Andrew,

> in join-s1.txt we have an error that is only listed in the docs when
> removing a DC from the domain.
> extended_err             : WERR_DS_ROLE_NOT_VERIFIED
> This is currently blocking us.  Our only theory is that we must perform a
> replication cycle before we do this call.

Answer: This error means that "the FSMO role ownership could not be verified
because its directory partition has not replicated successfully with at least
one replication partner." When adding or modifying certain objects through
IDL_DRSAddEntry, certain FSMO roles will be checked and verified. If the
partition is never replicated, this check will fail and the error will be
returned. Some of the functions called by IDL_DRSAddEntry, such as
CreateCrossRef() or PerformModifyEntInf(), imply returning this error status by
referencing the constraints in MS-ADTS. Looking at the objects added, it is
CN=S2,CN=Partitions,CN=Configuration,DC=v2,DC=tridgell,DC=net. It requires the
Domain Naming Master FSMO role to write to the Partitions container or its
children. A trace may tell the condition more easily. But your solution makes
sense. Once the replication is done at least once, then the FSMO role can be
verified.

>Finally, is there any documentation of the high-level procedure for creating a 
>subdomain?

Answer: The following links may be helpful for you. Also, MS-ADSO 3.1.1.1 has
some description about the structures of parent and child domains. Please
let us know if you need more information.

  http://technet.microsoft.com/en-us/library/cc787706(WS.10).aspx
  http://technet.microsoft.com/en-us/library/bb726976.aspx

  I am looking at the second error.

Thanks!

Hongwei






-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]] 
Sent: Wednesday, August 31, 2011 4:55 PM
To: Hongwei Sun
Cc: [email protected]; [email protected]
Subject: RE: Errors when doing a DsAddEntry

On Wed, 2011-08-31 at 15:22 +0000, Hongwei Sun wrote:
> Andrew,
> 
> Can you give the information about your configuration? Are you joining a
> Samba DC to a Windows DC?

We were attempting to create a subdomain using Samba4 as the new domain. 

> If so, what is the version of the Windows DC? Are you referring to the
> section "4.1.1.3 Server Behavior of the IDL_DRSAddEntry Method" of MS-DRSR
> for the "impossible" error case?

The only occurrences of these error constants in the docs were for calls other 
than AddEntry. 

> Is it possible for you to capture a TTT trace for the Windows server when
> the error is returned so I can analyze the behavior? If so, I can create an
> FTP workspace for you to upload the trace captured?

Tridge may be able to help with that (it was on his systems).  We are also 
continuing to work on the issues, harmonising our behaviour with the example 
Windows packet trace I took. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

