samba - Oct 2018 - WERR_DS_DOMAIN_RENAME_IN_PROGRESS - Join Failed

Hi,

I'm trying to join a Samba 4.9.1 Debian Strech installation (also tested
with 4.8.6) to a Windows 2012 R2 Server which runs in 2008-R2 functional
level. This is a production system and it is going to be first Samba DC
in domain. There is currently two Windows DC's in domain. All FSMO
roles hold by DC1.

It seems there's something going on with Widows DC's bu I'm not able
to
the find the cause of the problem yet. Google search didn't help
either.

Any suggestion will be appreciated.

# samba-tool domain join testdomain.tld DC --dns-backend=BIND9_DLZ
--server=10.0.1.91 -U"TESTDOMAIN.TLD\Administrator"

Password for [TESTDOMAIN.TLD\Administrator]: 
workgroup is TESTDOMAIN
realm is testdomain.tld
Adding CN=SDC1,OU=Domain Controllers,DC=testdomain,DC=tld
Adding
CN=SDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testdomain,DC=tld
Adding CN=NTDS
Settings,CN=SDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testdomain,DC=tld
DsAddEntry failed with status WERR_ACCESS_DENIED info (8612,
'WERR_DS_DOMAIN_RENAME_IN_PROGRESS') Join failed - cleaning up Deleted
CN=SDC1,OU=Domain Controllers,DC=testdomain,DC=tld Deleted
CN=SDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testdomain,DC=tld
ERROR(runtime): uncaught exception - DsAddEntry failed File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177,
in _run return self.run(*args, **kwargs) File
"/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 716,
in
run backend_store=backend_store) File
"/usr/lib/python2.7/dist-packages/samba/join.py", line 1500, in
join_DC
ctx.do_join() File "/usr/lib/python2.7/dist-packages/samba/join.py",
line 1396, in do_join ctx.join_add_objects() File
"/usr/lib/python2.7/dist-packages/samba/join.py", line 653, in
join_add_objects ctx.join_add_ntdsdsa() File
"/usr/lib/python2.7/dist-packages/samba/join.py", line 578, in
join_add_ntdsdsa ctx.DsAddEntry([rec]) File
"/usr/lib/python2.7/dist-packages/samba/join.py", line 527, in
DsAddEntry raise RuntimeError("DsAddEntry failed")

---
Taner Tas

On Wed, 31 Oct 2018 11:10:43 +0300
Taner Tas via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> I'm trying to join a Samba 4.9.1 Debian Strech installation 
Please define 'installation', do you mean that you have installed the
required Samba packages and have not provisioned or something else ?
>(also
> tested with 4.8.6) to a Windows 2012 R2 Server which runs in 2008-R2
> functional level. This is a production system and it is going to be
> first Samba DC in domain. There is currently two Windows DC's in
> domain. All FSMO roles hold by DC1.
> 
> It seems there's something going on with Widows DC's bu I'm not
able
> to the find the cause of the problem yet. Google search didn't help
> either.
> 
> Any suggestion will be appreciated.
> 
> # samba-tool domain join testdomain.tld DC --dns-backend=BIND9_DLZ
> --server=10.0.1.91 -U"TESTDOMAIN.TLD\Administrator"
>
Is your Windows domain actually called 'testdomain.tld' ?
 
I have never tried to join a Samba DC to a Windows 2012 DC (or
visa-versa), but there is a wikipage that says you need a 2008 DC in
the mix, see here:

https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

Yes, I know it is about joining in the opposite direction to what you
are trying, but replication is a two way thing, so I suspect that what
will not work in one direction, will not work in the other direction
either (unless someone knows different)

Rowland

> > I'm trying to join a Samba 4.9.1 Debian Strech installation   
> 
> Please define 'installation', do you mean that you have installed
the
> required Samba packages and have not provisioned or something else ?
Yes, I just installed required packages prior to join a DC. Just like
preparing a join to any other Samba DC. Since there's already two
Windows DC's running, a new provision doesn't needed.

 
> Is your Windows domain actually called 'testdomain.tld' ?
No. I masked the actual domain name.
> I have never tried to join a Samba DC to a Windows 2012 DC (or
> visa-versa), but there is a wikipage that says you need a 2008 DC in
> the mix, see here:
> 
>
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
> 
> Yes, I know it is about joining in the opposite direction to what you
> are trying, but replication is a two way thing, so I suspect that what
> will not work in one direction, will not work in the other direction
> either (unless someone knows different)
> 
> Rowland
Windows sysadmin (who actually provisioned the Windows DC's) said that
they changed the auto-assigned NETBIOS name, from "DOMAIN0" to
"DOMAIN" after provision. I suspect that this change is recognized by
Samba during join but not elaborated properly.

On my test setup, I used VM image of actual Windows DC and I was getting
same error during join. I removed AD setup on Windows DC and then
provisioned a new DC from scratch on my test setup. After this, Samba
was able to join domain properly. I can't to a new installation on
production environment.

---
Taner Tas