Joining second Samba4 DC

Aaron E. ssureshot at gmail.com
Wed May 30 12:35:05 MDT 2012


Come to think of it, I had to add the entry in the flatfile configuration
also..

On 05/30/2012 02:22 PM, Aaron E. wrote:
> I'm using the flatfile right now, but in my testing of this in the past I
> did have to create the entry in DNS manually. Once I created it, it would
> start working right away..
>
> It isn't a standard A record though; if you look through the DNS
> management console you'll find where the primary is defined, and add the
> secondary just the same..
>
> Sorry I don't have exact directions and there may be an easier way..
> This is just how I corrected the scenario..
>
> On 05/30/2012 01:43 PM, Ryan Whelan wrote:
>> I can't figure out how to completely add a second Samba4 DC to a first
>> Samba4 domain. When I follow the how-to to create a Samba4 domain, it
>> goes as I would expect. I can add Windows clients and dynamic DNS updates
>> work. However, when I follow the how-to to add a second DC, DNS never gets
>> updated and replication only looks like it is getting set up in a single
>> direction.
>>
>> On first host I provision with:
>> provision --realm=CNGTEST.LOCAL --domain=cngtest
>> --adminpass=somethingsimple --server-role="domain controller"
>>
>> Once that's done and I start Samba, I can verify the DNS zone with:
>> dig cngtest.local axfr @127.0.0.1
>> (I'm not an AD expert, but it looks OK. I can see all the SRV and A
>> records.)
>>
>> On the second machine (the machine to add as a second DC) I try to join
>> with:
>> samba-tool domain join cngtest.local DC --realm=CNGTEST.LOCAL
>> -Uadministrator
>>
>> The join seems to work fine. As soon as I start Samba on the second
>> machine and run `samba-tool drs showrepl`, all I see are connections
>> under the 'Inbound' header:
>>
>>
>> Default-First-Site-Name\SMB2
>> DSA Options: 0x00000001
>> DSA object GUID: 38296f7a-5964-4e85-94d6-47cedd5adffc
>> DSA invocationId: e2e50339-a7af-47f4-810b-e85627efc750
>>
>> ==== INBOUND NEIGHBORS ====
>>
>> CN=Configuration,DC=cngtest,DC=local
>> Default-First-Site-Name\SMB1 via RPC
>> DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
>> Last attempt @ Wed May 30 13:14:23 2012 EDT was successful
>> 0 consecutive failure(s).
>> Last success @ Wed May 30 13:14:23 2012 EDT
>>
>> CN=Schema,CN=Configuration,DC=cngtest,DC=local
>> Default-First-Site-Name\SMB1 via RPC
>> DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
>> Last attempt @ Wed May 30 13:14:23 2012 EDT was successful
>> 0 consecutive failure(s).
>> Last success @ Wed May 30 13:14:23 2012 EDT
>>
>> DC=cngtest,DC=local
>> Default-First-Site-Name\SMB1 via RPC
>> DSA object GUID: bd37bcf3-9d3d-48c4-b008-8aad5b99f887
>> Last attempt @ Wed May 30 13:14:24 2012 EDT was successful
>> 0 consecutive failure(s).
>> Last success @ Wed May 30 13:14:24 2012 EDT
>>
>> ==== OUTBOUND NEIGHBORS ====
>>
>> ==== KCC CONNECTION OBJECTS ====
>>
>> Connection --
>> Connection name: 611dcc37-8acc-4a16-8fa1-94eb673aa45a
>> Enabled : TRUE
>> Server DNS name : SMB2.cngtest.local
>> Server DN name : CN=NTDS Settings,CN=SMB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cngtest,DC=local
>>
>> TransportType: RPC
>> options: 0x00000001
>> Warning: No NC replicated for Connection!
>>
>>
>> Looking back at the first machine (SMB1), it is filling its logs with an
>> error that it can't resolve the GUID of the second machine:
>> dns child failed to find name
>> '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
>> dns child failed to find name
>> '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
>> dns child failed to find name
>> '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
>> dns child failed to find name
>> '38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local' of type A
>>
>> Not a surprise I suppose, since it never updated the DNS zone. I tried
>> running samba_dnsupdate and restarting bind; the second host never shows
>> up. I tried adding the record with `samba-tool dns`:
>> samba-tool dns add -Uadministrator smb1 cngtest.local
>> 38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs A 192.168.0.202
>>
>> This reports no issue and I can see the record if I do a zone transfer:
>> dig cngtest.local axfr @127.0.0.1
>> ....
>> 38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local. 900 IN A
>> 192.168.0.202
>> ....
>>
>> However, if I try to do a resolution on that address, it fails!
>> dig 38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local
>> (status: NXDOMAIN)
>>
>> Also, when I run 'showrepl' on the secondary, the primary generates the
>> following errors:
>>
>> Kerberos: AS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:45982 for
>> krbtgt/CNGTEST.LOCAL at CNGTEST.LOCAL
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
>> SMB2$@CNGTEST.LOCAL
>> Kerberos: AS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:33123 for
>> krbtgt/CNGTEST.LOCAL at CNGTEST.LOCAL
>> Kerberos: Client sent patypes: encrypted-timestamp
>> Kerberos: Looking for PKINIT pa-data -- SMB2$@CNGTEST.LOCAL
>> Kerberos: Looking for ENC-TS pa-data -- SMB2$@CNGTEST.LOCAL
>> Kerberos: ENC-TS Pre-authentication succeeded -- SMB2$@CNGTEST.LOCAL
>> using
>> arcfour-hmac-md5
>> Kerberos: AS-REQ authtime: 2012-05-30T13:20:12 starttime: unset endtime:
>> 2012-05-30T23:20:12 renew till: unset
>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
>> aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
>> using arcfour-hmac-md5/arcfour-hmac-md5
>> Kerberos: Requested flags: forwardable
>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:52989 for
>> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL [canonicalize]
>> Kerberos: Searching referral for SMB2.CNGTEST.LOCAL
>> Kerberos: Server not found in database:
>> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:52989
>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:59067 for
>> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL
>> Kerberos: Server not found in database:
>> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:59067
>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:49944 for
>> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL [canonicalize]
>> Kerberos: Searching referral for SMB2.CNGTEST.LOCAL
>> Kerberos: Server not found in database:
>> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:49944
>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:49478 for
>> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL
>> Kerberos: Server not found in database:
>> ldap/SMB2.CNGTEST.LOCAL at CNGTEST.LOCAL: no such entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:49478
>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:60929 for
>> ldap/smb2.cngtest.local at CNGTEST.LOCAL [canonicalize]
>> Kerberos: Searching referral for smb2.cngtest.local
>> Kerberos: Server not found in database:
>> ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:60929
>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:47690 for
>> ldap/smb2.cngtest.local at CNGTEST.LOCAL
>> Kerberos: Server not found in database:
>> ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:47690
>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:41658 for
>> ldap/smb2.cngtest.local at CNGTEST.LOCAL [canonicalize]
>> Kerberos: Searching referral for smb2.cngtest.local
>> Kerberos: Server not found in database:
>> ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:41658
>> Kerberos: TGS-REQ SMB2$@CNGTEST.LOCAL from ipv4:192.168.0.202:42830 for
>> ldap/smb2.cngtest.local at CNGTEST.LOCAL
>> Kerberos: Server not found in database:
>> ldap/smb2.cngtest.local at CNGTEST.LOCAL: no such entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.0.202:42830
>>
>> I followed the how-tos to the letter. I've tried a few times now and I'm
>> starting to really lose hope. What is wrong? What am I missing? We
>> really would like to start testing Samba as a replacement for MS AD!
>>
>> ryan
>>
>
>
>
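
Added example, not part of the thread and not Samba's own code: a POSIX shell check, using only dig, for the DNS records a freshly joined Samba AD DC needs before the first DC can replicate from it. The realm, hostname, DSA GUID and address are the ones in Ryan's post; the two zone fixtures (ZONE_GOOD, ZONE_BROKEN) are constructed so the checks can be exercised offline, and DNS_SERVER, DC_DNS_FIXTURE, lookup and check_dc_dns are names chosen here, not Samba tooling.

```shell
#!/bin/sh
# Added example, not from this thread or the Samba project: check the DNS
# records a freshly joined Samba AD DC needs, using only dig.
# Names, GUID and address below come from Ryan's post; the two zone
# fixtures are constructed so the script can be exercised offline.

# lookup TYPE NAME: print each answer's rdata on one line, lower-cased,
# like `dig +short`. With DC_DNS_FIXTURE set, answer from that text
# (one record per line: NAME TYPE RDATA...) instead of querying a server.
lookup() {
    if [ -n "${DC_DNS_FIXTURE:-}" ]; then
        printf '%s\n' "$DC_DNS_FIXTURE" | awk -v t="$1" -v n="$2" '
            $1 == n && $2 == t { r = $3; for (i = 4; i <= NF; i++) r = r " " $i; print r }'
    else
        dig +short @"${DNS_SERVER:-127.0.0.1}" -t "$1" "$2"
    fi | tr 'A-Z' 'a-z'
}

# check_dc_dns REALM DC_FQDN DSA_GUID DC_IP
# Prints one line per finding; returns the number of problems (0 = all good).
check_dc_dns() {
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    guid=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    ip=$4
    bad=0

    # 1. The DC's own A record.
    if lookup A "$dc" | grep -qxF "$ip"; then
        echo "ok      A     $dc -> $ip"
    else
        echo "MISSING A     $dc -> $ip"; bad=$((bad + 1))
    fi

    # 2. Replication partners locate a DC through <DSA GUID>._msdcs.<forest root>.
    #    That name must be a CNAME to the DC hostname, not an A record.
    msdcs="$guid._msdcs.$realm"
    target=$(lookup CNAME "$msdcs" | sed 's/\.$//')
    if [ "$target" = "$dc" ]; then
        echo "ok      CNAME $msdcs -> $dc"
    else
        if [ -n "$(lookup A "$msdcs")" ]; then
            echo "WRONG   CNAME $msdcs is an A record; it must be a CNAME to $dc"
        else
            echo "MISSING CNAME $msdcs -> $dc"
        fi
        bad=$((bad + 1))
        # If _msdcs is delegated as its own zone, the CNAME has to be added
        # to that zone; a record put into the parent zone is never served.
        if [ -n "$(lookup SOA "_msdcs.$realm")" ]; then
            echo "note    _msdcs.$realm is a separate zone; add the CNAME there"
        fi
    fi

    # 3. The SRV records the DC/KDC locators use must list the new DC too.
    #    dig +short prints SRV rdata as "priority weight port target."
    for srv in "_ldap._tcp.$realm" "_ldap._tcp.dc._msdcs.$realm" \
               "_kerberos._tcp.$realm" "_kerberos._tcp.dc._msdcs.$realm" \
               "_kpasswd._tcp.$realm"; do
        if lookup SRV "$srv" | awk -v h="$dc." '$4 == h { found = 1 } END { exit !found }'; then
            echo "ok      SRV   $srv -> $dc"
        else
            echo "MISSING SRV   $srv -> $dc"; bad=$((bad + 1))
        fi
    done

    echo "RESULT  $bad problem(s)"
    return "$bad"
}

# Constructed fixture: what DNS should hold after SMB2 joined correctly.
ZONE_GOOD='
smb2.cngtest.local A 192.168.0.202
38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local CNAME smb2.cngtest.local.
_ldap._tcp.cngtest.local SRV 0 100 389 smb1.cngtest.local.
_ldap._tcp.cngtest.local SRV 0 100 389 smb2.cngtest.local.
_ldap._tcp.dc._msdcs.cngtest.local SRV 0 100 389 smb2.cngtest.local.
_kerberos._tcp.cngtest.local SRV 0 100 88 smb2.cngtest.local.
_kerberos._tcp.dc._msdcs.cngtest.local SRV 0 100 88 smb2.cngtest.local.
_kpasswd._tcp.cngtest.local SRV 0 100 464 smb2.cngtest.local.
'

# Constructed fixture modelled on the symptoms in the post: the GUID name
# was added as an A record, _msdcs is a zone of its own, and only SMB1
# appears in the SRV records.
ZONE_BROKEN='
smb2.cngtest.local A 192.168.0.202
38296f7a-5964-4e85-94d6-47cedd5adffc._msdcs.cngtest.local A 192.168.0.202
_msdcs.cngtest.local SOA smb1.cngtest.local. hostmaster.cngtest.local. 1 900 600 86400 3600
_ldap._tcp.cngtest.local SRV 0 100 389 smb1.cngtest.local.
_ldap._tcp.dc._msdcs.cngtest.local SRV 0 100 389 smb1.cngtest.local.
_kerberos._tcp.cngtest.local SRV 0 100 88 smb1.cngtest.local.
_kerberos._tcp.dc._msdcs.cngtest.local SRV 0 100 88 smb1.cngtest.local.
_kpasswd._tcp.cngtest.local SRV 0 100 464 smb1.cngtest.local.
'

# Live use against the first DC's DNS server:
#   DNS_SERVER=<address of smb1> sh dc-dns-check.sh cngtest.local smb2.cngtest.local \
#       38296f7a-5964-4e85-94d6-47cedd5adffc 192.168.0.202
if [ "$#" -eq 4 ]; then
    check_dc_dns "$@"
fi
```

Run against SMB1's DNS, it lists what samba_dnsupdate should have registered for SMB2 and which records are absent. Two points the checks encode: the `<GUID>._msdcs` name is a CNAME to the DC hostname, so an A record there (as in the post) is the wrong type; and when `_msdcs.<realm>` answers for SOA it is a zone of its own, so the record has to go into that zone, whether it is added with `samba-tool dns add` (the name argument is relative to the zone you give) or, as Aaron did, in the BIND flat file. The `Server not found in database: ldap/SMB2.CNGTEST.LOCAL` lines are a separate symptom: SMB1's KDC has no principal carrying that SPN, and `samba-tool spn list 'SMB2$'` run on each DC shows which SPNs the SMB2$ account holds there.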



