Rowland Penny
2025-Jun-17 20:26 UTC
[Samba] Samba Join error: WERR_DS_ADD_REPLICA_INHIBITED
On Tue, 17 Jun 2025 17:04:15 -0300
Nicolás Hermida via samba <samba at lists.samba.org> wrote:

> Hi everyone.
>
> We have an Active Directory environment with a WS 2008 R2 functional
> level. There are two Windows Servers, one is a 2008 R2 and the other a
> 2016. We started the task of migrating these servers to Samba. We
> prepared a virtual machine with Debian 12 and Samba 4.17.12.
>
> The actual replication is based on DFS-R. As we intend there is no
> rollback for this, but there is a workaround with robocopy.
>
> So we have:
> SERVER1: Windows Server 2008 R2 Domain Controller (owner of the FSMO
> roles)
> SERVER2: Windows Server 2016 Domain Controller
> SERVER3: Debian 12 with Samba 4.17.12
>
> When we try to make the join of the SERVER3 (Debian) we get this
> error: WERR_DS_ADD_REPLICA_INHIBITED
> At the end I paste the full output of the join process for your
> review.
>
> We have found in older posts that an option is to compile and use an
> older version of Samba 4.7. As this post said this version does not
> make some checks and could bypass this
> "WERR_DS_ADD_REPLICA_INHIBITED" error, but it may carry other ones.
>
> Any idea how we can solve this Debian Samba Join issue?
>

Never had this problem, but then again I do not use Windows DCs, but I wonder if your problem isn't that your Samba isn't old enough, it isn't new enough.

Read this:

https://wiki.samba.org/index.php/Samba_4.20_Features_added/changed#AD_DC_support_for_Authentication_Silos_and_Authentication_Policies

Then try again with Samba from bookworm-backports, this will get you 4.22.2

Rowland

Nicolás Hermida
2025-Jun-23 17:23 UTC
[Samba] Samba Join error: WERR_DS_ADD_REPLICA_INHIBITED
Thank you Rowland for always being there to help us.

I have updated Samba from bookworm-backports:

# apt-cache policy samba
samba:
  Installed: 2:4.22.2+dfsg-1~bpo12+1
  Candidate: 2:4.22.2+dfsg-1~bpo12+1
  Version table:
 *** 2:4.22.2+dfsg-1~bpo12+1 100
        100 http://deb.debian.org/debian bookworm-backports/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.17.12+dfsg-0+deb12u1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages

I do not understand how I can use this, because I have domain functional level 2008 R2, and not 2012 R2. Perhaps I am not understanding the documentation:

https://wiki.samba.org/index.php/Samba_4.20_Features_added/changed#AD_DC_support_for_Authentication_Silos_and_Authentication_Policies

You are trying to tell me to first raise the domain functional level and then retry the process with Samba taking into account the configurations shown in the link?

After updating the Samba version, I have tried again to make the join, but it fails again:

root at dc05:/etc/apt/sources.list.d# samba-tool domain join viamonte.lan DC -U"viamonte\sysadminUser" --dns-backend=SAMBA_INTERNAL
INFO 2025-06-23 14:02:09,375 pid:74534 /usr/lib/python3/dist-packages/samba/join.py #104: Finding a writeable DC for domain 'viamonte.lan'
INFO 2025-06-23 14:02:09,385 pid:74534 /usr/lib/python3/dist-packages/samba/join.py #106: Found DC SERVER1.viamonte.lan
Password for [VIAMONTE\sysadminUser]:
INFO 2025-06-23 14:02:12,885 pid:74534 /usr/lib/python3/dist-packages/samba/join.py #1605: workgroup is VIAMONTE
INFO 2025-06-23 14:02:12,885 pid:74534 /usr/lib/python3/dist-packages/samba/join.py #1608: realm is viamonte.lan
Adding CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
Adding CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
Adding CN=NTDS Settings,CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
Adding SPNs to CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
Setting account password for DC05$
Enabling account
Calling bare provision
INFO 2025-06-23 14:02:14,114 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2112: Looking up IPv4 addresses
INFO 2025-06-23 14:02:14,115 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2129: Looking up IPv6 addresses
WARNING 2025-06-23 14:02:14,115 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2136: No IPv6 address will be assigned
INFO 2025-06-23 14:02:14,478 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2306: Setting up secrets.ldb
INFO 2025-06-23 14:02:14,694 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2311: Setting up the registry
INFO 2025-06-23 14:02:14,844 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2314: Setting up the privileges database
INFO 2025-06-23 14:02:15,245 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2317: Setting up idmap db
INFO 2025-06-23 14:02:16,214 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2324: Setting up SAM db
INFO 2025-06-23 14:02:16,290 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #887: Setting up sam.ldb partitions and settings
INFO 2025-06-23 14:02:16,291 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #899: Setting up sam.ldb rootDSE
INFO 2025-06-23 14:02:16,341 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1312: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2025-06-23 14:02:16,495 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2425: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2025-06-23 14:02:16,495 pid:74534 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2427: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=viamonte,DC=lan
INFO 2025-06-23 14:02:16,543 pid:74534 /usr/lib/python3/dist-packages/samba/join.py #964: Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan] objects[402/1322] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan] objects[804/1322] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan] objects[1206/1322] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan] objects[1608/1322] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=viamonte,DC=lan] objects[1773/1322] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[402/2045] linked_values[0/67]
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[804/2045] linked_values[0/67]
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1206/2045] linked_values[0/67]
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1608/2045] linked_values[10/67]
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1904/2045] linked_values[67/67]
dsdb_replicated_objects_convert: Ignoring object outside partition cf1247a6-cab9-4041-8541-76d924301fa5 CN=Schema,CN=Configuration,DC=viamonte,DC=lan: WERR_DS_ADD_REPLICA_INHIBITED
Partition[CN=Configuration,DC=viamonte,DC=lan] objects[1904/2045] linked_values[67/67]
Replicating critical objects from the base DN of the domain
Partition[DC=viamonte,DC=lan] objects[119/198] linked_values[10/344]
Partition[DC=viamonte,DC=lan] objects[243/3139] linked_values[0/344]
Partition[DC=viamonte,DC=lan] objects[412/3139] linked_values[0/344]
Partition[DC=viamonte,DC=lan] objects[617/3139] linked_values[192/344]
Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
Missing target object - retrying with DRS_GET_TGT
Partition[DC=viamonte,DC=lan] objects[802/3139] linked_values[295/344]
Partition[DC=viamonte,DC=lan] objects[985/3139] linked_values[493/344]
Partition[DC=viamonte,DC=lan] objects[1142/3139] linked_values[544/344]
dsdb_replicated_objects_convert: Ignoring object outside partition f8e9f320-a7a8-466e-9813-9291b4a0887a CN=Configuration,DC=viamonte,DC=lan: WERR_DS_ADD_REPLICA_INHIBITED
dsdb_replicated_objects_convert: Ignoring object outside partition 83dff523-3add-4db8-8418-d98304629e8a DC=DomainDnsZones,DC=viamonte,DC=lan: WERR_DS_ADD_REPLICA_INHIBITED
dsdb_replicated_objects_convert: Ignoring object outside partition 1325c57e-9ef3-45c8-b81b-1b8c8c8cd574 DC=ForestDnsZones,DC=viamonte,DC=lan: WERR_DS_ADD_REPLICA_INHIBITED
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=viamonte,DC=lan
Partition[DC=DomainDnsZones,DC=viamonte,DC=lan] objects[64/64] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=viamonte,DC=lan
Partition[DC=ForestDnsZones,DC=viamonte,DC=lan] objects[25/25] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=viamonte,DC=lan] objects[3] linked_values[0]
INFO 2025-06-23 14:02:23,444 pid:74534 /usr/lib/python3/dist-packages/samba/join.py #1084: Committing SAM database - this may take some time
Repacking database from v1 to v2 format (first record CN=Person,CN=Schema,CN=Configuration,DC=viamonte,DC=lan)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=msCOM-Partition-Display,CN=413,CN=DisplaySpecifiers,CN=Configuration,DC=viamonte,DC=lan)
Repacking database from v1 to v2 format (first record DC=NB-lan-169,DC=viamonte.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=viamonte,DC=lan)
Repacking database from v1 to v2 format (first record DC=dc04.viamonte.lan.,DC=_msdcs.viamonte.lan,CN=MicrosoftDNS,DC=ForestDnsZones,DC=viamonte,DC=lan)
Repacking database from v1 to v2 format (first record CN=WS40,CN=Computers,DC=viamonte,DC=lan)
An operation failed during a batch mode transaction, the transaction was rolled back
Join failed - cleaning up
Deleted CN=RID Set,CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
Deleted CN=DC05,OU=Domain Controllers,DC=viamonte,DC=lan
Deleted CN=NTDS Settings,CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
Deleted CN=DC05,CN=Servers,CN=Ravignani,CN=Sites,CN=Configuration,DC=viamonte,DC=lan
ERROR(ldb): uncaught exception - end_trans error on DC=viamonte,DC=lan: An operation failed during a batch mode transaction, the transaction was rolled back
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 356, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1621, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1511, in do_join
    ctx.join_replicate()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1101, in join_replicate
    ctx.local_samdb.transaction_commit()

On Tue, Jun 17, 2025 at 5:28 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Tue, 17 Jun 2025 17:04:15 -0300
> Nicolás Hermida via samba <samba at lists.samba.org> wrote:
>
> > Hi everyone.
> >
> > We have an Active Directory environment with a WS 2008 R2 functional
> > level. There are two Windows Servers, one is a 2008 R2 and the other a
> > 2016. We started the task of migrating these servers to Samba. We
> > prepared a virtual machine with Debian 12 and Samba 4.17.12.
> >
> > The actual replication is based on DFS-R. As we intend there is no
> > rollback for this, but there is a workaround with robocopy.
> >
> > So we have:
> > SERVER1: Windows Server 2008 R2 Domain Controller (owner of the FSMO
> > roles)
> > SERVER2: Windows Server 2016 Domain Controller
> > SERVER3: Debian 12 with Samba 4.17.12
> >
> > When we try to make the join of the SERVER3 (Debian) we get this
> > error: WERR_DS_ADD_REPLICA_INHIBITED
> > At the end I paste the full output of the join process for your
> > review.
> >
> > We have found in older posts that an option is to compile and use an
> > older version of Samba 4.7. As this post said this version does not
> > make some checks and could bypass this
> > "WERR_DS_ADD_REPLICA_INHIBITED" error, but it may carry other ones.
> >
> > Any idea how we can solve this Debian Samba Join issue?
> >
>
> Never had this problem, but then again I do not use Windows DCs, but I
> wonder if your problem isn't that your Samba isn't old enough, it isn't
> new enough.
>
> Read this:
>
> https://wiki.samba.org/index.php/Samba_4.20_Features_added/changed#AD_DC_support_for_Authentication_Silos_and_Authentication_Policies
>
> Then try again with Samba from bookworm-backports, this will get you
> 4.22.2
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba