[Samba] Joining new AD controller to *old* Samba AD controller

Peter Smode psmode at kitsnet.us
Sun Apr 25 00:33:21 UTC 2021


I am adding another Samba AD controller to my home network, building the new
controller (finch) from v4.14.2 source on CentOS 8. The existing (and, up
till now, only) AD controller (turtle) is running on CentOS 7 based on
v4.8.9. At the time, I thought that using the RPMs from what seemed to be a
reliable source would be a good idea. Unfortunately, they changed direction,
stopped updating the RPMs and my AD controller ended up getting trapped in
time. I'll not be repeating that mistake.

So now I am trying to move things into a more supportable environment by
adding in the new AD controller, with a goal to eventually drop the old one
and then add in a second one based on the current build. The problem is that
I am really flying without a net at the moment. V4.8.9 is so old that
tdbbackup does not exist in samba-tool. There are a number of other features
that are also very helpful for maintenance and safety that are just not
available to me. This is one of the reasons I really want to move this
along.

First step is to get the new AD controller joined in and to be 100% certain
I got it right. I need some help here to see if I have got this much right.
I did the join and the log *mostly* looks OK, and I can see with samba-tool
drs showrepl that replication is successful on both controllers. The only
thing giving me concern in the join right now is the error messages in the
middle of the output from the join operation:

Failed to commit objects: DOS code 0x000021bf

Missing target object - retrying with DRS_GET_TGT

There is no indication anywhere else in the log of the join that there was a
problem. However, when I have looked around for information about these
error messages in other forums and postings, those discussions sound like I
might have a problem here. I would just like to know before I do anything
irreversible, have I actually joined the new controller to the domain
properly and should it now have a copy of all the data?

At this time, all the FSMO roles are held by the old controller, turtle.

Log follows:

[root at finch ~]# samba-tool domain join zoo.lan.kitsnet.us DC -k yes
--option='idmap_ldb:use rfc2307 = yes'

INFO 2021-04-23 17:26:09,910 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #106: Finding a
writeable DC for domain 'zoo.lan.kitsnet.us'

INFO 2021-04-23 17:26:15,921 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #108: Found DC
turtle.zoo.lan.kitsnet.us

INFO 2021-04-23 17:26:16,013 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1541:
workgroup is ZOO

INFO 2021-04-23 17:26:16,013 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1544: realm is
zoo.lan.kitsnet.us

Deleted CN=RID Set,CN=FINCH,CN=Computers,DC=zoo,DC=lan,DC=kitsnet,DC=us

Deleted CN=FINCH,CN=Computers,DC=zoo,DC=lan,DC=kitsnet,DC=us

Deleted
CN=FINCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=
zoo,DC=lan,DC=kitsnet,DC=us

Adding CN=FINCH,OU=Domain Controllers,DC=zoo,DC=lan,DC=kitsnet,DC=us

Adding
CN=FINCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=
zoo,DC=lan,DC=kitsnet,DC=us

Adding CN=NTDS
Settings,CN=FINCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=zoo,DC=lan,DC=kitsnet,DC=us

Adding SPNs to CN=FINCH,OU=Domain Controllers,DC=zoo,DC=lan,DC=kitsnet,DC=us

Setting account password for FINCH$

Enabling account

Calling bare provision

INFO 2021-04-23 17:26:16,435 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2105: Looking up IPv4 addresses

INFO 2021-04-23 17:26:16,436 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2122: Looking up IPv6 addresses

WARNING 2021-04-23 17:26:16,437 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2127: More than one IPv6 address found. Using 2603:7000:7200:6946::5db

INFO 2021-04-23 17:26:16,649 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2273: Setting up share.ldb

INFO 2021-04-23 17:26:16,702 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2277: Setting up secrets.ldb

INFO 2021-04-23 17:26:16,738 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2282: Setting up the registry

INFO 2021-04-23 17:26:16,900 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2285: Setting up the privileges database

INFO 2021-04-23 17:26:16,979 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2288: Setting up idmap db

INFO 2021-04-23 17:26:17,044 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2295: Setting up SAM db

INFO 2021-04-23 17:26:17,058 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#880: Setting up sam.ldb partitions and settings

INFO 2021-04-23 17:26:17,058 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#892: Setting up sam.ldb rootDSE

INFO 2021-04-23 17:26:17,069 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#1305: Pre-loading the Samba 4 and AD schema

Unable to determine the DomainSID, can not enforce uniqueness constraint on
local domainSIDs

INFO 2021-04-23 17:26:17,107 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2348: A Kerberos configuration suitable for Samba AD has been generated at
/usr/local/samba/private/krb5.conf

INFO 2021-04-23 17:26:17,107 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py
#2349: Merge the contents of this file with your system krb5.conf or replace
it with this one. Do not create a symlink!

Provision OK for domain DN DC=zoo,DC=lan,DC=kitsnet,DC=us

Starting replication

Schema-DN[CN=Schema,CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[402/1550] linked_values[0/0]

Schema-DN[CN=Schema,CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[804/1550] linked_values[0/0]

Schema-DN[CN=Schema,CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[1206/1550] linked_values[0/0]

Schema-DN[CN=Schema,CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[1550/1550] linked_values[0/0]

Analyze and apply schema objects

Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[402/1625]
linked_values[0/1]

Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[804/1625]
linked_values[0/1]

Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[1206/1625] linked_values[0/1]

Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[1608/1625] linked_values[0/1]

Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[1625/1625] linked_values[34/34]

Failed to commit objects: DOS code 0x000021bf

Missing target object - retrying with DRS_GET_TGT

Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[2027/1625] linked_values[35/1]

Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[2429/1625] linked_values[35/1]

Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[2831/1625] linked_values[35/1]

Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[3233/1625] linked_values[35/1]

Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us]
objects[3250/1625] linked_values[68/34]

Replicating critical objects from the base DN of the domain

Partition[DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[97/97]
linked_values[28/28]

Partition[DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[345/345]
linked_values[33/33]

Done with always replicated NC (base, config, schema)

Replicating DC=DomainDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us

Partition[DC=DomainDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[54/54]
linked_values[0/0]

Replicating DC=ForestDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us

Partition[DC=ForestDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[20/20]
linked_values[0/0]

Exop on[CN=RID Manager$,CN=System,DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[3]
linked_values[0]

Committing SAM database

Repacking database from v1 to v2 format (first record
CN=ms-WMI-Class,CN=Schema,CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us)

Repack: re-packed 10000 records so far

Repacking database from v1 to v2 format (first record
CN=IntellimirrorSCP-Display,CN=804,CN=DisplaySpecifiers,CN=Configuration,DC=
zoo,DC=lan,DC=kitsnet,DC=us)

Repacking database from v1 to v2 format (first record
DC=stoli,DC=zoo.lan.kitsnet.us,CN=MicrosoftDNS,DC=DomainDnsZones,DC=zoo,DC=l
an,DC=kitsnet,DC=us)

Repacking database from v1 to v2 format (first record
DC=43d1faaf-c41e-46c5-97d6-0e5f0bfa6faf,DC=_msdcs.zoo.lan.kitsnet.us,CN=Micr
osoftDNS,DC=ForestDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us)

Repacking database from v1 to v2 format (first record
CN=ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP
Security,CN=System,DC=zoo,DC=lan,DC=kitsnet,DC=us)

INFO 2021-04-23 17:26:28,401 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1115: Adding 5
remote DNS records for FINCH.zoo.lan.kitsnet.us

INFO 2021-04-23 17:26:28,441 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1174: Adding
DNS AAAA record FINCH.zoo.lan.kitsnet.us for IPv6 IP:
2603:7000:7200:6946::5db

INFO 2021-04-23 17:26:28,451 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1174: Adding
DNS AAAA record FINCH.zoo.lan.kitsnet.us for IPv6 IP:
2603:7000:7200:6946:28eb:d913:61fa:7012

INFO 2021-04-23 17:26:28,459 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1174: Adding
DNS AAAA record FINCH.zoo.lan.kitsnet.us for IPv6 IP: fd06:8328:ea57::5db

INFO 2021-04-23 17:26:28,466 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1174: Adding
DNS AAAA record FINCH.zoo.lan.kitsnet.us for IPv6 IP:
fd06:8328:ea57:0:cc02:732c:6160:20f

INFO 2021-04-23 17:26:28,473 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1178: Adding
DNS A record FINCH.zoo.lan.kitsnet.us for IPv4 IP: 192.168.12.138

INFO 2021-04-23 17:26:28,484 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1206: Adding
DNS CNAME record
3cb0d914-69f3-474a-8d5a-2a2a54be1aab._msdcs.zoo.lan.kitsnet.us for
FINCH.zoo.lan.kitsnet.us

INFO 2021-04-23 17:26:28,496 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1231: All
other DNS records (like _ldap SRV records) will be created samba_dnsupdate
on first startup

INFO 2021-04-23 17:26:28,496 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1236:
Replicating new DNS records in
DC=DomainDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us

Partition[DC=DomainDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[2/2]
linked_values[0/0]

INFO 2021-04-23 17:26:28,532 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1236:
Replicating new DNS records in
DC=ForestDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us

Partition[DC=ForestDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[2/2]
linked_values[0/0]

INFO 2021-04-23 17:26:28,565 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1251: Sending
DsReplicaUpdateRefs for all the replicated partitions

INFO 2021-04-23 17:26:28,585 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1281: Setting
isSynchronized and dsServiceName

INFO 2021-04-23 17:26:28,601 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1296: Setting
up secrets database

INFO 2021-04-23 17:26:28,826 pid:1697
/usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1558: Joined
domain ZOO (SID S-1-5-21-280931492-1516600349-3173203192) as a DC

[root at finch ~]#

Peter Smode
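
An added example, not part of the original post and not Samba's own code: a small Python triage of a `samba-tool domain join` transcript like the one above. It reports each "Failed to commit objects" line, whether a "retrying with DRS_GET_..." line and further partition progress followed it, whether any partition's last progress line stopped short of its total, and whether the final "Joined domain" line is present. The function name `triage_join_log` and the sample are constructed here, and the parser assumes log lines with the mail wrapping undone; it summarises the transcript only and does not compare directory contents between the two controllers.

```python
import re

# Constructed sample: a few lines copied from the join transcript above,
# with the mail client's line wrapping undone.
SAMPLE_LOG = """\
Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[1625/1625] linked_values[34/34]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[3250/1625] linked_values[68/34]
Partition[DC=zoo,DC=lan,DC=kitsnet,DC=us] objects[345/345] linked_values[33/33]
INFO 2021-04-23 17:26:28,826 pid:1697 /usr/local/samba/lib64/python3.6/site-packages/samba/join.py #1558: Joined domain ZOO (SID S-1-5-21-280931492-1516600349-3173203192) as a DC
"""

PROGRESS = re.compile(r"^(?:Partition|Schema-DN)\[([^\]]+)\]\s+objects\[(\d+)/(\d+)\]")
FAILURE = re.compile(r"^Failed to commit objects: (.+)$")
RETRY = re.compile(r"retrying with (DRS_GET_\w+)")
JOINED = re.compile(r"Joined domain (\S+) \(SID (S-[\d-]+)\) as a DC")


def triage_join_log(text):
    """Summarise a join transcript: failures, whether each was retried and
    replication resumed afterwards, per-partition progress, final join line."""
    failures, progress, joined = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if FAILURE.match(line):
            failures.append({"detail": FAILURE.match(line).group(1),
                             "retry": None, "resumed": False})
        elif RETRY.search(line) and failures and failures[-1]["retry"] is None:
            failures[-1]["retry"] = RETRY.search(line).group(1)
        elif PROGRESS.match(line):
            nc, done, total = PROGRESS.match(line).groups()
            progress[nc] = (int(done), int(total))  # keep the last line per NC
            if failures and failures[-1]["retry"]:
                failures[-1]["resumed"] = True
        elif JOINED.search(line):
            joined = JOINED.search(line).groups()
    unresolved = [f for f in failures if not (f["retry"] and f["resumed"])]
    incomplete = sorted(nc for nc, (d, t) in progress.items() if d < t)
    return {"failures": failures, "unresolved": unresolved,
            "incomplete": incomplete, "joined": joined,
            "clean": bool(joined) and not unresolved and not incomplete}


if __name__ == "__main__":
    result = triage_join_log(SAMPLE_LOG)
    for key in ("failures", "unresolved", "incomplete", "joined", "clean"):
        print(f"{key}: {result[key]}")
```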
