Problem: Joining to Samba/AD fails in case `Default-First-Site-Name` was removed

Problem

Joining a replica or backup node into a UCS domain with Samba/AD fails when sites are used to structure the domain and the `Default-First-Site-Name` site has been removed:

```
Adding CN=REPLICANAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ucs,DC=domain
Join failed - cleaning up
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
Could not find machine account in secrets database: Failed to fetch machine account password from secrets.ldb: Could not open secrets.ldb and failed to open /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Deleted CN=REPLICANAME,OU=Domain Controllers,DC=ucs,DC=domain
ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <00002030: objectclass: Cannot add CN=REPLICANAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ucs,DC=domain, parent does not exist!> <>
```

Solution

The error message indicates that the Microsoft standard site `Default-First-Site-Name` has been removed by one of the domain admins and that no configuration steps have been taken to tell the joining system which site to join.

UCS offers the UCR variable `samba4/join/site`, which can be set on the joining system to point it to the desired Active Directory site. The site needs to be created in advance, using `samba-tool`, `/usr/share/univention-samba4/scripts/univention-samba4-site-tool.py`, or the Microsoft Windows GUI Sites and Services. When using sites to structure the Samba/AD domain, it is also advisable to create so-called subnet objects in Samba/AD and associate them with the desired sites; see `samba-tool sites --help`, for example.
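The steps above as a shell sketch, added here as an example and not taken from Univention's own tooling: it reads the missing site out of the join error and wraps the site creation and the UCR setting in functions. The function names are hypothetical, and the site name and subnet passed to them are values you choose for your domain.

```shell
#!/bin/bash
# Added example (not Univention code). Function names are hypothetical.

# Constructed sample: the final error line of the failed join shown above.
SAMPLE_LOG='ERROR(ldb): uncaught exception - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <00002030: objectclass: Cannot add CN=REPLICANAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ucs,DC=domain, parent does not exist!> <>'

# Read join output on stdin and print the site whose container was missing,
# taken from the "Cannot add ... parent does not exist" line. Prints nothing
# if the log does not contain that error.
missing_site_from_log() {
    sed -n 's/.*Cannot add CN=[^,]*,CN=Servers,CN=\([^,]*\),CN=Sites,CN=Configuration,.*parent does not exist.*/\1/p' \
        | head -n 1
}

# Run on an existing Samba/AD DC: create the site, then associate a
# subnet object with it. Usage: create_site SITE SUBNET (SUBNET in CIDR form)
create_site() {
    samba-tool sites create "$1" &&
        samba-tool sites subnet create "$2" "$1"
}

# Run on the joining system: point the join at the existing site,
# then start the join again. Usage: join_into_site SITE
join_into_site() {
    ucr set samba4/join/site="$1" &&
        univention-join
}

# Diagnose the sample log: shows which site the join tried to use.
printf '%s\n' "$SAMPLE_LOG" | missing_site_from_log
```

Sourcing the file only defines the functions and prints the site name found in the sample line; `create_site` and `join_into_site` change the domain only when called explicitly.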