WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain


WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
I have a Samba4 Domain Controller, which we have run in production since ~2009 (early alpha). It's had a few issues over the years which we've managed to recover from. I'm trying to join a second Samba4 DC to the domain, but having trouble when I issue the join. I have run dbcheck on the existing DC, which found and fixed some errors. There are still about 60+ errors like this:

    # samba-tool dbcheck --cross-ncs
    ...
    ERROR: no target object found for GUID component for objectCategory in object DC=...
    Not removing dangling forward link

I'm running the same Samba version on both systems. Just upgraded to 4.7.3 (Ubuntu 18.04 beta) in attempting to resolve this problem. (I attempted with earlier versions with the same problem.)

Any suggestions would be greatly appreciated!

Here is the output from the second DC when I attempt to join:

$ samba --version
    Version 4.7.3-Ubuntu
   
$ sudo samba-tool domain join redacted.domain.local DC -U"REDACTED\my.domain.admin"  --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'redacted.domain.local'
Found DC samba4dom.redacted.domain.local
Password for [REDACTED\my.domain.admin]:
NO DNS zone information found in source domain, not replicating DNS
workgroup is REDACTED
realm is redacted.domain.local
Adding CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Adding CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Adding CN=NTDS Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Adding SPNs to CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Setting account password for SAMBA4DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=redacted,DC=domain,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1606] linked_values[0/0]
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1606] linked_values[0/0]
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1606] linked_values[0/0]
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1605/1606] linked_values[22/22]
Replicating critical objects from the base DN of the domain
Partition[DC=redacted,DC=domain,DC=local] objects[76/74] linked_values[21/21]
Partition[DC=redacted,DC=domain,DC=local] objects[478/19960] linked_values[0/0]
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
Deleted CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Deleted CN=NTDS Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Deleted CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 936, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 295, in replicate
    schema=schema, req_level=req_level, req=req)
   


Daniel McFeeters


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
On Thu, 21 Dec 2017 11:04:22 -0500 (EST)
Daniel McFeeters via samba <[hidden email]> wrote:

> I have a Samba4 Domain Controller, which we have run in production
> since ~2009 (early alpha). It's had a few issues over the years which
> we've managed to recover from. I'm trying to join a second Samba4 DC
> to the domain, but having trouble when I issue the join. I have run
> dbcheck on the existing DC, which found and fixed some errors. There
> are still about 60+ errors like this:
>
>     # samba-tool dbcheck --cross-ncs
>     ...
>     ERROR: no target object found for GUID component for
> objectCategory in object DC=... Not removing dangling forward link
>
> I'm running the same Samba version on both systems. Just upgraded to
> 4.7.3 (Ubuntu 18.04 beta) in attempting to resolve this problem. (I
> attempted with earlier versions with the same problem.)
>
> Any suggestions would be greatly appreciated!
>

You can ignore these, they seemingly have always been there, but until
a fix for something was added, nobody knew they were there. A fix is
being worked on, but until it is released, you can safely ignore the
'dangling forward links'

Rowland


Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
I am not able to join a second domain controller to the domain, though. Is this a samba bug, or is there something I can do to fix the WERR_DS_DRA_MISSING_PARENT error?

Daniel McFeeters


----- Original Message -----
> From: "samba" <[hidden email]>
> To: "samba" <[hidden email]>
> Sent: Thursday, December 21, 2017 11:34:09 AM
> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

> On Thu, 21 Dec 2017 11:04:22 -0500 (EST)
> Daniel McFeeters via samba <[hidden email]> wrote:

> > I have a Samba4 Domain Controller, which we have run in production
> > since ~2009 (early alpha). It's had a few issues over the years which
> > we've managed to recover from. I'm trying to join a second Samba4 DC
> > to the domain, but having trouble when I issue the join. I have run
> > dbcheck on the existing DC, which found and fixed some errors. There
> > are still about 60+ errors like this:

> > # samba-tool dbcheck --cross-ncs
> > ...
> > ERROR: no target object found for GUID component for
> > objectCategory in object DC=... Not removing dangling forward link

> > I'm running the same Samba version on both systems. Just upgraded to
> > 4.7.3 (Ubuntu 18.04 beta) in attempting to resolve this problem. (I
> > attempted with earlier versions with the same problem.)

> > Any suggestions would be greatly appreciated!


> You can ignore these, they seemingly have always been there, but until
> a fix for something was added, nobody knew they were there. A fix is
> being worked on, but until it is released, you can safely ignore the
> 'dangling forward links'

> Rowland

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba


Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
On Thu, 21 Dec 2017 12:16:23 -0500 (EST)
Daniel McFeeters <[hidden email]> wrote:

> I am not able to join a second domain controller to the domain,
> though. Is this a samba bug, or is there something I can do to fix
> the WERR_DS_DRA_MISSING_PARENT error?
>
> Daniel McFeeters
>

Can you post the join command you are using and the command output?

Rowland


Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
I thought I had posted already, but my first message may have been confusing. Here is the output of the domain join:

$ sudo samba-tool domain join redacted.domain.local DC -U"REDACTED\my.domain.admin"  --dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'redacted.domain.local'
Found DC samba4dom.redacted.domain.local
Password for [REDACTED\my.domain.admin]:
NO DNS zone information found in source domain, not replicating DNS
workgroup is REDACTED
realm is redacted.domain.local
Adding CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Adding CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Adding CN=NTDS Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Adding SPNs to CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Setting account password for SAMBA4DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=redacted,DC=domain,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1606] linked_values[0/0]
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1606] linked_values[0/0]
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1606] linked_values[0/0]
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1605/1606] linked_values[22/22]
Replicating critical objects from the base DN of the domain
Partition[DC=redacted,DC=domain,DC=local] objects[76/74] linked_values[21/21]
Partition[DC=redacted,DC=domain,DC=local] objects[478/19960] linked_values[0/0]
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
Deleted CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Deleted CN=NTDS Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Deleted CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 936, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 295, in replicate
    schema=schema, req_level=req_level, req=req)
$

Daniel McFeeters


----- Original Message -----
> From: "samba" <[hidden email]>
> To: "samba" <[hidden email]>
> Sent: Thursday, December 21, 2017 12:43:07 PM
> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

> On Thu, 21 Dec 2017 12:16:23 -0500 (EST)
> Daniel McFeeters <[hidden email]> wrote:

> > I am not able to join a second domain controller to the domain,
> > though. Is this a samba bug, or is there something I can do to fix
> > the WERR_DS_DRA_MISSING_PARENT error?

> > Daniel McFeeters


> Can you post the join command you are using and the command output?

> Rowland

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba


Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
On Thu, 21 Dec 2017 13:16:05 -0500 (EST)
Daniel McFeeters <[hidden email]> wrote:

> I thought I had posted already, but my first message may have been
> confusing. Here is the output of the domain join:
>
> $ sudo samba-tool domain join redacted.domain.local DC
> -U"REDACTED\my.domain.admin"  --dns-backend=SAMBA_INTERNAL Finding a
> writeable DC for domain 'redacted.domain.local' Found DC
> samba4dom.redacted.domain.local Password for
> [REDACTED\my.domain.admin]: NO DNS zone information found in source

Are you not running a dns server on the original DC ?

> domain, not replicating DNS workgroup is REDACTED
> realm is redacted.domain.local
> Adding CN=SAMBA4DC2,OU=Domain
> Controllers,DC=redacted,DC=domain,DC=local Adding
> CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> Adding CN=NTDS
> Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> Adding SPNs to CN=SAMBA4DC2,OU=Domain
> Controllers,DC=redacted,DC=domain,DC=local Setting account password
> for SAMBA4DC2$ Enabling account Calling bare provision Looking up
> IPv4 addresses Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> A Kerberos configuration suitable for Samba AD has been generated
> at /var/lib/samba/private/krb5.conf Provision OK for domain DN
> DC=redacted,DC=domain,DC=local Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[1550/1550] linked_values[0/0] Analyze and apply schema
> objects Partition[CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[402/1606] linked_values[0/0]
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[804/1606] linked_values[0/0]
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[1206/1606] linked_values[0/0]
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[1605/1606] linked_values[22/22] Replicating critical objects
> from the base DN of the domain
> Partition[DC=redacted,DC=domain,DC=local] objects[76/74]
> linked_values[21/21] Partition[DC=redacted,DC=domain,DC=local]
> objects[478/19960] linked_values[0/0] Failed to commit objects:
> WERR_DS_DRA_MISSING_PARENT Join failed - cleaning up Deleted
> CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
> Deleted CN=NTDS
> Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> Deleted
> CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> ERROR(runtime): uncaught exception - (8460, "Failed to process
> 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT") File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 176, in _run return self.run(*args, **kwargs) File
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661,
> in run machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend) File
> "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> join_DC ctx.do_join() File
> "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in
> do_join ctx.join_replicate() File
> "/usr/lib/python2.7/dist-packages/samba/join.py", line 936, in
> join_replicate replica_flags=ctx.domain_replica_flags) File
> "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 295, in
> replicate schema=schema, req_level=req_level, req=req) $
>

Two thoughts here, are you using the ntvfs backend on the first DC ?
this has now been deprecated and is only used in the Samba test.

Does your admin user have all the required permissions ? Have you tried
using 'Administrator' ?

Rowland


Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
On Thu, 2017-12-21 at 11:04 -0500, Daniel McFeeters via samba wrote:

> I have a Samba4 Domain Controller, which we have run in production since ~2009 (early alpha). It's had a few issues over the years which we've managed to recover from. I'm trying to join a second Samba4 DC to the domain, but having trouble when I issue the join. I have run dbcheck on the existing DC, which found and fixed some errors. There are still about 60+ errors like this:
>
>     # samba-tool dbcheck --cross-ncs
>     ...
>     ERROR: no target object found for GUID component for objectCategory in object DC=...
>     Not removing dangling forward link
>
> I'm running the same Samba version on both systems. Just upgraded to 4.7.3 (Ubuntu 18.04 beta) in attempting to resolve this problem. (I attempted with earlier versions with the same problem.)
>
> Any suggestions would be greatly appreciated!
>
> Here is the output from the second DC when I attempt to join:
>
> $ samba --version
>     Version 4.7.3-Ubuntu

So both servers run Samba 4.7.3? I would normally expect this
only if the existing server was much older.

Thanks,

Andrew Bartlett


--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
On Thu, 2017-12-21 at 18:39 +0000, Rowland Penny via samba wrote:

>
> Two thoughts here, are you using the ntvfs backend on the first DC ?
> this has now been deprecated and is only used in the Samba test.
>
> Does your admin user have all the required permissions ? Have you tried
> using 'Administrator' ?

G'Day Rowland,

Just to avoid running down rat-holes, neither of these factors would
cause this particular error.  

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
Yes, I am running 4.7.3 on both servers. One has been upgraded (many times). The new one, obviously, is freshly installed.

I am running DNS on the domain controller. In fact, I'm running all the default "server services". As I said, I have had some problems in the past, and for a while the DNS was not working (perhaps due to some database corruption) and I had to switch it off in smb.conf. DNS seems to be working fine now. However, I am wondering if there are still some inconsistencies in the database which would cause this?

Here is my smb.conf file:

[global]
        workgroup = REDACTED
        realm = redacted.domain.local
        netbios name = SAMBA4DOM
        server role = active directory domain controller
        log level = 2
        allow dns updates = signed
        encrypt passwords = yes
        lanman auth = No
        client ntlmv2 auth = Yes
        ntlm auth = Yes
        client lanman auth = No
        client plaintext auth = No
        client min protocol = SMB2
        client signing = mandatory
        server signing = mandatory

[netlogon]
        path = /var/lib/samba/sysvol/redacted.domain.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


Daniel McFeeters

----- Original Message -----
> From: "samba" <[hidden email]>
> To: "Daniel McFeeters" <[hidden email]>, "samba" <[hidden email]>
> Sent: Thursday, December 21, 2017 1:44:41 PM
> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

> On Thu, 2017-12-21 at 11:04 -0500, Daniel McFeeters via samba wrote:
> > I have a Samba4 Domain Controller, which we have run in production since ~2009
> > (early alpha). It's had a few issues over the years which we've managed to
> > recover from. I'm trying to join a second Samba4 DC to the domain, but having
> > trouble when I issue the join. I have run dbcheck on the existing DC, which
> > found and fixed some errors. There are still about 60+ errors like this:

> > # samba-tool dbcheck --cross-ncs
> > ...
> > ERROR: no target object found for GUID component for objectCategory in object
> > DC=...
> > Not removing dangling forward link

> > I'm running the same Samba version on both systems. Just upgraded to 4.7.3
> > (Ubuntu 18.04 beta) in attempting to resolve this problem. (I attempted with
> > earlier versions with the same problem.)

> > Any suggestions would be greatly appreciated!

> > Here is the output from the second DC when I attempt to join:

> > $ samba --version
> > Version 4.7.3-Ubuntu

> So both servers run Samba 4.7.3? I would normally expect this
> only if the existing server was much older.

> Thanks,

> Andrew Bartlett

> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba


Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
Hi,

If you slowly turn up the debug level for the join, there may be some
clues as to which object is causing the issues. Do note, that these logs
can contain sensitive data.

Cheers,

Garming


On 22/12/17 08:51, Daniel McFeeters via samba wrote:

> Yes, I am running 4.7.3 on both servers. One has been upgraded (many times). The new one, obviously, is freshly installed.
>
> I am running DNS on the domain controller. In fact, I'm running all the default "server services". As I said, I have had some problems in the past, and for a while the DNS was not working (perhaps due to some database corruption) and I had to switch it off in smb.conf. DNS seems to be working fine now. However, I am wondering if there are still some inconsistencies in the database which would cause this?
>
> Here is my smb.conf file:
>
> [global]
>         workgroup = REDACTED
>         realm = redacted.domain.local
>         netbios name = SAMBA4DOM
>         server role = active directory domain controller
>         log level = 2
>         allow dns updates = signed
>         encrypt passwords = yes
>         lanman auth = No
>         client ntlmv2 auth = Yes
>         ntlm auth = Yes
>         client lanman auth = No
>         client plaintext auth = No
>         client min protocol = SMB2
>         client signing = mandatory
>         server signing = mandatory
>
> [netlogon]
>         path = /var/lib/samba/sysvol/redacted.domain.local/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
> Daniel McFeeters
>
> ----- Original Message -----
>> From: "samba" <[hidden email]>
>> To: "Daniel McFeeters" <[hidden email]>, "samba" <[hidden email]>
>> Sent: Thursday, December 21, 2017 1:44:41 PM
>> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain
>> On Thu, 2017-12-21 at 11:04 -0500, Daniel McFeeters via samba wrote:
>>> I have a Samba4 Domain Controller, which we have run in production since ~2009
>>> (early alpha). It's had a few issues over the years which we've managed to
>>> recover from. I'm trying to join a second Samba4 DC to the domain, but having
>>> trouble when I issue the join. I have run dbcheck on the existing DC, which
>>> found and fixed some errors. There are still about 60+ errors like this:
>>> # samba-tool dbcheck --cross-ncs
>>> ...
>>> ERROR: no target object found for GUID component for objectCategory in object
>>> DC=...
>>> Not removing dangling forward link
>>> I'm running the same Samba version on both systems. Just upgraded to 4.7.3
>>> (Ubuntu 18.04 beta) in attempting to resolve this problem. (I attempted with
>>> earlier versions with the same problem.)
>>> Any suggestions would be greatly appreciated!
>>> Here is the output from the second DC when I attempt to join:
>>> $ samba --version
>>> Version 4.7.3-Ubuntu
>> So both servers run Samba 4.7.3? I would normally expect this
>> only if the existing server was much older.
>> Thanks,
>> Andrew Bartlett
>> --
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba


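One way to act on the advice above about raising the debug level, as an added example that is not part of the thread and not Samba project code: it scans saved `samba-tool domain join` output for the replication progress and missing-parent lines, and redacts realm, workgroup and account names before the log is shared. The line formats are those shown in this thread; the sample log, its GUID and the function names are constructed for illustration.

```python
import re

# Line formats are the ones shown in the join output quoted in this thread.
PROGRESS_RE = re.compile(
    r"^(?:Partition|Schema-DN)\[(?P<nc>[^\]]+)\] "
    r"objects\[(?P<done>\d+)/(?P<total>\d+)\] linked_values\[\d+/\d+\]")
MISSING_RE = re.compile(
    r"No parent with GUID (?P<guid>[0-9a-fA-F-]{36}) found for object "
    r"remotely known as (?P<dn>.+)$")
FAILED_RE = re.compile(r"Failed to commit objects: (?P<werr>WERR_\w+)")
REALM_RE = re.compile(r"^realm is (?P<value>\S+)$")
WORKGROUP_RE = re.compile(r"^workgroup is (?P<value>\S+)$")
ACCOUNT_RE = re.compile(r"(?P<pre>cli_credentials\(|Password for \[)[^\])]+")


def triage(lines):
    """Collect the facts that locate the object which broke the join."""
    report = {"last_progress": None, "missing_parents": [],
              "werr": None, "dns_not_replicated": False}
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("NO DNS zone information found"):
            report["dns_not_replicated"] = True
        m = PROGRESS_RE.match(line)
        if m:
            # Remember the naming context being replicated when things stop.
            report["last_progress"] = (
                m.group("nc"), int(m.group("done")), int(m.group("total")))
            continue
        m = MISSING_RE.search(line)
        if m:
            report["missing_parents"].append(
                {"parent_guid": m.group("guid").lower(),
                 "child_dn": m.group("dn").strip()})
            continue
        m = FAILED_RE.search(line)
        if m:
            report["werr"] = m.group("werr")
    return report


def _first(pattern, lines):
    for line in lines:
        m = pattern.match(line)
        if m:
            return m.group("value")
    return None


def redact(lines):
    """Mask account names, the realm (and its DC= chain) and the workgroup.

    Host short names and object names are left alone and still need a
    manual read before the log is posted.
    """
    lines = [line.rstrip("\n") for line in lines]
    realm = _first(REALM_RE, lines)
    workgroup = _first(WORKGROUP_RE, lines)
    out = []
    for line in lines:
        line = ACCOUNT_RE.sub(lambda m: m.group("pre") + "REDACTED_USER", line)
        if realm:
            dc_chain = ",".join("DC=" + label for label in realm.split("."))
            line = re.sub(re.escape(dc_chain), "DC=realm,DC=redacted",
                          line, flags=re.IGNORECASE)
            line = re.sub(re.escape(realm), "realm.redacted",
                          line, flags=re.IGNORECASE)
        if workgroup:
            line = re.sub(r"\b" + re.escape(workgroup) + r"\b",
                          "WORKGROUP", line)
        out.append(line)
    return out


# Constructed sample log (names and GUID are made up, not from the thread).
SAMPLE_LOG = r"""Finding a writeable DC for domain 'corp.example.com'
Found DC dc1.corp.example.com
cli_credentials(CORP\jdoe) without realm, cannot use kerberos for this connection ldap/dc1.corp.example.com
Password for [CORP\jdoe]:
NO DNS zone information found in source domain, not replicating DNS
workgroup is CORP
realm is corp.example.com
Partition[CN=Configuration,DC=corp,DC=example,DC=com] objects[1605/1606] linked_values[22/22]
Partition[DC=corp,DC=example,DC=com] objects[478/19960] linked_values[0/0]
Missing parent while attempting to apply records: No parent with GUID 00000000-0000-4000-8000-000000000001 found for object remotely known as CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
""".splitlines()

if __name__ == "__main__":
    shareable = redact(SAMPLE_LOG)
    print(triage(shareable))
    print("\n".join(shareable))
```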

Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
OK, we're getting closer here I think. I repeated with -d 2 without much help. Here is -d 3, which may point us in the right direction. As I suspected, it seems to point to some corruption in the DNS still, perhaps?

The key line seems to be here:
Missing parent while attempting to apply records: No parent with GUID 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT

Here is the full output in context:

$ sudo samba-tool domain join redacted.domain.local DC -U"REDACTED\my.domain.admin"  --dns-backend=SAMBA_INTERNAL -d 3
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'redacted.domain.local'
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.redacted.domain.local<0x0>
Found DC samba4dom.redacted.domain.local
resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for this connection ldap/samba4dom.redacted.domain.local
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
Password for [REDACTED\my.domain.admin]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NO DNS zone information found in source domain, not replicating DNS
workgroup is REDACTED
realm is redacted.domain.local
Adding CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Adding CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Adding CN=NTDS Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Adding SPNs to CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Setting account password for SAMBA4DC2$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
ldb_wrap open of hklm.ldb
Key 'key=SOFTWARE,hive=NONE' not found
key added: key=SOFTWARE,hive=NONE
Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=SYSTEM,hive=NONE' not found
key added: key=SYSTEM,hive=NONE
Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
partition_metadata: Migrating partition metadata: open of metadata.tdb gave: (null)
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=redacted,DC=domain,DC=local
Starting replication
Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba4dom.redacted.domain.local<0x20>
cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Replicated 1550 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1610] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1610] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1610] linked_values[0/0]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1608/1610] linked_values[0/15]
Replicated 402 objects (0 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1609/1610] linked_values[22/22]
Replicated 1 objects (22 linked attributes) for CN=Configuration,DC=redacted,DC=domain,DC=local
Replicating critical objects from the base DN of the domain
Partition[DC=redacted,DC=domain,DC=local] objects[76/74] linked_values[21/21]
Replicated 76 objects (21 linked attributes) for DC=redacted,DC=domain,DC=local
Partition[DC=redacted,DC=domain,DC=local] objects[478/19962] linked_values[0/0]
Missing parent while attempting to apply records: No parent with GUID 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
Join failed - cleaning up
ldb_wrap open of secrets.ldb
Could not find machine account in secrets database: Failed to fetch machine account password for REDACTED from both secrets.ldb (Could not find entry to match filter: '(&(flatname=REDACTED)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
Deleted CN=NTDS Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
Deleted CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 936, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 295, in replicate
    schema=schema, req_level=req_level, req=req)
$




Daniel McFeeters

----- Original Message -----
> From: "samba" <[hidden email]>
> To: "Daniel McFeeters" <[hidden email]>, "Andrew Bartlett" <[hidden email]>
> Cc: "samba" <[hidden email]>
> Sent: Thursday, December 21, 2017 4:47:46 PM
> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

> Hi,

> If you slowly turn up the debug level for the join, there may be some
> clues as to which object is causing the issues. Do note, that these logs
> can contain sensitive data.

> Cheers,

> Garming

> On 22/12/17 08:51, Daniel McFeeters via samba wrote:
> > Yes, I am running 4.7.3 on both servers. One has been upgraded (many times). The
> > new one, obviously, is freshly installed.

> > I am running DNS on the domain controller. In fact, I'm running all the default
> > "server services". As I said, I have had some problems in the past, and for a
> > while the DNS was not working (perhaps due to some database corruption) and I
> > had to switch it off in smb.conf. DNS seems to be working fine now. However, I
> > am wondering if there are still some inconsistencies in the database which
> > would cause this?

> > Here is my smb.conf file:

> > [global]
> > workgroup = REDACTED
> > realm = redacted.domain.local
> > netbios name = SAMBA4DOM
> > server role = active directory domain controller
> > log level = 2
> > allow dns updates = signed
> > encrypt passwords = yes
> > lanman auth = No
> > client ntlmv2 auth = Yes
> > ntlm auth = Yes
> > client lanman auth = No
> > client plaintext auth = No
> > client min protocol = SMB2
> > client signing = mandatory
> > server signing = mandatory

> > [netlogon]
> > path = /var/lib/samba/sysvol/redacted.domain.local/scripts
> > read only = No

> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No


> > Daniel McFeeters

> > ----- Original Message -----
> >> From: "samba" <[hidden email]>
> >> To: "Daniel McFeeters" <[hidden email]>, "samba" <[hidden email]>
> >> Sent: Thursday, December 21, 2017 1:44:41 PM
> >> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain
> >> On Thu, 2017-12-21 at 11:04 -0500, Daniel McFeeters via samba wrote:
> >>> I have a Samba4 Domain Controller, which we have run in production since ~2009
> >>> (early alpha). It's had a few issues over the years which we've managed to
> >>> recover from. I'm trying to join a second Samba4 DC to the domain, but having
> >>> trouble when I issue the join. I have run dbcheck on the existing DC, which
> >>> found and fixed some errors. There are still about 60+ errors like this:
> >>> # samba-tool dbcheck --cross-ncs
> >>> ...
> >>> ERROR: no target object found for GUID component for objectCategory in object
> >>> DC=...
> >>> Not removing dangling forward link
> >>> I'm running the same Samba version on both systems. Just upgraded to 4.7.3
> >>> (Ubuntu 18.04 beta) in attempting to resolve this problem. (I attempted with
> >>> earlier versions with the same problem.)
> >>> Any suggestions would be greatly appreciated!
> >>> Here is the output from the second DC when I attempt to join:
> >>> $ samba --version
> >>> Version 4.7.3-Ubuntu
> >> So both versions servers run Samba 4.7.3? I would normally expect this
> >> only if the existing server was much older.
> >> Thanks,
> >> Andrew Bartlett
> >> --
> >> Andrew Bartlett http://samba.org/~abartlet/
> >> Authentication Developer, Samba Team http://samba.org
> >> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba


Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
Perhaps I'm rooting around at a lower level than I should be, and somewhat beyond what I can understand, but here is a bit of info I dug up. It might be helpful? The GUID in the first search matches the one referred to in the error message.

$ sudo ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb "(DC=DomainDnsZones)"
# record 1
dn: DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
description: Microsoft DNS Directory
instanceType: 13
whenCreated: 20171218211518.0Z
whenChanged: 20171218211518.0Z
uSNCreated: 3620
nTSecurityDescriptor: REDACTED
name: DomainDnsZones
objectGUID: 60e25dda-6d35-4aab-bfa5-6137cb271e27
objectCategory: <GUID=b7263211-731a-43fe-a2f4-b522bf2d1a9d>;CN=Domain-DNS,CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
msDS-NcType: 0
dc: DomainDnsZones
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:<GUID=ff815094-bd8e-49
 08-ac71-c62beeb47896>;CN=NTDS Quotas,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:<GUID=d3806832-94c6-41
 3b-9406-0f512a8a6cd5>;CN=Deleted Objects,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:<GUID=e72f6718-5cb2-45
 35-9410-c1fc3e4ea084>;CN=Infrastructure,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:<GUID=5e3f945f-a07e-4d
 5a-bf69-6d191f5a6bc2>;CN=LostAndFound,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
replPropertyMetaData:: REDACTED
uSNChanged: 3627
distinguishedName: DC=DomainDnsZones,DC=redacted,DC=domain,DC=local

# record 2
dn: DC=DomainDnsZones,DC=lc.lcdhd.org,CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20171218211518.0Z
whenChanged: 20171218211518.0Z
uSNCreated: 3672
uSNChanged: 3672
showInAdvancedViewOnly: TRUE
name: DomainDnsZones
objectGUID: 4f08c35a-d330-4e01-8cd7-7a6790397b3a
replPropertyMetaData:: REDACTED
dnsRecord:: BAABAAXwAAABAAAAAAADhAAAAAAAAAAACmMAFQ==
objectCategory: <GUID=30c12cc0-3c1f-43d6-9498-5ca8856a6156>;CN=Dns-Node,CN=Sch
 ema,CN=Configuration,DC=redacted,DC=domain,DC=local
dc: DomainDnsZones
nTSecurityDescriptor: REDACTED
distinguishedName: DC=DomainDnsZones,DC=lc.lcdhd.org,CN=MicrosoftDNS,DC=Domain
 DnsZones,DC=redacted,DC=domain,DC=local

# returned 2 records
# 2 entries
# 0 referrals

$ sudo ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb "(CN=MicrosoftDNS)"
# record 1
dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
objectClass: top
objectClass: container
cn: MicrosoftDNS
instanceType: 4
whenCreated: 20171218211518.0Z
uSNCreated: 3638
showInAdvancedViewOnly: TRUE
name: MicrosoftDNS
objectGUID: 249ac0c0-b3fd-4998-84b7-950066285b78
nTSecurityDescriptor: REDACTED
objectCategory: <GUID=591defdf-e2f7-4c9e-9b5a-d6c2d0744b44>;CN=Container,CN=Sc
 hema,CN=Configuration,DC=redacted,DC=domain,DC=local
replPropertyMetaData:: REDACTED
whenChanged: 20171220011156.0Z
uSNChanged: 887580
distinguishedName: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local

# returned 1 records
# 1 entries
# 0 referrals


$ sudo ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb "(CN=MicrosoftDNS)"
# record 1
dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
objectClass: top
objectClass: container
cn: MicrosoftDNS
instanceType: 4
whenCreated: 20100113175618.0Z
whenChanged: 20121217022721.0Z
displayName: DNS Servers
uSNCreated: 3330
uSNChanged: 3330
showInAdvancedViewOnly: TRUE
name: MicrosoftDNS
objectGUID: 6e2ba870-34a5-494c-82a9-ab06f109c3dd
replPropertyMetaData:: REDACTED
objectCategory: <GUID=591defdf-e2f7-4c9e-9b5a-d6c2d0744b44>;CN=Container,CN=Sc
 hema,CN=Configuration,DC=redacted,DC=domain,DC=local
nTSecurityDescriptor: REDACTED
distinguishedName: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local

# returned 1 records
# 1 entries
# 0 referrals


Daniel McFeeters


----- Original Message -----
> From: "samba" <[hidden email]>
> To: "Garming Sam" <[hidden email]>
> Cc: "samba" <[hidden email]>, "Andrew Bartlett" <[hidden email]>
> Sent: Thursday, December 21, 2017 5:20:30 PM
> Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

> OK, we're getting closer here I think. I repeated with -d 2 without much help.
> Here is -d 3, which may point us in the right direction. As I suspected, it
> seems to point to some corruption in the DNS still, perhaps?

> The key line seems to be here:
> Missing parent while attempting to apply records: No parent with GUID
> 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as
> CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> Failed to commit objects: WERR_DS_DRA_MISSING_PARENT

> Here is the full output in context:

> $ sudo samba-tool domain join redacted.domain.local DC
> -U"REDACTED\my.domain.admin" --dns-backend=SAMBA_INTERNAL -d 3
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Finding a writeable DC for domain 'redacted.domain.local'
> resolve_lmhosts: Attempting lmhosts lookup for name
> _ldap._tcp.redacted.domain.local<0x0>
> Found DC samba4dom.redacted.domain.local
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4dom.redacted.domain.local<0x20>
> cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for
> this connection ldap/samba4dom.redacted.domain.local
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> Password for [REDACTED\my.domain.admin]:
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NO DNS zone information found in source domain, not replicating DNS
> workgroup is REDACTED
> realm is redacted.domain.local
> Adding CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
> Adding
> CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> Adding CN=NTDS
> Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4dom.redacted.domain.local<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4dom.redacted.domain.local<0x20>
> cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for
> this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> Adding SPNs to CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
> Setting account password for SAMBA4DC2$
> Enabling account
> Calling bare provision
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> ldb_wrap open of hklm.ldb
> Key 'key=SOFTWARE,hive=NONE' not found
> key added: key=SOFTWARE,hive=NONE
> Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
> key added: key=Microsoft,key=SOFTWARE,hive=NONE
> Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
> Key 'key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not
> found
> key added: key=CurrentVersion,key=Windows
> NT,key=Microsoft,key=SOFTWARE,hive=NONE
> Key 'key=SYSTEM,hive=NONE' not found
> key added: key=SYSTEM,hive=NONE
> Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added: key=Terminal
> Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not
> found
> key added: key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key
> 'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not
> found
> key added: key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key
> 'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> partition_metadata: Migrating partition metadata: open of metadata.tdb gave:
> (null)
> A Kerberos configuration suitable for Samba AD has been generated at
> /var/lib/samba/private/krb5.conf
> Provision OK for domain DN DC=redacted,DC=domain,DC=local
> Starting replication
> Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4dom.redacted.domain.local<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4dom.redacted.domain.local<0x20>
> cli_credentials(REDACTED\my.domain.admin) without realm, cannot use kerberos for
> this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Replicated 1550 objects (0 linked attributes) for
> CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[402/1610]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for
> CN=Configuration,DC=redacted,DC=domain,DC=local
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[804/1610]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for
> CN=Configuration,DC=redacted,DC=domain,DC=local
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1206/1610]
> linked_values[0/0]
> Replicated 402 objects (0 linked attributes) for
> CN=Configuration,DC=redacted,DC=domain,DC=local
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1608/1610]
> linked_values[0/15]
> Replicated 402 objects (0 linked attributes) for
> CN=Configuration,DC=redacted,DC=domain,DC=local
> Partition[CN=Configuration,DC=redacted,DC=domain,DC=local] objects[1609/1610]
> linked_values[22/22]
> Replicated 1 objects (22 linked attributes) for
> CN=Configuration,DC=redacted,DC=domain,DC=local
> Replicating critical objects from the base DN of the domain
> Partition[DC=redacted,DC=domain,DC=local] objects[76/74] linked_values[21/21]
> Replicated 76 objects (21 linked attributes) for DC=redacted,DC=domain,DC=local
> Partition[DC=redacted,DC=domain,DC=local] objects[478/19962] linked_values[0/0]
> Missing parent while attempting to apply records: No parent with GUID
> 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely known as
> CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> Could not find machine account in secrets database: Failed to fetch machine
> account password for REDACTED from both secrets.ldb (Could not find entry to
> match filter: '(&(flatname=REDACTED)(objectclass=primaryDomain))' base:
> 'cn=Primary Domains': No such object: dsdb_search at
> ../source4/dsdb/common/util.c:4636) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Deleted CN=SAMBA4DC2,OU=Domain Controllers,DC=redacted,DC=domain,DC=local
> Deleted CN=NTDS
> Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> Deleted
> CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> ERROR(runtime): uncaught exception - (8460, "Failed to process 'chunk' of DRS
> replicated objects: WERR_DS_DRA_MISSING_PARENT")
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in
> _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
> ctx.do_join()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in do_join
> ctx.join_replicate()
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 936, in
> join_replicate
> replica_flags=ctx.domain_replica_flags)
> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 295, in
> replicate
> schema=schema, req_level=req_level, req=req)
> $

> Daniel McFeeters
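
The three searches in the post above, compared by hand there, can be compared mechanically. This is an added example, not code from the post or from Samba: it parses ldbsearch output per partition file, unfolds wrapped lines, and reports any DN held under different objectGUIDs in more than one file, along with the files that hold its parent. The function names and the SAMPLE layout are assumptions; the records are abridged from the output above.

```python
import re
from collections import defaultdict

# Abridged from the ldbsearch output in the post above, merged per partition
# file. Keys are the naming contexts (NCs) that the sam.ldb.d file names encode.
SAMPLE = {
    "DC=DomainDnsZones,DC=redacted,DC=domain,DC=local": """\
# record 1
dn: DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
whenCreated: 20171218211518.0Z
objectGUID: 60e25dda-6d35-4aab-bfa5-6137cb271e27

# record 2
dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
whenCreated: 20171218211518.0Z
objectGUID: 249ac0c0-b3fd-4998-84b7-950066285b78
objectCategory: <GUID=591defdf-e2f7-4c9e-9b5a-d6c2d0744b44>;CN=Container,CN=Sc
 hema,CN=Configuration,DC=redacted,DC=domain,DC=local

# returned 2 records
""",
    "DC=redacted,DC=domain,DC=local": """\
# record 1
dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
whenCreated: 20100113175618.0Z
objectGUID: 6e2ba870-34a5-494c-82a9-ab06f109c3dd
objectCategory: <GUID=591defdf-e2f7-4c9e-9b5a-d6c2d0744b44>;CN=Container,CN=Sc
 hema,CN=Configuration,DC=redacted,DC=domain,DC=local

# returned 1 records
""",
}

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse ldbsearch output into a list of {attribute: [values]} records."""
    records, current, last = [], None, None
    for raw in text.splitlines():
        # A line starting with one space continues the previous value.
        if raw.startswith(" ") and current is not None and last is not None:
            current[last][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line or line.startswith("#"):   # blank line or comment ends a record
            if current:
                records.append(current)
            current, last = None, None
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        if current is None:
            current = {}
        last = m.group(1)
        current.setdefault(last, []).append(m.group(3))
    if current:
        records.append(current)
    return records


def rdns(dn):
    """Split a DN on unescaped commas and normalise case for comparison."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def owning_nc(dn, ncs):
    """Return the deepest NC whose DN is a suffix of dn, or None."""
    parts, best = rdns(dn), None
    for nc in ncs:
        n = rdns(nc)
        if parts[-len(n):] == n and (best is None or len(n) > len(rdns(best))):
            best = nc
    return best


def find_conflicts(partitions):
    """Report DNs stored with different objectGUIDs in more than one file."""
    seen = defaultdict(list)   # normalised DN -> copies found
    for nc, text in partitions.items():
        for rec in parse_ldif(text):
            dn = rec.get("dn", [None])[0]
            guid = rec.get("objectGUID", [None])[0]
            if dn and guid:
                seen[",".join(rdns(dn))].append({
                    "dn": dn, "partition": nc, "guid": guid,
                    "created": rec.get("whenCreated", [None])[0]})
    findings = []
    for key, copies in list(seen.items()):
        if len({c["guid"] for c in copies}) < 2:
            continue
        owner = owning_nc(copies[0]["dn"], partitions.keys())
        for c in copies:
            # A copy is misplaced when its file is not the deepest matching NC.
            c["misplaced"] = owner is None or rdns(c["partition"]) != rdns(owner)
        parent_key = ",".join(rdns(copies[0]["dn"])[1:])
        parents = [(p["partition"], p["guid"]) for p in seen.get(parent_key, [])]
        findings.append({"dn": copies[0]["dn"], "owner_nc": owner,
                         "parent_held_in": parents, "copies": copies})
    return findings


if __name__ == "__main__":
    for f in find_conflicts(SAMPLE):
        print(f["dn"], "-> owner NC:", f["owner_nc"])
        print("  parent held in:", f["parent_held_in"])
        for c in f["copies"]:
            print("  ", c["partition"], c["guid"], c["created"],
                  "MISPLACED" if c["misplaced"] else "")
```

On real data, feed it the output of one ldbsearch per partition file, keyed by that file's NC. The output contains directory data, so treat it like the debug logs mentioned earlier in the thread.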


Re: WERR_DS_DRA_MISSING_PARENT while Joining Samba4 DC to Samba4 Domain

Samba - General mailing list
On Thu, 21 Dec 2017 17:58:54 -0500 (EST)
Daniel McFeeters via samba <[hidden email]> wrote:

> Perhaps I'm rooting around at a lower level than I should be, and
> somewhat beyond what I can understand, but here is a bit of info I
> dug up. It might be helpful? The GUID in the first search matches the
> one referred to in the error message.
>
> $ sudo ldbsearch
> -H /var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb
> "(DC=DomainDnsZones)" # record 1 dn:
> DC=DomainDnsZones,DC=redacted,DC=domain,DC=local objectClass: top
> objectClass: domain
> objectClass: domainDNS
> description: Microsoft DNS Directory
> instanceType: 13
> whenCreated: 20171218211518.0Z
> whenChanged: 20171218211518.0Z
> uSNCreated: 3620
> nTSecurityDescriptor: REDACTED
> name: DomainDnsZones
> objectGUID: 60e25dda-6d35-4aab-bfa5-6137cb271e27
> objectCategory:
> <GUID=b7263211-731a-43fe-a2f4-b522bf2d1a9d>;CN=Domain-DNS,CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
> msDS-NcType: 0 dc: DomainDnsZones
> wellKnownObjects:
> B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:<GUID=ff815094-bd8e-49
> 08-ac71-c62beeb47896>;CN=NTDS
> Quotas,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> wellKnownObjects:
> B:32:18E2EA80684F11D2B9AA00C04F79F805:<GUID=d3806832-94c6-41
> 3b-9406-0f512a8a6cd5>;CN=Deleted
> Objects,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> wellKnownObjects:
> B:32:2FBAC1870ADE11D297C400C04FD8D5CD:<GUID=e72f6718-5cb2-45
> 35-9410-c1fc3e4ea084>;CN=Infrastructure,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> wellKnownObjects:
> B:32:AB8153B7768811D1ADED00C04FD8D5CD:<GUID=5e3f945f-a07e-4d
> 5a-bf69-6d191f5a6bc2>;CN=LostAndFound,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> replPropertyMetaData:: REDACTED uSNChanged: 3627 distinguishedName:
> DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
>
> # record 2
> dn:
> DC=DomainDnsZones,DC=lc.lcdhd.org,CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> objectClass: top objectClass: dnsNode
> instanceType: 4
> whenCreated: 20171218211518.0Z
> whenChanged: 20171218211518.0Z
> uSNCreated: 3672
> uSNChanged: 3672
> showInAdvancedViewOnly: TRUE
> name: DomainDnsZones
> objectGUID: 4f08c35a-d330-4e01-8cd7-7a6790397b3a
> replPropertyMetaData:: REDACTED
> dnsRecord:: BAABAAXwAAABAAAAAAADhAAAAAAAAAAACmMAFQ==
> objectCategory:
> <GUID=30c12cc0-3c1f-43d6-9498-5ca8856a6156>;CN=Dns-Node,CN=Sch
> ema,CN=Configuration,DC=redacted,DC=domain,DC=local dc: DomainDnsZones
> nTSecurityDescriptor: REDACTED
> distinguishedName:
> DC=DomainDnsZones,DC=lc.lcdhd.org,CN=MicrosoftDNS,DC=Domain
> DnsZones,DC=redacted,DC=domain,DC=local
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
> $ sudo ldbsearch
> -H /var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb
> "(CN=MicrosoftDNS)" # record 1 dn:
> CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> objectClass: top objectClass: container
> cn: MicrosoftDNS
> instanceType: 4
> whenCreated: 20171218211518.0Z
> uSNCreated: 3638
> showInAdvancedViewOnly: TRUE
> name: MicrosoftDNS
> objectGUID: 249ac0c0-b3fd-4998-84b7-950066285b78
> nTSecurityDescriptor: REDACTED
> objectCategory:
> <GUID=591defdf-e2f7-4c9e-9b5a-d6c2d0744b44>;CN=Container,CN=Sc
> hema,CN=Configuration,DC=redacted,DC=domain,DC=local
> replPropertyMetaData:: REDACTED whenChanged: 20171220011156.0Z
> uSNChanged: 887580
> distinguishedName:
> CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> $ sudo ldbsearch
> -H /var/lib/samba/private/sam.ldb.d/DC\=REDACTED\,DC\=DOMAIN\,DC\=LOCAL.ldb
> "(CN=MicrosoftDNS)" # record 1 dn:
> CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> objectClass: top objectClass: container
> cn: MicrosoftDNS
> instanceType: 4
> whenCreated: 20100113175618.0Z
> whenChanged: 20121217022721.0Z
> displayName: DNS Servers
> uSNCreated: 3330
> uSNChanged: 3330
> showInAdvancedViewOnly: TRUE
> name: MicrosoftDNS
> objectGUID: 6e2ba870-34a5-494c-82a9-ab06f109c3dd
> replPropertyMetaData:: REDACTED
> objectCategory:
> <GUID=591defdf-e2f7-4c9e-9b5a-d6c2d0744b44>;CN=Container,CN=Sc
> hema,CN=Configuration,DC=redacted,DC=domain,DC=local
> nTSecurityDescriptor: REDACTED distinguishedName:
> CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> Daniel McFeeters
>
>
> ----- Original Message -----
> > From: "samba" <[hidden email]>
> > To: "Garming Sam" <[hidden email]>
> > Cc: "samba" <[hidden email]>, "Andrew Bartlett"
> > <[hidden email]> Sent: Thursday, December 21, 2017 5:20:30 PM
> > Subject: Re: [Samba] WERR_DS_DRA_MISSING_PARENT while Joining
> > Samba4 DC to Samba4 Domain
>
> > OK, we're getting closer here I think. I repeated with -d 2 without
> > much help. Here is -d 3, which may point us in the right direction.
> > As I suspected, it seems to point to some corruption in the DNS
> > still, perhaps?
>
> > The key line seems to be here:
> > Missing parent while attempting to apply records: No parent with
> > GUID 60e25dda-6d35-4aab-bfa5-6137cb271e27 found for object remotely
> > known as
> > CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT
>
> > Here is the full output in context:
>
> > $ sudo samba-tool domain join redacted.domain.local DC
> > -U"REDACTED\my.domain.admin" --dns-backend=SAMBA_INTERNAL -d 3
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Finding a writeable DC for domain 'redacted.domain.local'
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > _ldap._tcp.redacted.domain.local<0x0>
> > Found DC samba4dom.redacted.domain.local
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > samba4dom.redacted.domain.local<0x20>
> > cli_credentials(REDACTED\my.domain.admin) without realm, cannot use
> > kerberos for this connection ldap/samba4dom.redacted.domain.local
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > Password for [REDACTED\my.domain.admin]:
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NO DNS zone information found in source domain, not replicating DNS
> > workgroup is REDACTED
> > realm is redacted.domain.local
> > Adding CN=SAMBA4DC2,OU=Domain
> > Controllers,DC=redacted,DC=domain,DC=local Adding
> > CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> > Adding CN=NTDS
> > Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> > Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > samba4dom.redacted.domain.local<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > samba4dom.redacted.domain.local<0x20>
> > cli_credentials(REDACTED\my.domain.admin) without realm, cannot use
> > kerberos for this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > Adding SPNs to CN=SAMBA4DC2,OU=Domain
> > Controllers,DC=redacted,DC=domain,DC=local Setting account password
> > for SAMBA4DC2$ Enabling account
> > Calling bare provision
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > Looking up IPv4 addresses
> > Looking up IPv6 addresses
> > No IPv6 address will be assigned
> > Setting up share.ldb
> > Setting up secrets.ldb
> > Setting up the registry
> > ldb_wrap open of hklm.ldb
> > Key 'key=SOFTWARE,hive=NONE' not found
> > key added: key=SOFTWARE,hive=NONE
> > Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
> > key added: key=Microsoft,key=SOFTWARE,hive=NONE
> > Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> > key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
> > Key 'key=CurrentVersion,key=Windows
> > NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> > key added: key=CurrentVersion,key=Windows
> > NT,key=Microsoft,key=SOFTWARE,hive=NONE
> > Key 'key=SYSTEM,hive=NONE' not found
> > key added: key=SYSTEM,hive=NONE
> > Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not
> > found key added:
> > key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE Key
> > 'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found key added:
> > key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key
> > 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found key added:
> > key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Terminal
> > Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not
> > found key added: key=Terminal
> > Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE Key
> > 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key
> > 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found key added:
> > key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key
> > 'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found key added:
> > key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key
> > 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found key added:
> > key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key
> > 'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found key added:
> > key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Setting up the privileges database Setting up idmap db Setting up
> > SAM db Setting up sam.ldb partitions and settings
> > Setting up sam.ldb rootDSE
> > Pre-loading the Samba 4 and AD schema
> > partition_metadata: Migrating partition metadata: open of
> > metadata.tdb gave: (null)
> > A Kerberos configuration suitable for Samba AD has been generated at
> > /var/lib/samba/private/krb5.conf
> > Provision OK for domain DN DC=redacted,DC=domain,DC=local
> > Starting replication
> > Using binding ncacn_ip_tcp:samba4dom.redacted.domain.local[,seal]
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > samba4dom.redacted.domain.local<0x20>
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > samba4dom.redacted.domain.local<0x20>
> > cli_credentials(REDACTED\my.domain.admin) without realm, cannot use
> > kerberos for this connection ldap/SAMBA4DOM.REDACTED.DOMAIN.LOCAL
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898235
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088235
> > Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> > objects[402/1550] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> > objects[804/1550] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> > objects[1206/1550] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local]
> > objects[1550/1550] linked_values[0/0]
> > Analyze and apply schema objects
> > Replicated 1550 objects (0 linked attributes) for
> > CN=Schema,CN=Configuration,DC=redacted,DC=domain,DC=local
> > Partition[CN=Configuration,DC=redacted,DC=domain,DC=local]
> > objects[402/1610] linked_values[0/0]
> > Replicated 402 objects (0 linked attributes) for
> > CN=Configuration,DC=redacted,DC=domain,DC=local
> > Partition[CN=Configuration,DC=redacted,DC=domain,DC=local]
> > objects[804/1610] linked_values[0/0]
> > Replicated 402 objects (0 linked attributes) for
> > CN=Configuration,DC=redacted,DC=domain,DC=local
> > Partition[CN=Configuration,DC=redacted,DC=domain,DC=local]
> > objects[1206/1610] linked_values[0/0]
> > Replicated 402 objects (0 linked attributes) for
> > CN=Configuration,DC=redacted,DC=domain,DC=local
> > Partition[CN=Configuration,DC=redacted,DC=domain,DC=local]
> > objects[1608/1610] linked_values[0/15]
> > Replicated 402 objects (0 linked attributes) for
> > CN=Configuration,DC=redacted,DC=domain,DC=local
> > Partition[CN=Configuration,DC=redacted,DC=domain,DC=local]
> > objects[1609/1610] linked_values[22/22]
> > Replicated 1 objects (22 linked attributes) for
> > CN=Configuration,DC=redacted,DC=domain,DC=local
> > Replicating critical objects from the base DN of the domain
> > Partition[DC=redacted,DC=domain,DC=local] objects[76/74]
> > linked_values[21/21] Replicated 76 objects (21 linked attributes)
> > for DC=redacted,DC=domain,DC=local
> > Partition[DC=redacted,DC=domain,DC=local] objects[478/19962]
> > linked_values[0/0] Missing parent while attempting to apply
> > records: No parent with GUID 60e25dda-6d35-4aab-bfa5-6137cb271e27
> > found for object remotely known as
> > CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT Join failed -
> > cleaning up ldb_wrap open of secrets.ldb Could not find machine
> > account in secrets database: Failed to fetch machine account
> > password for REDACTED from both secrets.ldb (Could not find entry
> > to match filter:
> > '(&(flatname=REDACTED)(objectclass=primaryDomain))' base:
> > 'cn=Primary Domains': No such object: dsdb_search
> > at ../source4/dsdb/common/util.c:4636) and
> > from /var/lib/samba/private/secrets.tdb:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO Deleted CN=SAMBA4DC2,OU=Domain
> > Controllers,DC=redacted,DC=domain,DC=local Deleted CN=NTDS
> > Settings,CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> > Deleted
> > CN=SAMBA4DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=redacted,DC=domain,DC=local
> > ERROR(runtime): uncaught exception - (8460, "Failed to process
> > 'chunk' of DRS replicated objects: WERR_DS_DRA_MISSING_PARENT")
> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 176, in _run return self.run(*args, **kwargs) File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> > 661, in run machinepass=machinepass, use_ntvfs=use_ntvfs,
> > dns_backend=dns_backend) File
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in
> > join_DC ctx.do_join() File
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 1377, in
> > do_join ctx.join_replicate() File
> > "/usr/lib/python2.7/dist-packages/samba/join.py", line 936, in
> > join_replicate replica_flags=ctx.domain_replica_flags) File
> > "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 295, in
> > replicate schema=schema, req_level=req_level, req=req)
> > $
>
> > Daniel McFeeters
>

As I said, you do not seem to have a DNS server. What you could try is:
back up the DC, then run 'samba_upgradedns'; this should recreate the
DNS.

Rowland
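
The join log quoted in this thread names a parent GUID that the new DC could not find. The following is an added example, not part of any poster's message and not Samba code: it pulls that GUID and child DN out of a mail-quoted, hard-wrapped log and checks them against an ldbsearch-style dump of `dn` and `objectGUID`. The function names, the second LDIF record and its GUID are constructed for illustration.

```python
import re

# Constructed sample: the failing lines as quoted in the thread, with mail
# quote markers and hard wrapping left in place.
QUOTED_LOG = """\
> > linked_values[0/0] Missing parent while attempting to apply
> > records: No parent with GUID 60e25dda-6d35-4aab-bfa5-6137cb271e27
> > found for object remotely known as
> > CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
> > Failed to commit objects: WERR_DS_DRA_MISSING_PARENT Join failed -
"""
# Constructed LDIF: record 1 uses the GUID shown on the page, record 2 is made up.
LDIF = """\
dn: CN=MicrosoftDNS,DC=DomainDnsZones,DC=redacted,DC=domain,DC=local
objectGUID: 6e2ba870-34a5-494c-82a9-ab06f109c3dd

dn: DC=redacted,DC=domain,DC=local
objectGUID: 11111111-2222-3333-4444-555555555555
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
MISSING = re.compile(
    r"No parent with GUID (%s) found for object remotely known as "
    r"(.+?)(?= Failed to commit objects:|$)" % GUID)

def missing_parents(log_text):
    """Strip '>' quoting, rejoin wrapped lines, return [(guid, child_dn)]."""
    lines = [re.sub(r"^(?:>\s?)+", "", l).strip() for l in log_text.splitlines()]
    flat = " ".join(l for l in lines if l)
    return [(g.lower(), dn) for g, dn in MISSING.findall(flat)]

def parse_ldif(text):
    """Return {dn: objectGUID}; LDIF folds long lines as newline + space."""
    out, dn = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("objectGUID: ") and dn:
            out[dn] = line[12:].lower()
    return out

def diagnose(log_text, ldif_text):
    """For each missing-parent error, say whether the parent DN or GUID exists."""
    by_dn = parse_ldif(ldif_text)
    by_guid = {g: d for d, g in by_dn.items()}
    report = []
    for guid, child in missing_parents(log_text):
        # Parent DN is everything after the first unescaped comma.
        parent = re.split(r"(?<!\\),", child, maxsplit=1)[-1]
        found = any(d.lower() == parent.lower() for d in by_dn)
        report.append({"child": child, "parent_guid": guid, "parent_dn": parent,
                       "parent_dn_found": found, "guid_owner": by_guid.get(guid)})
    return report

if __name__ == "__main__":
    print(diagnose(QUOTED_LOG, LDIF))
```
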
