Chris Alavoine
2016-Oct-14 09:53 UTC
[Samba] Joining a Windows Server 2008 R2 to existing Samba4 domain
Hi all,

A bit of back story. A few years back we upgraded our Samba3 domain to Samba4 using the classicupgrade method. After a few stumbles we got there and now have 9 DC's globally all running 4.5.0.

We dropped the ball when naming our domain and now need to change it. This has led me down the path of attempting to join a Windows Server 2008 R2 machine as a DC and then run the RENDOM tool from there.

Unfortunately, I'm having trouble getting past the first hurdle of joining a Windows server to the domain. I have a test rig which I'm working on and have tried various different methods. Some have ended with the Windows Server almost becoming a DC but DNS replication (Forest and Domain) have never worked. Occasionally things just get stuck when replicating the Configuration over.

I have followed this doc to the letter:

https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD

but have never managed to get full replication working.

Could this be because I'm coming from a classicupgrade? Has anyone else out there managed to get this working?

Thanks,
Chris.

--
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192
Marc Muehlfeld
2016-Oct-14 14:17 UTC
[Samba] Joining a Windows Server 2008 R2 to existing Samba4 domain
Hi Chris,

On 14.10.2016 at 11:53, Chris Alavoine via samba wrote:
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
>
> but have never managed to get full replication working.
>
> Could this be because I'm coming from a classicupgrade? Has anyone else out
> there managed to get this working?

I'm the author of this documentation. I recently rewrote it and at the same time retested the procedure with 4.5.0 and everything worked. However, I know this does not help you. :-)

* What DNS back end do you use? Internal or BIND9_DLZ?

* Did you let 2008 auto-select a replication partner during the dcpromo or did you select a specific DC?

* Does "samba-tool dbcheck --cross-ncs" show any errors? Fix them.

Regards,
Marc
Chris Alavoine
2016-Oct-14 14:35 UTC
[Samba] Joining a Windows Server 2008 R2 to existing Samba4 domain
Hi Marc,

Thanks for your reply.

We are using BIND9_DLZ currently as the DNS backend.

I manually selected a replication partner (the FSMO roles DC).

We do have some errors when doing a dbcheck but I'm not able to fix them. I've detailed this in another post. Here is an example of each type:

Example1:

ERROR: incorrect GUID component for member in object CN=examplegroup,OU=Groups,DC=example,DC=internal,DC=com - <GUID=77ad92b5ade70e449dcc481624928310>;<RMD_ADDTIME=130393476680000000>;<RMD_CHANGETIME=130976799640000000>;<RMD_FLAGS=1>;<RMD_INVOCID=98307faefea70749933e6946b1b14420>;<RMD_LOCAL_USN=1445979>;<RMD_ORIGINATING_USN=303848>;<RMD_VERSION=1>;<SID=010500000000000515000000e8e83f391df4408a63c6a6b4d25a0000>;CN=simon.test,CN=Users,DC=example,DC=internal,DC=com

Example2:

ERROR: incorrect DN string component for member in object CN=admin-group-001,OU=Groups,DC=example,DC=internal,DC=com - <GUID=38370cfc-6751-49bb-945e-d2b5e028f0f3>;<RMD_ADDTIME=130941544260000000>;<RMD_CHANGETIME=130941560040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=a65d0f39-311e-4031-aa56-a8585bfc1b8f>;<RMD_LOCAL_USN=1443123>;<RMD_ORIGINATING_USN=1443123>;<RMD_VERSION=1>;<SID=S-1-5-21-960489704-2319512605-3030828643-1219569>;CN=user.test,OU=Test OU,DC=example,DC=internal,DC=com

Example3:

unable to find object for DN CN=test.user2,CN=Users,DC=example,DC=internal,DC=com - (No such Base DN: CN=test.user2,CN=Users,DC=example,DC=internal,DC=com)
Not removing dangling forward link

I have edited these entries to maintain anonymity.

Any ideas on how to remove these errors?

Thanks again,
Chris.

On 14 October 2016 at 15:17, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> Hi Chris,
>
> On 14.10.2016 at 11:53, Chris Alavoine via samba wrote:
> > https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
> >
> > but have never managed to get full replication working.
> >
> > Could this be because I'm coming from a classicupgrade? Has anyone else out
> > there managed to get this working?
>
> I'm the author of this documentation. I recently rewrote it and at the
> same time retested the procedure with 4.5.0 and everything worked.
> However, I know this does not help you. :-)
>
> * What DNS back end do you use? Internal or BIND9_DLZ?
>
> * Did you let 2008 auto-select a replication partner during the dcpromo
> or did you select a specific DC?
>
> * Does "samba-tool dbcheck --cross-ncs" show any errors? Fix them.
>
>
> Regards,
> Marc
>

--
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192
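
Added example, not part of the original posts: Example1 above prints the GUID and SID of the link target as hex of the raw binary values, while Example2 prints them in string form. This Python sketch decodes either form so the components shown in dbcheck output can be compared like for like; the function names and the shortened sample string are assumptions made for illustration.

```python
import re
import struct
import uuid

# Constructed sample: Example1 from the post, shortened to three components.
SAMPLE = ("<GUID=77ad92b5ade70e449dcc481624928310>;<RMD_FLAGS=1>;"
          "<SID=010500000000000515000000e8e83f391df4408a63c6a6b4d25a0000>;"
          "CN=simon.test,CN=Users,DC=example,DC=internal,DC=com")

COMPONENT = re.compile(r"<([A-Z_]+)=([^>]*)>;")


def decode_guid(value):
    """Return a GUID in string form, given string form or 32 hex digits of raw bytes."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        # Raw AD GUIDs store the first three fields little-endian.
        return str(uuid.UUID(bytes_le=bytes.fromhex(value)))
    return str(uuid.UUID(value))


def decode_sid(value):
    """Return a SID as S-R-A-..., given string form or hex of the binary SID."""
    if value.upper().startswith("S-"):
        return value
    raw = bytes.fromhex(value)
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match its sub-authority count")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def parse_extended_dn(text):
    """Split leading <KEY=value>; components from the DN and decode GUID and SID."""
    parts, pos = {}, 0
    while (m := COMPONENT.match(text, pos)):
        parts[m.group(1)] = m.group(2)
        pos = m.end()
    parts["DN"] = text[pos:]
    if "GUID" in parts:
        parts["GUID"] = decode_guid(parts["GUID"])
    if "SID" in parts:
        parts["SID"] = decode_sid(parts["SID"])
    return parts


if __name__ == "__main__":
    for key, value in parse_extended_dn(SAMPLE).items():
        print(f"{key}: {value}")
```

Decoded this way, the SID from Example1 carries the same domain part (S-1-5-21-960489704-2319512605-3030828643) as the string-form SID in Example2.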