Web lists-archives.com

[Samba] failure joining a domain as a DC




Good evening!

I am having difficulty joining a Samba4 install to my current domain.

A little background, our DC1 box got blown away when we had a disk failure
on our VM server.  We had a backup, but it was old and basically unusable.

I am trying to build a new DC1 and join it to the same domain as DC2

My current DC is DC2, it is a TKL Samba4 box running Samba 4.5.12-Debian.
I upgraded it's Samba to 4.5.12-Debian by adding "deb
http://http.debian.net/debian stretch main" to it's sources.list file.  I
did this mainly so I could seize all 7 FSMO roles since DC1 was dead and
gone.

The new DC1 is a clean install of Stretch, with Samba 4.5.12-Debian on it.
I used Louis' how to's, modified slightly for joining a domain instead of
provisioning one.

I first build a test environment for proof of concept, build a test-DC2
(clean stretch, using Louis' how tos) and a test-DC1 (clean stretch, using
Louis' how tos, modified for joining instead of provisioning).  I then
joined test-DC1 to the same domain as test-DC2 without issues.  they were
replicating nicely.

Unfortunately, when I tried to build a new DC1 and join it to the real
DC2's domain, the join process failed.  Below is the log of the failure.

root@dc1:~# samba-tool domain join REDACTED.COM DC
-U"REDACTED.COM\Administrator"
--dns-backend=SAMBA_INTERNAL -d0
Finding a writeable DC for domain 'REDACTED.COM'
Found DC dc2.REDACTED.COM
Password for [REDACTED.COM\Administrator]:
workgroup is REDACTED
realm is REDACTED.COM
Adding CN=DC1,OU=Domain Controllers,DC=REDACTED,DC=com
Adding
CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=REDACTED,DC=com
Adding CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=REDACTED,DC=com
Adding SPNs to CN=DC1,OU=Domain Controllers,DC=REDACTED,DC=com
Setting account password for DC1$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at
/var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=REDACTED,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=REDACTED,DC=com] objects[402/1550]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=REDACTED,DC=com] objects[804/1550]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=REDACTED,DC=com] objects[1206/1550]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=REDACTED,DC=com] objects[1550/1550]
linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=REDACTED,DC=com] objects[402/1622]
linked_values[0/0]
Partition[CN=Configuration,DC=REDACTED,DC=com] objects[804/1622]
linked_values[0/0]
Partition[CN=Configuration,DC=REDACTED,DC=com] objects[1206/1622]
linked_values[0/0]
Partition[CN=Configuration,DC=REDACTED,DC=com] objects[1608/1622]
linked_values[0/0]
Partition[CN=Configuration,DC=REDACTED,DC=com] objects[1622/1622]
linked_values[29/0]
Replicating critical objects from the base DN of the domain
Partition[DC=REDACTED,DC=com] objects[97/97] linked_values[27/0]
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
Deleted CN=DC1,OU=Domain Controllers,DC=REDACTED,DC=com
Deleted CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=REDACTED,DC=com
Deleted
CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=REDACTED,DC=com
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of
DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 652,
in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1253, in
join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1153, in
do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 890, in
join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 258, in
replicate
    schema=schema, req_level=req_level, req=req)
root@dc1:~#

Could this have something to do with the fact that there was a DC1 in the
REDACTED.COM domain before?  I removed all DNS records for DC1 from the
REDACTED.COM domain, and then used this script (
https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content)
from microsoft to remove the dead DC1.

Any help you can provide would be greatly appreciated!  My end goal is to
get DC2 to replicate to DC1.  I will then transfer all FSMO roles to DC1,
demote DC2 and take it offline.  Then I would build a new DC2 using a clean
install of stretch and Samba 4.5.12-Debian using Louis' how tos.

-- 
*Taylor Hammerling* |  *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba