On 07/07/16 21:39, Jason Waters wrote:
> I did that, it fixed 6 errors, ran it again, 0 errors. Still not able
> to join.
>
> On Thu, Jul 7, 2016 at 4:38 PM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 07/07/16 21:13, Jason Waters wrote:
>>
>>> So I joined with samba's internal DNS, then converted to BIND,
>>> then tested. Seems like it was working. I forced the 2003
>>> machine out, cleaned up the meta data and everything seemed to
>>> be working ok. So I raised the domain level like this
>>>
>>> samba-tool domain level raise
>>> samba-tool domain level raise --domain-level=2008_R2
>>> samba-tool domain level raise --forest-level=2008_R2
>>>
>>> everything shows as 2008_R2
>>>
>>> so now I think I'm making progress. I spin up another linux
>>> box, get it ready to join, starts to join, then fails
>>>
>>> says LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A:
>>> objectclass_attrs: attribute 'msDS-SupportedEncryptionTypes'
>>> on entry 'CN=DC04,OU=Domain Controllers,DC=example,DC=local'
>>> was not found in the schema
>>>
>>> so I thought well I'm going to try having a windows 2008 r2
>>> server join as a DC, run dcpromo and it says I need to run
>>> /forestprep on the AD. Well I can't do that now that it is on
>>> linux right?
>>
>> It should be there, it sounds like you have an incomplete schema,
>> you could try running 'samba-tool dbcheck --fix'
>>
>> Rowland

Try adding '--cross-ncs'
After this, I am running out of suggestions.

Rowland

I'm pretty sure the domain level raise is failing on this system. This is
what I just tested.

Joined Samba(dc03) to windows 2003(pdc) DC.
Shut down PDC
seized all fsmo roles
did metadata cleanup
Open AD Users and Computers
I can view computers, users, etc. but it fails when trying to open Domain
Controllers.

I get this error cannot find attr[msDS-isRODC] in of schema

Now this is a VM so I restored a snapshot before I upgraded the
domain/forest level and I'm still getting that error. So I'm not sure where
to look.

I run samba-tool dbcheck --fix --cross-ncs, finds 2 errors, run it again
and finds 0.

So how do I fix my AD schema? This just seems to fail because I'm pulling
it from 2003. If I spin up a new samba domain with the same version
installed it just works...

On Thu, Jul 7, 2016 at 4:57 PM, Rowland penny <rpenny at samba.org> wrote:
> On 07/07/16 21:39, Jason Waters wrote:
>
> I did that, it fixed 6 errors, ran it again, 0 errors. Still not able to
> join.
>
> On Thu, Jul 7, 2016 at 4:38 PM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 07/07/16 21:13, Jason Waters wrote:
>>
>>> So I joined with samba's internal DNS, then converted to BIND, then
>>> tested. Seems like it was working. I forced the 2003 machine out, cleaned
>>> up the meta data and everything seemed to be working ok. So I raised the
>>> domain level like this
>>>
>>> samba-tool domain level raise
>>> samba-tool domain level raise --domain-level=2008_R2
>>> samba-tool domain level raise --forest-level=2008_R2
>>>
>>> everything shows as 2008_R2
>>>
>>> so now I think I'm making progress. I spin up another linux box, get it
>>> ready to join, starts to join, then fails
>>>
>>> says LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A:
>>> objectclass_attrs: attribute 'msDS-SupportedEncryptionTypes' on entry
>>> 'CN=DC04,OU=Domain Controllers,DC=example,DC=local' was not found in the
>>> schema
>>>
>>> so I thought well I'm going to try having a windows 2008 r2 server join
>>> as a DC, run dcpromo and it says I need to run /forestprep on the AD. Well
>>> I can't do that now that it is on linux right?
>>>
>> It should be there, it sounds like you have an incomplete schema, you
>> could try running 'samba-tool dbcheck --fix'
>>
>> Rowland
>>
>
> Try adding '--cross-ncs'
> After this, I am running out of suggestions.
>
> Rowland

I bumped the logging up.

samba-tool domain level raise --domain-level=2008_R2
schema_fsmo_init: we are master[yes] updates allowed[no]
schema_fsmo_init: we are master[yes] updates allowed[no]

The updates_allowed[no] concerns me?

On Fri, Jul 8, 2016 at 9:45 AM, Jason Waters <jason at geeknocity.com> wrote:
> I'm pretty sure the domain level raise is failing on this system. This is
> what I just tested.
>
> Joined Samba(dc03) to windows 2003(pdc) DC.
> Shut down PDC
> seized all fsmo roles
> did metadata cleanup
> Open AD Users and Computers
> I can view computers, users, etc. but it fails when trying to open Domain
> Controllers.
>
> I get this error cannot find attr[msDS-isRODC] in of schema
>
> Now this is a VM so I restored a snapshot before I upgraded the
> domain/forest level and I'm still getting that error. So I'm not sure where
> to look.
>
> I run samba-tool dbcheck --fix --cross-ncs, finds 2 errors, run it again
> and finds 0.
>
> So how do I fix my AD schema? This just seems to fail because I'm pulling
> it from 2003. If I spin up a new samba domain with the same version
> installed it just works...
>
> On Thu, Jul 7, 2016 at 4:57 PM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 07/07/16 21:39, Jason Waters wrote:
>>
>> I did that, it fixed 6 errors, ran it again, 0 errors. Still not able to
>> join.
>>
>> On Thu, Jul 7, 2016 at 4:38 PM, Rowland penny <rpenny at samba.org> wrote:
>>
>>> On 07/07/16 21:13, Jason Waters wrote:
>>>
>>>> So I joined with samba's internal DNS, then converted to BIND, then
>>>> tested. Seems like it was working. I forced the 2003 machine out, cleaned
>>>> up the meta data and everything seemed to be working ok. So I raised the
>>>> domain level like this
>>>>
>>>> samba-tool domain level raise
>>>> samba-tool domain level raise --domain-level=2008_R2
>>>> samba-tool domain level raise --forest-level=2008_R2
>>>>
>>>> everything shows as 2008_R2
>>>>
>>>> so now I think I'm making progress. I spin up another linux box, get
>>>> it ready to join, starts to join, then fails
>>>>
>>>> says LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A:
>>>> objectclass_attrs: attribute 'msDS-SupportedEncryptionTypes' on entry
>>>> 'CN=DC04,OU=Domain Controllers,DC=example,DC=local' was not found in the
>>>> schema
>>>>
>>>> so I thought well I'm going to try having a windows 2008 r2 server join
>>>> as a DC, run dcpromo and it says I need to run /forestprep on the AD. Well
>>>> I can't do that now that it is on linux right?
>>>>
>>> It should be there, it sounds like you have an incomplete schema, you
>>> could try running 'samba-tool dbcheck --fix'
>>>
>>> Rowland
>>>
>>
>> Try adding '--cross-ncs'
>> After this, I am running out of suggestions.
>>
>> Rowland
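
Added example, not written by anyone in this thread: a shell script that checks a schema LDIF dump for the two attributes named in the errors above and reads the schema objectVersion, to confirm whether the schema itself is incomplete. The function names, the sam.ldb path in the comment and the sample LDIF are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a schema LDIF dump for the attributes named in the
# thread's errors. Function names are hypothetical helpers, not Samba tools.
#
# To produce the dump on the DC (sam.ldb path is an assumption, it varies):
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#     -b "CN=Schema,CN=Configuration,DC=example,DC=local" -s sub \
#     '(objectClass=*)' objectVersion lDAPDisplayName > schema.ldif

# Constructed sample standing in for that dump (not real output).
SAMPLE_LDIF='# record 1
dn: CN=Schema,CN=Configuration,DC=example,DC=local
objectVersion: 30

# record 2
dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=local
lDAPDisplayName: sAMAccountName'

# Print the first objectVersion value found in LDIF read from stdin.
schema_version() {
  awk -F': ' 'tolower($1) == "objectversion" { print $2; exit }'
}

# Map a schema objectVersion to the Windows release that introduced it.
schema_label() {
  case "$1" in
    30) echo "Windows Server 2003" ;;
    31) echo "Windows Server 2003 R2" ;;
    44) echo "Windows Server 2008" ;;
    47) echo "Windows Server 2008 R2" ;;
    *)  echo "unrecognised ($1)" ;;
  esac
}

# $1 = LDIF text; remaining args = lDAPDisplayName values to look for.
# Prints each name that has no matching schema entry, one per line.
missing_attrs() {
  ldif=$1; shift
  for attr in "$@"; do
    printf '%s\n' "$ldif" | grep -qixF "lDAPDisplayName: $attr" \
      || printf '%s\n' "$attr"
  done
}

ver=$(printf '%s\n' "$SAMPLE_LDIF" | schema_version)
echo "schema objectVersion: $ver ($(schema_label "$ver"))"
echo "attributes absent from the schema:"
missing_attrs "$SAMPLE_LDIF" msDS-SupportedEncryptionTypes msDS-isRODC
```

The schema objectVersion is stored separately from the domain and forest functional levels, so it is worth reading both when the levels show as 2008_R2 but schema lookups fail.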