Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD

Aubrey Ekstrom aekstrom at
Thu Dec 1 14:49:27 MST 2011

Hi Andrew,

Thanks for the fast reply!

Unfortunately my previous boss told me specifically not to set up dynamic
DNS on the Samba 4 PDC, despite my objections. He had some strange ideas
about security, that being one of them... but he is gone now. That was why
I suspected that maybe DNS & Kerberos was the issue here. I think I need to
update Bind9 on the PDC to get DDNS working though. I don't mind working on
that and then building another DC, but either way it would be nice if I
could delete the bad DC(s) from A/D. Any ideas on that? (see the thread for
what we tried to do deleting the orphaned DC server from A/D).

Pretty soon my new boss is going to tell me not to spend any more time on
this and just use Windows A/D :^(. I really don't mind doing that, but I do
enjoy running an alpha Samba 4 on Debian Linux for our Active Directory,
and having it be 1000X more stable than any Windows Server I have ever
worked with, even if it doesn't have 100% functionality... yet :).


Aubrey Ekstrom | Systems Administrator
Proclivity Systems
22 West 19th St., Ninth Floor
New York, NY 10011
p 646.380.2416
aekstrom at

Proclivity® | We Value Your Customers™

This message is the property of Proclivity Systems, Inc. and is intended
only for the use of the addressee(s), and may contain material that is
confidential and privileged for the sole use of the intended recipient.  If
you are not the intended recipient, reliance or forwarding without express
permission is strictly prohibited; please contact the sender and delete all

On Thu, Dec 1, 2011 at 4:35 PM, Andrew Bartlett <abartlet at> wrote:

> On Wed, 2011-11-30 at 12:50 -0500, Aubrey Ekstrom wrote:
> > Hi Ted and everyone,
> >
> > Thanks again Ted for your help and suggestions.
> >
> > Hosts file is fine on new DC. DNS resolves both DCs fine. Same error still:
> >
> > newdc0:/usr/local/samba/sbin# ./samba-tool drs showrepl
> > ERROR(runtime): DRS connection to newdc0.not.our.domain failed -
> > (-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
> >
> > I did not set up the Bind/DNS server on the new DC since that was not
> > indicated in the join domain instructions, and the necessary files get
> > generated from running the provisioning. It occurs to me though that for
> > the kerberos stuff, that is probably needed, at least on the existing PDC
> > DNS server if not on both. When I look at the DNS files for the current
> > though, there are 2 entries that look like GUIDs (the exact same format and
> > number of characters), but are not the actual GUID of the server (the
> > actual GUID of both servers I was able to locate in the Windows GUI):
> >
> > #1: b36cf7ca-5d1f-4720-9cc1-3034b87312c4._msdcs    IN CNAME
> > #2:
> >  IN SRV 0 100 389
> >
> > Does anyone know how I can find those equivalent entries (or
> > generate/populate them) for the new DC? Based on the above error I am
> > thinking that it may just be the kerberos and other services are not
> > resolving to the new server correctly. If that is the case then it should
> > be fixable by me if I can get those GUID like strings for the new server,
> > whereas an ldap db corruption from replicating OS X schema, probably not
> > fixable by me (if that is the problem).
> >
> > As always, any ideas or suggestions are most welcome and appreciated. Thanks!
>
> When Samba starts it will spawn a child samba_dnsupdate which will
> update DNS using kerberos, creating the entries.  If that does not work,
> perhaps the DNS server on your original DC is not accepting kerberos
> updates.
> Andrew Bartlett
> --
> Andrew Bartlett
> Authentication Developer, Samba Team
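The two "GUID-like" entries in the thread are the standard AD DNS registrations: a CNAME `<guid>._msdcs.<forest>` whose owner is the objectGUID of the DC's NTDS Settings object (the DSA GUID, which is why it does not match the computer object's GUID shown in the Windows GUI), and SRV records such as `_ldap._tcp.dc._msdcs.<domain>` (port 389) and `_kerberos._tcp.dc._msdcs.<domain>` (port 88). samba_dnsupdate registers these among others; the example below is an added diagnostic, not code from the thread or from Samba, that reads a BIND zone file and lists which of that subset a given DC is missing. The zone text, host names and GUIDs are constructed placeholders, and forest and domain are assumed to be the same.

```python
"""List the AD DNS records a DC should have but a BIND zone lacks.

Added example, not from the thread or from Samba; all zone data is constructed.
"""
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata), normalised

# Constructed zone fragment: dc1 is fully registered, newdc0 has only an A
# record and one SRV record. GUIDs and names are placeholders.
SAMPLE_ZONE = """
$ORIGIN example.test.
$TTL 900
@                              IN SOA   dc1.example.test. hostmaster.example.test. 1 3600 900 604800 900
dc1                            IN A     10.0.0.1
newdc0                         IN A     10.0.0.2
aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs IN CNAME dc1.example.test.
_ldap._tcp.dc._msdcs           IN SRV   0 100 389 dc1.example.test.
                               IN SRV   0 100 389 newdc0.example.test.  ; owner inherited
_kerberos._tcp.dc._msdcs       IN SRV   0 100 88  dc1.example.test.
"""


def parse_zone(zone_text: str) -> List[Record]:
    """Minimal zone-file reader: handles $ORIGIN, ';' comments, omitted owner
    names (inherit the previous owner) and one 'name [ttl] IN type rdata'
    record per line. Parenthesised multi-line records are not supported."""
    origin = "."
    last_name = origin
    records: List[Record] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if tokens[0].startswith("$"):
            continue  # $TTL and other directives do not matter here
        if "IN" not in tokens:
            continue
        cls_idx = tokens.index("IN")
        if line[0].isspace():
            name = last_name  # owner omitted: same as the previous record
        else:
            name = tokens[0].lower()
            if name == "@":
                name = origin
            elif not name.endswith("."):
                name = f"{name}.{origin}"
        last_name = name
        rtype = tokens[cls_idx + 1].upper()
        rdata = " ".join(tokens[cls_idx + 2:]).lower()
        records.append((name, rtype, rdata))
    return records


def expected_dc_records(dc_fqdn: str, ntds_guid: str, domain: str) -> List[Tuple[str, str, Optional[str]]]:
    """Subset of the records a DC registers; forest == domain is assumed."""
    fqdn = dc_fqdn.lower().rstrip(".") + "."
    dom = domain.lower().rstrip(".") + "."
    return [
        (fqdn, "A", None),                                      # any address is fine
        (f"{ntds_guid.lower()}._msdcs.{dom}", "CNAME", fqdn),  # DSA GUID alias
        (f"_ldap._tcp.dc._msdcs.{dom}", "SRV", f"0 100 389 {fqdn}"),
        (f"_kerberos._tcp.dc._msdcs.{dom}", "SRV", f"0 100 88 {fqdn}"),
    ]


def _rdata_matches(rtype: str, have: str, want: Optional[str]) -> bool:
    if want is None:
        return True
    if rtype == "SRV":
        # priority and weight may legitimately differ; port and target must match
        return have.split()[-2:] == want.split()[-2:]
    return have == want


def missing_dc_records(zone_text: str, dc_fqdn: str, ntds_guid: str, domain: str) -> List[str]:
    """Describe each expected record that the zone does not contain."""
    records = parse_zone(zone_text)
    missing: List[str] = []
    for name, rtype, want in expected_dc_records(dc_fqdn, ntds_guid, domain):
        found = any(n == name and t == rtype and _rdata_matches(rtype, r, want)
                    for n, t, r in records)
        if not found:
            missing.append(f"{rtype:5} {name} -> {want or '<any>'}")
    return missing


if __name__ == "__main__":
    for dc, guid in (("dc1.example.test", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
                     ("newdc0.example.test", "11111111-2222-3333-4444-555555555555")):
        gaps = missing_dc_records(SAMPLE_ZONE, dc, guid, "example.test")
        print(f"{dc}: " + ("all expected records present" if not gaps else "MISSING " + ", ".join(gaps)))
```

Run against the real zone, the DSA GUID is the objectGUID of the new DC's `CN=NTDS Settings` object; a DC that shows gaps here but whose samba_dnsupdate child ran without error is a sign that the original DC's DNS server is not accepting the Kerberos-authenticated updates, which is the failure mode Andrew describes above.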

More information about the samba-technical mailing list