Andrew/Tridge, I just want to close loop on this request even we already worked together and resolved the related issue. I want to make sure the document is updated properly to include the error conditions.
The first error can be returned by Windows DC handling IDL_DRSAddEntry if it is a Domain Naming FSMO role owner but its ownership canotn be validated because the DC has never been synchronized with any existing partners. This is not explicitly called out in the document. I filed a request to specify this condition. For the second error, when the nTDSDSA object is created under server object, it needs to find an existing crossRef that matches the domain name. If it cannot be found , then ERROR_DS_NO_CROSSREF_FOR_NC will be returned. The logic is specified in the subroutine CreateNtdsDsa (4.1.1.2.3 MS-DSRS),which is called by IDL_DRSAddEntry() as following: domainCR := select one v from ConfigNC() where v!nCName = domainName and crossRef in v!objectClass and FLAG_CR_NTDS_DOMAIN in v!systemFlags We need to update the error condition here mentioning if domainCR cannot be found, then ERROR_DS_NO_CROSSREF_FOR_NC will be returned. This explains that his your workaround is the correct way. I will send you the final update when it is available. Please let me know if there is any more questions regarding this issue. Thanks! Hongwei -----Original Message----- From: Andrew Bartlett [mailto:abart...@samba.org] Sent: Tuesday, August 30, 2011 11:29 PM To: Interoperability Documentation Help Cc: cifs-protocol@cifs.org Subject: Errors when doing a DsAddEntry We have been looking at DRSUAPI/DsAddEntry, and have a few questions. We are trying to implement subdomain support in Samba4 before the plugfest. We have been able to generate error cases that do not seem to be 'possible' in the docs. Can you please clarify exactly what errors this function should be able to return, and document how to avoid these: in join-s1.txt we have an error that is only listed in the docs when removing a DC from the domain. extended_err : WERR_DS_ROLE_NOT_VERIFIED This is currently blocking us. Our only theory is that we must perform a replication cycle before we do this call. in join-s1-2.txt we have another error, that we worked around by creating the partitions object before creating the server object. However, as we need to match the server-side behaviour, we need to know the undocumented circumstances that cause this error. extended_err : WERR_DS_NO_CROSSREF_FOR_NC Finally, is there any documentation of the high-level procedure for creating a subdomain? Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org _______________________________________________ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol