Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD

Andrew Bartlett abartlet at
Thu Dec 1 14:35:11 MST 2011

On Wed, 2011-11-30 at 12:50 -0500, Aubrey Ekstrom wrote:
> Hi Ted and everyone,
> Thanks again Ted for your help and suggestions.
> Hosts file is fine on new DC. DNS resolves both DCs fine. Same error still:
> newdc0:/usr/local/samba/sbin# ./samba-tool drs showrepl
> ERROR(runtime): DRS connection to newdc0.not.our.domain failed -
> I did not set up the Bind/DNS server on the new DC since that was not
> indicated in the join domain instructions, and the necessary files get
> generated from running the provisioning. It occurs to me though that for
> the kerberos stuff, that is probably needed, at least on the existing PDC
> DNS server if not on both. When I look at the DNS files for the current PDC
> though, there are 2 entries that look like GUIDs (the exact same format and
> number of characters), but are not the actual GUID of the server (the
> actual GUID of both servers I was able to locate in the Windows GUI):
> #1: b36cf7ca-5d1f-4720-9cc1-3034b87312c4._msdcs    IN CNAME
> #2:
>  IN SRV 0 100 389
> Does anyone know how I can find those equivalent entries (or
> generate/populate them) for the new DC? Based on the above error I am
> thinking that it may just be the kerberos and other services are not
> resolving to the new server correctly. If that is the case then it should
> be fixable by me if I can get those GUID like strings for the new server,
> whereas an ldap db corruption from replicating OS X schema, probably not
> fixable by me (if that is the problem).
> As always, any ideas or suggestions are most welcome and appreciated. Thanks!

When Samba starts it will spawn a child samba_dnsupdate which will
update DNS using kerberos, creating the entries.  If that does not work,
perhaps the DNS server on your original DC is not accepting kerberos

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
