Univention AD-Takeover Fails

maxTim · May 29, 2019, 9:48pm

Hello,

I am having trouble with the ad-takeover process. I will attach my logs below. I thought the issue had to do with two windows servers that had been decommissioned without being demoted on the Windows 2003 server. So I worked to remove them, change the FSMO settings so that all five roles point to the win03, build a Global Catalog, and finally remove all entries for the other two from the DNS module. At least I’m now getting to about 10 or 12 percent rather than 3 or 4 like before. Any help or insight would greatly be appreciated. Thank you.

2019-05-29 17:25:51,256 Found account Guest with well known RID 501 (Guest)
2019-05-29 17:25:51,258 Found account krbtgt with well known RID 502 (KRBTGT)
2019-05-29 17:25:51,258 Found account Administrator with well known RID 500 (Administrator)
2019-05-29 17:25:51,272 Found group Domain Computers with well known RID 515 (Domain Computers)
2019-05-29 17:25:51,272 Found group Domain Users with well known RID 513 (Domain Users)
2019-05-29 17:25:51,272 Found group Domain Guests with well known RID 514 (Domain Guests)
2019-05-29 17:25:51,272 Found group RAS and IAS Servers with well known RID 553 (RAS and IAS Servers)
2019-05-29 17:25:51,272 Found group Domain Admins with well known RID 512 (Domain Admins)
2019-05-29 17:25:51,273 Found group Schema Admins with well known RID 518 (Schema Admins)
2019-05-29 17:25:51,273 Found group Enterprise Admins with well known RID 519 (Enterprise Admins)
2019-05-29 17:25:51,273 Found group Group Policy Creator Owners with well known RID 520 (Group Policy Creator Owners)
2019-05-29 17:25:51,273 Found group Allowed RODC Password Replication Group with well known RID 571 (Allowed RODC Password Replication Group)
2019-05-29 17:25:51,273 Found group Denied RODC Password Replication Group with well known RID 572 (Denied RODC Password Replication Group)
2019-05-29 17:25:51,273 Found group Enterprise Read-only Domain Controllers with well known RID 498 (Enterprise Read-only Domain Controllers)
2019-05-29 17:25:51,273 Found group Cert Publishers with well known RID 517 (Cert Publishers)
2019-05-29 17:25:51,273 Found group Read-only Domain Controllers with well known RID 521 (Read-Only Domain Controllers)
2019-05-29 17:25:51,273 Found group Domain Controllers with well known RID 516 (Domain Controllers)
2019-05-29 17:25:51,341 determine_license for current UCS Users: 1 of unlimited
2019-05-29 17:25:51,341 0 Systemaccounts are ignored.
2019-05-29 17:25:51,341 Found 96 users objects on the remote server.
2019-05-29 17:25:55,569 INFO: Time difference is less than 180 seconds, skipping reset of local time
2019-05-29 17:25:55,610 Starting phase I of the takeover process.
2019-05-29 17:25:55,611 Calling: univention-config-registry set hosts/static/10.10.3.2=sav-dispatch.camel.local SAV-DISPATCH
2019-05-29 17:25:56,018 Create hosts/static/10.10.3.2
2019-05-29 17:25:56,019 Multifile: /etc/hosts
2019-05-29 17:25:56,020 Calling: /etc/init.d/univention-s4-connector stop
2019-05-29 17:25:56,099 Stopping univention-s4-connector (via systemctl): univention-s4-connector.service.
2019-05-29 17:25:56,099 Calling: /etc/init.d/samba-ad-dc stop
2019-05-29 17:25:56,275 Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
2019-05-29 17:25:56,276 Calling: univention-config-registry set nameserver1/local=127.0.0.1 nameserver1=10.10.3.2 directory/manager/web/modules/users/user/properties/username/syntax=string directory/manager/web/modules/groups/group/properties/name/syntax=string dns/backend=ldap
2019-05-29 17:25:56,827 Create nameserver1/local
2019-05-29 17:25:56,828 Setting nameserver1
2019-05-29 17:25:56,828 Setting directory/manager/web/modules/users/user/properties/username/syntax
2019-05-29 17:25:56,828 Setting directory/manager/web/modules/groups/group/properties/name/syntax
2019-05-29 17:25:56,828 Setting dns/backend
2019-05-29 17:25:56,829 File: /etc/systemd/system/bind9.service.d/10-configure-backend.conf
2019-05-29 17:25:56,829 File: /etc/init.d/bind9
2019-05-29 17:25:56,829 File: /etc/resolv.conf
2019-05-29 17:25:56,843 Calling: /etc/init.d/nscd stop
2019-05-29 17:25:56,937 Stopping nscd (via systemctl): nscd.service.
2019-05-29 17:25:56,937 Calling: /etc/init.d/bind9 restart
2019-05-29 17:25:58,068 Restarting bind9 (via systemctl): bind9.service.
2019-05-29 17:25:58,068 Starting Samba domain join.
2019-05-29 17:25:58,854 INFO 2019-05-29 17:25:58,854 pid:8646 /usr/lib/python2.7/dist-packages/samba/join.py #1519: workgroup is camel
2019-05-29 17:25:58,855 INFO 2019-05-29 17:25:58,854 pid:8646 /usr/lib/python2.7/dist-packages/samba/join.py #1522: realm is camel.local
2019-05-29 17:26:00,582 INFO 2019-05-29 17:26:00,582 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2346: Looking up IPv4 addresses
2019-05-29 17:26:00,582 INFO 2019-05-29 17:26:00,582 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2363: Looking up IPv6 addresses
2019-05-29 17:26:00,583 WARNING 2019-05-29 17:26:00,583 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2370: No IPv6 address will be assigned
2019-05-29 17:26:01,818 INFO 2019-05-29 17:26:01,818 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2536: Setting up share.ldb
2019-05-29 17:26:02,446 INFO 2019-05-29 17:26:02,445 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2540: Setting up secrets.ldb
2019-05-29 17:26:02,803 INFO 2019-05-29 17:26:02,803 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2546: Setting up the registry
2019-05-29 17:26:04,021 INFO 2019-05-29 17:26:04,020 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2549: Setting up the privileges database
2019-05-29 17:26:05,158 INFO 2019-05-29 17:26:05,158 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2552: Setting up idmap db
2019-05-29 17:26:05,651 INFO 2019-05-29 17:26:05,650 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2559: Setting up SAM db
2019-05-29 17:26:05,784 INFO 2019-05-29 17:26:05,784 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #887: Setting up sam.ldb partitions and settings
2019-05-29 17:26:05,785 INFO 2019-05-29 17:26:05,785 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #899: Setting up sam.ldb rootDSE
2019-05-29 17:26:05,993 INFO 2019-05-29 17:26:05,993 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #1302: Pre-loading the Samba 4 and AD schema
2019-05-29 17:26:05,994 Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
2019-05-29 17:26:06,185 INFO 2019-05-29 17:26:06,184 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2609: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
2019-05-29 17:26:06,185 INFO 2019-05-29 17:26:06,185 pid:8646 /usr/lib/python2.7/dist-packages/samba/provision/init.py #2610: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
2019-05-29 17:26:06,516 Schema-DN[CN=Schema,CN=Configuration,DC=camel,DC=local] objects[402/2097] linked_values[0/0]
2019-05-29 17:26:06,674 Schema-DN[CN=Schema,CN=Configuration,DC=camel,DC=local] objects[804/2097] linked_values[0/0]
2019-05-29 17:26:06,820 Schema-DN[CN=Schema,CN=Configuration,DC=camel,DC=local] objects[1206/2097] linked_values[0/0]
2019-05-29 17:26:06,988 Schema-DN[CN=Schema,CN=Configuration,DC=camel,DC=local] objects[1600/2097] linked_values[0/0]
2019-05-29 17:26:07,142 Schema-DN[CN=Schema,CN=Configuration,DC=camel,DC=local] objects[2002/2097] linked_values[0/0]
2019-05-29 17:26:07,280 Schema-DN[CN=Schema,CN=Configuration,DC=camel,DC=local] objects[2404/2097] linked_values[0/0]
2019-05-29 17:26:07,433 Schema-DN[CN=Schema,CN=Configuration,DC=camel,DC=local] objects[2806/2097] linked_values[0/0]
2019-05-29 17:26:07,581 Schema-DN[CN=Schema,CN=Configuration,DC=camel,DC=local] objects[3208/2097] linked_values[0/0]
2019-05-29 17:26:07,747 Schema-DN[CN=Schema,CN=Configuration,DC=camel,DC=local] objects[3610/2097] linked_values[0/0]
2019-05-29 17:26:07,919 Schema-DN[CN=Schema,CN=Configuration,DC=camel,DC=local] objects[3962/2097] linked_values[0/0]
2019-05-29 17:26:07,919 Analyze and apply schema objects
2019-05-29 17:26:12,827 Partition[CN=Configuration,DC=camel,DC=local] objects[402/6735] linked_values[0/486]
2019-05-29 17:26:13,629 Partition[CN=Configuration,DC=camel,DC=local] objects[804/6735] linked_values[0/486]
2019-05-29 17:26:14,277 Partition[CN=Configuration,DC=camel,DC=local] objects[1206/6735] linked_values[0/486]
2019-05-29 17:26:14,814 Partition[CN=Configuration,DC=camel,DC=local] objects[1608/6735] linked_values[0/486]
2019-05-29 17:26:15,213 Partition[CN=Configuration,DC=camel,DC=local] objects[1820/6735] linked_values[0/486]
2019-05-29 17:26:15,528 Partition[CN=Configuration,DC=camel,DC=local] objects[1916/6735] linked_values[0/486]
2019-05-29 17:26:15,776 Partition[CN=Configuration,DC=camel,DC=local] objects[2013/6735] linked_values[0/486]
2019-05-29 17:26:16,047 Partition[CN=Configuration,DC=camel,DC=local] objects[2113/6735] linked_values[4/486]
2019-05-29 17:26:16,314 Partition[CN=Configuration,DC=camel,DC=local] objects[2212/6735] linked_values[4/486]
2019-05-29 17:26:16,695 Partition[CN=Configuration,DC=camel,DC=local] objects[2310/6735] linked_values[4/486]
2019-05-29 17:26:17,077 Partition[CN=Configuration,DC=camel,DC=local] objects[2406/6735] linked_values[4/486]
2019-05-29 17:26:17,442 Partition[CN=Configuration,DC=camel,DC=local] objects[2503/6735] linked_values[4/486]
2019-05-29 17:26:17,845 Partition[CN=Configuration,DC=camel,DC=local] objects[2596/6735] linked_values[4/486]
2019-05-29 17:26:18,235 Partition[CN=Configuration,DC=camel,DC=local] objects[2688/6735] linked_values[4/486]
2019-05-29 17:26:18,467 Partition[CN=Configuration,DC=camel,DC=local] objects[2855/6735] linked_values[4/486]
2019-05-29 17:26:18,818 Partition[CN=Configuration,DC=camel,DC=local] objects[3008/6735] linked_values[187/486]
2019-05-29 17:26:19,133 Partition[CN=Configuration,DC=camel,DC=local] objects[3165/6735] linked_values[330/486]
2019-05-29 17:26:19,220 Failed to commit objects: DOS code 0x000021bf
2019-05-29 17:26:19,319 Could not find machine account in secrets database: Failed to fetch machine account password for camel from both secrets.ldb (Could not find entry to match filter: ‘(&(flatname=camel)(objectclass=primaryDomain))’ base: ‘cn=Primary Domains’: No such object: dsdb_search at …/…/source4/dsdb/common/util.c:4712) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
2019-05-29 17:26:19,446 ERROR(runtime): uncaught exception - (8639, “Failed to process ‘chunk’ of DRS replicated objects: DOS code 0x000021bf”)
2019-05-29 17:26:19,447 File “/usr/lib/python2.7/dist-packages/samba/netcmd/init.py”, line 185, in _run
2019-05-29 17:26:19,447 return self.run(*args, **kwargs)
2019-05-29 17:26:19,447 File “/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py”, line 699, in run
2019-05-29 17:26:19,448 backend_store=backend_store)
2019-05-29 17:26:19,448 File “/usr/lib/python2.7/dist-packages/samba/join.py”, line 1535, in join_DC
2019-05-29 17:26:19,449 ctx.do_join()
2019-05-29 17:26:19,449 File “/usr/lib/python2.7/dist-packages/samba/join.py”, line 1429, in do_join
2019-05-29 17:26:19,449 ctx.join_replicate()
2019-05-29 17:26:19,449 File “/usr/lib/python2.7/dist-packages/samba/join.py”, line 965, in join_replicate
2019-05-29 17:26:19,449 replica_flags=ctx.replica_flags)
2019-05-29 17:26:19,450 File “/usr/lib/python2.7/dist-packages/samba/drs_utils.py”, line 356, in replicate
2019-05-29 17:26:19,450 raise e
2019-05-29 17:26:19,512 Adding CN=UCS-DISPATCH,OU=Domain Controllers,DC=camel,DC=local
2019-05-29 17:26:19,512 Adding CN=UCS-DISPATCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=camel,DC=local
2019-05-29 17:26:19,512 Adding CN=NTDS Settings,CN=UCS-DISPATCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=camel,DC=local
2019-05-29 17:26:19,512 Adding SPNs to CN=UCS-DISPATCH,OU=Domain Controllers,DC=camel,DC=local
2019-05-29 17:26:19,512 Setting account password for UCS-DISPATCH$
2019-05-29 17:26:19,513 Enabling account
2019-05-29 17:26:19,513 Calling bare provision
2019-05-29 17:26:19,513 Provision OK for domain DN DC=camel,DC=local
2019-05-29 17:26:19,513 Starting replication
2019-05-29 17:26:19,513 Join failed - cleaning up
2019-05-29 17:26:19,513 Deleted CN=UCS-DISPATCH,OU=Domain Controllers,DC=camel,DC=local
2019-05-29 17:26:19,513 Deleted CN=NTDS Settings,CN=UCS-DISPATCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=camel,DC=local
2019-05-29 17:26:19,513 Deleted CN=UCS-DISPATCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=camel,DC=local
2019-05-29 17:26:19,563 Calling: univention-config-registry unset hosts/static/10.10.3.2
2019-05-29 17:26:19,974 Unsetting hosts/static/10.10.3.2
2019-05-29 17:26:19,975 Multifile: /etc/hosts
2019-05-29 17:26:19,982 Calling: /etc/init.d/samba-ad-dc start
2019-05-29 17:26:20,851 Starting samba-ad-dc (via systemctl): samba-ad-dc.service.
2019-05-29 17:26:20,851 Calling: /etc/init.d/univention-s4-connector start
2019-05-29 17:26:29,204 Starting univention-s4-connector (via systemctl): univention-s4-connector.service.
2019-05-29 17:26:29,205 Calling: univention-config-registry set nameserver1=127.0.0.1
2019-05-29 17:26:29,567 Setting nameserver1
2019-05-29 17:26:29,567 File: /etc/resolv.conf
2019-05-29 17:26:29,568 Calling: univention-config-registry unset nameserver1/local
2019-05-29 17:26:29,974 Unsetting nameserver1/local
2019-05-29 17:26:29,975 File: /etc/resolv.conf
2019-05-29 17:26:29,976 Calling: univention-config-registry set dns/backend=samba4
2019-05-29 17:26:30,674 Setting dns/backend
2019-05-29 17:26:30,674 File: /etc/systemd/system/bind9.service.d/10-configure-backend.conf
2019-05-29 17:26:30,674 File: /etc/init.d/bind9
2019-05-29 17:26:30,675 Calling: /etc/init.d/bind9 restart
2019-05-29 17:26:31,856 Restarting bind9 (via systemctl): bind9.service.
2019-05-29 17:26:31,856 Calling: /etc/init.d/nscd restart
2019-05-29 17:26:31,907 Restarting nscd (via systemctl): nscd.service.
2019-05-29 17:26:31,908 The domain join failed. See /var/log/univention/ad-takeover.log for details.