I ran ldbsearch on my sam.ldb
I searched for CBADC02, CBADC03, and TESTES (all VMs that fail to join
domain), results are below:

CBADC02 shows up a few times:

# record 1906
dn: CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu$
objectClass: top
objectClass: server
instanceType: 4
whenCreated: 20160310044543.0Z
uSNCreated: 4215
objectGUID: de85228c-f92b-4d5d-9d6a-01c3f915dec9
systemFlags: 1375731712
dNSHostName: cbadc02.cb.cliffbells.com
cn:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
isDeleted: TRUE
name:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
lastKnownParent: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
 on,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
whenChanged: 20160319092438.0Z
uSNChanged: 4261
distinguishedName: CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Se
 rvers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbell
 s,DC=com

# record 2372
dn: CN=NTDS Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec$
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
instanceType: 4
whenCreated: 20160310044546.0Z
uSNCreated: 4214
objectGUID: a5d3b626-e936-4a65-97bc-cade176d1b10
systemFlags: 33554432
cn:: TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjEw
isDeleted: TRUE
name:: TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjE
 w
isRecycled: TRUE
whenChanged: 20160319092438.0Z
uSNChanged: 4259
distinguishedName: CN=NTDS Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10
 ,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-
 First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com

# record 3275
dn: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160321212014.0Z
uSNCreated: 4287
objectGUID: b34ccfd9-0f88-4f7b-8c00-3296ed92507d
userAccountControl: 4128
objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
sAMAccountName: CBADC02$
isDeleted: TRUE
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
name:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
whenChanged: 20160327050242.0Z
uSNChanged: 4293
distinguishedName: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=De
 leted Objects,DC=cb,DC=cliffbells,DC=com

# record 3481
dn: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160310044542.0Z
uSNCreated: 4212
objectGUID: ec36364c-6f01-4c82-be95-8def84528d9a
userAccountControl: 532480
objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
sAMAccountName: CBADC02$
dNSHostName: cbadc02.cb.cliffbells.com
cn:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
whenChanged: 20160318045619.0Z
isDeleted: TRUE
uSNChanged: 4253
name:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
distinguishedName: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=De
 leted Objects,DC=cb,DC=cliffbells,DC=com

CBADC03 is there once:

# record 3431
dn: CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted Obje$
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160321211933.0Z
uSNCreated: 4286
objectGUID: 0d3362c2-c153-415e-b077-0772a61b96b5
userAccountControl: 4128
objectSid: S-1-5-21-2555112579-3841919511-698463993-1601
sAMAccountName: CBADC03$
isDeleted: TRUE
lastKnownParent: CN=LostAndFound,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
cn:: Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZ
 DMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU
name:: Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDo
 wZDMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU
whenChanged: 20160327050527.0Z
uSNChanged: 4294
distinguishedName: CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL
 :0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted Objects,DC=cb,DC=cliffbells,
 DC=com

TESTES is nowhere to be found and still fails due to ObjectSID. I don't
understand how that is even possible. I also manually inspected ADUC,
ADSS, ADSIEdit and DNS in RSAT for both of my live DCs (FILER & CBADC01)
and removed all references to CBADC02 & CBADC03. Replication between FILER
and CBADC01 is successful. RSync replication of sysvol from FILER to
CBADC01 is running via cron.

I am spun. I've been banging my head against Samba since 12/17/2015.
Please advise, I need to get these VMs joined to the domain so I can seize
FSMO roles off of FILER so I don't have to keep restoring this ^&*(@^#()*&^
database every 36 hours.

JS

On Sun, Mar 27, 2016 at 12:15 AM, IT Admin <it at cliffbells.com> wrote:
> Good times...
>
> Spent hours today rolling a fresh VM.
>
> FAIL
>
> itwerks at testes:~$ kinit administrator
> Password for administrator at CB.CLIFFBELLS.COM:
> itwerks at testes:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: administrator at CB.CLIFFBELLS.COM
>
> Valid starting  Expires  Service principal
> 03/27/2016 00:07:04  03/27/2016 10:07:04  krbtgt/CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
>     renew until 03/28/2016 00:06:59, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> itwerks at testes:~$ sudo /usr/local/samba/bin/samba-tool domain join cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM --dns-backend=SAMBA_INTERNAL
> Finding a writeable DC for domain 'cb.cliffbells.com'
> Found DC filer.cb.cliffbells.com
> Password for [WORKGROUP\administrator]:
> workgroup is CB
> realm is cb.cliffbells.com
> checking sAMAccountName
> Adding CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
> Join failed - cleaning up
> checking sAMAccountName
> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 621, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1183, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1086, in do_join
>     ctx.join_add_objects()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 536, in join_add_objects
>     ctx.samdb.add(rec)
>
> sigh.
>
> *&@$^@&$(@*$&@^$@!)($#)(^)%@*%_
>
> Please advise.
>
> JS
>
> On Fri, Mar 25, 2016 at 1:19 PM, IT Admin <it at cliffbells.com> wrote:
>
>> "I expect you don't have just copied your VMs disks without changing VMs
>> hostname and FQDN. I expect you don't fully re-use smb.conf from another DC
>> (you can do that but you must change hostname into smb.conf)."
>>
>> 1) These are new Ubuntu VMs, not cloned, built from scratch. I tried
>> joining them with no smb.conf in /usr/local/samba/etc
>>
>> You have disabled SELinux too
>>
>> 2) AFAIK Ubuntu uses apparmor, not selinux. I have not disabled apparmor.
>>
>> 3) --show-deleted reveals a single instance of cbadc02:
>>
>> twerks at filer:~$ sudo /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb --cross-ncs --show-deleted > ldbsearch_cross-ncs_deleted.txt
>> itwerks at filer:~$ cat ldbsearch_cross-ncs_deleted.txt | grep cbadc
>> dNSHostName: cbadc02.cb.cliffbells.com
>> dNSHostName: cbadc01.cb.cliffbells.com
>> dn: DC=cbadc01,DC=cb.cliffbells.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com
>> name: cbadc01
>> dc: cbadc01
>> distinguishedName: DC=cbadc01,DC=cb.cliffbells.com,CN=MicrosoftDNS,DC=DomainDn
>> dNSHostName: cbadc01.cb.cliffbells.com
>> dNSHostName: cbadc01.cb.cliffbells.com
>> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com
>> servicePrincipalName: GC/cbadc01.cb.cliffbells.com/cb.cliffbells.com
>> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/CB
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/CB
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com
>> servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/cb.cliffbells.com
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/cb.cliffbells.com
>> servicePrincipalName: RestrictedKrbHost/cbadc01.cb.cliffbells.com
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/DomainDnsZones.cb.cliffbe
>> servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/ForestDnsZones.cb.cliffbe
>> dNSHostName: cbadc02.cb.cliffbells.com
>> itwerks at filer:~$
>>
>> This article seems to explain how to resolve this issue from a Windows ADC:
>>
>> http://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx
>>
>> How could I replicate the approach in a Samba AD?
>>
>> Re: spinning up a new VM, I tried that with cbadc03... I'll try again
>> with a radically different hostname this weekend.
>>
>> JS
>>
>>
>> Hi JS,
>>
>> You said in your first mail you have this very same behaviour with two new
>> VMs you tried to join in your AD domain.
>>
>> I expect you don't have just copied your VMs disks without changing VMs
>> hostname and FQDN. I expect you don't fully re-use smb.conf from another DC
>> (you can do that but you must change hostname into smb.conf).
>>
>> You have disabled SELinux too.
>>
>> So you have 3 systems to be AD DC:
>> cbaddc01 (working and running)
>> cbaddc02 (one of the two new VMs which refuse to be joined to AD domain
>> hosted on cbaddc01)
>> cbaddc03 (the other one new VMs which also refuses to be joined)
>>
>> I found that few minutes ago speaking about LDB:
>> http://somewoman.com/?p=261
>> Here two options were interesting me about your issue:
>> --cross-ncs to search not only in main DIT
>> --show-deleted to show deleted objects
>>
>> In addition --show-binary switch can be used to decode base64 encoded
>> values when needed.
>>
>> As I have no real idea about your issue I would first try to set up a new
>> VM with a different name, very different name, to test if your domain
>> refuses to add all new DC (whatever is the name) or only DC with names
>> already used.
>>
>> 2016-03-21 22:25 GMT+01:00 IT Admin <it at cliffbells.com>:
>>
>> > No dice.
>> >
>> > Logged in to a workstation with RSAT installed.
>> > Added computer to OU Domain Controllers, closed ADUC, attempted join again.
>> >
>> > itwerks at cbadc03:~$ kinit Administrator
>> > Password for Administrator at CB.CLIFFBELLS.COM:
>> > itwerks at cbadc03:~$ klist -e
>> > Ticket cache: FILE:/tmp/krb5cc_1000
>> > Default principal: Administrator at CB.CLIFFBELLS.COM
>> >
>> > Valid starting  Expires  Service principal
>> > 03/21/2016 17:21:42  03/22/2016 03:21:42  krbtgt/CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
>> >     renew until 03/22/2016 17:21:29, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> > itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM --dns-backend=SAMBA_INTERNAL
>> > [sudo] password for itwerks:
>> > Finding a writeable DC for domain 'cb.cliffbells.com'
>> > Found DC filer.cb.cliffbells.com
>> > Password for [WORKGROUP\administrator]:
>> > workgroup is CB
>> > realm is cb.cliffbells.com
>> > checking sAMAccountName
>> > Deleted CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> > Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> > Join failed - cleaning up
>> > checking sAMAccountName
>> > ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>> >     return self.run(*args, **kwargs)
>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 621, in run
>> >     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1183, in join_DC
>> >     ctx.do_join()
>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1086, in do_join
>> >     ctx.join_add_objects()
>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 536, in join_add_objects
>> >     ctx.samdb.add(rec)
>> > itwerks at cbadc03:~
>> >
>> > Please advise.
>> >
>> > JS
>> > On Mar 21, 2016 3:54 PM, "Rowland penny" <rpenny at samba.org> wrote:
>> >
>> > > On 21/03/16 04:26, IT Admin wrote:
>> > >
>> > >> I cannot join two new VMs to my domain, I receive the following error on
>> > >> both machines:
>> > >>
>> > >> twerks at cbadc03:~$ kinit Administrator
>> > >> Password for Administrator at CB.CLIFFBELLS.COM:
>> > >> itwerks at cbadc03:~$ klist -e
>> > >> Ticket cache: FILE:/tmp/krb5cc_1000
>> > >> Default principal: Administrator at CB.CLIFFBELLS.COM
>> > >>
>> > >> Valid starting  Expires  Service principal
>> > >> 03/21/2016 00:19:56  03/21/2016 10:19:56  krbtgt/CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM
>> > >>     renew until 03/22/2016 00:19:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> > >> itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM --dns-backend=SAMBA_INTERNAL
>> > >> Finding a writeable DC for domain 'cb.cliffbells.com'
>> > >> Found DC filer.cb.cliffbells.com
>> > >> Password for [WORKGROUP\administrator]:
>> > >> workgroup is CB
>> > >> realm is cb.cliffbells.com
>> > >> checking sAMAccountName
>> > >> Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> > >> Join failed - cleaning up
>> > >> checking sAMAccountName
>> > >> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
>> > >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>> > >>     return self.run(*args, **kwargs)
>> > >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 621, in run
>> > >>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>> > >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1183, in join_DC
>> > >>     ctx.do_join()
>> > >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1086, in do_join
>> > >>     ctx.join_add_objects()
>> > >>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 536, in join_add_objects
>> > >>     ctx.samdb.add(rec)
>> > >> itwerks at cbadc03:~$
>> > >>
>> > >> Neither machine exists in ADUC on either of my current DCs. Neither
>> > >> machine has any records in DNS. I ran ldbsearch and dumped its output to
>> > >> a text file, there are no references to either machine name in the file.
>> > >>
>> > >> Please advise.
>> > >>
>> > >> JS
>> > >>
>> > >
>> > > The join seems to be failing because it seems to be trying to add an
>> > > objectsid that already exists:
>> > >
>> > > unique index violation on objectSid in CN=CBADC03,OU=Domain
>> > > Controllers,DC=cb,DC=cliffbells,DC=com
>> > >
>> > > Try pre-creating the computer in 'OU=Domain
>> > > Controllers,DC=cb,DC=cliffbells,DC=com' and then try joining again.
>> > >
>> > > Rowland
>> > >
>> > > --
>> > > To unsubscribe from this list go to the following URL and read the
>> > > instructions: https://lists.samba.org/mailman/options/samba
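Added example, not code from the thread or from Samba: a case-sensitive `grep` over raw ldbsearch output, like the `grep cbadc` in the quoted 25 March message, cannot match upper-case DNs, base64-encoded `cn::`/`name::` values, or values folded across lines. This sketch parses such a dump, searches it by name, and lists any objectSid held by more than one object. The sample is constructed: two records are trimmed from the output in the message above, and `EXAMPLEDC` (record 9001) is a hypothetical live account that reuses a tombstone's SID so the duplicate check has something to find.

```python
import base64
import re

# Constructed sample. Records 3275 and 3481 are trimmed from the thread's
# ldbsearch output (one value left folded); record 9001 is hypothetical.
SAMPLE = r"""# record 3275
dn: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com
objectGUID: b34ccfd9-0f88-4f7b-8c00-3296ed92507d
objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
sAMAccountName: CBADC02$
isDeleted: TRUE
cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
distinguishedName: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=De
 leted Objects,DC=cb,DC=cliffbells,DC=com

# record 3481
dn: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com
objectGUID: ec36364c-6f01-4c82-be95-8def84528d9a
objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
sAMAccountName: CBADC02$
isDeleted: TRUE
cn:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh

# record 9001 (constructed, hypothetical)
dn: CN=EXAMPLEDC,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
sAMAccountName: EXAMPLEDC$
cn: EXAMPLEDC
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse ldbsearch/LDIF text into a list of {attribute: [values]} dicts."""
    logical = []
    # Unfold first: a line starting with one space continues the previous one.
    for raw in text.splitlines():
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):         # "# record N" and other comments
            continue
        match = ATTR_RE.match(line)
        if not match:
            continue
        attr, sep, value = match.groups()
        if sep == "::":                  # "attr:: ..." means base64-encoded
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    return records


def find_by_name(records, name):
    """Case-insensitive search across every decoded, unfolded value."""
    needle = name.lower()
    return [r for r in records
            if any(needle in v.lower() for vals in r.values() for v in vals)]


def summarize(record):
    """Pick out the fields that matter when chasing an objectSid collision."""
    cn = record.get("cn", [""])[0]
    sid = record.get("objectSid", [""])[0]
    return {
        "name": cn.split("\n")[0],       # name before the "\nDEL:<guid>" suffix
        "deleted": record.get("isDeleted") == ["TRUE"],
        "sid": sid,
        "rid": int(sid.rsplit("-", 1)[1]) if sid else None,
        "dn": record.get("dn", [""])[0],
    }


def duplicate_sids(records):
    """Map each objectSid that appears on more than one object to its holders."""
    owners = {}
    for record in records:
        for sid in record.get("objectSid", []):
            owners.setdefault(sid, []).append(summarize(record))
    return {sid: held for sid, held in owners.items() if len(held) > 1}


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE)
    for hit in find_by_name(recs, "cbadc02"):
        print(summarize(hit))
    for sid, held in duplicate_sids(recs).items():
        print("duplicate objectSid", sid, [h["dn"] for h in held])
```

To run it against a real dump, read the file written by `ldbsearch --cross-ncs --show-deleted` and pass its text to `parse_ldif` in place of `SAMPLE`.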
On 27/03/16 07:25, IT Admin wrote:
> TESTES is nowhere to be found and still fails due to ObjectSID. I don't
> understand how that is even possible. I also manually inspected ADUC,
> ADSS, ADSIEdit and DNS in RSAT for both of my live DCs (FILER & CBADC01)
> and removed all references to CBADC02 & CBADC03. Replication between FILER
> and CBADC01 is successful. RSync replication of sysvol from FILER to
> CBADC01 is running via cron.
>
> I am spun. I've been banging my head against Samba since 12/17/2015.
> Please advise, I need to get these VMs joined to the domain so I can seize
> FSMO roles off of FILER so I don't have to keep restoring this ^&*(@^#()*&^
> database every 36 hours.
>
> JS

OK, so you cannot join another DC and you have to keep restoring every 36 hours, doesn't this tell you something?
It looks like the database you keep restoring is badly corrupted, you should also be aware that you shouldn't restore a DC if another DC in the domain is running.

Are 'FILER' and 'CBADC01' joined? If so, is 'FILER' the only database that is giving problems?

If so, then I think your best option is to seize all the fsmo roles to 'CBADC01', turn off 'FILER' and then try to join a new DC to 'CBADC01'

Rowland
Alright... appreciate the info. Gave it a shot. Domain is still up but shares are down because they were hosted on FILER which has now been demoted and is no longer running any samba services.

What I did while following the wiki "Transfer/Seize FSMO Roles":

1) logged on to FILER, ran samba-tool fsmo show, verified all 7 roles were owned by FILER.
2) logged on to CBADC01, executed samba-tool fsmo transfer --role=all -U administrator --realm=cb.cliffbells.com which succeeded.
3) ran samba-tool fsmo show again on FILER, verified all 7 roles were now owned by CBADC01.
4) ran samba-tool drs showrepl on FILER, replication succeeded after transferring fsmo roles.
5) ran samba-tool domain demote -Uadministrator on FILER.
6) shut down samba on FILER, removed smb.conf, removed initscript
7) followed guidelines to cleanup any remaining references to FILER, it existed in AD Sites and Services, I removed it. I did not delete DNS references as FILER is critical in this network and must remain accessible.
8) rebooted FILER and CBADC01

Currently AD is allowing users to login to computers, all shares are dead because FILER isn't providing them and I can't set it up as a Domain Member to provide the shares again because CBADC01 is missing 3 of 7 fsmoroleowner entries.

I think I have empty fSMORoleOwner attributes as discussed here:
https://lists.samba.org/archive/samba-technical/2016-January/111516.html

Here's where I'm at:

sudo /usr/local/samba/bin/samba-tool fsmo show
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 390, in run
    infrastructureMaster = get_fsmo_roleowner(samdb, infrastructure_dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]

sudo /usr/local/samba/bin/samba-tool dbcheck --fix --cross-ncs
Checking 3527 objects
ERROR: fSMORoleOwner not found for role CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
Sieze role CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com onto current DC by adding fSMORoleOwner=CN=NTDS Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com [y/N/all/none] y
Failed to sieze role CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com onto current DC by adding fSMORoleOwner=CN=NTDS Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com : (20, 'SINGLE-VALUE attribute fSMORoleOwner on CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com specified more than once')
ERROR: fSMORoleOwner not found for role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com
Sieze role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com onto current DC by adding fSMORoleOwner=CN=NTDS Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com [y/N/all/none] y
Failed to sieze role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com onto current DC by adding fSMORoleOwner=CN=NTDS Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com : (20, 'SINGLE-VALUE attribute fSMORoleOwner on CN=Infrastructure,DC=cb,DC=cliffbells,DC=com specified more than once')
Checked 3527 objects (2 errors)

itwerks at cbadc01:~$ sudo /usr/local/samba/bin/samba-tool fsmo seize --role=rid --force -U administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 353, in run
    self.seize_role(role, samdb, force)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 255, in seize_role
    master_owner = get_fsmo_roleowner(samdb, m.dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]

sudo /usr/local/samba/bin/samba-tool fsmo seize --role=infrastructure --force -U administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 353, in run
    self.seize_role(role, samdb, force)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 255, in seize_role
    master_owner = get_fsmo_roleowner(samdb, m.dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]

sudo /usr/local/samba/bin/samba-tool fsmo seize --role=domaindns --force -U administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 351, in run
    versionopts, force)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 301, in seize_dns_role
    master_owner = get_fsmo_roleowner(samdb, m.dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]

sudo /usr/local/samba/bin/samba-tool fsmo seize --role=forestdns --force -U administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 351, in run
    versionopts, force)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 301, in seize_dns_role
    master_owner = get_fsmo_roleowner(samdb, m.dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]

I guess I need LDIFs for these, client will be down on a Monday.
JS On Sun, Mar 27, 2016 at 5:02 AM, Rowland penny <rpenny at samba.org> wrote:> On 27/03/16 07:25, IT Admin wrote: > >> I ran ldbsearch on my sam.ldb >> I searched for CBADC02, CBADC03, and TESTES (all VMs that fail to join >> domain), results are below: >> >> >> CBADC02 shows up a few times: >> >> # record 1906 >> dn: >> >> CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu$ >> objectClass: top >> objectClass: server >> instanceType: 4 >> whenCreated: 20160310044543.0Z >> uSNCreated: 4215 >> objectGUID: de85228c-f92b-4d5d-9d6a-01c3f915dec9 >> systemFlags: 1375731712 >> dNSHostName: cbadc02.cb.cliffbells.com >> cn:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5 >> isDeleted: TRUE >> name:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5 >> lastKnownParent: >> CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati >> on,DC=cb,DC=cliffbells,DC=com >> isRecycled: TRUE >> whenChanged: 20160319092438.0Z >> uSNChanged: 4261 >> distinguishedName: >> CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Se >> >> rvers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbell >> s,DC=com >> >> >> # record 2372 >> dn: CN=NTDS >> >> Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec$ >> objectClass: top >> objectClass: applicationSettings >> objectClass: nTDSDSA >> instanceType: 4 >> whenCreated: 20160310044546.0Z >> uSNCreated: 4214 >> objectGUID: a5d3b626-e936-4a65-97bc-cade176d1b10 >> systemFlags: 33554432 >> cn:: >> TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjEw >> isDeleted: TRUE >> name:: >> TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjE >> w >> isRecycled: TRUE >> whenChanged: 20160319092438.0Z >> uSNChanged: 4259 >> distinguishedName: CN=NTDS >> Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10 >> >> 
>> ,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-
>> First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
>>
>> # record 3275
>> dn: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted
>> Objects,DC=cb,DC=cliffbells,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> instanceType: 4
>> whenCreated: 20160321212014.0Z
>> uSNCreated: 4287
>> objectGUID: b34ccfd9-0f88-4f7b-8c00-3296ed92507d
>> userAccountControl: 4128
>> objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
>> sAMAccountName: CBADC02$
>> isDeleted: TRUE
>> lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> isRecycled: TRUE
>> cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
>> name:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
>> whenChanged: 20160327050242.0Z
>> uSNChanged: 4293
>> distinguishedName:
>> CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=De
>> leted Objects,DC=cb,DC=cliffbells,DC=com
>>
>> # record 3481
>> dn: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted
>> Objects,DC=cb,DC=cliffbells,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> instanceType: 4
>> whenCreated: 20160310044542.0Z
>> uSNCreated: 4212
>> objectGUID: ec36364c-6f01-4c82-be95-8def84528d9a
>> userAccountControl: 532480
>> objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
>> sAMAccountName: CBADC02$
>> dNSHostName: cbadc02.cb.cliffbells.com
>> cn:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
>> whenChanged: 20160318045619.0Z
>> isDeleted: TRUE
>> uSNChanged: 4253
>> name:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
>> lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>> isRecycled: TRUE
>> distinguishedName:
>> CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=De
>> leted Objects,DC=cb,DC=cliffbells,DC=com
>>
>> CBADC03 is there once:
>>
>> # record 3431
>> dn:
>>
>> CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
>> Obje$
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> instanceType: 4
>> whenCreated: 20160321211933.0Z
>> uSNCreated: 4286
>> objectGUID: 0d3362c2-c153-415e-b077-0772a61b96b5
>> userAccountControl: 4128
>> objectSid: S-1-5-21-2555112579-3841919511-698463993-1601
>> sAMAccountName: CBADC03$
>> isDeleted: TRUE
>> lastKnownParent: CN=LostAndFound,DC=cb,DC=cliffbells,DC=com
>> isRecycled: TRUE
>> cn::
>> Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZ
>> DMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU
>> name::
>> Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDo
>> wZDMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU
>> whenChanged: 20160327050527.0Z
>> uSNChanged: 4294
>> distinguishedName:
>> CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL
>> :0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
>> Objects,DC=cb,DC=cliffbells,
>> DC=com
>>
>> TESTES is nowhere to be found and still fails due to ObjectSID. I don't
>> understand how that is even possible. I also manually inspected ADUC,
>> ADSS, ADSIEdit and DNS in RSAT for both of my live DCs (FILER & CBADC01)
>> and removed all references to CBADC02 & CBADC03. Replication between FILER
>> and CBADC01 is successful. RSync replication of sysvol from FILER to
>> CBADC01 is running via cron.
>>
>> I am spun. I've been banging my head against Samba since 12/17/2015.
>> Please advise, I need to get these VMs joined to the domain so I can seize
>> FSMO roles off of FILER so I don't have to keep restoring this ^&*(@^#()*&^
>> database every 36 hours.
>>
>> JS
>>
> OK, so you cannot join another DC and you have to keep restoring every 36
> hours, doesn't this tell you something?
>
> It looks like the database you keep restoring is badly corrupted, you
> should also be aware that you shouldn't restore a DC if another DC in the
> domain is running.
>
> Are 'FILER' and 'CBADC01' joined?
> If so, is 'FILER' the only database that is giving problems?
> If so, then I think your best option is to seize all the fsmo roles to
> 'CBADC01', turn off 'FILER' and then try to join a new DC to 'CBADC01'
>
> Rowland
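
The deleted-object records quoted in this thread pack the old name and objectGUID into a base64 `cn::` value. The following Python is an added example (not part of the original messages and not Samba code) that unfolds ldbsearch-style LDIF, decodes those values and lists tombstones with their objectSid. The sample is constructed: the first record reuses values quoted above with `cn::` folded by hand, EXAMPLEPC is invented, and `parse_ldif` and `tombstones` are hypothetical helper names.

```python
import base64
import re

# Constructed sample: record 1 reuses values from the thread, record 2 is invented.
SAMPLE = """\
# record 1
dn: CN=CBADC02\\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted Objects,DC=cb,DC=cliffbells,DC=com
objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
isDeleted: TRUE
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVk
 OTI1MDdk

dn: CN=EXAMPLEPC,CN=Computers,DC=example,DC=test
cn: EXAMPLEPC
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per record."""
    unfolded = text.replace("\n ", "")      # a leading space continues the previous line
    records = []
    for block in re.split(r"\n\s*\n", unfolded):
        rec = {}
        for line in block.splitlines():
            m = re.match(r"([^:#]+)(::?) ?(.*)$", line)
            if not m:
                continue                    # comments ("# record N") and blanks
            attr, sep, value = m.groups()
            if sep == "::":                 # "::" marks a base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            rec.setdefault(attr, []).append(value)
        if rec:
            records.append(rec)
    return records

def tombstones(records):
    """List deleted objects with the name and GUID(s) packed into their cn."""
    found = []
    for rec in records:
        if rec.get("isDeleted", [""])[0].upper() != "TRUE":
            continue
        # A deleted object's cn is "<old name>\nDEL:<objectGUID>"; the suffix can repeat.
        name, *guids = rec.get("cn", [""])[0].split("\nDEL:")
        found.append({"name": name, "guids": guids,
                      "sid": rec.get("objectSid", [None])[0],
                      "lastKnownParent": rec.get("lastKnownParent", [None])[0]})
    return found

print(tombstones(parse_ldif(SAMPLE)))
```

A record whose cn carries the `DEL:` suffix twice, as the CBADC03 entry does, comes back with two entries in `guids`.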