Fabrizio Rompani
2023-Mar-08 14:38 UTC
[Samba] Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)
hi,
thanks for your reply.
no, current DC doesn't have that GUID:

samba-tool spn list zimbra$
zimbra$
...
ldap/3ecb2a51-b21d-4bef-84ed-700db7963ff4._msdcs.domain.lan

samba-tool spn list landc$
landc$
...
ldap/5bf8cf1f-1e35-40c6-a20d-0abc88238d92._msdcs.domain.lan

that GUID is of the machine we are trying to join to:
samba-tool spn list nextcloud$
nextcloud$
...
ldap/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347._msdcs.domain.lan

is there something else we can look at?
thanks

----- Original Message -----
From: "Lorenzo Milesi" <lorenzo.milesi at yetopen.com>
To: "Fabrizio Rompani" <fabrizio.rompani at yetopen.com>
Sent: Wednesday, 8 March 2023 13:33:47
Subject: Fwd: [Samba] Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)

----- Forwarded Message -----
> From: "Rowland Penny via samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Cc: "Rowland Penny" <rpenny at samba.org>
> Sent: Wednesday, March 8, 2023 12:56:09 PM
> Subject: Re: [Samba] Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)

> On 08/03/2023 11:07, Lorenzo Milesi via samba wrote:
>> Hi.
>> As happened some weeks ago, here I am again updating an old Samba 4.14.x network
>> to a current version. The server hosting the FSMO roles is a Debian10 with
>> 4.14.14, while the third node is an Ubuntu 18 running LinuxSchools build 4.14.8.
>>
>> We started from an Ubuntu 20.04 server running Louis builds. We demoted the node
>> and joined it back to the domain with 4.17.5 from Michael. Although on the node
>> itself everything seemed ok, the DC didn't appear in DNS, while visible in
>> Sites and ADUC.
>> Replication is reported as ALL GOOD on the upgraded node, but the remote ones
>> are in error with WERR_FILE_NOT_FOUND.
>>
>> We enabled drs_repl log on the 4.14.8, pasting below.
>> It seems to be failing because it cannot find the DNS records, which it cannot have
>> because replication is not working. If I run
>> dig 3fa4ff9a-7fdc-4912-ad73-08b98f6bf347._msdcs.domain.lan @zimbraip
>> it returns the correct value, while the same command against any of the two
>> other DCs fails. But maybe this is not the root cause of the problem.
>>
>> samba_dnsupdate ran without errors on the 4.17 node, but the other DCs never
>> received those DNS records.
>>
>> What else can we check?
>> thanks
>>
>>
>> # conf on 4.14.8
>> [global]
>> netbios name = ZIMBRA
>> realm = DOMAIN.LAN
>> server role = active directory domain controller
>> workgroup = DOM
>> server services = -dns
>> allow dns updates = disabled
>> interfaces = tun0 lo
>> log level = 1 drs_repl:10
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/domain.lan/scripts
>> read only = No
>>
>> # conf on newly upgraded 4.17.5
>> [global]
>> interfaces = tun0 lo
>> netbios name = NEXTCLOUD
>> realm = DOMAIN.LAN
>> server role = active directory domain controller
>> workgroup = DOM
>>
>> log level = 1 drs_repl:10
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/domain.lan/scripts
>> read only = No
>>
>> # log excerpt from 4.14.8 - zimbra node
>> [2023/03/08 11:53:48.764405, 10, pid=4709, effective(0, 0), real(0, 0),
>> class=drs_repl]
>> ../../source4/dsdb/repl/drepl_notify.c:391(dreplsrv_notify_check)
>> dreplsrv_notify_check: queued DsReplicaSync for DC=domain,DC=lan to
>> 3fa4ff9a-7fdc-4912-ad73-08b98f6bf347._msdcs.domain.lan (urgent=true)
>> uSN=0:27662
>
> It looks like it is trying to replicate to the GUID representation of a
> DC, if you check the DC objects you should find SPNs like this:
>
> servicePrincipalName:
> ldap/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347._msdcs.domain.lan
>
> Each DC should have a similar SPN, but with a different GUID and the
> GUID will probably be a part of other SPNs in each DC object.
>
> Do any of your current DCs use that GUID
> (3fa4ff9a-7fdc-4912-ad73-08b98f6bf347) ?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Lorenzo Milesi - lorenzo.milesi at yetopen.com
CTO @ YetOpen Srl

Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - info.it at yetopen.com | Phone +1 919-817-8106 - info.us at yetopen.com

Think green - Don't print this email unless necessary

-------- Legislative Decree 196/2003 and GDPR 679/2016 --------
Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.
Rowland Penny
2023-Mar-08 15:05 UTC
[Samba] Unable to "rejoin" existing DC after upgrade (infamous WERR_FILE_NOT_FOUND)
On 08/03/2023 14:38, Fabrizio Rompani via samba wrote:
> hi,
> thanks for your reply.
> no, current DC doesn't have that GUID:
>
> samba-tool spn list zimbra$
> zimbra$
> ...
> ldap/3ecb2a51-b21d-4bef-84ed-700db7963ff4._msdcs.domain.lan
>
>
> samba-tool spn list landc$
> landc$
> ...
> ldap/5bf8cf1f-1e35-40c6-a20d-0abc88238d92._msdcs.domain.lan
>
>
> that GUID is of the machine we are trying to join to:
> samba-tool spn list nextcloud$
> nextcloud$
> ...
> ldap/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347._msdcs.domain.lan
>
> is there something else we can look at?
> thanks
>

I might be misunderstanding something here, but it sounds like you are trying to join a running DC to a running domain

Forget you have three 'potential' DCs for a moment, the way to join a new DC goes like this:

You have a fully working DC, let's call it DC1
You now want to add another DC, let's call this DC2
You go to DC2 (which at this point isn't a DC), you configure it to use DC1 as its name server, you remove the smb.conf and stop any running Samba daemons.
You then run the command to join as a DC:

samba-tool domain join domain.lan DC ...................

This should then replicate most of the AD records from an existing AD DC to what is becoming your new DC (the rest are created when the new DC is started or shortly after)

Is this basically what you are doing ?

Or do you have a computer that is already running as a DC that you are trying to join to an existing domain ?

Rowland
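
Added example (not part of either poster's message and not Samba project code): a shell version of the check discussed in this thread, which takes the GUID-based ldap/ SPN from `samba-tool spn list` output and asks each DC's DNS whether it answers for `<GUID>._msdcs.<domain>`. The function names, the `DIG` override and the 192.0.2.x addresses are assumptions of this example; the SPN sample is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: find out which DCs' DNS cannot resolve a DC's GUID name.
# DIG can be overridden (assumption of this example) to exercise the logic offline.
DIG="${DIG:-dig}"
GUID_RE='[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}'

# Read `samba-tool spn list '<dc>$'` output on stdin and print the
# <GUID>._msdcs.<domain> name carried by the GUID-based ldap/ SPN.
guid_name_from_spns() {
    sed -n "s|^[[:space:]]*ldap/\(${GUID_RE}\._msdcs\.[^/[:space:]]*\)[[:space:]]*\$|\1|p" |
        head -n 1
}

# Ask one name server for the name: prints "ok" if it returns an answer,
# "missing" if the answer is empty or only dig diagnostics (";; ..." lines).
resolves_on() {   # $1 = DNS name, $2 = name server address
    answer=$("$DIG" +short +time=2 +tries=1 "$1" "@$2" 2>/dev/null | sed '/^;/d')
    if [ -n "$answer" ]; then echo ok; else echo missing; fi
}

# Print "<server> <ok|missing>" for every DC; return non-zero if any DC
# cannot resolve the name (the situation described for the two older DCs).
check_guid_on_dcs() {   # $1 = DNS name, remaining args = DC DNS addresses
    qname=$1; shift; rc=0
    for ns in "$@"; do
        state=$(resolves_on "$qname" "$ns")
        echo "$ns $state"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample of `samba-tool spn list 'nextcloud$'` output; the
# second SPN line is invented to show that non-GUID SPNs are skipped.
SAMPLE_SPNS='nextcloud$
	 ldap/NEXTCLOUD.domain.lan/domain.lan
	 ldap/3fa4ff9a-7fdc-4912-ad73-08b98f6bf347._msdcs.domain.lan'

# Offline part of the demo: derive the name to query from the sample.
printf '%s\n' "$SAMPLE_SPNS" | guid_name_from_spns

# On a real network (addresses are placeholders):
#   name=$(samba-tool spn list 'nextcloud$' | guid_name_from_spns)
#   check_guid_on_dcs "$name" 192.0.2.10 192.0.2.11 192.0.2.12
```

A DC reported as `missing` has not received the `_msdcs` record for the joined DC, which matches the symptom where only one name server answered the `dig` query.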