[Samba] Windows 2008R2 DC Problems
Samba Maile
dominik.mailinglist at gmail.com
Tue Mar 31 01:46:28 MDT 2015
Hi Guys,
I was thrown off by the subject and would love to know if you could ever
resolve this problem.
I'm facing the same issues.
For various $reasons I need an additional Windows DC in my domain and as
Moe described everything looks fine until you try DNS stuff.
My environment:
DC-01 (Ubuntu 12.04 LTS)
DC-02 (Ubuntu 12.04 LTS)
Samba: Version 4.1.17 (build from sources)
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
DNS via BIND_DLZ with bind version 9.9.5 (Extended Support Version)
The domain was created with samba3 as an NT-style domain and migrated with
samba 4.0.7(?) using classicupgrade.
Since I'm a cautious guy I tried this with a copy of my live env in an
isolated vlan first (cloned my dc VMs, added a windows vm)
Doing this allowed me a bit of testing while debugging the problem.
The windows dc I'm trying to add is running windows 2008 r2 standard
edition with the latest patches.
I tried without success:
- Going back from BIND_DLZ to internal DNS before adding the windows dc
- Upgrading Samba (to 4.2.0)
- Moving the FSMO role for domain naming to the windows dc (which made
things really worse)
And to answer Marc's questions:
* What is the error message?
Same message as Moe is seeing
* When you create a DNS entry on the Samba server, is it replicated to the
Win DC?
Yes
* Does the behaviour changes, if you temporary shutdown Samba on the first
DC while you create the record?
no
* Who build the domain? I mean: Who was first and populated the AD? Windows
or Samba?
samba
We might be facing this problem:
http://blogs.msmvps.com/acefekay/2012/06/20/steps-taken-to-resolve-an-issue-with-corrupted-application-partitions-specifically-dns-partitions-and-their-crossref-erence-objects-in-the-ad-configuration-container/
dcdiag /test:dns
Throws some errors....
I'll collect some logs and screenshots.
Regards,
Dominik
Hello Marc,
>
> 1. The error message is
>
> "The host record test.salem.int cannot be created. Refused"
>
> and in the event log
>
> "The following application directory partition has no security descriptor reference domain. Application directory partition: DC=DomainDnsZones,DC=salem,DC=int The root domain will be used instead. User Action Set the security descriptor reference domain for this application directory partition."
>
> 2. Yes, When you create a DNS entry it is replicated to the Win DC. AND if you modify a DNS entry it is replicated from the WIN DC to the samba DC's.
>
> 3. Disabling Samba on the DC before creating it on the win DC does not do anything.
>
> 4. Samba first built and populated the domain.
>
> Thanks,
>
> Moe