1 has all FSMO!
So I joined DC3 to the domain like this:
1. upgrade to samba 4.6.6 on DC2 and DC1 one by one, no problem
2. join DC3 (samba 4.6.6) to the domain, "Join failed....." (the same error message, but one step further)
3. stop samba on DC2 (it has a slow connection)
4. join DC3 (samba 4.6.6) to the domain, successfully, finished very fast (no speed issue between DC3 and DC1)
5. start samba on DC2
6. manually add the missing A record and the objectGUID CNAME record
7. copy idmap and sysvol over to the new DC3, and reset permissions
8. all the following commands on 3 DCs return normal results:
# samba-tool drs showrepl
# samba-tool fsmo show       (now shows me 7 FSMO)
# samba-tool dbcheck --cross-nc
# samba-tool dbcheck --cross-nc --fix --yes
9. the good thing I noticed is that when a PC moved to another subnet (IP changed), the DNS A record gets updated once the computer has started.
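As an added example (not from this thread or from Samba itself), a small POSIX shell check for the post-join verification in step 8: it parses "samba-tool drs showrepl" output and flags any replication neighbour whose consecutive-failure counter is non-zero, so a DC that was left out of the join (DC2 here) shows up instead of hiding among the normal-looking lines. The sample output, GUIDs and error code are constructed; the partition, neighbour and counter line layout is assumed to match what showrepl prints.

```shell
#!/bin/sh
# Added example, not from the thread: a post-join replication health check that
# parses "samba-tool drs showrepl" output (step 8 above). Assumes the showrepl
# layout: naming contexts on lines starting "DC=" or "CN=", neighbours on
# "Site\DC via RPC" lines, and counters on "N consecutive failure(s)." lines.

# Print "partition|neighbour|failures" for every neighbour with failures > 0.
# Reads showrepl output on stdin; prints nothing when replication is clean.
showrepl_failures() {
    awk '
        /^(DC|CN)=/           { partition = $0; next }
        /via RPC[ \t]*$/      { sub(/^[ \t]+/, ""); neighbour = $0; next }
        /consecutive failure/ { if ($1 + 0 > 0) printf "%s|%s|%d\n", partition, neighbour, $1 }
    '
}

# Exit 0 when no neighbour reports failures, non-zero otherwise.
# Live use on a DC:  samba-tool drs showrepl | replication_healthy || echo "replication broken"
replication_healthy() {
    [ -z "$(showrepl_failures)" ]
}

# Constructed sample in the showrepl layout: DC3 replicates fine from DC1
# but has been failing against the slow DC2 (GUIDs and error code made up).
sample_showrepl() {
    cat <<'EOF'
Default-First-Site-Name\DC3
DSA Options: 0x00000001
DSA object GUID: 00000000-0000-0000-0000-000000000003

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=htft
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ Wed Jul 26 23:40:00 2017 UTC was successful
        0 consecutive failure(s).
        Last success @ Wed Jul 26 23:40:00 2017 UTC
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ Wed Jul 26 23:40:00 2017 UTC failed, result 1753 (WERR_EPT_S_NOT_REGISTERED)
        3 consecutive failure(s).
        Last success @ Wed Jul 26 20:10:00 2017 UTC
EOF
}

# Show the failing neighbour from the constructed sample when run directly.
sample_showrepl | showrepl_failures
```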
