[Samba] error with joining new DC to domain

peter.grotz at grotz.org
Wed Dec 12 15:01:52 UTC 2018


Thanks Rowland for your answer. 

These are sernet packages from their subscription.

There are 4 DCs (all with the last sernet RPMs): 2 are demoted with problems
(dc-01 and dc-02, both CentOS 6) and 2 are running (dc-10 and dc-11, on
CentOS 7).

dc-11 has all FSMO roles. Joining with the old dc-01 and dc-02 doesn't even
work.

dc-01 joins but gives me this: 

Deleted
CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
Adding CN=DC-01,OU=Domain Controllers,DC=obel,DC=lan
Adding
CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
Adding CN=NTDS
Settings,CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
Adding SPNs to CN=DC-01,OU=Domain Controllers,DC=obel,DC=lan
Setting account password for DC-01$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint
on local domainSIDs

A Kerberos configuration suitable for Samba AD has been generated at
/var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it
with this one. Do not create a symlink!
Provision OK for domain DN DC=obel,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[402/1550]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[804/1550]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[1206/1550]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan] objects[1550/1550]
linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=obel,DC=lan] objects[402/1646]
linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[804/1646]
linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[1206/1646]
linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[1608/1646]
linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[1646/1646]
linked_values[44/44]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=obel,DC=lan] objects[2048/1646]
linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[2450/1646]
linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[2852/1646]
linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[3254/1646]
linked_values[0/0]
Partition[CN=Configuration,DC=obel,DC=lan] objects[3292/1646]
linked_values[44/44]
Replicating critical objects from the base DN of the domain
Partition[DC=obel,DC=lan] objects[98/98] linked_values[34/34]
Partition[DC=obel,DC=lan] objects[501/669] linked_values[0/24]
Partition[DC=obel,DC=lan] objects[767/669] linked_values[585/585]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=obel,DC=lan
Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[229/229]
linked_values[0/0]
Replicating DC=ForestDnsZones,DC=obel,DC=lan
Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[35/35]
linked_values[0/0]
WARNING: Unable to replicate own RID Set, as server dc-10.obel.lan (the
server we joined) is not the RID Master.
NOTE: This is normal and expected, Samba will be able to create users
after it contacts the RID Master at first startup.
Committing SAM database
Adding 1 remote DNS records for DC-01.obel.lan
Adding DNS A record DC-01.obel.lan for IPv4 IP: 192.168.0.101
Adding DNS CNAME record
96ed5e12-99b8-4f8d-b9bf-f58b9c82eaa5._msdcs.obel.lan for DC-01.obel.lan
All other DNS records (like _ldap SRV records) will be created
samba_dnsupdate on first startup
Replicating new DNS records in DC=DomainDnsZones,DC=obel,DC=lan
Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[2/2]
linked_values[0/0]
Replicating new DNS records in DC=ForestDnsZones,DC=obel,DC=lan
Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[2/2]
linked_values[0/0]
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain OBEL (SID S-1-5-21-1994583749-1469429152-1855221660) as a
DC 

Then it joined but is not really working (now drs replication on
samba-tool drs showrepl).

Demoting dc-01 brings me the following:

[root at dc-01 samba]# samba-tool domain demote --server=dc-10
-Uadministrator
Using dc-10 as partner server for the demotion
Password for [OBEL\administrator]:
Deactivating inbound replication
Asking partner server dc-10 to synchronize from us
Error while replicating out last local changes from
'CN=Schema,CN=Configuration,DC=obel,DC=lan' for demotion, re-enabling
inbound replication
ERROR(<class 'samba.WERRORError'>): Error while sending a DsReplicaSync
for partition 'CN=Schema,CN=Configuration,DC=obel,DC=lan' - (2,
'WERR_FILE_NOT_FOUND')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
855, in run
    drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)
[root at dc-01 samba]# samba-tool domain demote --server=dc-10
-Uadministrator
Using dc-10 as partner server for the demotion
Password for [OBEL\administrator]:
Deactivating inbound replication
Asking partner server dc-10 to synchronize from us
Error while replicating out last local changes from
'CN=Schema,CN=Configuration,DC=obel,DC=lan' for demotion, re-enabling
inbound replication
ERROR(<class 'samba.WERRORError'>): Error while sending a DsReplicaSync
for partition 'CN=Schema,CN=Configuration,DC=obel,DC=lan' - (2,
'WERR_FILE_NOT_FOUND')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
855, in run
    drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1) 

Peter

On 12.12.2018 15:53, Rowland Penny via samba wrote:

> On Wed, 12 Dec 2018 15:43:09 +0100
> peter grotz via samba <samba at lists.samba.org> wrote:
> 
>> I forgot: this is samba 4.9.3 on centos 7
> 
> Where did you get Samba 4.9.3 from ?
> 
>> Thanks
>> 
>> Hello,
>> 
>> I got a problem with adding a new DC to a domain. When I try to join
>> I get the following:
> 
> What are the other DC(s) ?
> 
> Rowland

