Web lists-archives.com

Re: [Samba] error with joining new DC to domain




On Wed, 12 Dec 2018 18:09:16 +0100
peter grotz via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Thanks Rowloand for the  hint!
> 
> I installed sernet-samba 4.7 and give it a try. Now I get:
> 
> [root@dc-12 1]# samba-tool domain join obel.lan DC --realm=obel.lan
> -Uadministrator Finding a writeable DC for domain 'obel.lan'
> Found DC dc-11.obel.lan
> Password for [OBEL\administrator]:
> workgroup is OBEL
> realm is obel.lan
> Adding CN=DC-12,OU=Domain Controllers,DC=obel,DC=lan
> Adding
> CN=DC-12,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
> Adding CN=NTDS
> Settings,CN=DC-12,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
> Adding SPNs to CN=DC-12,OU=Domain Controllers,DC=obel,DC=lan Setting
> account password for DC-12$ Enabling account Calling bare provision
> Looking up IPv4 addresses
> More than one IPv4 address found. Using 192.168.0.12
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> A Kerberos configuration suitable for Samba AD has been generated
> at /var/lib/samba/private/krb5.conf Provision OK for domain DN
> DC=obel,DC=lan Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
> objects[1550/1550] linked_values[0/0] Analyze and apply schema
> objects Partition[CN=Configuration,DC=obel,DC=lan] objects[402/1654]
> linked_values[0/0] Partition[CN=Configuration,DC=obel,DC=lan]
> objects[804/1654] linked_values[0/0]
> Partition[CN=Configuration,DC=obel,DC=lan] objects[1206/1654]
> linked_values[0/0] Partition[CN=Configuration,DC=obel,DC=lan]
> objects[1609/1654] linked_values[0/9]
> Partition[CN=Configuration,DC=obel,DC=lan] objects[1654/1654]
> linked_values[54/54] Replicating critical objects from the base DN of
> the domain Partition[DC=obel,DC=lan] objects[99/99]
> linked_values[34/34] Partition[DC=obel,DC=lan] objects[501/681]
> linked_values[0/0] Partition[DC=obel,DC=lan] objects[780/681]
> linked_values[585/585] Done with always replicated NC (base, config,
> schema) Replicating DC=DomainDnsZones,DC=obel,DC=lan
> Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[230/230]
> linked_values[0/0] Replicating DC=ForestDnsZones,DC=obel,DC=lan
> Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[37/37]
> linked_values[0/0] Exop on[CN=RID Manager$,CN=System,DC=obel,DC=lan]
> objects[3] linked_values[0] Committing SAM database Adding 2 remote
> DNS records for DC-12.obel.lan Adding DNS A record DC-12.obel.lan for
> IPv4 IP: 192.168.0.12 Adding DNS CNAME record
> 1b846be4-7d24-49c5-98da-9aeecf2761ec._msdcs.obel.lan for
> DC-12.obel.lan All other DNS records (like _ldap SRV records) will be
> created samba_dnsupdate on first startup Replicating new DNS records
> in DC=DomainDnsZones,DC=obel,DC=lan
> Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[3/3]
> linked_values[0/0] Replicating new DNS records in
> DC=ForestDnsZones,DC=obel,DC=lan
> Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[2/2]
> linked_values[0/0] Sending DsReplicaUpdateRefs for all the replicated
> partitions Setting isSynchronized and dsServiceName Setting up
> secrets database Joined domain OBEL (SID
> S-1-5-21-1994583749-1469429152-1855221660) as a DC
> 
> 
> 
> 
> samba-tool drs showrepl gives me replication success.
> Thank you so much Rowland!!!!!
> May I update my samba to 4.9.3 now???

You can certainly try, but you are in a bit of a chicken & egg
situation, you need 4.9.3 to get an up to date backup/restore system,
but you need to backup everything first ;-)

Rowland

> 
> Thanks again,
> Peter
> 
> 
> Am Mittwoch, 12. Dezember 2018 um 16:36 schrieben Sie:
> 
> RPvs> On Wed, 12 Dec 2018 16:01:52 +0100
> RPvs> "peter.grotz--- via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> 
> >> Thanks Rowland for your answer. 
> 
> >> these are sernet-packages from their subscription. 
> 
> >> There are 4 DCs (all with last sernet-rpms) 2 are demoted with
> >> probs (dc-01 and dc-02 both centos6) and 2 are running (dc-10 and
> >> dc-11 on centos 7) 
> 
> >> dc-11 has all  fsmo. joining with the old dc-01 and dc-02 doesn´t
> >> even work. 
> 
> >> dc-01 joins but gives me this: 
> 
> >> Deleted
> >> CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
> >> Adding CN=DC-01,OU=Domain Controllers,DC=obel,DC=lan
> >> Adding
> >> CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
> >> Adding CN=NTDS
> >> Settings,CN=DC-01,CN=Servers,CN=Obel-und-Partner,CN=Sites,CN=Configuration,DC=obel,DC=lan
> >> Adding SPNs to CN=DC-01,OU=Domain Controllers,DC=obel,DC=lan
> >> Setting account password for DC-01$
> >> Enabling account
> >> Calling bare provision
> >> Looking up IPv4 addresses
> >> Looking up IPv6 addresses
> >> No IPv6 address will be assigned
> >> Setting up share.ldb
> >> Setting up secrets.ldb
> >> Setting up the registry
> >> Setting up the privileges database
> >> Setting up idmap db
> >> Setting up SAM db
> >> Setting up sam.ldb partitions and settings
> >> Setting up sam.ldb rootDSE
> >> Pre-loading the Samba 4 and AD schema
> >> Unable to determine the DomainSID, can not enforce uniqueness
> >> constraint on local domainSIDs
> 
> >> A Kerberos configuration suitable for Samba AD has been generated
> >> at /var/lib/samba/private/krb5.conf
> >> Merge the contents of this file with your system krb5.conf or
> >> replace it with this one. Do not create a symlink!
> >> Provision OK for domain DN DC=obel,DC=lan
> >> Starting replication
> >> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
> >> objects[402/1550] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
> >> objects[804/1550] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
> >> objects[1206/1550] linked_values[0/0]
> >> Schema-DN[CN=Schema,CN=Configuration,DC=obel,DC=lan]
> >> objects[1550/1550] linked_values[0/0]
> >> Analyze and apply schema objects
> >> Partition[CN=Configuration,DC=obel,DC=lan] objects[402/1646]
> >> linked_values[0/0]
> >> Partition[CN=Configuration,DC=obel,DC=lan] objects[804/1646]
> >> linked_values[0/0]
> >> Partition[CN=Configuration,DC=obel,DC=lan] objects[1206/1646]
> >> linked_values[0/0]
> >> Partition[CN=Configuration,DC=obel,DC=lan] objects[1608/1646]
> >> linked_values[0/0]
> >> Partition[CN=Configuration,DC=obel,DC=lan] objects[1646/1646]
> >> linked_values[44/44]
> >> Failed to commit objects: DOS code 0x000021bf
> >> Missing target object - retrying with DRS_GET_TGT
> >> Partition[CN=Configuration,DC=obel,DC=lan] objects[2048/1646]
> >> linked_values[0/0]
> >> Partition[CN=Configuration,DC=obel,DC=lan] objects[2450/1646]
> >> linked_values[0/0]
> >> Partition[CN=Configuration,DC=obel,DC=lan] objects[2852/1646]
> >> linked_values[0/0]
> >> Partition[CN=Configuration,DC=obel,DC=lan] objects[3254/1646]
> >> linked_values[0/0]
> >> Partition[CN=Configuration,DC=obel,DC=lan] objects[3292/1646]
> >> linked_values[44/44]
> >> Replicating critical objects from the base DN of the domain
> >> Partition[DC=obel,DC=lan] objects[98/98] linked_values[34/34]
> >> Partition[DC=obel,DC=lan] objects[501/669] linked_values[0/24]
> >> Partition[DC=obel,DC=lan] objects[767/669] linked_values[585/585]
> >> Done with always replicated NC (base, config, schema)
> >> Replicating DC=DomainDnsZones,DC=obel,DC=lan
> >> Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[229/229]
> >> linked_values[0/0]
> >> Replicating DC=ForestDnsZones,DC=obel,DC=lan
> >> Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[35/35]
> >> linked_values[0/0]
> >> WARNING: Unable to replicate own RID Set, as server dc-10.obel.lan
> >> (the server we joined) is not the RID Master.
> >> NOTE: This is normal and expected, Samba will be able to create
> >> users after it contacts the RID Master at first startup.
> >> Committing SAM database
> >> Adding 1 remote DNS records for DC-01.obel.lan
> >> Adding DNS A record DC-01.obel.lan for IPv4 IP: 192.168.0.101
> >> Adding DNS CNAME record
> >> 96ed5e12-99b8-4f8d-b9bf-f58b9c82eaa5._msdcs.obel.lan for
> >> DC-01.obel.lan All other DNS records (like _ldap SRV records) will
> >> be created samba_dnsupdate on first startup
> >> Replicating new DNS records in DC=DomainDnsZones,DC=obel,DC=lan
> >> Partition[DC=DomainDnsZones,DC=obel,DC=lan] objects[2/2]
> >> linked_values[0/0]
> >> Replicating new DNS records in DC=ForestDnsZones,DC=obel,DC=lan
> >> Partition[DC=ForestDnsZones,DC=obel,DC=lan] objects[2/2]
> >> linked_values[0/0]
> >> Sending DsReplicaUpdateRefs for all the replicated partitions
> >> Setting isSynchronized and dsServiceName
> >> Setting up secrets database
> >> Joined domain OBEL (SID S-1-5-21-1994583749-1469429152-1855221660)
> >> as a DC 
> 
> >> Then he joined but is not really working (now drs replicatin on
> >> samba-tool drs showrepl 
> 
> >> demoting dc-01 brings me the following: 
> 
> >> [root@dc-01 samba]# samba-tool domain demote --server=dc-10
> >> -Uadministrator
> >> Using dc-10 as partner server for the demotion
> >> Password for [OBEL\administrator]:
> >> Deactivating inbound replication
> >> Asking partner server dc-10 to synchronize from us
> >> Error while replicating out last local changes from
> >> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' for demotion,
> >> re-enabling inbound replication
> >> ERROR(<class 'samba.WERRORError'>): Error while sending a
> >> DsReplicaSync for partition
> >> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' - (2,
> >> 'WERR_FILE_NOT_FOUND') File
> >> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
> >> 855, in run drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)
> >> [root@dc-01 samba]# samba-tool domain demote --server=dc-10
> >> -Uadministrator
> >> Using dc-10 as partner server for the demotion
> >> Password for [OBEL\administrator]:
> >> Deactivating inbound replication
> >> Asking partner server dc-10 to synchronize from us
> >> Error while replicating out last local changes from
> >> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' for demotion,
> >> re-enabling inbound replication
> >> ERROR(<class 'samba.WERRORError'>): Error while sending a
> >> DsReplicaSync for partition
> >> 'CN=Schema,CN=Configuration,DC=obel,DC=lan' - (2,
> >> 'WERR_FILE_NOT_FOUND') File
> >> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
> >> 855, in run drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1) 
> 
> >> Peter
> 
> >> Am 12.12.2018 15:53, schrieb Rowland Penny via samba:
> 
> >> > On Wed, 12 Dec 2018 15:43:09 +0100
> >> > peter grotz via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >> > 
> >> >> I forgot: this is samba 4.9.3 on centos 7
> >> > 
> >> > Where did you get Samba 4.9.3 from ?
> >> > 
> >> >> Thanks
> >> >> 
> >> >> Hello,
> >> >> 
> >> >> I got a problem with adding an new dc to a domain. when I try to
> >> >> join I get the following:
> >> > 
> >> > What are the other DC(s) ?
> >> > 
> >> > Rowland
> 
> RPvs> There was a similar thread here:
> 
> RPvs> https://lists.samba.org/archive/samba/2018-June/216543.html
> 
> RPvs> Rowland
> 
> 
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba