[Samba] Repair CN=DOMAINDNSZONES

salvatori.g at stsmultiservizi.it
Tue Feb 25 08:48:57 UTC 2020


Hi guys,

I have an issue with our company DC (Samba 4.7.12 on a Debian 9 machine), which has worked OK for about 3 years.
Now we tried to join another DC for redundancy, but we receive the following error:

Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/1619] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[804/1619] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1206/1619] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1609/1619] linked_values[0/10]
Partition[CN=Configuration,DC=example,DC=com] objects[1619/1619] linked_values[31/31]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=example,DC=com] objects[2021/1619] linked_values[31/0]
Partition[CN=Configuration,DC=example,DC=com] objects[2423/1619] linked_values[31/0]
Partition[CN=Configuration,DC=example,DC=com] objects[2825/1619] linked_values[31/0]
Partition[CN=Configuration,DC=example,DC=com] objects[3228/1619] linked_values[31/10]
Partition[CN=Configuration,DC=example,DC=com] objects[3238/1619] linked_values[62/31]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[98/98] linked_values[28/28]
Partition[DC=example,DC=com] objects[402/927] linked_values[0/201]
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=DIPIETROA,OU=PC,DC=example,DC=com for index on servicePrincipalName, duplicate of objectGUID 8bb534af-e1fb-4591-8460-dfa5675766dd in @INDEX:SERVICEPRINCIPALNAME:TERMSRV/DIPIETROA.example.com
Partition[DC=example,DC=com] objects[804/927] linked_values[0/560]
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=OMNIOSBK,OU=PC,DC=example,DC=com for index on servicePrincipalName, duplicate of objectGUID e8f8df31-e78f-48ca-a43a-17b30dfee013 in @INDEX:SERVICEPRINCIPALNAME:HTTP/OMNIOSBK.example.com
Partition[DC=example,DC=com] objects[927/927] linked_values[560/560]
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=BONAMORE,OU=PC,DC=example,DC=com for index on servicePrincipalName, duplicate of objectGUID 4164606b-d7dd-4fbd-b263-4dca38e0b519 in @INDEX:SERVICEPRINCIPALNAME:TERMSRV/BONAMORE.example.com
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=example,DC=com
Join failed - cleaning up
Deleted CN=DC2,OU=Domain Controllers,DC=example,DC=com
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Deleted CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(runtime): uncaught exception - (8442, 'WERR_DS_DRA_INTERNAL_ERROR')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 700, in run
    backend_store=backend_store)
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1544, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1438, in do_join
    ctx.join_replicate()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 997, in join_replicate
    replica_flags=ctx.replica_flags)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 338, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

I tried using the "--dns-backend=NONE" option during the join as suggested here https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting, and it works, but when I manually force the replication of the DOMAINDNSZONES partition I get the same error.

Maybe the problem is the database partition DC=DOMAINDNSZONES, which seems to be broken. When I try:

ldbsearch -H CN=DOMAINDNSZONES ldb file, I receive the error "search error - Indexed and full searches both failed!" after the # record 5.

The samba-tool dbcheck does not report any error.

Using the Windows RSAT tool for DNS works without problems: no errors when adding or removing entries, and dynamic updates also work.

Is it possible to find the damaged entry, remove it and rebuild the db?

Any help is welcome, thanks
