AD-Takeover failed - can't copy ForestDnsZones

Hello everyone,

I’m getting desperate trying to replace my Windows AD Server with UCS and hope that someone has had similar problems and can help me.

For about 3 weeks now I have been trying to perform an AD takeover in various ways.

From joining the AD as a backup node or via a new domain and via ad-takeover.

In the beginning it failed because of the function and domain level. Easy fix and AD downgraded from 2016 to 2008R2.

But now comes my desperation error:

2024-12-07 01:02:23,581 Using selector: EpollSelector
2024-12-07 01:02:23,835 INFO: Time difference is less than 180 seconds, skipping reset of local time
2024-12-07 01:02:23,864 Starting phase I of the takeover process.
2024-12-07 01:02:23,864 Calling: univention-config-registry set hosts/static/192.168.0.250=dc01.mydomain.local DC01
2024-12-07 01:02:24,520 Create hosts/static/192.168.0.250
2024-12-07 01:02:24,520 Multifile: /etc/hosts
2024-12-07 01:02:24,533 Calling: /etc/init.d/univention-s4-connector stop
2024-12-07 01:02:24,606 Stopping univention-s4-connector (via systemctl): univention-s4-connector.service.
2024-12-07 01:02:24,607 Calling: /etc/init.d/samba-ad-dc stop
2024-12-07 01:02:26,070 Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
2024-12-07 01:02:26,071 Calling: univention-config-registry set nameserver1/local=192.168.0.250 nameserver1=192.168.0.250 directory/manager/web/modules/users/user/properties/username/syntax=string directory/manager/web/modules/groups/group/properties/name/syntax=string dns/backend=ldap
2024-12-07 01:02:26,910 Create nameserver1/local
2024-12-07 01:02:26,910 Setting nameserver1
2024-12-07 01:02:26,910 Setting directory/manager/web/modules/users/user/properties/username/syntax
2024-12-07 01:02:26,910 Setting directory/manager/web/modules/groups/group/properties/name/syntax
2024-12-07 01:02:26,910 Setting dns/backend
2024-12-07 01:02:26,910 File: /etc/systemd/system/bind9.service.d/10-configure-backend.conf
2024-12-07 01:02:26,910 File: /etc/resolv.conf
2024-12-07 01:02:26,929 Calling: /etc/init.d/nscd stop
2024-12-07 01:02:26,987 Stopping nscd (via systemctl): nscd.service.
2024-12-07 01:02:26,988 Calling: /etc/init.d/bind9 restart
2024-12-07 01:02:29,217 Restarting bind9 (via systemctl): bind9.service.
2024-12-07 01:02:29,219 Starting Samba domain join.
2024-12-07 01:02:29,517 INFO 2024-12-07 01:02:29,517 pid:16001 /usr/lib/python3/dist-packages/samba/join.py #1582: workgroup is mydomain
2024-12-07 01:02:29,518 INFO 2024-12-07 01:02:29,517 pid:16001 /usr/lib/python3/dist-packages/samba/join.py #1585: realm is mydomain.local
2024-12-07 01:02:29,920 INFO 2024-12-07 01:02:29,920 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2389: Looking up IPv4 addresses
2024-12-07 01:02:29,920 INFO 2024-12-07 01:02:29,920 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2406: Looking up IPv6 addresses
2024-12-07 01:02:29,921 WARNING 2024-12-07 01:02:29,921 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2413: No IPv6 address will be assigned
2024-12-07 01:02:30,226 INFO 2024-12-07 01:02:30,226 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2555: Setting up share.ldb
2024-12-07 01:02:30,264 INFO 2024-12-07 01:02:30,263 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2559: Setting up secrets.ldb
2024-12-07 01:02:30,290 INFO 2024-12-07 01:02:30,289 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2564: Setting up the registry
2024-12-07 01:02:30,382 INFO 2024-12-07 01:02:30,381 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2567: Setting up the privileges database
2024-12-07 01:02:30,427 INFO 2024-12-07 01:02:30,426 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2570: Setting up idmap db
2024-12-07 01:02:30,456 INFO 2024-12-07 01:02:30,456 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2577: Setting up SAM db
2024-12-07 01:02:30,465 INFO 2024-12-07 01:02:30,464 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #885: Setting up sam.ldb partitions and settings
2024-12-07 01:02:30,465 INFO 2024-12-07 01:02:30,465 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #897: Setting up sam.ldb rootDSE
2024-12-07 01:02:30,471 INFO 2024-12-07 01:02:30,471 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1310: Pre-loading the Samba 4 and AD schema
2024-12-07 01:02:30,473 Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
2024-12-07 01:02:30,505 INFO 2024-12-07 01:02:30,504 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2630: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
2024-12-07 01:02:30,505 INFO 2024-12-07 01:02:30,505 pid:16001 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2631: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
2024-12-07 01:02:30,513 INFO 2024-12-07 01:02:30,512 pid:16001 /usr/lib/python3/dist-packages/samba/join.py #940: Starting replication
2024-12-07 01:02:30,720 Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=local] objects[402/1589] linked_values[0/0]
2024-12-07 01:02:30,833 Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=local] objects[804/1589] linked_values[0/0]
2024-12-07 01:02:30,920 Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=local] objects[1206/1589] linked_values[0/0]
2024-12-07 01:02:31,015 Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=local] objects[1608/1589] linked_values[0/0]
2024-12-07 01:02:31,063 Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=local] objects[1774/1589] linked_values[0/0]
2024-12-07 01:02:31,063 Analyze and apply schema objects
2024-12-07 01:02:32,659 Partition[CN=Configuration,DC=mydomain,DC=local] objects[402/2620] linked_values[0/354]
2024-12-07 01:02:33,144 Partition[CN=Configuration,DC=mydomain,DC=local] objects[804/2620] linked_values[0/354]
2024-12-07 01:02:33,418 Partition[CN=Configuration,DC=mydomain,DC=local] objects[1206/2620] linked_values[0/354]
2024-12-07 01:02:33,829 Partition[CN=Configuration,DC=mydomain,DC=local] objects[1608/2620] linked_values[10/354]
2024-12-07 01:02:34,089 Partition[CN=Configuration,DC=mydomain,DC=local] objects[1771/2620] linked_values[354/354]
2024-12-07 01:02:34,096 dsdb_replicated_objects_convert: Ignoring object outside partition bd9942bb-0590-4a7d-bf5a-aa09b3f56263 CN=Schema,CN=Configuration,DC=mydomain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2024-12-07 01:02:34,310 Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
2024-12-07 01:02:34,379 Partition[CN=Configuration,DC=mydomain,DC=local] objects[1938/2620] linked_values[698/354]
2024-12-07 01:02:34,385 dsdb_replicated_objects_convert: Ignoring object outside partition bd9942bb-0590-4a7d-bf5a-aa09b3f56263 CN=Schema,CN=Configuration,DC=mydomain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2024-12-07 01:02:34,631 Partition[DC=mydomain,DC=local] objects[138/145] linked_values[70/132]
2024-12-07 01:02:34,899 Partition[DC=mydomain,DC=local] objects[343/4056] linked_values[61/132]
2024-12-07 01:02:34,913 dsdb_replicated_objects_convert: Ignoring object outside partition b09114c4-4a6a-40d3-84b9-4ee1af5ba2b1 CN=Configuration,DC=mydomain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2024-12-07 01:02:34,914 dsdb_replicated_objects_convert: Ignoring object outside partition e5ba8f1e-4d20-47a2-b4d6-d05ae6974ccc DC=DomainDnsZones,DC=mydomain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2024-12-07 01:02:34,914 dsdb_replicated_objects_convert: Ignoring object outside partition bbfb5a99-78a2-4395-aec8-7a88ca7919b4 DC=ForestDnsZones,DC=mydomain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2024-12-07 01:02:35,094 Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
2024-12-07 01:02:35,173 Partition[DC=mydomain,DC=local] objects[679/4056] linked_values[120/132]
2024-12-07 01:02:35,188 dsdb_replicated_objects_convert: Ignoring object outside partition b09114c4-4a6a-40d3-84b9-4ee1af5ba2b1 CN=Configuration,DC=mydomain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2024-12-07 01:02:35,189 dsdb_replicated_objects_convert: Ignoring object outside partition e5ba8f1e-4d20-47a2-b4d6-d05ae6974ccc DC=DomainDnsZones,DC=mydomain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2024-12-07 01:02:35,189 dsdb_replicated_objects_convert: Ignoring object outside partition bbfb5a99-78a2-4395-aec8-7a88ca7919b4 DC=ForestDnsZones,DC=mydomain,DC=local: WERR_DS_ADD_REPLICA_INHIBITED
2024-12-07 01:02:35,497 Partition[DC=mydomain,DC=local] objects[895/4056] linked_values[174/132]
2024-12-07 01:02:36,051 Partition[DC=DomainDnsZones,DC=mydomain,DC=local] objects[291/102] linked_values[0/0]
2024-12-07 01:02:36,511 Partition[DC=ForestDnsZones,DC=mydomain,DC=local] objects[12/12] linked_values[0/0]
2024-12-07 01:02:36,542 Exop on[CN=RID Manager$,CN=System,DC=mydomain,DC=local] objects[3] linked_values[0]
2024-12-07 01:02:36,547 INFO 2024-12-07 01:02:36,546 pid:16001 /usr/lib/python3/dist-packages/samba/join.py #1060: Committing SAM database - this may take some time
2024-12-07 01:02:39,632 replmd_allow_missing_target: CN=NTDS Settings\0ADEL:99a47907-6853-4950-a0a0-7fbda1303ead,CN=UCS-MASTER\0ADEL:9af31df3-411c-413a-85fd-0a9d31ec4df1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local is Deleted but up to date. Ignoring link from CN=5182957a-a22c-4541-804f-8195b660cea9,CN=Partitions,CN=Configuration,DC=mydomain,DC=local
...
...
2024-12-07 01:02:39,682 replmd_allow_missing_target: CN=NTDS Settings\0ADEL:b2dd9feb-9341-4a60-b60a-34f4407c4678,CN=UCS-MASTER\0ADEL:295a61c5-302e-4721-8fdc-8e9f14da0532,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local is Deleted but up to date. Ignoring link from CN=9277011f-ec57-4674-9225-777ef095f30a,CN=Partitions,CN=Configuration,DC=mydomain,DC=local
2024-12-07 01:02:39,777 replmd_allow_missing_target: CN=DC02\0ADEL:12980fed-44b3-4b3f-bd2c-de5d44545839,CN=Deleted Objects,DC=mydomain,DC=local is Deleted but up to date. Ignoring link from CN=Zertifikatherausgeber,CN=Users,DC=mydomain,DC=local
2024-12-07 01:02:39,790 replmd_allow_missing_target: CN=DC02\0ADEL:12980fed-44b3-4b3f-bd2c-de5d44545839,CN=Deleted Objects,DC=mydomain,DC=local is Deleted but up to date. Ignoring link from CN=Prä-Windows 2000 kompatibler Zugriff,CN=Builtin,DC=mydomain,DC=local
2024-12-07 01:02:39,876 Repacking database from v1 to v2 format (first record CN=ms-DS-Value-Type-Reference-BL,CN=Schema,CN=Configuration,DC=mydomain,DC=local)
2024-12-07 01:02:39,913 Repack: re-packed 10000 records so far
2024-12-07 01:02:39,964 Repacking database from v1 to v2 format (first record CN=pKICertificateTemplate-Display,CN=407,CN=DisplaySpecifiers,CN=Configuration,DC=mydomain,DC=local)
2024-12-07 01:02:40,016 Repacking database from v1 to v2 format (first record DC=photos\0ADEL:94f71a9e-b852-4f94-a2eb-b4aa3e580b58,CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=local)
2024-12-07 01:02:40,030 Repacking database from v1 to v2 format (first record DC=@,DC=_msdcs.mydomain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=mydomain,DC=local)
2024-12-07 01:02:40,056 Repacking database from v1 to v2 format (first record CN=User,CN={F00B2D56-E636-4D08-8023-CCEFCA5683AC},CN=Policies,CN=System,DC=mydomain,DC=local)
2024-12-07 01:02:40,206 INFO 2024-12-07 01:02:40,206 pid:16001 /usr/lib/python3/dist-packages/samba/join.py #1080: Committed SAM database
2024-12-07 01:02:40,211 INFO 2024-12-07 01:02:40,211 pid:16001 /usr/lib/python3/dist-packages/samba/join.py #1157: Adding 1 remote DNS records for UCS-MASTER.mydomain.local
2024-12-07 01:02:40,405 INFO 2024-12-07 01:02:40,405 pid:16001 /usr/lib/python3/dist-packages/samba/join.py #1219: Adding DNS A record UCS-MASTER.mydomain.local for IPv4 IP: 192.168.0.245
2024-12-07 01:02:40,523 INFO 2024-12-07 01:02:40,523 pid:16001 /usr/lib/python3/dist-packages/samba/join.py #1247: Adding DNS CNAME record b2e9d6b0-e960-4e16-8d41-a6b01357e8fc._msdcs.mydomain.local for UCS-MASTER.mydomain.local
2024-12-07 01:02:40,529 Could not find machine account in secrets database: Failed to fetch machine account password for mydomain from both secrets.ldb (Could not find entry to match filter: '(&(flatname=mydomain)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:5157) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2024-12-07 01:02:40,617 ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
2024-12-07 01:02:40,618   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 230, in _run
2024-12-07 01:02:40,618     return self.run(*args, **kwargs)
2024-12-07 01:02:40,618   File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 753, in run
2024-12-07 01:02:40,618     backend_store_size=backend_store_size)
2024-12-07 01:02:40,618   File "/usr/lib/python3/dist-packages/samba/join.py", line 1598, in join_DC
2024-12-07 01:02:40,618     ctx.do_join()
2024-12-07 01:02:40,618   File "/usr/lib/python3/dist-packages/samba/join.py", line 1495, in do_join
2024-12-07 01:02:40,618     ctx.join_add_dns_records()
2024-12-07 01:02:40,618   File "/usr/lib/python3/dist-packages/samba/join.py", line 1258, in join_add_dns_records
2024-12-07 01:02:40,618     None)
2024-12-07 01:02:40,618 Adding CN=UCS-MASTER,OU=Domain Controllers,DC=mydomain,DC=local
2024-12-07 01:02:40,618 Adding CN=UCS-MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
2024-12-07 01:02:40,619 Adding CN=NTDS Settings,CN=UCS-MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
2024-12-07 01:02:40,619 Adding SPNs to CN=UCS-MASTER,OU=Domain Controllers,DC=mydomain,DC=local
2024-12-07 01:02:40,619 Setting account password for UCS-MASTER$
2024-12-07 01:02:40,619 Enabling account
2024-12-07 01:02:40,619 Calling bare provision
2024-12-07 01:02:40,619 Provision OK for domain DN DC=mydomain,DC=local
2024-12-07 01:02:40,619 Missing target object - retrying with DRS_GET_TGT
2024-12-07 01:02:40,619 Replicating critical objects from the base DN of the domain
2024-12-07 01:02:40,619 Missing target object - retrying with DRS_GET_TGT
2024-12-07 01:02:40,619 Done with always replicated NC (base, config, schema)
2024-12-07 01:02:40,619 Replicating DC=DomainDnsZones,DC=mydomain,DC=local
2024-12-07 01:02:40,620 Replicating DC=ForestDnsZones,DC=mydomain,DC=local
2024-12-07 01:02:40,620 Join failed - cleaning up
2024-12-07 01:02:40,620 Deleted CN=RID Set,CN=UCS-MASTER,OU=Domain Controllers,DC=mydomain,DC=local
2024-12-07 01:02:40,620 Deleted CN=UCS-MASTER,OU=Domain Controllers,DC=mydomain,DC=local
2024-12-07 01:02:40,620 Deleted CN=NTDS Settings,CN=UCS-MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
2024-12-07 01:02:40,620 Deleted CN=UCS-MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
2024-12-07 01:02:40,620 Deleted DC=UCS-MASTER,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local
2024-12-07 01:02:40,653 Calling: univention-config-registry unset hosts/static/192.168.0.250
2024-12-07 01:02:41,024 Unsetting hosts/static/192.168.0.250
2024-12-07 01:02:41,024 Multifile: /etc/hosts
2024-12-07 01:02:41,047 Calling: /etc/init.d/samba-ad-dc start
2024-12-07 01:02:42,364 Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
2024-12-07 01:02:42,365 Calling: /etc/init.d/univention-s4-connector start
2024-12-07 01:02:43,161 Starting univention-s4-connector (via systemctl): univention-s4-connector.service.
2024-12-07 01:02:43,161 Calling: univention-config-registry set nameserver1=192.168.0.250
2024-12-07 01:02:43,696 Setting nameserver1
2024-12-07 01:02:43,696 File: /etc/resolv.conf
2024-12-07 01:02:43,710 Calling: univention-config-registry unset nameserver1/local
2024-12-07 01:02:43,994 Unsetting nameserver1/local
2024-12-07 01:02:43,994 File: /etc/resolv.conf
2024-12-07 01:02:44,006 Calling: univention-config-registry set dns/backend=samba4
2024-12-07 01:02:44,816 Setting dns/backend
2024-12-07 01:02:44,817 File: /etc/systemd/system/bind9.service.d/10-configure-backend.conf
2024-12-07 01:02:44,831 Calling: /etc/init.d/bind9 restart
2024-12-07 01:02:45,960 Restarting bind9 (via systemctl): bind9.service.
2024-12-07 01:02:45,960 Calling: /etc/init.d/nscd restart
2024-12-07 01:02:46,009 Restarting nscd (via systemctl): nscd.service.
2024-12-07 01:02:46,010 Der Domänenbeitritt schlug fehl, die Logdatei /var/log/univention/ad-takeover.log enthält genauere Details.

I am slowly at the end of my IT Latin.

Since it has something to do with my DNS entries and also always fails at the part “Copy DC=ForestDnsZones” during ad-takeover, I have already tried to enter every single entry manually as far as possible in advance, but without any success…

Due to various gimmicks on the UCS server, this is already my 7th installation and I am using the KVM image.

Thank you for any help you can provide.
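
Added example, not part of the original post: a small triage script for a log like the one above. It counts the WERR_* statuses, lists the DNS zones the log happens to name under DomainDnsZones and ForestDnsZones, and flags any `_msdcs` zone the join tried to write to that was never named. The function names and the rule that an `_msdcs` record belongs to a zone called `_msdcs.<suffix>` are assumptions of this example; a zone missing from the log is a prompt to check the zone list on the DC, not proof that it is absent.

```python
import re
from collections import Counter

# Sample input: lines copied verbatim from the ad-takeover log in the post above.
SAMPLE_LOG = """\
2024-12-07 01:02:34,310 Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
2024-12-07 01:02:35,094 Failed to commit objects: WERR_DS_DRA_RECYCLED_TARGET
2024-12-07 01:02:40,030 Repacking database from v1 to v2 format (first record DC=@,DC=_msdcs.mydomain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=mydomain,DC=local)
2024-12-07 01:02:40,405 INFO 2024-12-07 01:02:40,405 pid:16001 /usr/lib/python3/dist-packages/samba/join.py #1219: Adding DNS A record UCS-MASTER.mydomain.local for IPv4 IP: 192.168.0.245
2024-12-07 01:02:40,523 INFO 2024-12-07 01:02:40,523 pid:16001 /usr/lib/python3/dist-packages/samba/join.py #1247: Adding DNS CNAME record b2e9d6b0-e960-4e16-8d41-a6b01357e8fc._msdcs.mydomain.local for UCS-MASTER.mydomain.local
2024-12-07 01:02:40,617 ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
2024-12-07 01:02:40,620 Deleted DC=UCS-MASTER,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local
"""

WERR_RE = re.compile(r"\bWERR_[A-Z_]+\b")
# DNS zone name = the DC= component directly above CN=MicrosoftDNS in a DN.
ZONE_RE = re.compile(r"DC=([^,\s]+),CN=MicrosoftDNS,DC=(DomainDnsZones|ForestDnsZones)")
ADD_RE = re.compile(r"Adding DNS (A|CNAME) record (\S+) for")
FATAL_RE = re.compile(r"uncaught exception - \((\d+), '(\w+)'\)")

def werr_counts(log):
    """Count each WERR_* status so repeated replication messages collapse."""
    return Counter(WERR_RE.findall(log))

def zones_seen(log):
    """Map partition name -> DNS zone names quoted anywhere in the log."""
    zones = {}
    for zone, partition in ZONE_RE.findall(log):
        zones.setdefault(partition, set()).add(zone.lower())
    return zones

def triage(log):
    """Return the fatal status and the _msdcs zones written to but never named."""
    fatal = FATAL_RE.search(log)
    seen = set().union(*zones_seen(log).values())
    missing = []
    for _rtype, name in ADD_RE.findall(log):
        name = name.lower()
        if "._msdcs." in name:
            # Assumption of this example: the record's zone is _msdcs.<suffix>.
            zone = name[name.index("._msdcs.") + 1:]
            if zone not in seen:
                missing.append(zone)
    return {"fatal": fatal.group(2) if fatal else None,
            "msdcs_zone_not_seen": missing, "zones_seen": zones_seen(log)}

if __name__ == "__main__":
    print(werr_counts(SAMPLE_LOG), triage(SAMPLE_LOG))
```

To run it against a full log, read `/var/log/univention/ad-takeover.log` into a string and pass that to `triage()` instead of `SAMPLE_LOG`.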
