Marc-Henri Pamiseux
2017-Dec-20 21:55 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
Hello,

I am trying to use Samba in version 4.7.0 as a replication of an Active Directory running on Windows 2012-R2.

For that, I execute the process described on this page:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

When I run the command to join the domain controller, samba-tool returns the following error:
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')

I read the documentation that specifies which version of Samba is compatible with the version of the Active Directory schema:
https://wiki.samba.org/index.php/AD_Schema_Version_Support

I was able to check on the Windows 2012-R2 server that the Active Directory schema is in version 69, so theoretically compatible with Samba 4.7.

User "MYDOMAIN\marcori" is a domain admin.
Do you have a way to explore further?

Respectfully,

Marc-Henri Pamiseux

PS: Here is the command invoked and its error message:

# samba-tool domain join example.com DC -U"MYDOMAIN\marcori" --dns-backend=SAMBA_INTERNAL --realm=EXAMPLE.COM -W MYDOMAIN
Finding a writeable DC for domain 'example.com'
Found DC SRV-ADM1.example.com
Password for [MYDOMAIN\marcori]:
workgroup is MYDOMAIN
realm is example.com
Adding CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
Adding CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up
Deleted CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(runtime): uncaught exception - DsAddEntry failed
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 639, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 570, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 521, in DsAddEntry
    raise RuntimeError("DsAddEntry failed")

# samba -V
Version 4.7.0-Debian

--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97
Luke Barone
2017-Dec-20 22:37 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
What is the schema level on your Server 2012?

On Wed, Dec 20, 2017 at 1:55 PM, Marc-Henri Pamiseux via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I am trying to use Samba in version 4.7.0 as a replication of an Active
> Directory running on Windows 2012-R2.
>
> For that, I execute the process described on this page:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> When I run the command to join the domain controller, samba-tool returns
> the following error:
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> 'WERR_DS_INCOMPATIBLE_VERSION')
>
> I read the documentation that specifies which version of Samba is
> compatible with the version of the Active Directory schema:
> https://wiki.samba.org/index.php/AD_Schema_Version_Support
>
> I was able to check on the Windows 2012-R2 server that the Active
> Directory schema is in version 69, so theoretically compatible with
> Samba 4.7.
>
> User "MYDOMAIN\marcori" is a domain admin.
> Do you have a way to explore further?
Marc-Henri Pamiseux
2017-Dec-20 23:31 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
Hello Luke,

I think you have not seen this line: "Active Directory schema is in version 69".
So, schema level is 69.

Respectfully

--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97

On 20/12/2017 at 23:37, Luke Barone wrote:

> What is the schema level on your Server 2012?
>
> On Wed, Dec 20, 2017 at 1:55 PM, Marc-Henri Pamiseux via samba
> I was able to check on the Windows 2012-R2 server that the Active
> Directory schema is in version 69, so theoretically compatible with
> Samba 4.7.
Garming Sam
2017-Dec-21 00:55 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
I don't think it should be the schema that is the problem, but the domain functionality level the 2012 server is operating at. We currently only operate at 2008 R2 functional level (although there are some patches currently pending to change some aspects of that). If it's running at the 2012 R2 functional level, it would have to be downgraded first (or re-promoted to only be using 2008 R2 functionality).

Cheers,

Garming

On 21/12/17 10:55, Marc-Henri Pamiseux via samba wrote:

> Hello,
>
> I am trying to use Samba in version 4.7.0 as a replication of an Active
> Directory running on Windows 2012-R2.
>
> For that, I execute the process described on this page:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> When I run the command to join the domain controller, samba-tool returns
> the following error:
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> 'WERR_DS_INCOMPATIBLE_VERSION')
>
> I read the documentation that specifies which version of Samba is
> compatible with the version of the Active Directory schema:
> https://wiki.samba.org/index.php/AD_Schema_Version_Support
>
> I was able to check on the Windows 2012-R2 server that the Active
> Directory schema is in version 69, so theoretically compatible with
> Samba 4.7.
>
> User "MYDOMAIN\marcori" is a domain admin.
> Do you have a way to explore further?
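The check Garming Sam describes in the message above, as an added example that is not part of the thread or of Samba's code: it reads LDIF in the form printed by ldbsearch or ldapsearch and reports domain or forest functional levels above 2008 R2, separately from the schema version. The sample LDIF is constructed, the function names are hypothetical, and the 2008 R2 ceiling for Samba 4.7 is an assumption taken from that message.

```python
import re

# msDS-Behavior-Version values Active Directory uses for functional levels.
LEVELS = {0: "2000", 2: "2003", 3: "2008", 4: "2008 R2",
          5: "2012", 6: "2012 R2", 7: "2016"}
SAMBA_MAX_LEVEL = 4  # assumption from the thread: Samba 4.7 operates at 2008 R2

# Constructed sample shaped like ldbsearch/ldapsearch LDIF output.
SAMPLE_LDIF = """\
dn: CN=Schema,CN=Configuration,DC=example,DC=com
objectVersion: 69

dn: DC=example,DC=com
msDS-Behavior-Version: 6

dn: CN=Partitions,CN=Configuration,DC=example,DC=com
msDS-Behavior-Version: 6

dn: CN=NTDS Settings,CN=SRV-ADM1,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=example,DC=com
msDS-Behavior-Version: 6
"""

def parse_ldif(text):
    """Unfold continuation lines, then return one {attr: value} dict per record."""
    text = re.sub(r"\n ", "", text)
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#") and ":" in line:
                key, _, value = line.partition(":")
                rec[key.lower()] = value.strip()
        if rec:
            records.append(rec)
    return records

def join_blockers(text, max_level=SAMBA_MAX_LEVEL):
    """Return (scope, level name) for each domain/forest level above max_level."""
    blockers = []
    for rec in parse_ldif(text):
        dn, level = rec.get("dn", ""), rec.get("msds-behavior-version")
        if level is None or dn.upper().startswith("CN=NTDS SETTINGS,"):
            continue  # a DC's own capability level does not set the domain level
        scope = "forest" if dn.upper().startswith("CN=PARTITIONS,") else "domain"
        if int(level) > max_level:
            blockers.append((scope, LEVELS.get(int(level), "unknown")))
    return blockers

if __name__ == "__main__":
    for scope, name in join_blockers(SAMPLE_LDIF):
        print(f"{scope} functional level is {name}; above 2008 R2")
```

The schema record (objectVersion 69) never appears in the result: schema version and functional level are separate settings, and a 2012 R2 DC whose domain and forest run at 2008 R2 produces no blockers.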
Marc-Henri Pamiseux
2017-Dec-21 08:44 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
Hello Garming,

In the link above (sorry, it's in French), I can read how to downgrade a feature level of a 2012-R2 domain to work in 2008 R2.
https://sloze.wordpress.com/2014/06/18/active-directory-diminuer-le-niveau-fonctionnel-dune-foret-etou-dun-domaine-2/

Here is the English version of the Set-ADDomainMode command:
https://technet.microsoft.com/fr-fr/library/hh852281(v=wps.630).aspx

Has anyone ever successfully used this command?

Respectfully,

--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97

On 21/12/2017 at 01:55, Garming Sam wrote:

> I don't think it should be the schema that is the problem, but the
> domain functionality level the 2012 server is operating at. We currently
> only operate at 2008 R2 functional level (although there are some
> patches currently pending to change some aspects of that). If it's
> running at the 2012 R2 functional level, it would have to be downgraded
> first (or re-promoted to only be using 2008 R2 functionality).
>
> Cheers,
>
> Garming
Denis Cardon
2017-Dec-21 14:35 UTC
[Samba] Unable to Join the Active Directory as a Domain Controller
Hi Marc-Henri Pamiseux,

> I am trying to use Samba in version 4.7.0 as a replication of an Active
> Directory running on Windows 2012-R2.
>
> For that, I execute the process described on this page:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> When I run the command to join the domain controller, samba-tool returns
> the following error:
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> 'WERR_DS_INCOMPATIBLE_VERSION')
>
> I read the documentation that specifies which version of Samba is
> compatible with the version of the Active Directory schema:
> https://wiki.samba.org/index.php/AD_Schema_Version_Support
>
> I was able to check on the Windows 2012-R2 server that the Active
> Directory schema is in version 69, so theoretically compatible with
> Samba 4.7.

In the small print, one can read "69 :* Experimental support. To report problems, click https://bugzilla.samba.org". With such a warning I wouldn't put that in production...

> User "MYDOMAIN\marcori" is a domain admin.
> Do you have a way to explore further?

I think you can explore the page
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

TL;DR: with current samba releases, it is not possible to join a win2k12 or above Active Directory to a Samba AD. Stick to 2k8r2 or wait for Garming/Douglas work on that subject.

Cheers,

Denis

> Respectfully,
>
> Marc-Henri Pamiseux
>
> PS: Here is the command invoked and its error message:
>
> # samba-tool domain join example.com DC -U"MYDOMAIN\marcori"
> --dns-backend=SAMBA_INTERNAL --realm=EXAMPLE.COM -W MYDOMAIN
> Finding a writeable DC for domain 'example.com'
> Found DC SRV-ADM1.example.com
> Password for [MYDOMAIN\marcori]:
> workgroup is MYDOMAIN
> realm is example.com
> Adding CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
> Adding
> CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> Adding CN=NTDS
> Settings,CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> 'WERR_DS_INCOMPATIBLE_VERSION')
> Join failed - cleaning up
> Deleted CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
> Deleted
> CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ERROR(runtime): uncaught exception - DsAddEntry failed
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 661, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in
> do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 639, in
> join_add_objects
>     ctx.join_add_ntdsdsa()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 570, in
> join_add_ntdsdsa
>     ctx.DsAddEntry([rec])
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 521, in
> DsAddEntry
>     raise RuntimeError("DsAddEntry failed")
>
> # samba -V
> Version 4.7.0-Debian
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr