thr3ads.net - samba - [Samba] Samba Join error: WERR_DS_ADD_REPLICA

If this information is useful, please help other people find it:
Share via:

Nicolás Hermida

2025-Jun-17 20:04 UTC

[Samba] Samba Join error: WERR_DS_ADD_REPLICA_INHIBITED

Hi everyone.

We have an Active Directory environment with a WS 2008 R2 functional
level. There are two Windows Server, one is a 2008 R2 and the other a 2016.
We started the
task of migrating these servers to Samba. We prepared a virtual machine
with Debian 12 and Samba 4.17.12.

The actual replication is based on DFS-R. As we intend there is no rollback
for this, but there is a workaround with robocopy.

So we have:
SERVER1: Windows Server 2008 R2 Domain Controller (owner of the FSMO roles)
SERVER2: Windows Server 2016 Domain Controller
SERVER3: Debian 12 with Samba 4.17.12

When we try to make the join of the SERVER3 (Debian) we get this error:
WERR_DS_ADD_REPLICA_INHIBITED
At the end I paste the full output of the join process for your review.

We have found in older posts that an option is to compile and use an older
version of Samba 4.7. As this post said this version do not make some
checks and could bypass this "WERR_DS_ADD_REPLICA_INHIBITED" error,
but it
may carry other ones.

Any idea how we can solve this Debian Samba Join issue?

Here you have a copy of the main configuration files:
-- /etc/samba/smb.conf
# Global parameters
[global]
netbios name = SERVER3
realm = VIAMONTE.LAN
server role = active directory domain controller
workgroup = VIAMONTE

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/viamonte.iecs/scripts
read only = No

-- /etc/hosts
127.0.0.1 localhost
192.168.0.239 server3.viamonte.lan server3

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-- /etc/resolv.conf
nameserver 192.168.0.254
nameserver 192.168.0.252


FULL JOIN OUTPUT:
root at dc05:~# samba-tool domain join viamonte.lan DC
-U"viamonte\sysadminUser" --dns-backend=SAMBA_INTERNAL
INFO 2025-05-28 17:14:34,329 pid:992
/usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable DC
for domain 'viamonte.lan'
INFO 2025-05-28 17:14:34,338 pid:992
/usr/lib/python3/dist-packages/samba/join.py #108: Found DC
SERVER1.viamonte.lan
Password for [VIAMONTE\sysadminUser]:
INFO 2025-05-28 17:14:37,882 pid:992
/usr/lib/python3/dist-packages/samba/join.py #1582: workgroup is VIAMONTE
INFO 2025-05-28 17:14:37,882 pid:992
/usr/lib/python3/dist-packages/samba/join.py #1585: realm is viamonte.lan
Adding CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
Adding
CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
Adding CN=NTDS
Settings,CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
Adding SPNs to CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
Setting account password for DC05$
Enabling account
Calling bare provision
INFO 2025-05-28 17:14:38,529 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #2108: Looking
up IPv4 addresses
INFO 2025-05-28 17:14:38,529 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #2125: Looking
up IPv6 addresses
WARNING 2025-05-28 17:14:38,530 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #2132: No IPv6
address will be assigned
INFO 2025-05-28 17:14:38,833 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #2278: Setting
up secrets.ldb
INFO 2025-05-28 17:14:39,025 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #2283: Setting
up the registry
INFO 2025-05-28 17:14:39,136 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #2286: Setting
up the privileges database
INFO 2025-05-28 17:14:39,522 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #2289: Setting
up idmap db
INFO 2025-05-28 17:14:39,797 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #2296: Setting
up SAM db
INFO 2025-05-28 17:14:39,865 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #880: Setting up
sam.ldb partitions and settings
INFO 2025-05-28 17:14:39,866 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #892: Setting up
sam.ldb rootDSE
INFO 2025-05-28 17:14:39,922 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #1305:
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on
local domainSIDs

INFO 2025-05-28 17:14:40,113 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #2348: A
Kerberos configuration suitable for Samba AD has been generated at
/var/lib/samba/private/krb5.conf
INFO 2025-05-28 17:14:40,113 pid:992
/usr/lib/python3/dist-packages/samba/provision/__init__.py #2350: Merge the
contents of this file with your system krb5.conf or replace it with this
one. Do not create a symlink!
Provision OK for domain DN DC=viamonte,DC=lan
INFO 2025-05-28 17:14:40,156 pid:992
/usr/lib/python3/dist-packages/samba/join.py #940: Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan] objects[402/1328]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan] objects[804/1328]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan] objects[1206/1328]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan] objects[1608/1328]
linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan] objects[1773/1328]
linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[402/2037]
linked_values[0/67]
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[804/2037]
linked_values[0/67]
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1206/2037]
linked_values[0/67]
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1608/2037]
linked_values[10/67]
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1898/2037]
linked_values[67/67]
dsdb_replicated_objects_convert: Ignoring object outside partition
cf1247a6-cab9-4041-8541-76d924301fa5
CN=Schema,CN=Configuration,DC=viamonte,DC=lan: WERR_DS_ADD_REPLICA_INHIBITED
Replicating critical objects from the base DN of the domain
Partition[DC=viamonte,DC=lan] objects[119/198] linked_values[10/294]
Partition[DC=viamonte,DC=lan] objects[243/3109] linked_values[0/294]
Partition[DC=viamonte,DC=lan] objects[412/3109] linked_values[0/294]
Partition[DC=viamonte,DC=lan] objects[623/3109] linked_values[177/294]
Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
Missing target object - retrying with DRS_GET_TGT
Partition[DC=viamonte,DC=lan] objects[812/3109] linked_values[277/294]
Partition[DC=viamonte,DC=lan] objects[998/3109] linked_values[475/294]
Partition[DC=viamonte,DC=lan] objects[1129/3109] linked_values[491/294]
dsdb_replicated_objects_convert: Ignoring object outside partition
f8e9f320-a7a8-466e-9813-9291b4a0887a CN=Configuration,DC=viamonte,DC=lan:
WERR_DS_ADD_REPLICA_INHIBITED
dsdb_replicated_objects_convert: Ignoring object outside partition
83dff523-3add-4db8-8418-d98304629e8a DC=DomainDnsZones,DC=viamonte,DC=lan:
WERR_DS_ADD_REPLICA_INHIBITED
dsdb_replicated_objects_convert: Ignoring object outside partition
1325c57e-9ef3-45c8-b81b-1b8c8c8cd574 DC=ForestDnsZones,DC=viamonte,DC=lan:
WERR_DS_ADD_REPLICA_INHIBITED
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=viamonte,DC=lan
Partition[DC=DomainDnsZones,DC=viamonte,DC=lan] objects[66/66]
linked_values[0/0]
Replicating DC=ForestDnsZones,DC=viamonte,DC=lan
Partition[DC=ForestDnsZones,DC=viamonte,DC=lan] objects[25/25]
linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=viamonte,DC=lan] objects[3]
linked_values[0]
INFO 2025-05-28 17:14:46,859 pid:992
/usr/lib/python3/dist-packages/samba/join.py #1060: Committing SAM database
- this may take some time
Repacking database from v1 to v2 format (first record
CN=Person,CN=Schema,CN=Configuration,DC=viamonte,DC=lan)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record
CN=msCOM-Partition-Display,CN=413,CN=DisplaySpecifiers,CN=Configuration,DC=viamonte,DC=lan)
Repacking database from v1 to v2 format (first record
DC=NB-lan-169,DC=viamonte.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=viamonte,DC=lan)
Repacking database from v1 to v2 format (first record
DC=dc04.viamonte.lan.,DC=_msdcs.viamonte.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=viamonte,DC=lan)
Repacking database from v1 to v2 format (first record
CN=WS40,CN=Computers,DC=viamonte,DC=lan)
An operation failed during a batch mode transaction, the transaction was
rolled back
Join failed - cleaning up
Deleted CN=RID Set,CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
Deleted CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
Deleted CN=NTDS
Settings,CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
Deleted
CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
ERROR(ldb): uncaught exception - end_trans error on DC=viamonte,DC=lan: An
operation failed during a batch mode transaction, the transaction was
rolled back
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
185,
in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line
702,
in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1598, in
join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1488, in
do_join
    ctx.join_replicate()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1077, in
join_replicate
    ctx.local_samdb.transaction_commit()

Rowland Penny

2025-Jun-17 20:26 UTC

head link

[Samba] Samba Join error: WERR_DS_ADD_REPLICA_INHIBITED

On Tue, 17 Jun 2025 17:04:15 -0300
Nicol?s Hermida via samba <samba at lists.samba.org> wrote:
> Hi everyone.
> 
> We have an Active Directory environment with a WS 2008 R2 functional
> level. There are two Windows Server, one is a 2008 R2 and the other a
> 2016. We started the
> task of migrating these servers to Samba. We prepared a virtual
> machine with Debian 12 and Samba 4.17.12.
> 
> The actual replication is based on DFS-R. As we intend there is no
> rollback for this, but there is a workaround with robocopy.
> 
> So we have:
> SERVER1: Windows Server 2008 R2 Domain Controller (owner of the FSMO
> roles) SERVER2: Windows Server 2016 Domain Controller
> SERVER3: Debian 12 with Samba 4.17.12
> 
> When we try to make the join of the SERVER3 (Debian) we get this
> error: WERR_DS_ADD_REPLICA_INHIBITED
> At the end I paste the full output of the join process for your
> review.
> 
> We have found in older posts that an option is to compile and use an
> older version of Samba 4.7. As this post said this version do not
> make some checks and could bypass this
> "WERR_DS_ADD_REPLICA_INHIBITED" error, but it may carry other
ones.
> 
> Any idea how we can solve this Debian Samba Join issue?
> 
Never had this problem, but then again I do not use Windows DCs, but I
wonder if your problem isn't that your Samba isn't old enough, it
isn't
new enough.

Read this:

https://wiki.samba.org/index.php/Samba_4.20_Features_added/changed#AD_DC_support_for_Authentication_Silos_and_Authentication_Policies

Then try again with Samba from bookworm-backports, this will get you
4.22.2

Rowland

samba - Jun 2025 - Samba Join error: WERR_DS_ADD_REPLICA_INHIBITED

[Samba] Samba Join error: WERR_DS_ADD_REPLICA_INHIBITED

[Samba] Samba Join error: WERR_DS_ADD_REPLICA_INHIBITED