Rowland Penny
2018-Mar-04 08:54 UTC
[Samba] Error joining Samba 4.7.4 DC to existing Win2008R2 domain
On Sun, 4 Mar 2018 00:14:48 +0100
Claudio Nicora <claudio.nicora at gmail.com> wrote:

> > And I can now confirm that 4.7.4 on the latest Ubuntu 18.04 snapshot
> > joins to a Samba AD domain as a DC.
>
> I'm sure it does, that's why I suspect something is wrong in my
> Win2000-->Win2008R2 upgraded domain AD.
>
> > Another thing that comes to my mind is that the 2008R2 domain was
> > upgraded from an initial Win2000.
> > Win2000-->Samba direct migration is not possible because Samba
> > requires at least a Win2003 domain.
> > So the complete upgrade was Win2000 (SRVAD-OLDOLD) --> Win2008R2
> > (SRVAD-OLD) --> Domain/forest functional level upgrade --> Samba
> > 4.7.4 migration.
> >
> > Could there be something wrong/unexpected in current Win2008R2
> > domain config?
>
> Could you suggest something to check for?
> Even with -d9 there's nothing interesting between the last "Adding
> DNS..." line and "Join failed - cleaning up". There should be an
> explanation of why the join failed, other than "It fails, I'm
> cleaning up".

Not really sure where to go from here, I don't have a windows 2008 DC to
join to, is there anything in the windows event log ?

> > As a side note, it took me longer to give the Ubuntu VM a fixed ip
> > etc than it took to join as a DC and then people ask me why I don't
> > like a certain set of packages ;-)
>
> I agree.
> Netplan is not something I was needing; another (needless) thing to
> learn and yet another configuration format to know (even if I love
> YAML for other things).
>

That's why I didn't use it, I just turned off systemd-resolved and went
back to basics i.e. what I know and like.

Rowland
denis.shigapov
2018-Mar-05 08:55 UTC
[Samba] Error joining Samba 4.7.4 DC to existing Win2008R2 domain
Hi, please run the dcdiag command on the Windows DC.

On Sun, 04/03/2018 at 08:54 +0000, Rowland Penny via samba wrote:
> On Sun, 4 Mar 2018 00:14:48 +0100
> Claudio Nicora <claudio.nicora at gmail.com> wrote:
>
> > > And I can now confirm that 4.7.4 on the latest Ubuntu 18.04 snapshot
> > > joins to a Samba AD domain as a DC.
> >
> > I'm sure it does, that's why I suspect something is wrong in my
> > Win2000-->Win2008R2 upgraded domain AD.
> >
> > > Another thing that comes to my mind is that the 2008R2 domain was
> > > upgraded from an initial Win2000.
> > > Win2000-->Samba direct migration is not possible because Samba
> > > requires at least a Win2003 domain.
> > > So the complete upgrade was Win2000 (SRVAD-OLDOLD) --> Win2008R2
> > > (SRVAD-OLD) --> Domain/forest functional level upgrade --> Samba
> > > 4.7.4 migration.
> > >
> > > Could there be something wrong/unexpected in current Win2008R2
> > > domain config?
> >
> > Could you suggest something to check for?
> > Even with -d9 there's nothing interesting between the last "Adding
> > DNS..." line and "Join failed - cleaning up". There should be an
> > explanation of why the join failed, other than "It fails, I'm
> > cleaning up".
>
> Not really sure where to go from here, I don't have a windows 2008 DC to
> join to, is there anything in the windows event log ?
>
> > > As a side note, it took me longer to give the Ubuntu VM a fixed ip
> > > etc than it took to join as a DC and then people ask me why I don't
> > > like a certain set of packages ;-)
> >
> > I agree.
> > Netplan is not something I was needing; another (needless) thing to
> > learn and yet another configuration format to know (even if I love
> > YAML for other things).
> >
>
> That's why I didn't use it, I just turned off systemd-resolved and went
> back to basics i.e. what I know and like.
>
> Rowland
denis.shigapov
2018-Mar-05 13:15 UTC
[Samba] Error joining Samba 4.7.4 DC to existing Win2008R2 domain
Check the DNS settings for the sambom.Local zone: is it located in
ForestDnsZone or DomainDnsZone? It must be in DomainDnsZone.

Also it is necessary to make sure that in ForestDnsZone there is a zone
_msdcs.sambom.local.

On Sun, 04/03/2018 at 08:54 +0000, Rowland Penny via samba wrote:
> On Sun, 4 Mar 2018 00:14:48 +0100
> Claudio Nicora <claudio.nicora at gmail.com> wrote:
>
> > > And I can now confirm that 4.7.4 on the latest Ubuntu 18.04 snapshot
> > > joins to a Samba AD domain as a DC.
> >
> > I'm sure it does, that's why I suspect something is wrong in my
> > Win2000-->Win2008R2 upgraded domain AD.
> >
> > > Another thing that comes to my mind is that the 2008R2 domain was
> > > upgraded from an initial Win2000.
> > > Win2000-->Samba direct migration is not possible because Samba
> > > requires at least a Win2003 domain.
> > > So the complete upgrade was Win2000 (SRVAD-OLDOLD) --> Win2008R2
> > > (SRVAD-OLD) --> Domain/forest functional level upgrade --> Samba
> > > 4.7.4 migration.
> > >
> > > Could there be something wrong/unexpected in current Win2008R2
> > > domain config?
> >
> > Could you suggest something to check for?
> > Even with -d9 there's nothing interesting between the last "Adding
> > DNS..." line and "Join failed - cleaning up". There should be an
> > explanation of why the join failed, other than "It fails, I'm
> > cleaning up".
>
> Not really sure where to go from here, I don't have a windows 2008 DC to
> join to, is there anything in the windows event log ?
>
> > > As a side note, it took me longer to give the Ubuntu VM a fixed ip
> > > etc than it took to join as a DC and then people ask me why I don't
> > > like a certain set of packages ;-)
> >
> > I agree.
> > Netplan is not something I was needing; another (needless) thing to
> > learn and yet another configuration format to know (even if I love
> > YAML for other things).
> >
>
> That's why I didn't use it, I just turned off systemd-resolved and went
> back to basics i.e. what I know and like.
>
> Rowland
Claudio Nicora
2018-Mar-05 13:23 UTC
[Samba] Error joining Samba 4.7.4 DC to existing Win2008R2 domain
On 05/03/2018 09:55, denis.shigapov via samba wrote:
> Hi, please run the dcdiag command on the Windows DC.

Already did it, both plain dcdiag and dcdiag /test:DNS.
Nothing interesting in the output except for a warning at the end of
/test:dns execution (Warning: Failed to delete the test record
dcdiag-test-record in zone SAMDOM.LOCAL):

================
PS C:\Users\Administrator.SAMDOM> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SRVAD-OLD
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SRVAD-OLD
      Starting test: Connectivity
         ......................... SRVAD-OLD passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SRVAD-OLD
      Starting test: Advertising
         ......................... SRVAD-OLD passed test Advertising
      Starting test: FrsEvent
         ......................... SRVAD-OLD passed test FrsEvent
      Starting test: DFSREvent
         ......................... SRVAD-OLD passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SRVAD-OLD passed test SysVolCheck
      Starting test: KccEvent
         ......................... SRVAD-OLD passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SRVAD-OLD passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SRVAD-OLD passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SRVAD-OLD passed test NCSecDesc
      Starting test: NetLogons
         ......................... SRVAD-OLD passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SRVAD-OLD passed test ObjectsReplicated
      Starting test: Replications
         ......................... SRVAD-OLD passed test Replications
      Starting test: RidManager
         ......................... SRVAD-OLD passed test RidManager
      Starting test: Services
         ......................... SRVAD-OLD passed test Services
      Starting test: SystemLog
         ......................... SRVAD-OLD passed test SystemLog
      Starting test: VerifyReferences
         ......................... SRVAD-OLD passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : SAMDOM
      Starting test: CheckSDRefDom
         ......................... SAMDOM passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... SAMDOM passed test CrossRefValidation

   Running enterprise tests on : SAMDOM.LOCAL
      Starting test: LocatorCheck
         ......................... SAMDOM.LOCAL passed test LocatorCheck
      Starting test: Intersite
         ......................... SAMDOM.LOCAL passed test Intersite

PS C:\Users\Administrator.SAMDOM> dcdiag /test:DNS

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SRVAD-OLD
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SRVAD-OLD
      Starting test: Connectivity
         ......................... SRVAD-OLD passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SRVAD-OLD
      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... SRVAD-OLD passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : SAMDOM

   Running enterprise tests on : SAMDOM.LOCAL
      Starting test: DNS
         Test results for domain controllers:

            DC: SRVAD-OLD.samdom.local
            Domain: SAMDOM.LOCAL

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone SAMDOM.LOCAL

            SRVAD-OLD                    PASS PASS PASS PASS WARN PASS n/a
         ......................... SAMDOM.LOCAL passed test DNS
================

> Not really sure where to go from here, I don't have a windows 2008 DC to
> join to, is there anything in the windows event log ?

Did you run your tests on a newer (2012/2016) or older (2003) Windows
Server version?
Since I'm upgrading from 2000 and using a temporary Windows server in
between 2000 --> Samba, it's indifferent to me what trial Windows Server
version to use.

Event viewer "Directory services" log contains this record, created just
after the failed join attempt (and a new record is created at each
attempt, so I'm sure it's related to them):

======
The attempt to establish a replication link for the following writable
directory partition failed.

Directory partition:
DC=ForestDnsZones,DC=SAMDOM,DC=LOCAL
Source directory service:
CN=NTDS Settings,CN=SRVAD-NEW,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SAMDOM,DC=LOCAL
Source directory service address:
74d3c251-b6dd-4018-b6a3-4cbc02bcb383._msdcs.SAMDOM.LOCAL
Intersite transport (if any):

This directory service will be unable to replicate with the source
directory service until this problem is corrected.

User Action
Verify if the source directory service is accessible or network
connectivity is available.

Additional Data
Error value:
1722 The RPC server is unavailable.
=====

The reported missing "74d3c251-b6dd-4018-b6a3-4cbc02bcb383._msdcs.SAMDOM.LOCAL"
value is the same that fails in samba-tool join log.
It seems to me that it's trying to update the DNS on the samba machine,
which is not yet available because its config files are generated at the
end of "samba-tool join" run.

>> That's why I didn't use it, I just turned off systemd-resolved and went
>> back to basics i.e. what I know and like.
>>
>> Rowland

Same here ;)

Claudio
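The dcdiag output above is long and the one interesting line (the Dyn WARN and its explanation) is easy to miss. The following is an added example, not code from the thread or from Samba or Microsoft: a small parser for dcdiag output that pulls out every test that did not pass, the per-DC row of the DNS summary table, and the Warning/Error lines that explain it. The sample input is a constructed, shortened excerpt in the shape of the output Claudio posted. The summary column names (Auth, Basc, Forw, Del, Dyn, RReg, Ext) are assumed from dcdiag's standard table header, which the quoted output does not include.

```python
import re

# Constructed, shortened excerpt in the shape of the dcdiag output posted in the
# thread (the full run had many more "passed test" lines; these are enough for the parser).
SAMPLE_OUTPUT = """\
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SRVAD-OLD
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\\SRVAD-OLD
      Starting test: Connectivity
         ......................... SRVAD-OLD passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\SRVAD-OLD
      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... SRVAD-OLD passed test DNS

   Running enterprise tests on : SAMDOM.LOCAL
      Starting test: DNS
         Test results for domain controllers:

            DC: SRVAD-OLD.samdom.local
            Domain: SAMDOM.LOCAL

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone SAMDOM.LOCAL

            SRVAD-OLD                    PASS PASS PASS PASS WARN PASS n/a
         ......................... SAMDOM.LOCAL passed test DNS
"""

# Column order of dcdiag's DNS summary table (assumed from the standard header,
# which the quoted output does not show).
DNS_COLUMNS = ("Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext")

# "......................... <target> passed|failed test <name>"
RESULT_RE = re.compile(r"^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")
# "<dc>   PASS PASS PASS PASS WARN PASS n/a"  (exactly seven statuses)
SUMMARY_RE = re.compile(r"^\s*(\S+)\s+((?:PASS|FAIL|WARN|n/a)(?:\s+(?:PASS|FAIL|WARN|n/a)){6})\s*$")
# "Warning: ..." / "Error: ..." explanation lines under a sub-test
MESSAGE_RE = re.compile(r"^\s*(Warning|Error):\s*(.+?)\s*$")


def parse_dcdiag(text):
    """Turn dcdiag output into {tests, dns_summary, messages}."""
    report = {"tests": [], "dns_summary": {}, "messages": []}
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            target, verdict, name = m.groups()
            report["tests"].append((target, name, verdict))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            dc, cols = m.groups()
            report["dns_summary"][dc] = dict(zip(DNS_COLUMNS, cols.split()))
            continue
        m = MESSAGE_RE.match(line)
        if m:
            report["messages"].append((m.group(1), m.group(2)))
    return report


def findings(report):
    """Everything an operator should look at: failed tests, DNS sub-tests that are
    neither PASS nor n/a, and the explanatory Warning/Error lines."""
    out = []
    for target, name, verdict in report["tests"]:
        if verdict != "passed":
            out.append(f"{target}: test {name} {verdict}")
    for dc, cols in report["dns_summary"].items():
        for col, status in cols.items():
            if status not in ("PASS", "n/a"):
                out.append(f"{dc}: DNS sub-test {col} = {status}")
    for level, msg in report["messages"]:
        out.append(f"{level}: {msg}")
    return out


if __name__ == "__main__":
    for line in findings(parse_dcdiag(SAMPLE_OUTPUT)):
        print(line)
```

Feeding it the full output of `dcdiag` and `dcdiag /test:DNS` gives a short list that can be kept with the change record of a migration, so a WARN that was present before the join is not mistaken for something the join caused.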
Claudio Nicora
2018-Mar-05 13:30 UTC
[Samba] Error joining Samba 4.7.4 DC to existing Win2008R2 domain
> Check the DNS settings for the sambom.Local zone: is it located in
> ForestDnsZone or DomainDnsZone? It must be in DomainDnsZone.
>
> Also it is necessary to make sure that in ForestDnsZone there is a zone
> _msdcs.sambom.local.

Both ForestDnsZone and DomainDnsZone only contain "_sites" and "_tcp"
domains, no "_msdcs".
Tried to create "_msdcs" zones manually but got the same failure in
samba-tool join.

Claudio
Claudio Nicora
2018-Mar-06 11:39 UTC
[Samba] Error joining Samba 4.7.4 DC to existing Win2008R2 domain
On 06/03/2018 05:36, denis.shigapov wrote:
> It is also desirable to check the access rights to DomainDnsZones and
> subfolders, this can be done through the ADSI editor.

Thanks Denis, one of the screenshots attached to your message
(reattached here) turned on the light on my issue, you're the winner ;)

It seems that my Win2000-->Win2008R2 DNS upgrade went wrong or, at
least, it was incomplete.
I was completely missing the new "_msdcs.samdom.local" zone, I only had
a subdomain "_msdcs" under the main "samdom.local" domain.
All DNS tests I've done worked, because they were returning records from
the "_msdcs.samdom.local" subdomain and not from the root of the missing
"_msdcs.samdom.local" zone.
(in my head having both a subdomain and a zone with the same name is a
mess, but that's another story...)

Now, looking at the attached picture turned the light on; I've manually
created the missing zone:

* created the new "_msdcs.samdom.local" zone on SRVAD-OLD
* set it to replicate forest-wide (some records should appear
  automatically)
* set domain zone "samdom.local" and its reverse zone to replicate
  domain-wide
* run these commands:
    net stop netlogon
    net start netlogon
    nltest /dsregdns

After these steps the join completed without issues at first shot.
I've also reverted back to initial snapshots and retested the whole join
again and I can confirm it works!

Thanks to all the people that helped me solve the issue.

Cheers
Claudio
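The root cause Claudio found is a layout problem that standard DNS lookups do not reveal: `_msdcs` existed only as a subdomain inside `samdom.local`, not as its own forest-wide zone, so the new DC's GUID CNAME (the `74d3c251-...._msdcs.SAMDOM.LOCAL` name from the event log) never ended up where replication partners look for it. The following is an added example, not code from the thread, from Samba or from Microsoft: a pre-join check that models the zones as a DC administrator would read them off the DNS server and reports, for one DC, whether the `_msdcs` zone is separate, whether each zone has the replication scope Claudio set (domain zone domain-wide, `_msdcs` forest-wide), and whether the DC's GUID CNAME and core `dc` SRV records are present. It goes a little beyond the thread in checking any DC, not only the joining one. The zone inventory is constructed: the new DC's GUID is the one from Claudio's event log, the old DC's GUID and the IP addresses are made up, and the record names are the standard AD `_msdcs` names.

```python
from dataclasses import dataclass

SITE = "Default-First-Site-Name"


@dataclass
class Zone:
    """A DNS zone as it would be read off the Windows DC (constructed model, not a live query)."""
    name: str
    scope: str      # AD-integrated replication scope: "domain" or "forest"
    records: list   # (owner name, record type, target) tuples


def expected_msdcs_records(domain, dc_fqdn, dc_guid, site=SITE):
    """The _msdcs records a DC must have registered: the GUID CNAME that replication
    partners resolve (the name that failed in Claudio's event log) and the core
    dc SRV records. These are standard AD names, not Samba- or thread-specific."""
    msdcs = f"_msdcs.{domain}"
    return [
        (f"{dc_guid}.{msdcs}", "CNAME", dc_fqdn),
        (f"_ldap._tcp.dc.{msdcs}", "SRV", dc_fqdn),
        (f"_kerberos._tcp.dc.{msdcs}", "SRV", dc_fqdn),
        (f"_ldap._tcp.{site}._sites.dc.{msdcs}", "SRV", dc_fqdn),
    ]


def check_dns_layout(zones, domain, dc_fqdn, dc_guid):
    """Return findings for one DC; an empty list means the layout is what a join expects."""
    findings = []
    domain = domain.lower()
    msdcs = f"_msdcs.{domain}"
    by_name = {z.name.lower(): z for z in zones}

    dom_zone = by_name.get(domain)
    if dom_zone is None:
        return [f"zone {domain} does not exist"]
    if dom_zone.scope != "domain":
        findings.append(f"zone {domain} replicates {dom_zone.scope}-wide, expected domain-wide")

    msdcs_zone = by_name.get(msdcs)
    if msdcs_zone is None:
        # Claudio's broken state: _msdcs was only a subdomain inside samdom.local.
        findings.append(f"no separate zone {msdcs}: _msdcs exists only as a subdomain of {domain}")
        records = dom_zone.records
    else:
        if msdcs_zone.scope != "forest":
            findings.append(f"zone {msdcs} replicates {msdcs_zone.scope}-wide, expected forest-wide")
        records = msdcs_zone.records

    # DNS names are case-insensitive; compare everything lower-cased.
    have = {(owner.lower(), rtype, target.lower()) for owner, rtype, target in records}
    for owner, rtype, target in expected_msdcs_records(domain, dc_fqdn, dc_guid):
        if (owner.lower(), rtype, target.lower()) not in have:
            findings.append(f"missing {rtype} record {owner} -> {target}")
    return findings


# Constructed inventory. The new DC's GUID is the one from Claudio's event log
# entry; the old DC's GUID and the IP addresses are made up.
OLD_DC = ("SRVAD-OLD.samdom.local", "2a0f6f33-6c6b-4f60-9e8f-0c2b6d3e7a11")
NEW_DC = ("SRVAD-NEW.samdom.local", "74d3c251-b6dd-4018-b6a3-4cbc02bcb383")

# Before the fix: one zone, _msdcs only as a subdomain, nothing for the joining DC.
BROKEN = [
    Zone("samdom.local", "domain",
         [("SRVAD-OLD.samdom.local", "A", "192.0.2.10")]
         + expected_msdcs_records("samdom.local", *OLD_DC)),
]

# After the fix: _msdcs.samdom.local is its own forest-wide zone holding both DCs' records.
FIXED = [
    Zone("samdom.local", "domain",
         [("SRVAD-OLD.samdom.local", "A", "192.0.2.10"),
          ("SRVAD-NEW.samdom.local", "A", "192.0.2.11")]),
    Zone("_msdcs.samdom.local", "forest",
         expected_msdcs_records("samdom.local", *OLD_DC)
         + expected_msdcs_records("samdom.local", *NEW_DC)),
]

if __name__ == "__main__":
    for label, zones in (("broken", BROKEN), ("fixed", FIXED)):
        for dc in (OLD_DC, NEW_DC):
            print(label, dc[0], check_dns_layout(zones, "samdom.local", *dc) or "OK")
```

Run against the broken inventory the old DC gets only the "no separate zone" finding (its records were answerable from the subdomain, which is why the plain DNS tests looked fine), while the new DC additionally has every `_msdcs` record missing, which matches the 1722 replication-link error. After the fix both DCs come back clean; a wrong replication scope on the new zone is reported on its own.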