Unable to Join the Active Directory as a Domain Controller


Unable to Join the Active Directory as a Domain Controller

Samba - General mailing list
Hello,

I am trying to use Samba in version 4.7.0 as a replication of an Active
Directory running on Windows 2012-R2.

For that, I execute the process described on this page:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

When I run the command to join the domain controller, samba-tool returns
the following error:
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')

I read the documentation that specifies which version of Samba is
compatible with the version of the Active Directory schema:
https://wiki.samba.org/index.php/AD_Schema_Version_Support

I was able to check on the Windows 2012-R2 server that the Active
Directory schema is in version 69, so theoretically compatible with
Samba 4.7.

User "MYDOMAIN\marcori" is a domain admin.
Do you have a way to explore further?

Respectfully,

Marc-Henri Pamiseux

PS: Here is the command invoked and its error message:

# samba-tool domain join example.com DC -U"MYDOMAIN\marcori" --dns-backend=SAMBA_INTERNAL --realm=EXAMPLE.COM -W MYDOMAIN
Finding a writeable DC for domain 'example.com'
Found DC SRV-ADM1.example.com
Password for [MYDOMAIN\marcori]:
workgroup is MYDOMAIN
realm is example.com
Adding CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
Adding CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up
Deleted CN=SRVSMB-DC1,OU=Domain Controllers,DC=example,DC=com
Deleted CN=SRVSMB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(runtime): uncaught exception - DsAddEntry failed
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1375, in do_join
    ctx.join_add_objects()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 639, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 570, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 521, in DsAddEntry
    raise RuntimeError("DsAddEntry failed")

# samba -V
Version 4.7.0-Debian

--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Unable to Join the Active Directory as a Domain Controller

Samba - General mailing list
What is the schema level on your Server 2012?

On Wed, Dec 20, 2017 at 1:55 PM, Marc-Henri Pamiseux via samba wrote:


Re: Unable to Join the Active Directory as a Domain Controller

Samba - General mailing list
Hello Luke,

I think you have not seen this line:
"Active Directory schema is in version 69".

So, the schema level is 69.

Respectfully

On 20/12/2017 at 23:37, Luke Barone wrote:
> What is the schema level on your Server 2012?
>
> On Wed, Dec 20, 2017 at 1:55 PM, Marc-Henri Pamiseux via samba
>     I was able to check on the Windows 2012-R2 server that the Active
>     Directory schema is in version 69, so theoretically compatible with
>     Samba 4.7.


Re: Unable to Join the Active Directory as a Domain Controller

Samba - General mailing list
I don't think it should be the schema that is the problem, but the
domain functionality level the 2012 server is operating at. We currently
only operate at 2008 R2 functional level (although there are some
patches currently pending to change some aspects of that). If it's
running at the 2012 R2 functional level, it would have to be downgraded
first (or re-promoted to only be using 2008 R2 functionality).

Cheers,

Garming

On 21/12/17 10:55, Marc-Henri Pamiseux via samba wrote:



Re: Unable to Join the Active Directory as a Domain Controller

Samba - General mailing list
Hello Garming,

In the link below (sorry, it's in French), I can read how to downgrade the
feature level of a 2012-R2 domain to work in 2008 R2.

https://sloze.wordpress.com/2014/06/18/active-directory-diminuer-le-niveau-fonctionnel-dune-foret-etou-dun-domaine-2/

Here is the English version of the Set-ADDomainMode command:
https://technet.microsoft.com/fr-fr/library/hh852281(v=wps.630).aspx

Has anyone ever used this command successfully?

Respectfully,
On 21/12/2017 at 01:55, Garming Sam wrote:

> I don't think it should be the schema that is the problem, but the
> domain functionality level the 2012 server is operating at. We currently
> only operate at 2008 R2 functional level (although there are some
> patches currently pending to change some aspects of that). If it's
> running at the 2012 R2 functional level, it would have to be downgraded
> first (or re-promoted to only be using 2008 R2 functionality).
>
> Cheers,
>
> Garming

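
The check that Garming's diagnosis and the Set-ADDomainMode post together call for, as an added example that is not part of this thread and not Samba's own code: a small Python script that reads an LDIF export of the three entries that decide the outcome (the domain NC root, CN=Partitions and CN=Schema under the configuration NC) and reports whether a Samba 4.7 join is blocked by the domain or forest functional level, or only warned about because of the experimental schema 69. The msDS-Behavior-Version and objectVersion mappings are Microsoft's documented values; the Samba 4.7 limits come from the thread (schema 69 marked experimental on the wiki page, 2008 R2 functional level per Garming). The LDIF sample is constructed to mirror the 2012 R2 domain described above, and the export step (for instance ldbsearch or another LDAP client bound to the Windows DC) is assumed to have been done beforehand.

```python
"""Pre-join compatibility check for a Samba DC against an existing AD forest.

Reads the three LDAP attributes that decide whether `samba-tool domain join
... DC` can work with Samba 4.7: the schema objectVersion and the
msDS-Behavior-Version (functional level) of the domain and of the forest.
The LDIF is assumed to have been exported beforehand; the sample is constructed.
"""
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Schema objectVersion -> Windows Server release that introduced it
SCHEMA_VERSIONS = {30: "2003", 31: "2003 R2", 44: "2008", 47: "2008 R2",
                   56: "2012", 69: "2012 R2", 87: "2016", 88: "2019"}
# msDS-Behavior-Version -> functional level name
FUNCTIONAL_LEVELS = {0: "2000", 1: "2003 interim", 2: "2003", 3: "2008",
                     4: "2008 R2", 5: "2012", 6: "2012 R2", 7: "2016"}

# Samba 4.7 limits as stated in the thread: schema 69 is "experimental" on the
# wiki page cited by the original poster; Garming's reply says Samba only
# operates at the 2008 R2 (= 4) functional level.
SAMBA_47_MAX_SCHEMA = 69
SAMBA_47_EXPERIMENTAL_SCHEMA = {69}
SAMBA_47_MAX_FUNCTIONAL_LEVEL = 4


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF parser: {dn (lower-cased): {attr (lower-cased): [values]}}.
    Handles folded lines (leading space), '#' comments and base64 ('::') values."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: Dict[str, Entry] = {}
    dn: Optional[str] = None
    current: Entry = {}
    for line in unfolded + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            dn, current = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                             # not an attribute line; ignore it
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value.lower()
        else:
            current.setdefault(name.lower(), []).append(value)
    return entries


def _int_attr(entry: Entry, attr: str) -> Optional[int]:
    values = entry.get(attr.lower())
    return int(values[0]) if values else None


def check_join_compatibility(ldif_text: str, domain_dn: str) -> dict:
    """Return the raw levels plus what blocks (or merely warns about) a Samba 4.7 join."""
    entries = parse_ldif(ldif_text)
    domain = entries.get(domain_dn.lower(), {})
    forest = entries.get(f"cn=partitions,cn=configuration,{domain_dn}".lower(), {})
    schema = entries.get(f"cn=schema,cn=configuration,{domain_dn}".lower(), {})
    report = {
        "schema_version": _int_attr(schema, "objectVersion"),
        "domain_level": _int_attr(domain, "msDS-Behavior-Version"),
        "forest_level": _int_attr(forest, "msDS-Behavior-Version"),
        "blocking": [],
        "warnings": [],
    }
    sv = report["schema_version"]
    if sv is None:
        report["blocking"].append("schema objectVersion not found in the export")
    else:
        sv_name = SCHEMA_VERSIONS.get(sv, "unknown release")
        if sv > SAMBA_47_MAX_SCHEMA:
            report["blocking"].append(f"schema version {sv} ({sv_name}) is newer than Samba 4.7 supports")
        elif sv in SAMBA_47_EXPERIMENTAL_SCHEMA:
            report["warnings"].append(f"schema version {sv} ({sv_name}) is only experimentally supported by Samba 4.7")
    for key in ("domain_level", "forest_level"):
        level = report[key]
        label = key.replace("_", " ")
        if level is None:
            report["blocking"].append(f"{label} (msDS-Behavior-Version) not found in the export")
        elif level > SAMBA_47_MAX_FUNCTIONAL_LEVEL:
            report["blocking"].append(
                f"{label} {level} (Windows Server {FUNCTIONAL_LEVELS.get(level, '?')}) is above "
                f"2008 R2 ({SAMBA_47_MAX_FUNCTIONAL_LEVEL}); lower it before joining")
    report["ok"] = not report["blocking"]
    return report


# Constructed export mimicking the 2012 R2 domain from the thread (schema 69, levels 6).
SAMPLE_LDIF_2012R2 = """\
dn: DC=example,DC=com
msDS-Behavior-Version: 6

dn: CN=Partitions,CN=Configuration,DC=example,DC=com
msDS-Behavior-Version: 6

dn: CN=Schema,CN=Configuration,DC=example,DC=com
objectVersion: 69
"""

if __name__ == "__main__":
    lowered = SAMPLE_LDIF_2012R2.replace("Behavior-Version: 6", "Behavior-Version: 4")
    for label, ldif in (("as found", SAMPLE_LDIF_2012R2), ("after lowering both levels to 2008 R2", lowered)):
        rep = check_join_compatibility(ldif, "DC=example,DC=com")
        print(f"{label}: ok={rep['ok']}")
        for msg in rep["blocking"]:
            print("  BLOCKING:", msg)
        for msg in rep["warnings"]:
            print("  warning:", msg)
```

Run as-is it reports the domain and forest levels as blocking and schema 69 as a warning; with the levels lowered to 4 only the schema warning remains, which is exactly the state the original poster ended up in. Lowering the forest level as well matters because the forest-wide CN=Partitions value is checked independently of the domain value.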

Re: Unable to Join the Active Directory as a Domain Controller

Samba - General mailing list
Hi Marc-Henri Pamiseux,

>
> I am trying to use Samba in version 4.7.0 as a replication of an Active
> Directory running on Windows 2012-R2.
>
> For that, I execute the process described on this page:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> When I run the command to join the domain controller, samba-tool returns
> the following error:
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> 'WERR_DS_INCOMPATIBLE_VERSION')
>
> I read the documentation that specifies which version of Samba is
> compatible with the version of the Active Directory schema:
> https://wiki.samba.org/index.php/AD_Schema_Version_Support
>
> I was able to check on the Windows 2012-R2 server that the Active
> Directory schema is in version 69, so theoretically compatible with
> Samba 4.7.

In the small print, one can read "69 :* Experimental support. To report
problems, click https://bugzilla.samba.org". With such a warning I
wouldn't put that in production...

> User "MYDOMAIN\marcori" is a domain admin.
> Do you have a way to explore further?

I think you can explore the page
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

TL;DR: with current Samba releases, it is not possible to join a
win2k12 or above Active Directory to a Samba AD. Stick to 2k8r2 or wait
for Garming/Douglas's work on that subject.

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr



Re: Unable to Join the Active Directory as a Domain Controller

Samba - General mailing list
Hi,

The solution was simpler than anything I was looking for. The user
"MYDOMAIN\marcori" can be a domain administrator and a schema
administrator, but he does not have sufficient rights to join an
existing directory. By using the Administrator account, everything works.

Similarly, the creation of the Kerberos ticket was not functional. So no
ticket, no domain. However, before joining the domain, I followed the
tutorial explaining how to downgrade the schema to Windows 2008 R2. It
works fine and my Samba AD now replicates the Microsoft AD.

Best regards,
