SBS 2011 AD takeover rarely works, why?

Hi,

once again there are problems here with the takeover of a Small Business Server 2011.
Here are a few excerpts from the logs:

2018-12-10 13:27:18,205 Partition[DC=domain,DC=tld] objects[1313/6830] linked_values[1/433]
2018-12-10 13:27:18,919 Partition[DC=domain,DC=tld] objects[1423/6830] linked_values[0/433]
2018-12-10 13:27:19,503 Partition[DC=DomainDnsZones,DC=domain,DC=tld] objects[42/43] linked_values[0/0]
2018-12-10 13:27:20,017 Partition[DC=ForestDnsZones,DC=domain,DC=tld] objects[5/5] linked_values[0/0]
2018-12-10 13:27:20,382 Exop on[CN=RID Manager$,CN=System,DC=domain,DC=tld] objects[3] linked_values[0]
2018-12-10 13:27:51,956 Adding 1 remote DNS records for UCS.domain.de
2018-12-10 13:27:52,081 Adding DNS A record UCS.domain.de for IPv4 IP: 192.168.0.1
2018-12-10 13:27:52,178 Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN-DE from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN-DE)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2018-12-10 13:27:52,341 ERROR(runtime): uncaught exception - (9714, 'WERR_DNS_ERROR_NAME_DOES_NOT_EXIST')
2018-12-10 13:27:52,341   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
2018-12-10 13:27:52,341     return self.run(*args, **kwargs)
2018-12-10 13:27:52,341   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 668, in run
2018-12-10 13:27:52,343     keep_existing=keep_existing)
2018-12-10 13:27:52,343   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1481, in join_DC
2018-12-10 13:27:52,344     ctx.do_join()
2018-12-10 13:27:52,345   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1391, in do_join
2018-12-10 13:27:52,345     ctx.join_add_dns_records()
2018-12-10 13:27:52,345   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1123, in join_add_dns_records
2018-12-10 13:27:52,345     dns_partition=domaindns_zone_dn)
2018-12-10 13:27:52,345   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 1006, in dns_lookup
2018-12-10 13:27:52,346     dns_partition=dns_partition)
2018-12-10 13:27:52,436 Adding CN=UCS,OU=Domain Controllers,DC=domain,DC=tld
2018-12-10 13:27:52,436 Adding CN=UCS,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=domain,DC=tld
2018-12-10 13:27:52,437 Adding CN=NTDS Settings,CN=UCS,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=domain,DC=tld
2018-12-10 13:27:52,437 Adding SPNs to CN=UCS,OU=Domain Controllers,DC=domain,DC=tld
2018-12-10 13:27:52,437 Setting account password for UCS$
2018-12-10 13:27:52,437 Enabling account
2018-12-10 13:27:52,437 Calling bare provision
2018-12-10 13:27:52,437 Provision OK for domain DN DC=domain,DC=tld
2018-12-10 13:27:52,437 Starting replication
2018-12-10 13:27:52,437 Replicating critical objects from the base DN of the domain
2018-12-10 13:27:52,437 Done with always replicated NC (base, config, schema)
2018-12-10 13:27:52,438 Replicating DC=DomainDnsZones,DC=domain,DC=tld
2018-12-10 13:27:52,438 Replicating DC=ForestDnsZones,DC=domain,DC=tld
2018-12-10 13:27:52,438 Committing SAM database
2018-12-10 13:27:52,438 Join failed - cleaning up
2018-12-10 13:27:52,438 removing samaccount: CN=UCS,OU=Domain Controllers,DC=domain,DC=tld

Unfortunately, this is not the first time.
Where could it be getting stuck?

Kind regards
c

It is absolutely frustrating.
UCS should really be the tool of first choice,
but since just about every takeover fails at first, you lose days upon days.

And this is roughly the 50th attempt with different setups,
some with a fresh UCS, some with a running member server; nothing works.

2018-12-10 17:01:48,216 Partition[DC=domain,DC=tld] objects[1460/7497] linked_values[0/433]
2018-12-10 17:01:48,417 Partition[DC=DomainDnsZones,DC=domain,DC=tld] objects[42/44] linked_values[0/0]
2018-12-10 17:01:49,012 Partition[DC=ForestDnsZones,DC=domain,DC=tld] objects[5/5] linked_values[0/0]
2018-12-10 17:01:49,414 Exop on[CN=RID Manager$,CN=System,DC=domain,DC=tld] objects[3] linked_values[0]
2018-12-10 17:02:20,071 Adding 1 remote DNS records for UCS.domain.de
2018-12-10 17:02:20,608 Adding DNS A record UCS.domain.de for IPv4 IP: 192.168.0.1
2018-12-10 17:02:20,756 Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN-DE from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN-DE)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2018-12-10 17:02:21,205 ERROR(runtime): uncaught exception - (9714, 'WERR_DNS_ERROR_NAME_DOES_NOT_EXIST')
2018-12-10 17:02:21,205   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
2018-12-10 17:02:21,206     return self.run(*args, **kwargs)
2018-12-10 17:02:21,206   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 668, in run
2018-12-10 17:02:21,248     keep_existing=keep_existing)
2018-12-10 17:02:21,249   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1481, in join_DC
2018-12-10 17:02:21,297     ctx.do_join()
2018-12-10 17:02:21,299   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1391, in do_join
2018-12-10 17:02:21,299     ctx.join_add_dns_records()
2018-12-10 17:02:21,299   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1123, in join_add_dns_records
2018-12-10 17:02:21,299     dns_partition=domaindns_zone_dn)
2018-12-10 17:02:21,300   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 1006, in dns_lookup
2018-12-10 17:02:21,300     dns_partition=dns_partition)
2018-12-10 17:02:21,387 removing samaccount: CN=ucs,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=domain,DC=tld
2018-12-10 17:02:21,388 Deleted CN=ucs,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=domain,DC=tld
2018-12-10 17:02:21,388 Adding CN=UCS,OU=Domain Controllers,DC=domain,DC=tld
2018-12-10 17:02:21,388 Adding CN=UCS,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=domain,DC=tld
2018-12-10 17:02:21,388 Adding CN=NTDS Settings,CN=UCS,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=domain,DC=tld
2018-12-10 17:02:21,389 Adding SPNs to CN=UCS,OU=Domain Controllers,DC=domain,DC=tld
2018-12-10 17:02:21,389 Setting account password for UCS$
2018-12-10 17:02:21,389 Enabling account
2018-12-10 17:02:21,389 Calling bare provision
2018-12-10 17:02:21,389 Provision OK for domain DN DC=domain,DC=tld
2018-12-10 17:02:21,390 Starting replication
2018-12-10 17:02:21,390 Replicating critical objects from the base DN of the domain
2018-12-10 17:02:21,390 Done with always replicated NC (base, config, schema)
2018-12-10 17:02:21,390 Replicating DC=DomainDnsZones,DC=domain,DC=tld
2018-12-10 17:02:21,390 Replicating DC=ForestDnsZones,DC=domain,DC=tld
2018-12-10 17:02:21,391 Committing SAM database
2018-12-10 17:02:21,391 Join failed - cleaning up
2018-12-10 17:02:21,391 removing samaccount: CN=UCS,OU=Domain Controllers,DC=domain,DC=tld
2018-12-10 17:02:21,391 Deleted CN=RID Set,CN=UCS,OU=Domain Controllers,DC=domain,DC=tld
2018-12-10 17:02:21,391 Deleted CN=UCS,OU=Domain Controllers,DC=domain,DC=tld
2018-12-10 17:02:21,392 Deleted CN=NTDS Settings,CN=UCS,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=domain,DC=tld
2018-12-10 17:02:21,392 Deleted CN=UCS,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=domain,DC=tld
2018-12-10 17:02:21,484 Calling: univention-config-registry unset hosts/static/192.168.0.254
2018-12-10 17:02:21,940 Unsetting hosts/static/192.168.0.254
2018-12-10 17:02:21,966 Calling: /etc/init.d/samba-ad-dc start
2018-12-10 17:02:22,978 Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
2018-12-10 17:02:22,979 Calling: /etc/init.d/univention-s4-connector start
2018-12-10 17:02:33,653 Starting univention-s4-connector (via systemctl): univention-s4-connector.service.
2018-12-10 17:02:33,654 Calling: univention-config-registry set nameserver1=192.168.0.254
2018-12-10 17:02:34,264 Setting nameserver1
2018-12-10 17:02:34,264 File: /etc/resolv.conf
2018-12-10 17:02:34,266 Calling: univention-config-registry unset nameserver1/local
2018-12-10 17:02:34,670 Unsetting nameserver1/local
2018-12-10 17:02:34,671 File: /etc/resolv.conf
2018-12-10 17:02:34,672 Calling: univention-config-registry set dns/backend=samba4
2018-12-10 17:02:35,185 Setting dns/backend
2018-12-10 17:02:35,185 File: /etc/systemd/system/bind9.service.d/10-configure-backend.conf
2018-12-10 17:02:35,187 Calling: /etc/init.d/bind9 restart
	
2018-12-10 17:03:05,420 Restarting bind9 (via systemctl): bind9.serviceJob for bind9.service failed because the control process exited with error code.
2018-12-10 17:03:05,420 See "systemctl status bind9.service" and "journalctl -xe" for details.
2018-12-10 17:03:05,422  failed!
2018-12-10 17:03:05,423 Calling: /etc/init.d/nscd restart
2018-12-10 17:03:05,515 Restarting nscd (via systemctl): nscd.service.
2018-12-10 17:03:05,516 Der Domänenbeitritt schlug fehl, die Logdatei /var/log/univention/ad-takeover.log enthält genauere Details.
● bind9.service - BIND Domain Name Server with samba4 backend
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/bind9.service.d
           └─10-configure-backend.conf
   Active: activating (start-post) (Result: exit-code) since Mon 2018-12-10 17:06:07 CET; 5s ago
     Docs: man:named(8)
  Process: 16303 ExecStop=/usr/lib/univention-bind/samba4 stop (code=exited, status=0/SUCCESS)
  Process: 17570 ExecStart=/usr/lib/univention-bind/samba4 start (code=exited, status=1/FAILURE)
  Process: 17567 ExecStartPre=/bin/systemctl stop univention-bind-ldap.service (code=exited, status=0/SUCCESS)
 Main PID: 17570 (code=exited, status=1/FAILURE); Control PID: 17571 (samba4)
    Tasks: 4 (limit: 4915)
   Memory: 1.1M
      CPU: 371ms
   CGroup: /system.slice/bind9.service
           └─control
             ├─17571 /bin/sh /usr/lib/univention-bind/samba4 wait-for-startup
             ├─17573 /usr/bin/timeout 30 /bin/sh -c until rndc -p 953 status | grep --quiet 'server is up and running'; do sleep 1; done
             ├─17575 /bin/sh -c until rndc -p 953 status | grep --quiet 'server is up and running'; do sleep 1; done
             └─17624 sleep 1

Dez 10 17:06:07 ucs named[17570]: SDLZ driver failed to load.
Dez 10 17:06:07 ucs named[17570]: DLZ driver failed to load.
Dez 10 17:06:07 ucs named[17570]: loading configuration: failure
Dez 10 17:06:07 ucs named[17570]: exiting (due to fatal error)
Dez 10 17:06:07 ucs systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Dez 10 17:06:08 ucs samba4[17571]: rndc: connect failed: 127.0.0.1#953: connection refused
Dez 10 17:06:09 ucs samba4[17571]: rndc: connect failed: 127.0.0.1#953: connection refused
Dez 10 17:06:10 ucs samba4[17571]: rndc: connect failed: 127.0.0.1#953: connection refused
Dez 10 17:06:11 ucs samba4[17571]: rndc: connect failed: 127.0.0.1#953: connection refused
Dez 10 17:06:12 ucs samba4[17571]: rndc: connect failed: 127.0.0.1#953: connection refused
Dez 10 17:07:07 ucs named[17925]: loading configuration from '/etc/bind/named.conf.samba4'
Dez 10 17:07:07 ucs named[17925]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Dez 10 17:07:07 ucs named[17925]: GeoIP Country (IPv4) (type 1) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP Country (IPv6) (type 12) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP City (IPv4) (type 2) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP City (IPv4) (type 6) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP City (IPv6) (type 30) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP City (IPv6) (type 31) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP Region (type 3) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP Region (type 7) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP ISP (type 4) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP Org (type 5) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP AS (type 9) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP Domain (type 11) DB not available
Dez 10 17:07:07 ucs named[17925]: GeoIP NetSpeed (type 10) DB not available
Dez 10 17:07:07 ucs named[17925]: using default UDP/IPv4 port range: [32768, 60999]
Dez 10 17:07:07 ucs named[17925]: using default UDP/IPv6 port range: [32768, 60999]
Dez 10 17:07:07 ucs named[17925]: listening on IPv6 interfaces, port 53
Dez 10 17:07:07 ucs named[17925]: listening on IPv4 interface lo, 127.0.0.1#53
Dez 10 17:07:07 ucs named[17925]: listening on IPv4 interface eth0, 192.168.0.1#53
Dez 10 17:07:07 ucs named[17925]: listening on IPv4 interface docker0, 172.17.42.1#53
Dez 10 17:07:07 ucs named[17925]: generating session key for dynamic DNS
Dez 10 17:07:07 ucs named[17925]: sizing zone task pool based on 1 zones
Dez 10 17:07:07 ucs named[17925]: Loading 'samba4.zone' using driver dlopen
Dez 10 17:07:07 ucs named[17925]: samba_dlz: Unable to get basedn for /var/lib/samba/private/sam.ldb - NULL Base DN invalid for a base search
Dez 10 17:07:07 ucs named[17925]: dlz_dlopen of 'samba4.zone' failed
Dez 10 17:07:07 ucs named[17925]: SDLZ driver failed to load.
Dez 10 17:07:07 ucs named[17925]: DLZ driver failed to load.
Dez 10 17:07:07 ucs named[17925]: loading configuration: failure
Dez 10 17:07:07 ucs named[17925]: exiting (due to fatal error)
Dez 10 17:07:07 ucs systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Dez 10 17:07:08 ucs samba4[17926]: rndc: connect failed: 127.0.0.1#953: connection refused
Dez 10 17:07:09 ucs samba4[17926]: rndc: connect failed: 127.0.0.1#953: connection refused
Dez 10 17:07:10 ucs samba4[17926]: rndc: connect failed: 127.0.0.1#953: connection refused
Dez 10 17:07:11 ucs samba4[17926]: rndc: connect failed: 127.0.0.1#953: connection refused
Dez 10 17:07:12 ucs samba4[17926]: rndc: connect failed: 127.0.0.1#953: connection refused
Dez 10 17:07:13 ucs samba4[17926]: rndc: connect failed: 127.0.0.1#953: connection refused

The bind error here is only a consequential error and irrelevant. Further up in the log it already says that the join failed and that an attempt is being made to roll back the changes. That bind then refuses to start is not surprising and should not be given any further attention.
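
The reading order described in the reply above, as an added example that is not part of the original thread: a small Python triage pass over ad-takeover.log that reports the earliest failure marker and the innermost traceback frame, and lists everything that failed afterwards as follow-ons. The marker patterns and the function name `triage` are assumptions made for this sketch, and the sample is constructed by abridging lines from the excerpts above.

```python
import re

# Constructed sample: lines abridged from the ad-takeover.log excerpts in this thread.
SAMPLE = """\
2018-12-10 17:02:20,608 Adding DNS A record UCS.domain.de for IPv4 IP: 192.168.0.1
2018-12-10 17:02:21,205 ERROR(runtime): uncaught exception - (9714, 'WERR_DNS_ERROR_NAME_DOES_NOT_EXIST')
2018-12-10 17:02:21,300   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 1006, in dns_lookup
2018-12-10 17:02:21,300     dns_partition=dns_partition)
2018-12-10 17:02:21,391 Join failed - cleaning up
2018-12-10 17:03:05,420 Restarting bind9 (via systemctl): bind9.serviceJob for bind9.service failed because the control process exited with error code.
2018-12-10 17:03:05,422  failed!
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (.*)$")
# Assumed failure markers, taken from the wording seen in the excerpts.
FAILURE = re.compile(r"ERROR\(|Join failed|failed because|failed!")
FRAME = re.compile(r'^\s+File "([^"]+)", line (\d+), in (\w+)')


def triage(text):
    """Return (first_failure, innermost_frame, followups) for a takeover log."""
    first, frame, followups, in_tb = None, None, [], False
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # systemctl/journalctl output carries no such timestamp
        ts, msg = m.groups()
        if in_tb and msg[:1].isspace():
            # Indented lines directly after the exception belong to its traceback;
            # the last frame seen is the innermost call.
            f = FRAME.match(msg)
            if f:
                frame = (f.group(1), int(f.group(2)), f.group(3))
            continue
        in_tb = False
        if not FAILURE.search(msg):
            continue
        if first is None:
            first = (ts, msg.strip())
            in_tb = "uncaught exception" in msg
        else:
            followups.append((ts, msg.strip()))
    return first, frame, followups


if __name__ == "__main__":
    first, frame, followups = triage(SAMPLE)
    print("first failure:", first)
    print("innermost frame:", frame)
    for ts, msg in followups:
        print("follow-on:", ts, msg)
```

The earliest marker is only where reading should start; whether it is itself a consequence of something earlier needs the complete log.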

Then I won't dwell on that.
I'm not getting anywhere.

It seems to be failing in DNS.

Hi Christian,

in the first log snippet it seems the visible error is already a consequential error. If you could attach the whole join.log and perhaps ad-takeover.log, we may be able to track down the problem.

Kind regards


A kind reminder: https://help.univention.com/guidelines