[Samba] Error when joining new DC

Peter Mittermayer samba.lists at outlook.com
Sat Dec 7 12:56:08 UTC 2024


Hi,

I'm trying to upgrade my very old Samba domain controllers (4.11) to the latest Samba (4.21). The process I'm following is to demote one of the existing DCs and replace it with a new system (up-to-date OS & Samba version). Unfortunately, when trying to join as a DC I get the error below:

INFO 2024-12-05 19:29:42,222 pid:126140 /usr/local/samba/lib64/python3.9/site-packages/samba/join.py #1084: Committing SAM database - this may take some time
descriptor_prepare_commit: changes: num_registrations=9259
descriptor_prepare_commit: changes: num_registered=7537
descriptor_prepare_commit: changes: num_toplevel=5
descriptor_prepare_commit: changes: num_processed=3471
descriptor_prepare_commit: objects: num_processed=7537
descriptor_prepare_commit: objects: num_skipped=5182
replmd_prepare_commit: Processing linked attributes
Discarding older DRS linked attribute update to msDS-NC-Replica-Locations on CN=c91724e5-3fb9-4271-bffb-fe7e6f2ce1d1,CN=Partitions,CN=Configuration,DC=SUB,DC=DOM,DC=TLD from 881faa18-9c28-4104-98db-608783574de4
Discarding older DRS linked attribute update to msDS-NC-Replica-Locations on CN=c91724e5-3fb9-4271-bffb-fe7e6f2ce1d1,CN=Partitions,CN=Configuration,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
replmd_allow_missing_target: CN=NTDS Settings\0ADEL:69281dbf-6928-42b6-937a-1db7b3d2ff5f,CN=MDC02\0ADEL:fd4a1bfb-6d65-440d-b402-cf887284b6a8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SUB,DC=DOM,DC=TLD is Deleted but up to date. Ignoring link from CN=c91724e5-3fb9-4271-bffb-fe7e6f2ce1d1,CN=Partitions,CN=Configuration,DC=SUB,DC=DOM,DC=TLD
replmd_allow_missing_target: CN=NTDS Settings\0ADEL:7ac144e3-f403-4a90-b3b7-263cb63b4e87,CN=MDC02\0ADEL:eb1cd9c1-3a2e-42c2-ae00-5f9a5446943b,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SUB,DC=DOM,DC=TLD is Deleted but up to date. Ignoring link from CN=c91724e5-3fb9-4271-bffb-fe7e6f2ce1d1,CN=Partitions,CN=Configuration,DC=SUB,DC=DOM,DC=TLD
replmd_allow_missing_target: CN=NTDS Settings\0ADEL:69281dbf-6928-42b6-937a-1db7b3d2ff5f,CN=MDC02\0ADEL:fd4a1bfb-6d65-440d-b402-cf887284b6a8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SUB,DC=DOM,DC=TLD is Deleted but up to date. Ignoring link from CN=c5a07c82-4af5-4e68-ac4c-242b0dc77b91,CN=Partitions,CN=Configuration,DC=SUB,DC=DOM,DC=TLD
replmd_allow_missing_target: CN=NTDS Settings\0ADEL:7ac144e3-f403-4a90-b3b7-263cb63b4e87,CN=MDC02\0ADEL:eb1cd9c1-3a2e-42c2-ae00-5f9a5446943b,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SUB,DC=DOM,DC=TLD is Deleted but up to date. Ignoring link from CN=c5a07c82-4af5-4e68-ac4c-242b0dc77b91,CN=Partitions,CN=Configuration,DC=SUB,DC=DOM,DC=TLD
Discarding older DRS linked attribute update to member on CN=Denied RODC Password Replication Group,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Denied RODC Password Replication Group,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Denied RODC Password Replication Group,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Denied RODC Password Replication Group,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Denied RODC Password Replication Group,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Denied RODC Password Replication Group,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Denied RODC Password Replication Group,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Denied RODC Password Replication Group,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Guests,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Guests,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=IIS_IUSRS,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Domain Admins,CN=Users,DC=SUB,DC=DOM,DC=TLD from 881faa18-9c28-4104-98db-608783574de4
Discarding older DRS linked attribute update to member on CN=Domain Admins,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Domain Admins,CN=Users,DC=SUB,DC=DOM,DC=TLD from 81741076-5ded-4f25-947f-edddf7ae86d5
Discarding older DRS linked attribute update to member on CN=Account Operators,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 881faa18-9c28-4104-98db-608783574de4
Discarding older DRS linked attribute update to member on CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Windows Authorization Access Group,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Users,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Users,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Users,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Group Policy Creator Owners,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Enterprise Admins,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Schema Admins,CN=Users,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Administrators,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Administrators,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Discarding older DRS linked attribute update to member on CN=Administrators,CN=Builtin,DC=SUB,DC=DOM,DC=TLD from 9ef0b613-3006-443e-9f94-85332d9c8b3f
Repacking database from v1 to v2 format (first record CN=ms-DS-Local-Effective-Deletion-Time,CN=Schema,CN=Configuration,DC=SUB,DC=DOM,DC=TLD)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=serviceAdministrationPoint-Display,CN=40B,CN=DisplaySpecifiers,CN=Configuration,DC=SUB,DC=DOM,DC=TLD)
Repacking database from v1 to v2 format (first record DC=mecapp01,DC=SUB.DOM.TLD,CN=MicrosoftDNS,DC=DomainDnsZones,DC=SUB,DC=DOM,DC=TLD)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=NTDS Quotas,DC=ForestDnsZones,DC=SUB,DC=DOM,DC=TLD)
Repacking database from v1 to v2 format (first record CN=FirstName LastName,CN=Users,DC=SUB,DC=DOM,DC=TLD)
An operation failed during a batch mode transaction, the transaction was rolled back
DSDB Transaction [commit] at [Thu, 05 Dec 2024 19:29:47.054187 EET] duration [24679161] status [1] reason [end_trans error on DC=SUB,DC=DOM,DC=TLD: An operation failed during a batch mode transaction, the transaction was rolled back]
{"timestamp": "2024-12-05T19:29:47.054240+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "commit", "transactionId": "6c245342-5ecc-4c4e-8e13-1196825d7116", "duration": 24679161, "statusCode": 1, "status": "Operations error", "reason": "end_trans error on DC=SUB,DC=DOM,DC=TLD: An operation failed during a batch mode transaction, the transaction was rolled back"}}
Join failed - cleaning up
ldb_wrap open of secrets.ldb
dsdb_search: SUB SEARCH_ONE_ONLY flags=0x00000200 cn=Primary Domains (&(flatname=SUB)(objectclass=primaryDomain)) -> 0 results
Could not find machine account in secrets database: Failed to fetch machine account password for SUB from both secrets.ldb (Could not find entry to match filter: '(&(flatname=SUB)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:5731) and from /usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=RID Set,CN=MDC02,OU=Domain Controllers,DC=SUB,DC=DOM,DC=TLD
Deleted CN=MDC02,OU=Domain Controllers,DC=SUB,DC=DOM,DC=TLD
Deleted CN=dns-MDC02,CN=Users,DC=SUB,DC=DOM,DC=TLD
Deleted CN=NTDS Settings,CN=MDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SUB,DC=DOM,DC=TLD
Deleted CN=MDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SUB,DC=DOM,DC=TLD
ERROR(ldb): uncaught exception - end_trans error on DC=SUB,DC=DOM,DC=TLD: An operation failed during a batch mode transaction, the transaction was rolled back
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 353, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/netcmd/domain/join.py", line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/join.py", line 1621, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/join.py", line 1511, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib64/python3.9/site-packages/samba/join.py", line 1101, in join_replicate
    ctx.local_samdb.transaction_commit()

When using the same procedure to join a Samba 4.12 DC, there is no issue. But when using 4.14, I get the same error as above. I'm currently testing with 4.13 to isolate where it starts.
I also found this wiki page https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting which mentions the same error but in a different context. I'm not coming from a Windows domain. The domain was originally created on 4.11 and is running functional level 2008_R2. I already have ForestDnsZones and DomainDnsZones.

Not sure how to proceed. Any ideas anyone?

Thanks
Peter


