Failure to take over AD

Hi All,

I’m new to the product and forum. I’m trying to take over AD, which is a fairly simple setup on a Windows 2003 server.
My UCS is configured as a VM running in VirtualBox on a Windows 7 host. Following the UCS manual I’ve created a master UCS DC and attempted the AD Takeover app. Import Statistics was the last successful step, then it failed and offered to check ad-takeover.log (attached). I can’t figure out how and what to fix to make it through. Noticing that the failure occurs on join, I tried to rebuild the image to set up the system to “Join AD” and it worked just fine. I realize that for takeover I have to start from a master UCS DC. I’d appreciate any guidelines.

Hi Alex,

the log file is missing. Could you please attach it via the Upload attachment dialog? Don’t forget to hit the Add the file button :slight_smile:

Best regards,
Michael Grandjean

Here is the snapshot of ad-takeover.log:

Hi Alex,

to me, it looks like the Takeover failed because the UCS system could not obtain a Kerberos ticket to join the AD domain, because it was not possible to find a logon server.

Please make sure that:

  • The domain names of the MS Windows AD and the UCS server are identical:
    • DNS domain name
    • Kerberos realm (ucr get kerberos/realm)
    • Netbios domain name (ucr get windows/domain)
    • LDAP-Base (ucr get ldap/base)
  • There is no firewall blocking DNS, Kerberos, LDAP or DRS traffic between both servers
  • Check that all relevant DNS SRV records are available:
    • dig -tAXFR tafcorp.local @

Please post the output of the dig command here.
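The SRV-record check from the list above, as an added example that is not code from the thread or from Univention: it parses the output of the dig AXFR command and reports which of the SRV records an AD join relies on are missing, and which SRV targets have no A record in the zone. The zone dump is constructed (192.0.2.10 is a placeholder address); the host names zbank and pdcbackup are the ones mentioned later in this thread.

```python
# Added example, not from the thread or Univention: parse "dig -t AXFR <domain> @<dc>"
# output and check the SRV records an AD join relies on (sample zone is constructed).
from collections import defaultdict

REQUIRED_SRV = (  # SRV owner names, relative to the domain, that clients query
    "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp", "_ldap._tcp",
    "_kerberos._tcp.dc._msdcs", "_ldap._tcp.dc._msdcs",
)

def parse_zone(text):
    """Return {owner: [(rrtype, rdata_fields)]} from dig AXFR output lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        # dig prints "owner ttl IN type rdata..."; skip banners and ";" comments.
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        records[fields[0].rstrip(".").lower()].append((fields[3], fields[4:]))
    return records

def check_ad_zone(text, domain):
    """Return (missing SRV owners, (owner, target) pairs whose target has no A)."""
    domain = domain.rstrip(".").lower()
    records = parse_zone(text)
    missing, unresolved = [], []
    for name in REQUIRED_SRV:
        owner = f"{name}.{domain}"
        srv = [rd for typ, rd in records.get(owner, []) if typ == "SRV"]
        if not srv:
            missing.append(owner)
            continue
        for rdata in srv:  # SRV rdata: priority weight port target
            target = rdata[3].rstrip(".").lower()
            if not any(typ == "A" for typ, _ in records.get(target, [])):
                unresolved.append((owner, target))
    return missing, unresolved

# Constructed zone dump: a stale SRV still points at pdcbackup (no A record left)
# and the _msdcs Kerberos record is absent.
SAMPLE_ZONE = """\
; <<>> DiG 9.9.5 <<>> -t AXFR tafcorp.local @192.0.2.10
tafcorp.local. 3600 IN SOA zbank.tafcorp.local. hostmaster.tafcorp.local. 42 900 600 86400 3600
zbank.tafcorp.local. 3600 IN A 192.0.2.10
_kerberos._tcp.tafcorp.local. 600 IN SRV 0 100 88 pdcbackup.tafcorp.local.
_kerberos._tcp.tafcorp.local. 600 IN SRV 0 100 88 zbank.tafcorp.local.
_kerberos._udp.tafcorp.local. 600 IN SRV 0 100 88 zbank.tafcorp.local.
_kpasswd._tcp.tafcorp.local. 600 IN SRV 0 100 464 zbank.tafcorp.local.
_ldap._tcp.tafcorp.local. 600 IN SRV 0 100 389 zbank.tafcorp.local.
_ldap._tcp.dc._msdcs.tafcorp.local. 600 IN SRV 0 100 389 zbank.tafcorp.local.
"""
```

Feed it the saved dig output with `check_ad_zone(open("zone.txt").read(), "tafcorp.local")`; a non-empty second list means a logon server is advertised that cannot be resolved from the zone itself.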

Hi Michael,

The problem with the dig transfer failure was, apparently, due to a zone transfer restriction on the Windows DNS server. After I lifted the restriction for UCS it produced the output below.
However, UCS is still failing in the same fashion on the takeover attempt. Please, advise.

Hi Alex,

EDIT: ah, that was some in-flight collision - I was typing my answer while you were posting yours. The zone transfer looks fine, imho.

thanks. I'm sorry, I forgot that a zone transfer must be enabled in the DNS Zone settings in your Windows Server, first. I think there is a tab called "Zone Transfer" where you can allow it (at least for testing).

But another thought: There was another case recently with the exact same error message. The problem there was that the Netbios domain name slightly differed from the one in UCS. UCS usually just derives the Netbios name from the most left part of the DNS domain name. Let's say your DNS / AD domain name is, then UCS will use foo as Netbios name. But maybe your Netbios name of your AD is actually foo0 and then things go down from there.

I don't want to annoy you, but could you please double-check that the Netbios domain names are correct?

Check on UCS:

ucr get windows/domain
udm settings/sambadomain list

Check on Windows:

And just for the sake of completeness: Which version of UCS are you running?

univention-app info

Hi Michael,

Thank you for sticking with me through this ordeal :slight_smile:
Windows domain name: tafcorp.local
Netbios: TAFCORP


So names seem to match, but the take over still fails. What can I do to fix it?

Hi Alex, I'm running out of ideas, sorry. :confused:
There is a reason why the Kerberos authentication fails (NT_STATUS_NO_LOGON_SERVERS), but I don't know why no logon servers can be found.

Are pdcbackup and zbank still running?
Does Kerberos authentication work on your Windows systems?

Hi Michael,

pdcbackup is down, zbank is running. Kerberos works on Windows and I can kinit and klist from another CentOS machine, but not from UCS, and it seems that UCS attempts to request tickets from the local (UCS-based) KDC, which fails.

Yes, by default UCS asks its own DNS server for Kerberos servers and the local DNS server returns the UCS server itself as Kerberos server. But one of the very first steps of the takeover is to change the nameserver to the Windows AD DC. From the logfile:

2017-03-13 15:12:34,489 Calling: univention-config-registry set [...] nameserver1= [...]

Then some services are restarted/stopped and then Samba attempts to join the Windows AD domain. That fails because of the known problem. The Takeover process then detects the failure and rolls back the nameserver settings:

2017-03-13 15:13:16,591 Join failed - cleaning up
2017-03-13 15:13:32,162 Calling: univention-config-registry set nameserver1=

You could try this manually, though:

service univention-s4-connector stop
service samba-ad-dc stop
ucr set nameserver1=
service nscd stop
service bind9 restart
kinit Administrator

Can you obtain a kerberos ticket then?
Afterwards, you can simply revert the steps:

ucr set nameserver1=
service bind9 restart
service nscd start
service samba-ad-dc start
service univention-s4-connector start

It might be sheer bad luck, but maybe the AD Takeover always tried to use pdcbackup as Logon/Kerberos server. At least, the DNS records are still there and allow this.
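The switch-and-rollback sequence Michael reads out of the log, as an added example that is not code from the thread or from Univention: it parses ad-takeover.log lines in the quoted "timestamp Calling: ..." format, recovers which nameserver1 the takeover switched to, whether the join failed, and what value the cleanup restored. The log excerpt is constructed and the 192.0.2.x addresses are placeholders.

```python
# Added example, not from the thread or Univention: reconstruct the nameserver
# switch, join failure and rollback from ad-takeover.log lines of the form
# "YYYY-MM-DD HH:MM:SS,mmm message". Sample lines are constructed.
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (.*)$")
# Matches both "ucr set ..." and the full "univention-config-registry set ..." form,
# with other keys possibly set before nameserver1 (the log shows "set [...] nameserver1=").
NS_RE = re.compile(r"Calling: (?:univention-config-registry|ucr) set .*?nameserver1=(\S*)")

def parse_log(text):
    """Yield (timestamp, message) tuples; lines without a timestamp are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2)

def analyse_takeover(text):
    """Summarise what the takeover did with nameserver1 and whether the join failed."""
    ns_changes, failed_at = [], None
    for ts, msg in parse_log(text):
        m = NS_RE.search(msg)
        if m:
            ns_changes.append((ts, m.group(1)))
        elif msg.startswith("Join failed"):
            failed_at = ts
    summary = {
        "switched_to": ns_changes[0][1] if ns_changes else None,
        "join_failed": failed_at is not None,
        # The rollback is the first nameserver1 set logged after the failure.
        "rolled_back_to": next((v for ts, v in ns_changes if failed_at and ts > failed_at), None),
        "seconds_until_failure": None,
    }
    if ns_changes and failed_at:
        summary["seconds_until_failure"] = (failed_at - ns_changes[0][0]).total_seconds()
    return summary

# Constructed log excerpt following the format quoted in the thread.
SAMPLE_LOG = """\
2017-03-13 15:12:34,489 Calling: univention-config-registry set nameserver2= nameserver1=192.0.2.10
2017-03-13 15:12:35,002 Calling: service samba-ad-dc stop
2017-03-13 15:12:36,118 Calling: service bind9 restart
2017-03-13 15:13:16,591 Join failed - cleaning up
2017-03-13 15:13:32,162 Calling: univention-config-registry set nameserver1=192.0.2.50
"""
```

Run it as `analyse_takeover(open("/var/log/univention/ad-takeover.log").read())`; if `switched_to` is an address whose DC is down, that matches the pdcbackup hypothesis above.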

Yes, I can do it manually, with one caveat. I recall reading somewhere that a bind9 restart often is not enough and also requires a samba restart after it, so simply following the steps you outlined, kinit fails, but if I add a samba-ad-dc restart after the bind9 restart then it works and I can klist a proper ticket.
What shall I do next?

Is this a 2003 Server or a 2003R2 Server? My experience has shown you can't do anything with just 2003. R2 is the lowest compatible AD.

Windows 2003 R2 it is.

Michael, is the takeover app a script? May I edit it and execute it manually step by step?

Hi Alex,

well, kind of. It's in Python, but has some dependencies, so you probably won't be able to simply execute it on the commandline. However, you can have a look at it to understand what is going on in detail. The file is named and has a function named join_AD - that's the part where the error happens. The file is located at /usr/share/pyshared/univention/management/console/modules/adtakeover/