Problem: AD-Takeover fails

Hi,

I have a problem with ad-takeover. I would like to migrate all the users from a Windows Active Directory domain to UCS, but the process fails no matter how I try to run it. I've tried to run the script as a member server or as a standalone domain controller; it failed every time. Below you can find the ad-takeover.log. I hope someone could help me solve the problem.

2021-05-12 11:15:26,029 INFO: Time difference is less than 180 seconds, skipping reset of local time
2021-05-12 11:15:27,677 Calling: univention-config-registry unset connector/s4/listener/disabled
2021-05-12 11:15:27,857 Unsetting connector/s4/listener/disabled
2021-05-12 11:15:27,858 Calling: univention-config-registry set connector/ad/autostart=no connector/s4/autostart=yes samba4/ignore/mixsetup=yes
2021-05-12 11:15:30,914 Setting connector/ad/autostart
2021-05-12 11:15:30,915 Setting connector/s4/autostart
2021-05-12 11:15:30,915 Create samba4/ignore/mixsetup
2021-05-12 11:15:30,915 Module: autostart
2021-05-12 11:15:30,915 Multifile: /etc/samba/smb.conf
2021-05-12 11:15:30,916 Calling: /etc/init.d/univention-ad-connector stop
2021-05-12 11:15:30,934 Calling: /etc/init.d/univention-directory-listener crestart
2021-05-12 11:15:37,067 Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
2021-05-12 11:15:37,067 Calling: /usr/lib/univention-install/96univention-samba4.inst
2021-05-12 11:15:37,089 2021-05-12 11:15:37.088789000+03:00 (in joinscript_init)
2021-05-12 11:15:40,009 Create samba4/role
2021-05-12 11:15:40,009 File: /etc/samba/base.conf
2021-05-12 11:15:40,009 Multifile: /etc/samba/smb.conf
2021-05-12 11:15:45,691 Restarting univention-directory-listener (via systemctl): univention-directory-listener.service.
2021-05-12 11:15:47,244 Multifile: /etc/samba/smb.conf
2021-05-12 11:15:48,926 Setting samba/quota/command
2021-05-12 11:15:48,927 Multifile: /etc/samba/smb.conf
2021-05-12 11:15:49,309 Stopping smbd (via systemctl): smbd.service.
2021-05-12 11:15:50,349 Stopping nmbd (via systemctl): nmbd.service.
2021-05-12 11:15:50,753 Stopping winbind (via systemctl): winbind.service.
2021-05-12 11:15:50,881 Synchronizing state of heimdal-kdc.service with SysV service script with /lib/systemd/systemd-sysv-install.
2021-05-12 11:15:50,882 Executing: /lib/systemd/systemd-sysv-install disable heimdal-kdc
2021-05-12 11:15:54,313 Create samba/autostart
2021-05-12 11:15:54,314 Create winbind/autostart
2021-05-12 11:15:54,314 Setting kerberos/autostart
2021-05-12 11:15:54,314 Module: autostart
2021-05-12 11:15:54,314 Multifile: /etc/samba/smb.conf
2021-05-12 11:15:56,904 Setting samba4/autostart
2021-05-12 11:15:56,904 Module: autostart
2021-05-12 11:15:56,905 Multifile: /etc/samba/smb.conf
2021-05-12 11:15:58,657 Create samba4/ldap/base
2021-05-12 11:15:58,658 Multifile: /etc/samba/smb.conf
2021-05-12 11:15:58,759 Object created: cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:15:59,359 Object created: cn=Authenticated Users,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:15:59,436 modifying entry "cn=Authenticated Users,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:15:59,601 Object modified: cn=Authenticated Users,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:00,145 Object created: cn=World Authority,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:00,222 modifying entry "cn=World Authority,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:00,772 Object created: cn=Everyone,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:00,857 modifying entry "cn=Everyone,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:01,386 Object created: cn=Null Authority,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:01,460 modifying entry "cn=Null Authority,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:01,997 Object created: cn=Nobody,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:02,077 modifying entry "cn=Nobody,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:02,622 Object created: cn=Enterprise Domain Controllers,cn=groups,dc=DOMAIN,dc=ro
2021-05-12 11:16:02,704 modifying entry "cn=Enterprise Domain Controllers,cn=groups,dc=DOMAIN,dc=ro"
2021-05-12 11:16:02,803 Object modified: cn=Enterprise Domain Controllers,cn=groups,dc=DOMAIN,dc=ro
2021-05-12 11:16:02,899 Object modified: cn=Enterprise Domain Controllers,cn=groups,dc=DOMAIN,dc=ro
2021-05-12 11:16:03,436 Object created: cn=Remote Interactive Logon,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:03,512 modifying entry "cn=Remote Interactive Logon,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:04,068 Object created: cn=SChannel Authetication,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:04,151 modifying entry "cn=SChannel Authentication,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:04,681 Object created: cn=Digest Authentication,cn=Builtin,dc=,dc=ro
2021-05-12 11:16:04,757 modifying entry "cn=Digest Authentication,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:05,317 Object created: cn=Terminal Server User,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:05,397 modifying entry "cn=Terminal Server User,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:05,925 Object created: cn=NTLM Authentication,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:05,998 modifying entry "cn=NTLM Authentication,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:06,538 Object created: cn=Other Organization,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:06,612 modifying entry "cn=Other Organization,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:07,172 Object created: cn=This Organization,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:07,245 modifying entry "cn=This Organization,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:07,769 Object created: cn=Anonymous Logon,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:07,843 modifying entry "cn=Anonymous Logon,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:08,392 Object created: cn=Network Service,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:08,468 modifying entry "cn=Network Service,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:09,013 Object created: cn=Creator Group,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:09,089 modifying entry "cn=Creator Group,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:09,655 Object created: cn=Creator Owner,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:09,743 modifying entry "cn=Creator Owner,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:10,303 Object created: cn=Local Service,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:10,380 modifying entry "cn=Local Service,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:10,919 Object created: cn=Owner Rights,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:10,997 modifying entry "cn=Owner Rights,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:11,553 Object created: cn=Interactive,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:11,632 modifying entry "cn=Interactive,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:12,162 Object created: cn=Restricted,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:12,235 modifying entry "cn=Restricted,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:12,774 Object created: cn=Network,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:12,852 modifying entry "cn=Network,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:13,398 Object created: cn=Service,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:13,473 modifying entry "cn=Service,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:14,022 Object created: cn=Dialup,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:14,098 modifying entry "cn=Dialup,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:14,653 Object created: cn=System,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:14,729 modifying entry "cn=System,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:15,261 Object created: cn=Batch,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:15,335 modifying entry "cn=Batch,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:15,864 Object created: cn=Proxy,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:15,948 modifying entry "cn=Proxy,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:16,517 Object created: cn=IUSR,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:16,596 modifying entry "cn=IUSR,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:17,144 Object created: cn=Self,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:17,222 modifying entry "cn=Self,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:17,765 Object created: cn=Console Logon,cn=Builtin,dc=DOMAIN,dc=ro
2021-05-12 11:16:17,841 modifying entry "cn=Console Logon,cn=Builtin,dc=DOMAIN,dc=ro"
2021-05-12 11:16:17,843 INFO: Detected adtakeover state start
2021-05-12 11:16:25,334 Setting slapd/port
2021-05-12 11:16:25,334 File: /etc/init.d/slapd
2021-05-12 11:16:25,334 Multifile: /etc/ldap/slapd.conf
2021-05-12 11:16:32,781 Setting slapd/port/ldaps
2021-05-12 11:16:32,782 File: /etc/init.d/slapd
2021-05-12 11:16:32,782 Multifile: /etc/ldap/slapd.conf
2021-05-12 11:16:32,912 Restarting slapd (via systemctl): slapd.serviceWarning: slapd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
2021-05-12 11:16:33,174 .
2021-05-12 11:16:34,176 INFO: Stopping univention-samba4 joinscript for AD-Takeover
2021-05-12 11:16:34,179 2021-05-12 11:16:34.178537669+03:00 (in joinscript_save_current_version)
2021-05-12 11:16:34,185 Calling: univention-run-join-scripts --run-scripts 97univention-s4-connector.inst
2021-05-12 11:16:34,832 univention-run-join-scripts: runs all join scripts existing on local computer.
2021-05-12 11:16:34,833 copyright (c) 2001-2020 Univention GmbH, Germany
2021-05-12 11:16:35,529 Running pre-joinscripts hook(s):   done
2021-05-12 11:19:34,506 Running 97univention-s4-connector.ifailed (exitcode: 1)
2021-05-12 11:19:35,178 Running post-joinscripts hook(s):  done
2021-05-12 11:19:35,182 Starting phase I of the takeover process.
2021-05-12 11:19:35,182 Calling: univention-config-registry set hosts/static/10.0.1.51=BDC.DOMAIN.intern BDC
2021-05-12 11:19:35,582 Setting hosts/static/10.0.1.51
2021-05-12 11:19:35,583 Multifile: /etc/hosts
2021-05-12 11:19:35,583 Calling: /etc/init.d/univention-s4-connector stop
2021-05-12 11:19:35,617 Stopping univention-s4-connector (via systemctl): univention-s4-connector.service.
2021-05-12 11:19:35,618 Calling: /etc/init.d/samba-ad-dc stop
2021-05-12 11:19:35,649 Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
2021-05-12 11:19:35,651 Calling: univention-config-registry set nameserver1/local=10.0.1.51 nameserver1=10.0.1.51 directory/manager/web/modules/users/user/properties/username/syntax=string directory/manager/web/modules/groups/group/properties/name/syntax=string dns/backend=ldap
2021-05-12 11:19:36,245 Create nameserver1/local
2021-05-12 11:19:36,246 Setting nameserver1
2021-05-12 11:19:36,246 Setting directory/manager/web/modules/users/user/properties/username/syntax
2021-05-12 11:19:36,256 Calling: /etc/init.d/nscd stop
2021-05-12 11:19:36,359 Stopping nscd (via systemctl): nscd.service.
2021-05-12 11:19:36,360 Calling: /etc/init.d/bind9 restart
2021-05-12 11:19:37,509 Restarting bind9 (via systemctl): bind9.service.
2021-05-12 11:19:37,509 Starting Samba domain join.
2021-05-12 11:19:38,285 INFO 2021-05-12 11:19:38,284 pid:21181 /usr/lib/python2.7/dist-packages/samba/join.py #1528: workgroup is DOMAINxyz
2021-05-12 11:19:38,286 INFO 2021-05-12 11:19:38,285 pid:21181 /usr/lib/python2.7/dist-packages/samba/join.py #1531: realm is DOMAIN.ro
2021-05-12 11:19:38,301 Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not find entry to match filter: '(&(flatname=DOMAINxyz)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:4733 and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2021-05-12 11:19:39,731 INFO 2021-05-12 11:19:39,730 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2368: Looking up IPv4 addresses
2021-05-12 11:19:39,732 INFO 2021-05-12 11:19:39,731 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2385: Looking up IPv6 addresses
2021-05-12 11:19:39,732 WARNING 2021-05-12 11:19:39,732 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2392: No IPv6 address will be assigned
2021-05-12 11:19:40,705 INFO 2021-05-12 11:19:40,705 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2558: Setting up share.ldb
2021-05-12 11:19:40,742 INFO 2021-05-12 11:19:40,741 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2562: Setting up secrets.ldb
2021-05-12 11:19:40,778 INFO 2021-05-12 11:19:40,777 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2568: Setting up the registry
2021-05-12 11:19:40,832 INFO 2021-05-12 11:19:40,831 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2571: Setting up the privileges database
2021-05-12 11:19:40,889 INFO 2021-05-12 11:19:40,889 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2574: Setting up idmap db
2021-05-12 11:19:40,926 INFO 2021-05-12 11:19:40,925 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2581: Setting up SAM db
2021-05-12 11:19:40,947 INFO 2021-05-12 11:19:40,947 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #887: Setting up sam.ldb partitions and settings
2021-05-12 11:19:40,949 INFO 2021-05-12 11:19:40,948 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #899: Setting up sam.ldb rootDSE
2021-05-12 11:19:40,960 INFO 2021-05-12 11:19:40,960 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #1307: Pre-loading the Samba 4 and AD schema
2021-05-12 11:19:40,962 Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
2021-05-12 11:19:40,992 INFO 2021-05-12 11:19:40,991 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2631: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
2021-05-12 11:19:40,993 INFO 2021-05-12 11:19:40,992 pid:21181 /usr/lib/python2.7/dist-packages/samba/provision/__init__.py #2632: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
2021-05-12 11:19:41,282 Could not find machine account in secrets database: Failed to fetch machine account password for DOMAINxyz from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAINxyz)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../../source4/dsdb/common/util.c:4733) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2021-05-12 11:19:41,294 ERROR(runtime): uncaught exception - (8593, 'WERR_DS_DIFFERENT_REPL_EPOCHS')
2021-05-12 11:19:41,294   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
2021-05-12 11:19:41,295     return self.run(*args, **kwargs)
2021-05-12 11:19:41,295   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 700, in run
2021-05-12 11:19:41,318     backend_store=backend_store)
2021-05-12 11:19:41,318   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1544, in join_DC
2021-05-12 11:19:41,339     ctx.do_join()
2021-05-12 11:19:41,340   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1438, in do_join
2021-05-12 11:19:41,340     ctx.join_replicate()
2021-05-12 11:19:41,340   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 971, in join_replicate
2021-05-12 11:19:41,341     replica_flags=ctx.replica_flags)
2021-05-12 11:19:41,341   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 338, in replicate
2021-05-12 11:19:41,342     (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
2021-05-12 11:19:41,348 Deleted CN=ucs,CN=Computers,DC=DOMAIN,DC=ro
2021-05-12 11:19:41,348 Deleted CN=UCS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=ro
2021-05-12 11:19:41,349 Adding CN=UCS,OU=Domain Controllers,DC=DOMAIN,DC=ro
2021-05-12 11:19:41,349 Adding CN=UCS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=ro
2021-05-12 11:19:41,349 Adding CN=NTDS Settings,CN=UCS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=ro
2021-05-12 11:19:41,349 Adding SPNs to CN=UCS,OU=Domain Controllers,DC=DOMAIN,DC=ro
2021-05-12 11:19:41,350 Setting account password for UCS$
2021-05-12 11:19:41,350 Enabling account
2021-05-12 11:19:41,350 Calling bare provision
2021-05-12 11:19:41,350 Provision OK for domain DN DC=DOMAIN,DC=ro
2021-05-12 11:19:41,350 Starting replication
2021-05-12 11:19:41,351 Join failed - cleaning up
2021-05-12 11:19:41,351 Deleted CN=UCS,OU=Domain Controllers,DC=DOMAIN,DC=ro
2021-05-12 11:19:41,351 Deleted CN=NTDS Settings,CN=UCS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=ro
2021-05-12 11:19:41,352 Deleted CN=UCS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=ro
2021-05-12 11:19:41,381 Calling: univention-config-registry unset hosts/static/10.0.1.51
2021-05-12 11:19:41,768 Unsetting hosts/static/10.0.1.51
2021-05-12 11:19:41,769 Multifile: /etc/hosts
2021-05-12 11:19:41,771 Calling: /etc/init.d/samba-ad-dc start
2021-05-12 11:19:42,544 Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
2021-05-12 11:19:42,545 Calling: /etc/init.d/univention-s4-connector start
2021-05-12 11:19:43,420 Starting univention-s4-connector (via systemctl): univention-s4-connector.service.
2021-05-12 11:19:43,420 Calling: univention-config-registry set nameserver1=10.0.1.51
2021-05-12 11:19:43,768 Setting nameserver1
2021-05-12 11:19:43,769 Calling: univention-config-registry unset nameserver1/local
2021-05-12 11:19:44,055 Unsetting nameserver1/local
2021-05-12 11:19:44,056 File: /etc/resolv.conf
2021-05-12 11:19:44,064 Calling: univention-config-registry set dns/backend=samba4
2021-05-12 11:19:44,556 Setting dns/backend
2021-05-12 11:19:44,557 File: /etc/systemd/system/bind9.service.d/10-configure-backend.conf
2021-05-12 11:19:44,557 File: /etc/init.d/bind9
2021-05-12 11:19:44,558 Calling: /etc/init.d/bind9 restart
2021-05-12 11:20:14,688 Restarting bind9 (via systemctl): bind9.serviceJob for bind9.service failed because the control process exited with error code.
2021-05-12 11:20:14,690 Calling: /etc/init.d/nscd restart
2021-05-12 11:20:14,741 Restarting nscd (via systemctl): nscd.service.
2021-05-12 11:20:14,742 The domain join failed. See /var/log/univention/ad-takeover.log for details.

Thank you in advance,
Raymond
