[Samba] domain join RODC failed

Andrej Gessel Andrej.Gessel at janztec.com
Thu Jun 8 07:54:44 UTC 2017 

*Resend to the list*

Hi,

i had the same problem.

The Solution was to check the permissions on NC for Enterprise Read-only domain controllers group.

Here some additional information: https://support.microsoft.com/en-us/help/2022387/troubleshooting-ad-replication-error-8453-replication-access-was-denied. Look at "Fix Invalid Default Security Descriptors"


Andrej

-----Ursprüngliche Nachricht-----
Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von Evgeniy Semenov via samba
Gesendet: Mittwoch, 7. Juni 2017 19:24
An: samba at lists.samba.org
Betreff: [Samba] domain join RODC failed

Hello,

I try to test joining new RODC (samba-tool domain join unn.global RODC -U Administrator -d5) and it's fail with message:

Could not find machine account in secrets database: Failed to fetch machine account password for UNN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=UNN)(objectclass=primaryDomain))' 
base: 'cn=Primary Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4576) and from
/root/rodc/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(runtime): uncaught exception - (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 667, in run
     dns_backend=dns_backend)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
line 1239, in join_RODC
     ctx.do_join()
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
line 1177, in do_join
     ctx.join_replicate()
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py",
line 903, in join_replicate
     replica_flags=ctx.domain_replica_flags)
   File
"/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py",
line 254, in replicate
     (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level,
req)
Adding CN=DCG3RO-TEST,OU=Domain Controllers,DC=unn,DC=global Adding CN=krbtgt_DCG3RO-TEST,CN=Users,DC=unn,DC=global
Got krbtgt_name=krbtgt_24698
Renaming CN=krbtgt_DCG3RO-TEST,CN=Users,DC=unn,DC=global to CN=krbtgt_24698,CN=Users,DC=unn,DC=global
Adding
CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Adding CN=NTDS
Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Adding CN=RODC Connection (FRS),CN=NTDS Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Adding SPNs to CN=DCG3RO-TEST,OU=Domain Controllers,DC=unn,DC=global Setting account password for DCG3RO-TEST$ Enabling account Calling bare provision Provision OK for domain DN DC=unn,DC=global Starting replication Replicating critical objects from the base DN of the domain Join failed - cleaning up Deleted CN=DCG3RO-TEST,OU=Domain Controllers,DC=unn,DC=global Deleted CN=RODC Connection (FRS),CN=NTDS Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Deleted CN=NTDS
Settings,CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global
Deleted
CN=DCG3RO-TEST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=unn,DC=global

My test environment:

dcg1.unn.global  192.168.59.23 DC (CentOS 7.3.1611, 3.10.0-514.6.1  x64, 
firewall stoped, selinux disabled, Samba 4.6.4, DNS=SAMBA_INTERNAL)

dcg2.unn.global 192.168.59.29  DC FSMO (CentOS 7.3.1611, 3.10.0-514.6.1  
x64,  firewall stoped, selinux disabled, Samba 4.6.4, DNS=SAMBA_INTERNAL)

dcg3ro-test.unn.global 192.168.59.233 It does not want to become RODC 
(CentOS 7.3.1611,   3.10.0-514.21.1  x64,  firewall stoped, selinux 
disabled, Samba 4.6.4)

Samba configure options: --exec-prefix=/usr --sysconfdir=/etc 
--libdir=/usr/lib64 --localstatedir=/var --enable-fhs 
--with-lockdir=/var/cache/samba --with-modulesdir=/usr/lib64/samba

There are ~54000 objects in domain.

Can you give me some advice?

-- 
Best Wishes,
Evgeniy Semenov

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list