samba4 from BDC to PDC

Daniele Dario d.dario76 at
Thu Dec 29 04:18:12 MST 2011

Hi Amitay,

On Wed, 2011-12-28 at 21:12 +1100, Amitay Isaacs wrote:
> On Wed, Dec 28, 2011 at 8:41 PM, Daniele Dario <d.dario76 at> wrote:
> > I'm setting up another VM with the latest git sources of samba4.
> > When I'm done with the build, should I run the samba-tool domain join to
> > join as another DC on the domain or should I run samba-tool vampire to
> > synchronize the new DC with the other one?
> You can use samba-tool domain join.
> > On the new DC do I have to prepare also bind9+DLZ or am I supposed to
> > work only with the one on the PDC?
> You can either run two DNS servers, or a single one. As long as both DCs can
> connect to a name server that should be fine.
> Amitay.

I finished preparing the VM and joined samba4 to the domain.
As in the past, after the domain join no dns.keytab will be present in
the private directory.

As said by Gemes Geza, I exported the keytab using
[root at kdc01:/usr/local/samba/private]# samba-tool domain exportkeytab
[root at kdc01:/usr/local/samba/private]# samba-tool user add dns-kdc02
[root at kdc01:/usr/local/samba/private]# samba-tool spn add
DNS/kdc02.saitelitalia.local dns-kdc02

At this point, if I start named
[root at kdc01:~]# named -u bind -d 10 -g -c /etc/bind/named.conf
it fails
29-Dec-2011 11:54:43.328 generating session key for dynamic DNS
29-Dec-2011 11:54:43.328 sizing zone task pool based on 5 zones
29-Dec-2011 11:54:43.329 decrement_reference: delete from rbt:
0xb6d2d548 .
29-Dec-2011 11:54:43.330 Loading 'AD DNS Zone' using driver dlopen
29-Dec-2011 11:54:43.330 Loading SDLZ driver.
29-Dec-2011 11:54:43.515 samba_dlz: Unable to get basedn
for /usr/local/samba/private/dns/sam.ldb - NULL Base DN invalid for a
base search
29-Dec-2011 11:54:43.515 dlz_dlopen of 'AD DNS Zone' failed
29-Dec-2011 11:54:43.515 SDLZ driver failed to load.
29-Dec-2011 11:54:43.515 DLZ driver failed to load.
29-Dec-2011 11:54:43.516 load_configuration: failure
29-Dec-2011 11:54:43.516 loading configuration: failure
29-Dec-2011 11:54:43.516 exiting (due to fatal error)

What am I missing?
If bind does not start I won't be able to see the AD DNS from Windows (I
use XP to double-check what I'm doing), so I can't check whether I can add
the reverse zone.
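As an added illustration (not part of the original post or of Samba's own tooling), the following Python script parses the `named -g` startup output quoted above, isolates the first `samba_dlz:` message and the file it refers to, and separates it from the cascade of follow-on "failed"/"failure" lines so the root message is not lost in the noise. It also checks whether the two files this thread mentions (`dns.keytab` and `dns/sam.ldb` under the Samba private directory) exist and are readable; the assumption that named, started with `-u bind`, must be able to read those files is the script's own and is not a diagnosis from the post. The log text is constructed from the post, with the wrapped line re-joined.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the named startup output quoted in the post above,
# with the line that the mailer wrapped re-joined into one log line.
SAMPLE_NAMED_LOG = """\
29-Dec-2011 11:54:43.328 generating session key for dynamic DNS
29-Dec-2011 11:54:43.328 sizing zone task pool based on 5 zones
29-Dec-2011 11:54:43.330 Loading 'AD DNS Zone' using driver dlopen
29-Dec-2011 11:54:43.330 Loading SDLZ driver.
29-Dec-2011 11:54:43.515 samba_dlz: Unable to get basedn for /usr/local/samba/private/dns/sam.ldb - NULL Base DN invalid for a base search
29-Dec-2011 11:54:43.515 dlz_dlopen of 'AD DNS Zone' failed
29-Dec-2011 11:54:43.515 SDLZ driver failed to load.
29-Dec-2011 11:54:43.515 DLZ driver failed to load.
29-Dec-2011 11:54:43.516 load_configuration: failure
29-Dec-2011 11:54:43.516 loading configuration: failure
29-Dec-2011 11:54:43.516 exiting (due to fatal error)
"""

# "DD-Mon-YYYY HH:MM:SS.mmm message" as printed by named in foreground (-g) mode
LINE_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
# samba_dlz messages of the form "<msg> for <path> - <detail>"; path and detail are optional
DLZ_RE = re.compile(r"samba_dlz: (?P<msg>.*?)(?: for (?P<path>/\S+))?(?: - (?P<detail>.*))?$")
FATAL_MARKERS = ("failed", "failure", "fatal error")


@dataclass
class DlzDiagnosis:
    root_cause: Optional[str] = None       # first samba_dlz message
    path: Optional[str] = None             # file the DLZ module complained about
    detail: Optional[str] = None           # text after " - " in that message
    cascade: List[str] = field(default_factory=list)  # follow-on failure lines
    fatal: bool = False                    # named exited because of it


def diagnose_named_log(text: str) -> DlzDiagnosis:
    """Pick the first samba_dlz error out of named's startup log and collect
    the failure lines that follow it, so the root message stands out."""
    d = DlzDiagnosis()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a timestamped named line; ignore
        msg = m.group(2)
        dm = DLZ_RE.match(msg)
        if dm and d.root_cause is None:
            d.root_cause = dm.group("msg")
            d.path = dm.group("path")
            d.detail = dm.group("detail")
            continue
        if d.root_cause is not None and any(k in msg for k in FATAL_MARKERS):
            d.cascade.append(msg)
            if "fatal error" in msg:
                d.fatal = True
    return d


def check_dlz_files(private_dir: str) -> Dict[str, Dict[str, bool]]:
    """Assumption (not stated in the post): the DLZ module needs to read these
    files under Samba's private directory. Existence and readability are
    checked for the *current* user, so run this as the same user named is
    started with (the post uses 'named -u bind ...'), e.g. via 'sudo -u bind'."""
    results: Dict[str, Dict[str, bool]] = {}
    for rel in ("dns.keytab", "dns/sam.ldb"):
        p = os.path.join(private_dir, rel)
        results[rel] = {"exists": os.path.exists(p), "readable": os.access(p, os.R_OK)}
    return results


if __name__ == "__main__":
    diag = diagnose_named_log(SAMPLE_NAMED_LOG)
    print(f"root cause : {diag.root_cause} ({diag.detail})")
    print(f"file       : {diag.path}")
    print(f"follow-on  : {len(diag.cascade)} lines, fatal={diag.fatal}")
    for rel, st in check_dlz_files("/usr/local/samba/private").items():
        print(f"{rel:12s} exists={st['exists']} readable={st['readable']}")
```

Run it as the user named runs as; the first printed line is the message to act on, the cascade lines are consequences of it rather than separate problems.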
