Marc-Henri Pamiseux
2017-Dec-20 21:55 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
Hello,
I am trying to use Samba in version 4.7.0 as a replication of an Active
Directory running on Windows 2012-R2.
For that, I execute the process described on this page:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
When I run the command to join the domain controller, samba-tool returns
the following error:
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
'WERR_DS_INCOMPATIBLE_VERSION')
I read the documentation that specifies which version of Samba is
compatible with the version of the Active Directory schema:
https://wiki.samba.org/index.php/AD_Schema_Version_Support
I was able to check on the Windows 2012-R2 server that the Active
Directory schema is in version 69, so theoretically compatible with
Samba 4.7.
User "MYDOMAIN\marcori" is a domain admin.
Do you have a way to explore further?
Respectfully,
Marc-Henri Pamiseux
PS: Here is the command invoked and its error message:
# samba-tool domain join example.com DC -U"MYDOMAIN\marcori"
--dns-backend=SAMBA_INTERNAL --realm=EXAMPLE.COM -W MYDOMAIN
Finding a writeable DC for domain 'example.com'
Found DC SRV-ADM1.example.com
Password for [MYDOMAIN\marcori]:
workgroup is MYDOMAIN
realm is example.com
Adding CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
Adding
CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS
Settings,CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up
Deleted CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
Deleted
CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(runtime): uncaught exception - DsAddEntry failed
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line
176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
661, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
join_DC
ctx.do_join()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
do_join
ctx.join_add_objects()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 639, in
join_add_objects
ctx.join_add_ntdsdsa()
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 570, in
join_add_ntdsdsa
ctx.DsAddEntry([rec])
File "/usr/lib/python2.7/dist-packages/samba/join.py", line 521, in
DsAddEntry
raise RuntimeError("DsAddEntry failed")
# samba -V
Version 4.7.0-Debian
--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97
Luke Barone
2017-Dec-20 22:37 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
What is the schema level on your Server 2012? On Wed, Dec 20, 2017 at 1:55 PM, Marc-Henri Pamiseux via samba < samba at lists.samba.org> wrote:> Hello, > > I am trying to use Samba in version 4.7.0 as a replication of an Active > Directory running on Windows 2012-R2. > > For that, I execute the process described on this page: > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_ > Existing_Active_Directory > > When I run the command to join the domain controller, samba-tool returns > the following error: > DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, > 'WERR_DS_INCOMPATIBLE_VERSION') > > I read the documentation that specifies which version of Samba is > compatible with the version of the Active Directory schema: > https://wiki.samba.org/index.php/AD_Schema_Version_Support > > I was able to check on the Windows 2012-R2 server that the Active > Directory schema is in version 69, so theoretically compatible with > Samba 4.7. > > User "MYDOMAIN\marcori" is a domain admin. > Do you have a way to explore further? > > Respectfully, > > Marc-Henri Pamiseux > > PS: Here is the command invoked and its error message: > > # samba-tool domain join example.com DC -U"MYDOMAIN\marcori" > --dns-backend=SAMBA_INTERNAL --realm=EXAMPLE.COM -W MYDOMAIN > Finding a writeable DC for domain 'example.com' > Found DC SRV-ADM1.example.com > Password for [MYDOMAIN\marcori]: > workgroup is MYDOMAIN > realm is example.com > Adding CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com > Adding > CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN> Sites,CN=Configuration,DC=example,DC=com > Adding CN=NTDS > Settings,CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN> Configuration,DC=example,DC=com > DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, > 'WERR_DS_INCOMPATIBLE_VERSION') > Join failed - cleaning up > Deleted CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com > Deleted > CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN> Sites,CN=Configuration,DC=example,DC=com > ERROR(runtime): uncaught exception - DsAddEntry failed > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line > 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line > 661, in run > machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in > join_DC > ctx.do_join() > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in > do_join > ctx.join_add_objects() > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 639, in > join_add_objects > ctx.join_add_ntdsdsa() > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 570, in > join_add_ntdsdsa > ctx.DsAddEntry([rec]) > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 521, in > DsAddEntry > raise RuntimeError("DsAddEntry failed") > > # samba -V > Version 4.7.0-Debian > > -- > Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr > 6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex > Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97 > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Marc-Henri Pamiseux
2017-Dec-20 23:31 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
Hello Luke, I think you have not seen this line : "Active Directory shema is in version 69". So, schema level is 69. Respectfully -- Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr 6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97 Le 20/12/2017 à 23:37, Luke Barone a écrit :> What is the schema level on your Server 2012? > > On Wed, Dec 20, 2017 at 1:55 PM, Marc-Henri Pamiseux via samba > I was able to check on the Windows 2012-R2 server that the Active > Directory schema is in version 69, so theoretically compatible with > Samba 4.7.
Garming Sam
2017-Dec-21 00:55 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
I don't think it should be the schema that is the problem, but the domain functionality level the 2012 server is operating at. We currently only operate at 2008 R2 functional level (although there are some patches currently pending to change some aspects of that). If it's running at the 2012 R2 functional level, it would have to be downgraded first (or re-promoted to only be using 2008 R2 functionality). Cheers, Garming On 21/12/17 10:55, Marc-Henri Pamiseux via samba wrote:> Hello, > > I am trying to use Samba in version 4.7.0 as a replication of an Active > Directory running on Windows 2012-R2. > > For that, I execute the process described on this page: > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory > > When I run the command to join the domain controller, samba-tool returns > the following error: > DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, > 'WERR_DS_INCOMPATIBLE_VERSION') > > I read the documentation that specifies which version of Samba is > compatible with the version of the Active Directory schema: > https://wiki.samba.org/index.php/AD_Schema_Version_Support > > I was able to check on the Windows 2012-R2 server that the Active > Directory schema is in version 69, so theoretically compatible with > Samba 4.7. > > User "MYDOMAIN\marcori" is a domain admin. > Do you have a way to explore further? > > Respectfully, > > Marc-Henri Pamiseux > > PS: Here is the command invoked and its error message: > > # samba-tool domain join example.com DC -U"MYDOMAIN\marcori" > --dns-backend=SAMBA_INTERNAL --realm=EXAMPLE.COM -W MYDOMAIN > Finding a writeable DC for domain 'example.com' > Found DC SRV-ADM1.example.com > Password for [MYDOMAIN\marcori]: > workgroup is MYDOMAIN > realm is example.com > Adding CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com > Adding > CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com > Adding CN=NTDS > Settings,CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com > DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, > 'WERR_DS_INCOMPATIBLE_VERSION') > Join failed - cleaning up > Deleted CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com > Deleted > CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com > ERROR(runtime): uncaught exception - DsAddEntry failed > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line > 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line > 661, in run > machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in > join_DC > ctx.do_join() > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in > do_join > ctx.join_add_objects() > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 639, in > join_add_objects > ctx.join_add_ntdsdsa() > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 570, in > join_add_ntdsdsa > ctx.DsAddEntry([rec]) > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 521, in > DsAddEntry > raise RuntimeError("DsAddEntry failed") > > # samba -V > Version 4.7.0-Debian >
Marc-Henri Pamiseux
2017-Dec-21 08:44 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
Hello Garming, In the link above (sorry, it's in French), I can read how to downgrade a feature level of a 2012-R2 domain to work in 2008 R2. https://sloze.wordpress.com/2014/06/18/active-directory-diminuer-le-niveau-fonctionnel-dune-foret-etou-dun-domaine-2/ Here is the English version of the Set-ADDomainMode command: https://technet.microsoft.com/fr-fr/library/hh852281(v=wps.630).aspx Has anyone ever used successfully this command? Respectfully, -- Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr 6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97 Le 21/12/2017 à 01:55, Garming Sam a écrit :> I don't think it should be the schema that is the problem, but the > domain functionality level the 2012 server is operating at. We currently > only operate at 2008 R2 functional level (although there are some > patches currently pending to change some aspects of that). If it's > running at the 2012 R2 functional level, it would have to be downgraded > first (or re-promoted to only be using 2008 R2 functionality). > > Cheers, > > Garming
Denis Cardon
2017-Dec-21 14:35 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
Hi Marc-Henri Pamiseux,> > I am trying to use Samba in version 4.7.0 as a replication of an Active > Directory running on Windows 2012-R2. > > For that, I execute the process described on this page: > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory > > When I run the command to join the domain controller, samba-tool returns > the following error: > DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, > 'WERR_DS_INCOMPATIBLE_VERSION') > > I read the documentation that specifies which version of Samba is > compatible with the version of the Active Directory schema: > https://wiki.samba.org/index.php/AD_Schema_Version_Support > > I was able to check on the Windows 2012-R2 server that the Active > Directory schema is in version 69, so theoretically compatible with > Samba 4.7.in the small prints, one can read "69 :* Experimental support. To report problems, click https://bugzilla.samba.org". With such warning I wouldn't put that in production...> User "MYDOMAIN\marcori" is a domain admin. > Do you have a way to explore further?I think you can explore the page https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD TL;DR : with current samba releases, it is not possible to join a win2k12 or above Active Directory to a Samba AD. Stick to 2k8r2 or wait for Gaming/Douglas work on that subject. Cheers, Denis> > Respectfully, > > Marc-Henri Pamiseux > > PS: Here is the command invoked and its error message: > > # samba-tool domain join example.com DC -U"MYDOMAIN\marcori" > --dns-backend=SAMBA_INTERNAL --realm=EXAMPLE.COM -W MYDOMAIN > Finding a writeable DC for domain 'example.com' > Found DC SRV-ADM1.example.com > Password for [MYDOMAIN\marcori]: > workgroup is MYDOMAIN > realm is example.com > Adding CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com > Adding > CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com > Adding CN=NTDS > Settings,CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com > DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, > 'WERR_DS_INCOMPATIBLE_VERSION') > Join failed - cleaning up > Deleted CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com > Deleted > CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com > ERROR(runtime): uncaught exception - DsAddEntry failed > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line > 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line > 661, in run > machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in > join_DC > ctx.do_join() > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in > do_join > ctx.join_add_objects() > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 639, in > join_add_objects > ctx.join_add_ntdsdsa() > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 570, in > join_add_ntdsdsa > ctx.DsAddEntry([rec]) > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 521, in > DsAddEntry > raise RuntimeError("DsAddEntry failed") > > # samba -V > Version 4.7.0-Debian >-- Denis Cardon Tranquil IT Systems Les Espaces Jules Verne, bâtiment A 12 avenue Jules Verne 44230 Saint Sébastien sur Loire tel : +33 (0) 2.40.97.57.55 http://www.tranquil-it-systems.fr
Possibly Parallel Threads
- Unable to Join the Active Directory as a Domain Controller
- Unable to Join the Active Directory as a Domain Controller
- Unable to Join the Active Directory as a Domain Controller
- Linux/Windows Domain Controller
- Joining samba4 as a DC to Windows Server 2012 active directory