Bug 54469 - AD-Takeover fails with Failed to commit objects: DOS code 0x000021bf
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Takeover
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
https://help.univention.com/t/problem...
Depends on:
Blocks:
Reported: 2022-02-18 12:05 CET by Christina Scheinig
Modified: 2022-03-04 14:01 CET (History)
See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020112021000749, 2022021121000529
Bug group (optional):
Max CVSS v3 score:
Description Christina Scheinig univentionstaff 2022-02-18 12:05:31 CET
When an existing Exchange Server was part of the environment, the AD-Takeover is not possible.
A customer made some progress with the following steps, but it is unclear if this is a good and supported solution:

The takeover fails when creating the DNS records at the AD DC during the Samba join. The following errors can be found in the log:

"Failed to commit objects: DOS code 0x000021bf" and a little bit further "ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')".

Progress:
1.) Removing the Exchange and all objects created for it in AD (except for the schema extensions, since these can apparently no longer be removed).
→ Unfortunately this did not solve the problem.

2.) Investigating this command output:
------
samba-tool drs clone-dc-database "schein.ig" --server=<**NAME or IP of the AD DC**> -UAdministrator --targetdir /var/tmp/hq-AD --include-secrets
------
the error seems to occur when trying to synchronize a group and take over its members. However, the members have not been synchronized yet and therefore the error appears.

3.) The customer went through the whole thing several times and always removed the affected group members until finally there were actually only accounts with Well-Known SIDs in the groups.
Then the error no longer occurred and the DRS sync could apparently be performed successfully.

4.) Then there was an error again when creating the DNS entries of the new DC on the old DC, so the function to create the DNS entries was disabled.

5.) Finally the login with domain users on a joined Windows client worked, but the access to network shares (SYSVOL) did not, samba reported an error with the Kerberos keytab file.
→ So the last step was reprovisioning Samba, which hopefully also removes the Exchange schema entries.
Comment 1 Christina Scheinig univentionstaff 2022-03-04 13:38:44 CET
Some additions from the customer:

1 - Permissions of the Exchange objects on the domain.
After cleaning up the Exchange Server (according to https://www.alitajran.com/how-to-remove-exchange-from-active-directory/) from the Windows DC, I still noticed that there are permissions directly on the domain still pointing to (at this point meanwhile deleted) Exchange objects.
The existence of these permissions leads to another problem during the drs clone-dc-database process. During drs clone-dc-database a samba panic is triggered; here only groups are involved.
However, in my PoC system there was also a permission that pointed to an unknown object even before the Exchange objects were cleaned up, so I can't say for sure if it's actually the Exchange permissions that are the problem here, or permissions that point to objects that no longer exist in general.

The whole thing can be solved either by deleting the mentioned permissions on domain level, or interestingly also by removing all members of the affected group.

2 - The group memberships
Here the permissions are one problem.
And contrary to my initial assumption, not all group memberships are problematic, but only some (in the case of my PoC environment there were 242, out of ~850), it just seems that at least one was affected in each group.
-----
Still problems with the DNS entries, but no problems with SYSVOL and the MSSQL database authentication.
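A pre-flight check for the dangling permissions the customer describes, added here as an example and not part of the bug report or of Univention's takeover code: it parses the DACL of a security descriptor in SDDL form (as printed by `samba-tool dsacl get` for an object such as the domain head) and flags domain trustee SIDs that are neither well-known (RID below 1000, matching the accounts that survived the customer's group cleanup) nor in a caller-supplied set of SIDs that still exist. The SDDL string and the set of known SIDs are constructed sample data.

```python
from __future__ import annotations
import re
from typing import Iterable
# Two-letter SDDL trustee aliases that always resolve (common subset, not exhaustive).
WELL_KNOWN_ALIASES = {"BA", "BO", "DA", "DU", "DC", "DD", "EA", "SA", "AU",
                      "SY", "WD", "AN", "PS", "CO", "CG", "ED", "RC", "LS", "NS"}
ACE_RE = re.compile(r"\(([^)]*)\)")                 # one ACE: (type;flags;rights;obj;inh_obj;trustee)
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")  # the D: section with its ACE list

def parse_dacl(sddl: str) -> list[dict]:
    """Split the DACL part of an SDDL string into one dict per ACE."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        keys = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")
        aces.append(dict(zip(keys, parts)))
    return aces

def is_well_known(trustee: str) -> bool:
    """Aliases, non-domain SIDs (S-1-5-32-..., S-1-1-0, ...) and domain RIDs below
    1000 (Domain Admins, Domain Users, ...) are built in and always resolvable."""
    if trustee in WELL_KNOWN_ALIASES or not trustee.startswith("S-1-5-21-"):
        return True
    return int(trustee.rsplit("-", 1)[1]) < 1000

def dangling_trustees(sddl: str, known_sids: Iterable[str]) -> list[str]:
    """Domain SIDs granted rights in the DACL that no longer exist in the domain.
    known_sids holds the objectSid values still present (supplied by the caller)."""
    known = set(known_sids)
    found: list[str] = []
    for ace in parse_dacl(sddl):
        t = ace["trustee"]
        if not is_well_known(t) and t not in known and t not in found:
            found.append(t)
    return found

# Constructed sample: a domain-object DACL where RID 1107 belonged to a deleted
# Exchange security group and RID 1150 is a group that still exists.
SAMPLE_SDDL = ("O:DAG:DAD:AI"
               "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
               "(A;CI;RPWP;;;S-1-5-21-1111-2222-3333-1107)"
               "(A;CI;RPLCLORC;;;S-1-5-21-1111-2222-3333-513)"
               "(A;;RPWP;;;S-1-5-21-1111-2222-3333-1150)")
KNOWN_SIDS = {"S-1-5-21-1111-2222-3333-1150"}
```

Feeding it the real SDDL of the domain object and the objectSid values exported from the AD DC lists exactly the ACEs to clean up before running `samba-tool drs clone-dc-database`.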
Comment 2 Christina Scheinig univentionstaff 2022-03-04 14:01:52 CET
Version:
univention-app info
UCS: 4.4-8 errata1184
Installed: adtakeover=5.0 dhcp-server=12.0 samba4=4.10