[Samba] [SOLVED] replace Windows 2003 dc

Peter Beck peter at datentraeger.li
Fri Feb 22 14:22:11 MST 2013

Dustin C. Hatch <admiralnemo at gmail.com> wrote on Fri, Feb 22, 2013 at 12:31:05PM -0600:
> On 2/22/2013 11:13, Sérgio Henrique wrote:
> >I guess the communication between MS AD and Samba4 is by Kerberos. I have
> >copied the /opt/samba/private/krb5.conf to /etc after joining the domain.
> >
> >I have installed a Windows server at 2003 forest level as PDC, then
> >installed samba4.0.3 and joined the domain, but every time I am getting
> >problems with the forest and domain DNS zones...
> >
> I have the same issue. I've tried countless times to add a Samba DC
> to my (test) AD environment, but every time, it fails to add an
> outbound connection for the DomainDnsZones and ForestDnsZones
> directory partitions. In addition, the Samba server is not listed as
> a name server for either the root zone or the _msdcs zone.

Yes, the basic setup is like it's written down in the Wiki pages at

I get Kerberos tickets without any issue. I think it is also important to
raise the domain forest level up to 2003 (I can remember I also had
issues earlier and then I just raised the domain operation level).
The forest operation level was something I changed later...
After raising the operation level I always reboot the Windows DC. Not
sure if that is really needed...

I for one will in future raise both levels up to 2003 _before_ I start
deploying samba.

My krb5.conf looks like this:

[libdefaults]
default_realm = ADLAB.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

And this is my smb.conf, not sure if "allow dns updates" is needed or not.

# Global parameters
[global]
	server role = active directory domain controller
	workgroup = ADLAB
	realm = adlab.local
	netbios name = LAB07
	passdb backend = samba4
	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
	server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
	dns recursive queries = yes
	allow dns updates = true
	dns forwarder =

[netlogon]
	path = /var/lib/samba/sysvol/adlab.local/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

The Samba server is not configured as a name server by default. You can add
it either on Windows, if you right-click the zone and add it on the
"Name Servers" tab, or with samba-tool dns add. I prefer the second
one. To add it, for example, to the zone "adlab.local" you can use
samba-tool dns add <winserver> adlab.local adlab.local NS <sambaserver>.adlab.local
This will add an NS record for the zone "adlab.local" which looks like
the existing entry for the Windows DNS "(same as parent folder)", and it
will also automatically add the Samba server to the "Name Servers" tab of
the zone.

After adding these records / checking other DNS records (_ldap._tcp,
_kerberos etc.) I just did

samba-tool drs replicate <samba-dc> <win-dc> dc=adlab,dc=local --local
samba-tool drs replicate <samba-dc> <win-dc> dc=forestdnszones,dc=adlab,dc=local --local
samba-tool drs replicate <samba-dc> <win-dc> dc=domaindnszones,dc=adlab,dc=local --local

If everything is well (which was the case each time I've tested it), I
moved the FSMO roles with samba-tool fsmo transfer --role=....

But as I mentioned before - I am also still testing at the moment ;-)
Hope that helps.
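The NS record, the SRV record checks and the three partition replications from Peter's message, wrapped in a small POSIX shell script as an added example (this is not Peter's script and not Samba project code). It assumes samba-tool and host are in PATH, the Samba DC has already joined the domain, and the host names LAB07 and WIN2003 stand in for the real DCs; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes samba-tool and host are in
# PATH and that the Samba DC has already been joined to the domain.
set -eu

# adlab.local -> dc=adlab,dc=local
dn_from_domain() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# The three naming contexts pulled in the thread, one per line
partitions() {
    base=$(dn_from_domain "$1")
    printf '%s\n' "$base" "dc=forestdnszones,$base" "dc=domaindnszones,$base"
}

# SRV records worth checking before replicating (_ldap._tcp, _kerberos etc.)
srv_names() {
    printf '%s\n' "_ldap._tcp.$1" "_kerberos._tcp.$1" "_ldap._tcp.dc._msdcs.$1"
}

# Echo instead of execute when DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Step 1: register the Samba DC as a name server at the zone apex
add_ns_record() { # domain win_dc samba_host
    run samba-tool dns add "$2" "$1" "$1" NS "$3.$1"
}

# Step 2: confirm the SRV records resolve before pulling the partitions
check_srv() { # domain
    srv_names "$1" | while read -r name; do run host -t SRV "$name"; done
}

# Step 3: pull each partition from the Windows DC into the local Samba DB
replicate_all() { # domain samba_dc win_dc
    partitions "$1" | while read -r nc; do
        run samba-tool drs replicate "$2" "$3" "$nc" --local
    done
}

# Step 4: move FSMO roles only after the three partitions replicated cleanly
transfer_fsmo() { run samba-tool fsmo transfer --role="${1:-all}"; }

# Usage: DRY_RUN=1 sh dc-migrate.sh adlab.local LAB07 WIN2003
if [ $# -eq 3 ]; then
    add_ns_record "$1" "$3" "$2"
    check_srv "$1"
    replicate_all "$1" "$2" "$3"
fi
```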
