Chris Lewis
2013-Jan-07 17:11 UTC
[Samba] Samba 4 Does not join existing domain as additional DC - Refusing to replicate from a read-only repilca into a read-write replica
Hello,

This behaviour may be of interest:

Attempting to join Samba 4.0 to an AD domain running a single 2008 R2 server. DNS is being provided by an existing BIND 9 server.

After command:

    /usr/local/samba/bin/samba-tool domain join example.com DC -U Administrator -W EXAMPLE --dns-backend=NONE

Process to add the DC failed at this point:

    Refusing to replicate DC=DomainDnsZones,DC=example,DC=com from a read-only repilca into a read-write replica!
    Failed to convert object DC=DomainDnsZones,DC=inview,DC=local: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
    Failed to convert objects: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
    Join failed - cleaning up

In my test environment, I did some playing around and found that I could delete the troublesome namespaces using ntdsutil in partition management mode (see http://technet.microsoft.com/en-us/library/cc730970%28v=ws.10%29.aspx):

    ntdsutil delete nc DC=DomainDnsZones,DC=example,DC=com

and

    ntdsutil delete nc DC=DomainDnsZones,DC=example,DC=com

(These naming contexts are recreated when the DNS server is started on the Win 2008 server.)

After doing that, I got this when I attempted to add the DC:

    Refusing to replicate DC=ForestDnsZones\0ADEL:e274cb7e-9b4d-4966-bc51-c4820808d9ba,DC=inview,DC=local from a read-only repilca into a read-write replica!
    Failed to convert object DC=ForestDnsZones\0ADEL:e274cb7e-9b4d-4966-bc51-c4820808d9ba,DC=inview,DC=local: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
    Failed to convert objects: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
    Join failed - cleaning up

This is because the objects still persist in AD but are tombstoned (hence the 0ADEL). To try and get rid of them, I reduced the tombstone lifetime from 180 days to what I gather is the minimum of 3 days (using ADSI Edit). I found that after 3 days (and AD garbage collection) I was able to add the DC successfully.

Has anyone else come across this? It could be some peculiarity on this particular domain.

Thanks in advance.

Chris
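
An added example, not part of the original post: a small Python helper that reads samba-tool join output, lists each naming context the join refused to replicate, and tells a live partition from a tombstoned one. It assumes the tombstone marker is Active Directory's deleted-object RDN form `<old name>\0ADEL:<objectGUID>` (`\0A` is the DN-escaped newline character); the function names are illustrative, and the sample input is the two error lines quoted in the post.

```python
import re

# Samba's join log line; "repilca" is spelled as it appears in the quoted output.
REFUSED = re.compile(r"Refusing to replicate (?P<dn>.+?) from a read-only")
# Deleted-object RDN: "<attr>=<old name>\0ADEL:<objectGUID>".
TOMBSTONE = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36})$"
)


def split_first_rdn(dn):
    """Split a DN at the first comma that is not backslash-escaped."""
    m = re.search(r"(?<!\\),", dn)
    return (dn, "") if m is None else (dn[:m.start()], dn[m.end():])


def refused_contexts(log_text):
    """Return one dict per naming context the join refused to replicate."""
    results = []
    for m in REFUSED.finditer(log_text):
        dn = m.group("dn")
        rdn, parent = split_first_rdn(dn)
        t = TOMBSTONE.match(rdn)
        results.append({
            "dn": dn,
            "tombstoned": t is not None,
            # Name the partition had before deletion (unchanged if it is live).
            "original_dn": f"{t['attr']}={t['name']},{parent}" if t else dn,
            "guid": t["guid"] if t else None,
        })
    return results


# The two "Refusing to replicate" lines quoted in the post.
SAMPLE = r"""Refusing to replicate DC=DomainDnsZones,DC=example,DC=com from a read-only repilca into a read-write replica!
Refusing to replicate DC=ForestDnsZones\0ADEL:e274cb7e-9b4d-4966-bc51-c4820808d9ba,DC=inview,DC=local from a read-only repilca into a read-write replica!
"""

if __name__ == "__main__":
    for nc in refused_contexts(SAMPLE):
        state = "tombstoned" if nc["tombstoned"] else "live"
        print(f"{state:10} {nc['original_dn']}  guid={nc['guid']}")
```

A "tombstoned" result means the partition has already been deleted and the join is blocked until garbage collection removes the object; a "live" result means the partition still exists on the source DC.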