Active Directory Takeover failed

Hello,

I would like to migrate our existing AD Server (2019) to Univention due to its simplicity and better performance.

The Domain and Forest were set to Windows2008 in order to make it work.

Import-Module -Name ActiveDirectory
Set-ADDomainMode -Identity "domain.local" -DomainMode Windows2008Domain
Set-ADForestMode -Identity "domain.local" -ForestMode Windows2008Forest

The takeover fails every time I try; I am looking for help.

2021-03-21 07:52:07,294 Found account Gast with well known RID 501 (Guest)
2021-03-21 07:52:07,294 Found account krbtgt with well known RID 502 (KRBTGT)
2021-03-21 07:52:07,294 Found account Administrator with well known RID 500 (Administrator)
2021-03-21 07:52:07,298 Found group Domänencomputer with well known RID 515 (Domain Computers)
2021-03-21 07:52:07,298 Found group Zertifikatherausgeber with well known RID 517 (Cert Publishers)
2021-03-21 07:52:07,298 Found group Domänen-Gäste with well known RID 514 (Domain Guests)
2021-03-21 07:52:07,298 Found group Domänen-Admins with well known RID 512 (Domain Admins)
2021-03-21 07:52:07,298 Found group Schema-Admins with well known RID 518 (Schema Admins)
2021-03-21 07:52:07,298 Found group Organisations-Admins with well known RID 519 (Enterprise Admins)
2021-03-21 07:52:07,298 Found group Richtlinien-Ersteller-Besitzer with well known RID 520 (Group Policy Creator Owners)
2021-03-21 07:52:07,298 Found group Zulässige RODC-Kennwortreplikationsgruppe with well known RID 571 (Allowed RODC Password Replication Group)
2021-03-21 07:52:07,298 Found group Abgelehnte RODC-Kennwortreplikationsgruppe with well known RID 572 (Denied RODC Password Replication Group)
2021-03-21 07:52:07,298 Found group Schreibgeschützte Domänencontroller der Organisation with well known RID 498 (Enterprise Read-only Domain Controllers)
2021-03-21 07:52:07,298 Found group Schreibgeschützte Domänencontroller with well known RID 521 (Read-Only Domain Controllers)
2021-03-21 07:52:07,298 Found group Domänencontroller with well known RID 516 (Domain Controllers)
2021-03-21 07:52:07,299 Found group RAS- und IAS-Server with well known RID 553 (RAS and IAS Servers)
2021-03-21 07:52:07,299 Found group Domänen-Benutzer with well known RID 513 (Domain Users)
2021-03-21 07:52:07,299 Found group Klonbare Domänencontroller with well known RID 522 (Cloneable Domain Controllers)
2021-03-21 07:52:07,326 determine_license for current UCS Users: 1 of unlimited
2021-03-21 07:52:07,326   0 Systemaccounts are ignored.
2021-03-21 07:52:07,327 Found 42 Benutzer objects on the remote server.
2021-03-21 07:52:09,136 INFO: Time difference is less than 180 seconds, skipping reset of local time
2021-03-21 07:52:09,152 Starting phase I of the takeover process.
2021-03-21 07:52:09,152 Calling: univention-config-registry set hosts/static/192.168.1.200=MAIN-SRV-DC.domain.local MAIN-SRV-DC
2021-03-21 07:52:09,503 Create hosts/static/192.168.1.200
2021-03-21 07:52:09,503 Multifile: /etc/hosts
2021-03-21 07:52:09,509 Calling: /etc/init.d/univention-s4-connector stop
2021-03-21 07:52:09,577 Stopping univention-s4-connector (via systemctl): univention-s4-connector.service.
2021-03-21 07:52:09,577 Calling: /etc/init.d/samba-ad-dc stop
2021-03-21 07:52:09,738 Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
2021-03-21 07:52:09,739 Calling: univention-config-registry set nameserver1/local=192.168.0.200 nameserver1=192.168.1.200 directory/manager/web/modules/users/user/properties/username/syntax=string directory/manager/web/modules/groups/group/properties/name/syntax=string dns/backend=ldap
2021-03-21 07:52:10,458 Create nameserver1/local
2021-03-21 07:52:10,460 Setting nameserver1
2021-03-21 07:52:10,460 Setting directory/manager/web/modules/users/user/properties/username/syntax
2021-03-21 07:52:10,461 Setting directory/manager/web/modules/groups/group/properties/name/syntax
2021-03-21 07:52:10,461 Setting dns/backend
2021-03-21 07:52:10,461 File: /etc/systemd/system/bind9.service.d/10-configure-backend.conf
2021-03-21 07:52:10,462 File: /etc/init.d/bind9
2021-03-21 07:52:10,462 File: /etc/resolv.conf
2021-03-21 07:52:10,473 Calling: /etc/init.d/nscd stop
2021-03-21 07:52:10,539 Stopping nscd (via systemctl): nscd.service.
2021-03-21 07:52:10,539 Calling: /etc/init.d/bind9 restart
2021-03-21 07:52:11,700 Restarting bind9 (via systemctl): bind9.service.
2021-03-21 07:52:11,706 Starting Samba domain join.
2021-03-21 07:52:12,482 INFO 2021-03-21 07:52:12,481 pid:24700 /usr/lib/python2.7/dist-packages/samba/join.py #1528: workgroup is DOMAIN
2021-03-21 07:52:12,483 INFO 2021-03-21 07:52:12,482 pid:24700 /usr/lib/python2.7/dist-packages/samba/join.py #1531: realm is domain.local
2021-03-21 07:52:13,221 INFO 2021-03-21 07:52:13,220 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2368: Looking up IPv4 addresses
2021-03-21 07:52:13,221 INFO 2021-03-21 07:52:13,221 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2385: Looking up IPv6 addresses
2021-03-21 07:52:13,222 WARNING 2021-03-21 07:52:13,222 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2392: No IPv6 address will be assigned
2021-03-21 07:52:13,887 INFO 2021-03-21 07:52:13,886 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2558: Setting up share.ldb
2021-03-21 07:52:13,937 INFO 2021-03-21 07:52:13,936 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2562: Setting up secrets.ldb
2021-03-21 07:52:13,957 INFO 2021-03-21 07:52:13,957 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2568: Setting up the registry
2021-03-21 07:52:14,001 INFO 2021-03-21 07:52:14,001 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2571: Setting up the privileges database
2021-03-21 07:52:14,032 INFO 2021-03-21 07:52:14,032 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2574: Setting up idmap db
2021-03-21 07:52:14,062 INFO 2021-03-21 07:52:14,061 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2581: Setting up SAM db
2021-03-21 07:52:14,072 INFO 2021-03-21 07:52:14,071 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #887: Setting up sam.ldb partitions and settings
2021-03-21 07:52:14,072 INFO 2021-03-21 07:52:14,072 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #899: Setting up sam.ldb rootDSE
2021-03-21 07:52:14,082 INFO 2021-03-21 07:52:14,081 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #1307: Pre-loading the Samba 4 and AD schema
2021-03-21 07:52:14,083 Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
2021-03-21 07:52:14,103 INFO 2021-03-21 07:52:14,102 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2631: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
2021-03-21 07:52:14,103 INFO 2021-03-21 07:52:14,103 pid:24700 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2632: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
2021-03-21 07:52:14,277 Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[402/1404] linked_values[0/0]
2021-03-21 07:52:14,371 Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[804/1404] linked_values[0/0]
2021-03-21 07:52:14,466 Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1206/1404] linked_values[0/0]
2021-03-21 07:52:14,535 Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1600/1404] linked_values[0/0]
2021-03-21 07:52:14,563 Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1774/1404] linked_values[0/0]
2021-03-21 07:52:14,564 Analyze and apply schema objects
2021-03-21 07:52:16,245 Partition[CN=Configuration,DC=domain,DC=local] objects[402/3738] linked_values[0/67]
2021-03-21 07:52:16,446 Partition[CN=Configuration,DC=domain,DC=local] objects[804/3738] linked_values[0/67]
2021-03-21 07:52:16,630 Partition[CN=Configuration,DC=domain,DC=local] objects[1206/3738] linked_values[0/67]
2021-03-21 07:52:16,822 Partition[CN=Configuration,DC=domain,DC=local] objects[1608/3738] linked_values[0/67]
2021-03-21 07:52:17,099 Partition[CN=Configuration,DC=domain,DC=local] objects[1939/3738] linked_values[55/67]
2021-03-21 07:52:17,109 dsdb_replicated_objects_convert: Ignoring object outside partition e936a6ce-2829-49de-920b-589c9d6308d0 CN=Schema,CN=Configuration,DC=domain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2021-03-21 07:52:17,324 Partition[CN=Configuration,DC=domain,DC=local] objects[1979/3738] linked_values[67/67]
2021-03-21 07:52:17,396 Partition[DC=domain,DC=local] objects[112/181] linked_values[295/320]
2021-03-21 07:52:17,601 Partition[DC=domain,DC=local] objects[272/3978] linked_values[60/320]
2021-03-21 07:52:17,722 Failed to commit objects: DOS code 0x000021bf
2021-03-21 07:52:17,773 Partition[DC=domain,DC=local] objects[534/3978] linked_values[118/320]
2021-03-21 07:52:17,947 Partition[DC=domain,DC=local] objects[728/3978] linked_values[151/320]
2021-03-21 07:52:17,965 dsdb_replicated_objects_convert: Ignoring object outside partition 7b6fb7bd-5cd9-4b03-9047-26b04aa37e4c CN=Configuration,DC=domain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2021-03-21 07:52:17,966 dsdb_replicated_objects_convert: Ignoring object outside partition 4c4c0217-3751-48d7-b151-29372ebf4d85 DC=ForestDnsZones,DC=domain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2021-03-21 07:52:17,967 dsdb_replicated_objects_convert: Ignoring object outside partition 751a832a-4820-46fd-a32f-542aa3997206 DC=DomainDnsZones,DC=domain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2021-03-21 07:52:18,245 Partition[DC=domain,DC=local] objects[830/3978] linked_values[360/320]
2021-03-21 07:52:18,453 Partition[DC=DomainDnsZones,DC=domain,DC=local] objects[204/210] linked_values[0/0]
2021-03-21 07:52:18,720 Partition[DC=ForestDnsZones,DC=domain,DC=local] objects[8/8] linked_values[0/0]
2021-03-21 07:52:18,739 Exop on[CN=RID Manager$,CN=System,DC=domain,DC=local] objects[3] linked_values[0]
2021-03-21 07:52:29,765 INFO 2021-03-21 07:52:29,764 pid:24700 /usr/lib/python2.7/dist-packages/samba/join.py #1106: Adding 1 remote DNS records for UCS.domain.local
2021-03-21 07:52:29,903 Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:4733) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2021-03-21 07:52:29,911 ERROR(runtime): uncaught exception - (9005, 'WERR_DNS_ERROR_RCODE_REFUSED')
2021-03-21 07:52:29,911   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
2021-03-21 07:52:29,911     return self.run(*args, **kwargs)
2021-03-21 07:52:29,912   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 700, in run
2021-03-21 07:52:29,913     backend_store=backend_store)
2021-03-21 07:52:29,913   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1544, in join_DC
2021-03-21 07:52:29,914     ctx.do_join()
2021-03-21 07:52:29,914   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1445, in do_join
2021-03-21 07:52:29,914     ctx.join_add_dns_records()
2021-03-21 07:52:29,915   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1155, in join_add_dns_records
2021-03-21 07:52:29,915     del_rec_buf)
2021-03-21 07:52:29,964 Adding CN=UCS,OU=Domain Controllers,DC=domain,DC=local
2021-03-21 07:52:29,964 Adding CN=UCS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
2021-03-21 07:52:29,964 Adding CN=NTDS Settings,CN=UCS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
2021-03-21 07:52:29,964 Adding SPNs to CN=UCS,OU=Domain Controllers,DC=domain,DC=local
2021-03-21 07:52:29,965 Setting account password for UCS$
2021-03-21 07:52:29,965 Enabling account
2021-03-21 07:52:29,965 Calling bare provision
2021-03-21 07:52:29,965 Provision OK for domain DN DC=domain,DC=local
2021-03-21 07:52:29,965 Starting replication
2021-03-21 07:52:29,965 Replicating critical objects from the base DN of the domain
2021-03-21 07:52:29,965 Missing target object - retrying with DRS_GET_TGT
2021-03-21 07:52:29,965 Done with always replicated NC (base, config, schema)
2021-03-21 07:52:29,966 Replicating DC=DomainDnsZones,DC=domain,DC=local
2021-03-21 07:52:29,966 Replicating DC=ForestDnsZones,DC=domain,DC=local
2021-03-21 07:52:29,966 Committing SAM database
2021-03-21 07:52:29,966 Join failed - cleaning up
2021-03-21 07:52:29,966 Deleted CN=RID Set,CN=UCS,OU=Domain Controllers,DC=domain,DC=local
2021-03-21 07:52:29,966 Deleted CN=UCS,OU=Domain Controllers,DC=domain,DC=local
2021-03-21 07:52:29,966 Deleted CN=NTDS Settings,CN=UCS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
2021-03-21 07:52:29,967 Deleted CN=UCS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
2021-03-21 07:52:30,004 Calling: univention-config-registry unset hosts/static/192.168.1.200
2021-03-21 07:52:30,337 Unsetting hosts/static/192.168.1.200
2021-03-21 07:52:30,337 Multifile: /etc/hosts
2021-03-21 07:52:30,349 Calling: /etc/init.d/samba-ad-dc start
2021-03-21 07:52:31,256 Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
2021-03-21 07:52:31,257 Calling: /etc/init.d/univention-s4-connector start
2021-03-21 07:52:32,548 Starting univention-s4-connector (via systemctl): univention-s4-connector.service.
2021-03-21 07:52:32,548 Calling: univention-config-registry set nameserver1=192.168.0.200
2021-03-21 07:52:33,149 Setting nameserver1
2021-03-21 07:52:33,149 File: /etc/resolv.conf
2021-03-21 07:52:33,169 Calling: univention-config-registry unset nameserver1/local
2021-03-21 07:52:33,615 Unsetting nameserver1/local
2021-03-21 07:52:33,615 File: /etc/resolv.conf
2021-03-21 07:52:33,629 Calling: univention-config-registry set dns/backend=samba4
2021-03-21 07:52:34,439 Setting dns/backend
2021-03-21 07:52:34,439 File: /etc/systemd/system/bind9.service.d/10-configure-backend.conf
2021-03-21 07:52:34,440 File: /etc/init.d/bind9
2021-03-21 07:52:34,449 Calling: /etc/init.d/bind9 restart
2021-03-21 07:52:35,675 Restarting bind9 (via systemctl): bind9.service.
2021-03-21 07:52:35,675 Calling: /etc/init.d/nscd restart
2021-03-21 07:52:35,742 Restarting nscd (via systemctl): nscd.service.

Using samba-tool drs clone-dc-database seems to work.

How do I perform the takeover from the CLI?

root@ucs:~# samba-tool drs clone-dc-database "domain.local" --server=192.168.1.200 -UAdministrator --targetdir /var/tmp/hq-AD --include-secrets
Password for [DOMAIN\Administrator]:
INFO 2021-03-21 09:42:44,949 pid:4928 /usr/lib/python2.7/dist-packages/samba/join.py #1558: workgroup is DOMAIN
INFO 2021-03-21 09:42:44,949 pid:4928 /usr/lib/python2.7/dist-packages/samba/join.py #1561: realm is domain.local
Calling bare provision
INFO 2021-03-21 09:42:44,952 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2368: Looking up IPv4 addresses
INFO 2021-03-21 09:42:44,952 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2385: Looking up IPv6 addresses
WARNING 2021-03-21 09:42:44,953 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2392: No IPv6 address will be assigned
INFO 2021-03-21 09:42:45,747 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2558: Setting up share.ldb
INFO 2021-03-21 09:42:45,784 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2562: Setting up secrets.ldb
INFO 2021-03-21 09:42:45,805 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2568: Setting up the registry
INFO 2021-03-21 09:42:45,837 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2571: Setting up the privileges database
INFO 2021-03-21 09:42:45,868 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2574: Setting up idmap db
INFO 2021-03-21 09:42:45,897 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2581: Setting up SAM db
INFO 2021-03-21 09:42:45,906 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #887: Setting up sam.ldb partitions and settings
INFO 2021-03-21 09:42:45,907 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #899: Setting up sam.ldb rootDSE
INFO 2021-03-21 09:42:45,916 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #1307: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2021-03-21 09:42:45,937 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2631: A Kerberos configuration suitable for Samba AD has been generated at /var/tmp/hq-AD/private/krb5.conf
INFO 2021-03-21 09:42:45,937 pid:4928 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2632: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Provision OK for domain DN DC=domain,DC=local
Starting replication
Using DS_BIND_GUID_W2K3
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[402/1426] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[804/1426] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1206/1426] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1600/1426] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1774/1426] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=domain,DC=local] objects[402/3919] linked_values[0/55]
Partition[CN=Configuration,DC=domain,DC=local] objects[804/3919] linked_values[0/55]
Partition[CN=Configuration,DC=domain,DC=local] objects[1206/3919] linked_values[0/55]
Partition[CN=Configuration,DC=domain,DC=local] objects[1608/3919] linked_values[0/55]
Partition[CN=Configuration,DC=domain,DC=local] objects[1939/3919] linked_values[55/55]
dsdb_replicated_objects_convert: Ignoring object outside partition e936a6ce-2829-49de-920b-589c9d6308d0 CN=Schema,CN=Configuration,DC=domain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
Partition[CN=Configuration,DC=domain,DC=local] objects[1988/3919] linked_values[55/55]
Replicating critical objects from the base DN of the domain
Partition[DC=domain,DC=local] objects[111/180] linked_values[295/319]
Partition[DC=domain,DC=local] objects[272/4136] linked_values[60/319]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[DC=domain,DC=local] objects[534/4136] linked_values[118/319]
Partition[DC=domain,DC=local] objects[728/4136] linked_values[151/319]
dsdb_replicated_objects_convert: Ignoring object outside partition 7b6fb7bd-5cd9-4b03-9047-26b04aa37e4c CN=Configuration,DC=domain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
dsdb_replicated_objects_convert: Ignoring object outside partition 4c4c0217-3751-48d7-b151-29372ebf4d85 DC=ForestDnsZones,DC=domain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
dsdb_replicated_objects_convert: Ignoring object outside partition 751a832a-4820-46fd-a32f-542aa3997206 DC=DomainDnsZones,DC=domain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
Partition[DC=domain,DC=local] objects[837/4136] linked_values[360/319]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=domain,DC=local
Partition[DC=DomainDnsZones,DC=domain,DC=local] objects[207/211] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=domain,DC=local
Partition[DC=ForestDnsZones,DC=domain,DC=local] objects[8/8] linked_values[0/0]
Committing SAM database
INFO 2021-03-21 09:43:01,636 pid:4928 /usr/lib/python2.7/dist-packages/samba/join.py #1652: Setting isSynchronized and dsServiceName
INFO 2021-03-21 09:43:01,637 pid:4928 /usr/lib/python2.7/dist-packages/samba/join.py #1564: Cloned domain DOMAIN (SID S-1-5-21-890141649-2263398704-4290175720)

Same here.
PLUS “2021-06-14 15:57:45,101 Failed to connect host 192.168.20.20 on port 6017 - NT_STATUS_IO_TIMEOUT”
But that’s probably not the real deal, as it continues with the next error “Could not find machine account in secrets database”

UPDATE:
The timeout error WAS significant for me. The timeout error came from the samba join trying to add the new server to the DNS, which failed for reasons (yet) unknown.
I commented out the function join_add_dns_records(ctx) and set the DNS manually. Then I restarted the takeover and it kept going. Will do more testing now.

Hello,
my goal would be to take over a w2k12r2 AD (domain/forest level w2008r2). I’ve installed UCS-50, and the initial options seem pretty confusing.
1st screen -> I choose Join existing NON-UCS AD Domain ( Microsoft fits into …)
2nd screen -> none of the options have anything to do with Microsoft (or NON-UCS)
“ok” , I choose “Backup” one , but after that error appears saying : “The connection to the UCS Primary Directory Node was refused. Please recheck the password.” … looks like we are trying to connect to UCS and not to MS-AD which was intended …

I only need the takeover option … Is it possible to enter such a “mode” where I could install the takeover app and then just do the takeover? …
It seems that I have to join the domain first and only then install/run the takeover app … or?

Am I missing something ? …
I kindly ask for help/support

Thank you very much in advance
BR
Tonci

Now I managed to get the AD takeover app (UCS44), but only after I joined the MS-AD domain. Then I started the takeover, but the process got stuck on “join domain”, then I realized that I had to remove UCS from MS-AD and then the process continued till this error (image)

Is there any way just to take over the actual MS-AD? … This process I went through goes very slowly.
Why we have to “join domain” first to get started ?

Thank you very much in advance for any tip and advice

BR

Tonci

Please help !!! … what to choose just to takeover actual MS-AD ?

'tried 1. 2. 4. option but neither one helped …

hi, you have two options:

  1. create a new ucs domain, install the ad-takeover component and then perform the take over
  2. during installation perform the join as backup domain controller then transfer the FSMO roles and convert it to MASTER turning off the DC windows

Hi bbassoti
thank you for your reply
I finally found the solution (in the manual, of course :)

The following requirements must be met for the takeover:

  • The UCS Directory Node (Primary Directory Node) needs to be installed with a unique hostname, not used in the AD domain.
  • The UCS Directory Node needs to be installed with the same DNS domain name, NetBIOS (pre Windows 2000) domain name and Kerberos realm as the AD domain. It is also recommended to configure the same LDAP base DN.
  • The UCS Directory Node needs to be installed with a unique IPv4 address in the same IP subnet as the Active Directory domain controller that is used for the takeover.

So the key step was to make new UCS domain with the same DNS name (which was pretty un-logical to me, before working with UCS ) … I thought that I must NOT make new domain with the same name …
After that everything goes straightforwardly, the actual MS-AD domain is taken over correctly (roles takeover done automatically too … through the takeover wizard…)
The IP takeover was also a surprise

BR
Tonci

This is not enough
I recently spent a massive amount of time on something similar, and have a fairly good hand on why the things break (on my system).
Won’t even go into how much time I have spent getting a new 5.0= 164 install to take over.

But things like this scattered throughout the code don’t help…

TODO: Imrpove error reporting

because usually most of the problems are in these exact areas…

There are a significant amount of bugs all buried by a simple message.

basically much of it is down to poor assumptions in 5.0 & samba.
That is to say, it works on a “wing & a prayer” when run against clean engineering systems, but throw a decent production server at it 2008 or pre 2008 upgraded.

Some of them are beyond Univention's direct control, but could be easily cleared up with some more general coding controls.

Also… if the take over fails, IT DOES NOT correctly return everything back to how it should be prior to the attempt.

specifically the Hosts file is not always correctly returned to prior, and this can lead to no end of trouble…

Furthermore, I got all the way to the end and even PAST the SYSVOL copy,

only to have it crash & lock up when it checks the integrity of the files…
and for the most stupid, non-problematic causes & poor assumptions.

not every system is on utf8… guys…
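For the takeover log quoted in the first post and the remark above that a failed attempt is not always fully rolled back, here is an added example (not code from the thread or from Univention) that pulls the uncaught exception and its innermost traceback frame out of such a log and lists the UCR keys that were set before "Join failed - cleaning up" but never set or unset again afterwards. The function names are hypothetical and the sample is a constructed, shortened excerpt in the same format as the quoted log.

```python
import re

# Constructed sample: shortened excerpt in the format of the log quoted in the thread.
SAMPLE_LOG = """\
2021-03-21 07:52:09,152 Calling: univention-config-registry set hosts/static/192.168.1.200=MAIN-SRV-DC.domain.local MAIN-SRV-DC
2021-03-21 07:52:09,739 Calling: univention-config-registry set nameserver1/local=192.168.0.200 nameserver1=192.168.1.200 directory/manager/web/modules/users/user/properties/username/syntax=string dns/backend=ldap
2021-03-21 07:52:10,462 File: /etc/resolv.conf
2021-03-21 07:52:29,911 ERROR(runtime): uncaught exception - (9005, 'WERR_DNS_ERROR_RCODE_REFUSED')
2021-03-21 07:52:29,911   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
2021-03-21 07:52:29,914   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1445, in do_join
2021-03-21 07:52:29,915   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1155, in join_add_dns_records
2021-03-21 07:52:29,966 Join failed - cleaning up
2021-03-21 07:52:30,004 Calling: univention-config-registry unset hosts/static/192.168.1.200
2021-03-21 07:52:32,548 Calling: univention-config-registry set nameserver1=192.168.0.200
2021-03-21 07:52:33,169 Calling: univention-config-registry unset nameserver1/local
2021-03-21 07:52:33,629 Calling: univention-config-registry set dns/backend=samba4
"""

STAMP = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} "
UCR_CALL = re.compile(STAMP + r"Calling: univention-config-registry (set|unset) (.+)$")
EXCEPTION = re.compile(r"uncaught exception - \((\d+), '([A-Z0-9_]+)'\)")
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')
FAILED_MARKER = "Join failed - cleaning up"


def ucr_keys(action, args):
    """Return the UCR keys named in one logged set/unset call."""
    if action == "unset":
        return set(args.split())
    # The log drops shell quoting, so a value may contain spaces
    # ("...=MAIN-SRV-DC.domain.local MAIN-SRV-DC"). Tokens without "=" are
    # treated as the tail of the previous value, not as keys.
    return {tok.split("=", 1)[0] for tok in args.split() if "=" in tok}


def triage(log_text):
    """Summarise a takeover log: exception, failing call, keys cleanup skipped."""
    exception, frames = None, []
    before, after, failed = set(), set(), False
    for line in log_text.splitlines():
        if FAILED_MARKER in line:
            failed = True
        m = EXCEPTION.search(line)
        if m:
            exception, frames = (int(m.group(1)), m.group(2)), []
            continue
        m = FRAME.search(line)
        if m and exception:
            frames.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = UCR_CALL.match(line)
        if m:
            (after if failed else before).update(ucr_keys(m.group(1), m.group(2)))
    return {
        "failed": failed,
        "exception": exception,
        # Innermost frame: the call that actually raised.
        "failing_call": frames[-1] if frames else None,
        # Changed before the failure, never set or unset again during cleanup.
        "not_touched_by_cleanup": sorted(before - after) if failed else [],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```

A key reported under `not_touched_by_cleanup` is only a candidate to compare by hand against its value before the attempt; the log alone does not show what that value was.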

Disabling all Exchange services helped me. after that, the takeover of the AD ran without any problems

Start, Administrative Tools (Verwaltung), System Configuration (Systemkonfiguration)
Tab: Services (Dienste)

deactivate everything that has to do with Exchange here
restart sbs2011 and initiate take over
(sbs2011 and ucs-4.2)

It was a bug in the incorrect handling of multibyte character sets in sysvol.

this caused the process to abort
