Having trouble with a takeover and domain join to sbs2003

Hi there,

I have finally gotten around to prepping a sandbox to do a dry run of an AD takeover of a Server 2003 Small Biz edition and I have hit a wall before I even begin. I cannot get the ucs host to join the domain, and the error I get doesn’t make a whole lot of sense to me, so here is my log and some comments.

Win2003 host: DENALI
ip: 192.168.10.1 (not my choice)
domain: allforkids.local
UCS host: ucs
ip: 192.168.10.10

Expected steps: Install UCS, choose member of AD, select top option (backup AD), join to AD, test and make sure I can login to the domain, proceed with the installation and execution of AD takeover.

What I get is a failure to join. What I don’t quite get is where it is failing. When I run through the wizard at initial install, and choose the domain, it kicks me back asking to set the ip info because the DHCP server is NOT giving the DC as the DNS server, so I set a static IP (which I need to do anyway and don’t know if I can change it later) and DNS and then it finds the domain controller just fine on the second pass. So now it lets me put in the Domain Admin user/pass and proceeds with the install but fails in joining and lets me go to the UCS console and try again.

So… is the join process trying to ssh into UCS (self) and then process the join? The username and password help prompts say the domain administrator user/pass and the Domain Controller Master which I assume must be the DENALI host. I don’t think it is expecting to be able to ssh into DENALI, it has no sshd.

I am at a loss. I have this in hyper-v and have a checkpoint at the point where you join the domain, so I can roll back to that configuration step (after disk format) as many times as I need. Any help would be much appreciated… it must be something dumb I just can’t see, something super obvious.

root@ucs:/var/log/univention# cat join.log Sat Jun 11 20:01:18 AKDT 2016: starting /usr/share/univention-join/univention-join -dcaccount Administrator -dcpwd /tmp/tmp.trsKOWRhID ssh: connect to host ucs.allforkids.local port 22: Connection refused Sat Jun 11 20:01:18 AKDT 2016: finish /usr/share/univention-join/univention-join Sat Jun 11 20:08:02 AKDT 2016: starting /usr/sbin/univention-join -dcname ucs.allforkids.local -dcaccount Administrator -dcpwd /tmp/tmpGjiVbw Warning: Permanently added 'ucs.allforkids.local,192.168.10.10' (ECDSA) to the list of known hosts. Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive). Sat Jun 11 20:08:07 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:08:21 AKDT 2016: starting /usr/sbin/univention-join -dcname ucs.allforkids.local -dcaccount root -dcpwd /tmp/tmpSXSIfr running version check OK: UCS version on ucs.allforkids.local is higher or equal (4.10) to the local version (4.10). Stopping ldap server(s): slapd ...done. Starting ldap server(s): slapd ...done. Sat Jun 11 20:08:29 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:08:46 AKDT 2016: starting /usr/sbin/univention-join -dcname denali.allforkids.local -dcaccount administrator -dcpwd /tmp/tmpVGUzSM ssh: connect to host denali.allforkids.local port 22: Connection refused Sat Jun 11 20:08:46 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:08:56 AKDT 2016: starting /usr/sbin/univention-join -dcname denali.allforkids.local -dcaccount administrator -dcpwd /tmp/tmpalRX9m ssh: connect to host denali.allforkids.local port 22: Connection refused Sat Jun 11 20:08:56 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:18:14 AKDT 2016: starting /usr/sbin/univention-join Sat Jun 11 20:18:24 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:26:24 AKDT 2016: starting /usr/sbin/univention-join -dcname ucs.allforkids.local -dcaccount root -dcpwd /tmp/tmpF6_sMn running version check OK: UCS version on ucs.allforkids.local is higher or equal (4.10) to the local version (4.10). Stopping ldap server(s): slapd ...done. Starting ldap server(s): slapd ...done. Sat Jun 11 20:26:31 AKDT 2016: finish /usr/sbin/univention-join root@ucs:/var/log/univention# cat join.log Sat Jun 11 20:01:18 AKDT 2016: starting /usr/share/univention-join/univention-join -dcaccount Administrator -dcpwd /tmp/tmp.trsKOWRhID ssh: connect to host ucs.allforkids.local port 22: Connection refused Sat Jun 11 20:01:18 AKDT 2016: finish /usr/share/univention-join/univention-join Sat Jun 11 20:08:02 AKDT 2016: starting /usr/sbin/univention-join -dcname ucs.allforkids.local -dcaccount Administrator -dcpwd /tmp/tmpGjiVbw Warning: Permanently added 'ucs.allforkids.local,192.168.10.10' (ECDSA) to the list of known hosts. Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive). Sat Jun 11 20:08:07 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:08:21 AKDT 2016: starting /usr/sbin/univention-join -dcname ucs.allforkids.local -dcaccount root -dcpwd /tmp/tmpSXSIfr running version check OK: UCS version on ucs.allforkids.local is higher or equal (4.10) to the local version (4.10). Stopping ldap server(s): slapd ...done. Starting ldap server(s): slapd ...done. Sat Jun 11 20:08:29 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:08:46 AKDT 2016: starting /usr/sbin/univention-join -dcname denali.allforkids.local -dcaccount administrator -dcpwd /tmp/tmpVGUzSM ssh: connect to host denali.allforkids.local port 22: Connection refused Sat Jun 11 20:08:46 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:08:56 AKDT 2016: starting /usr/sbin/univention-join -dcname denali.allforkids.local -dcaccount administrator -dcpwd /tmp/tmpalRX9m ssh: connect to host denali.allforkids.local port 22: Connection refused Sat Jun 11 20:08:56 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:18:14 AKDT 2016: starting /usr/sbin/univention-join Sat Jun 11 20:18:24 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:26:24 AKDT 2016: starting /usr/sbin/univention-join -dcname ucs.allforkids.local -dcaccount root -dcpwd /tmp/tmpF6_sMn running version check OK: UCS version on ucs.allforkids.local is higher or equal (4.10) to the local version (4.10). Stopping ldap server(s): slapd ...done. Starting ldap server(s): slapd ...done. Sat Jun 11 20:26:31 AKDT 2016: finish /usr/sbin/univention-join Sat Jun 11 20:27:41 AKDT 2016: starting /usr/sbin/univention-join -dcname denali.allforkids.local -dcaccount administrator -dcpwd /tmp/tmpi0vnQk ssh: connect to host denali.allforkids.local port 22: Connection refused Sat Jun 11 20:27:41 AKDT 2016: finish /usr/sbin/univention-join

A UCS Backup DC requieres always a UCS Master DC. So the first UCS system must be always a DC Master.

Ok, I get that the first ucs system must be a dc master. Does the first UCS system in an existing windows domain automatically become a UCS master? I guess the system role selection is a little vague coming from a windows domain management standpoint, I really thought I had this all figured out, I have had a UCS domain and a member-server in production for over a year, but this is the first time integrating it with a windows domain in a lab.

So, which System Role should I choose for an intended AD Takeover? “Domain controller backup”, “Domain controller slave” or “Member server”?

Here are the steps so far…


oops, took a screenshot on the wrong button… I didn’t choose no domain, just fyi



needed to set a static IP and dns here



Here is where I am not sure what option to choose

I think choosing the second point is correct, but are still remains of older tries in the DNS. How often did you tried it yet?

Oh man, half a dozen times at least.

I looked in the DNS of the SBS server and there is only the A/ptr for the ucs.allforkids.local record I created. I added that record later on in the process of restarting this VM and trying again.

What would you suggest I do to prep for a clean UCS install and starting over?

I am thinking I should set the primary DNS by the DHCP server to be the SBS server, and set a DHCP static lease for the UCS server so I don’t have to change it’s IP address later, and then start over with a clean install. I downloaded a fresh copy of the UCS iso, the one I used was from feb or march, so I might have to more updates rolling into that iso… but I can’t quite tell since the iso doesn’t include any build/version info that I can see (I suppose there is a readme inside I could look at).

I have about 4 of this exact scenario I need to accomplish over the next 4 or 5 months… so I really want to get this process down to a science so I can do it in a weekend and not stretch it over a week.

Thanks for your help!

Hello,

yoo should look for service records like _domaincontroller_master._tcp

sdb.univention.de/content/20/279 … n-ucs.html

Yahtzee, there was a record in there. I deleted the dcmaster record that was in the DNS on the SBS server. I am embarrassed, I am supposed to be a DNS admin for a large org but I don’t know the savageries of AD DNS, I am an external public DNS guy. :frowning:

I cleaned out the DNS, snapshotted the SBS vm, recreated the UCS vm and will snapshot it once it is fired up at first boot. I will report back as I go. But… as far as I can tell, I just choose join and existing AD, and then choose the Backup AD option, and the wizard should take me through the rest.

Thanks again for your input!

Eureka, I am joined to the domain. I think in my haste the first time I selected the AD takeover component and it failed, but it did enough that there was cleanup Ineeded to do before trying again. With your help, I cleared the DNS record, joined as a backup DC, and have signed in A-OK.

Now, on to the ad-takeover after some testing and verifying. Thanks a TON!

Thanks for the help, the takeover was successful. I am pretty sure the first one failed because of a dns issue in the sandbox firewall (handing out primary dns to a non-authoritative server), and the dns entry that was created was preventing joining from that point forward. After removing the dns entry that was suggested, and a reinstall of the base UCS system and setting a static IP at the beginning, it processed through to the end with no issues.

Again, thank you a ton!

I’m glad to hear that everything is ok now :slight_smile:

Mastodon