Problem: AD Takeover Fails With Error DSID-030A0AE6

Problem

The AD takeover fails. The log file /var/log/univention/ad-takeover.log contains:

2018-11-18 16:12:53,285 realm is domain.com
2018-11-18 16:12:53,682 Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2018-11-18 16:12:54,362 Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2018-11-18 16:12:54,402 ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR -  <000021A2: SvcErr: DSID-030A0AE6, problem 5012 (DIR_ERROR), data 8610
2018-11-18 16:12:54,402 > <>
2018-11-18 16:12:54,402   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run

Solution

During the takeover, a (re-)join of the UCS server is performed, but AD refuses the join of a DC when not all configured DCs are online.

Option 1

Make sure all configured MS AD domain controllers are online.

Option 2

Remove the AD entries of the missing or powered-off DCs before starting the takeover.
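
A pre-flight check for Option 1, which also shows which DCs Option 2 would apply to, as an added example that is not part of the original article: it lists the domain controllers published under the standard _ldap._tcp.dc._msdcs.<realm> SRV record and tests each one on LDAP port 389. It assumes that host and nc are installed and that DNS still lists every configured DC; the function names are illustrative.

```shell
#!/bin/sh
# Pre-flight check before an AD takeover: list the DCs that AD publishes in DNS
# and report any that do not answer on LDAP (389/tcp).
# Assumptions: `host` and `nc` are installed; DNS reflects the configured DCs.

# Read `host -t SRV` output on stdin, print the unique target host names.
parse_srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print tolower($NF) }' | sort -u
}

# Succeed if HOST accepts a TCP connection on the LDAP port within 3 seconds.
dc_reachable() {
    nc -z -w 3 "$1" 389 >/dev/null 2>&1
}

# Print OK/OFFLINE per DC of REALM; return 1 if any DC is offline or none found.
check_dcs() {
    realm=$1
    failed=0
    dcs=$(host -t SRV "_ldap._tcp.dc._msdcs.$realm" | parse_srv_targets)
    if [ -z "$dcs" ]; then
        echo "no DC SRV records found for $realm" >&2
        return 1
    fi
    for dc in $dcs; do
        if dc_reachable "$dc"; then
            echo "OK $dc"
        else
            echo "OFFLINE $dc"
            failed=1
        fi
    done
    return "$failed"
}

# Usage: sh check_dcs.sh domain.com
if [ $# -gt 0 ]; then
    check_dcs "$1"
fi
```

Any DC reported as OFFLINE has to be brought back online (Option 1) or have its entries removed from AD (Option 2) before the takeover is started.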
