[Samba] Windows 2008R2 DC Problems

Samba Maile dominik.mailinglist at gmail.com
Tue Mar 31 01:46:28 MDT 2015

Hi Guys,

I was thrown off by the subject and would love to know if you could ever
resolve this problem.
I'm facing the same issues.
For various $reasons I need an additional Windows DC in my domain and as
Moe described everything looks fine until you try DNS stuff.

My environment:
DC-01 (Ubuntu 12.04 LTS)
DC-02 (Ubuntu 12.04 LTS)

Samba: Version 4.1.17 (build from sources)
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2

DNS via BIND_DLZ with bind version 9.9.5 (Extended Support Version)

The domain was created with samba3 as an NT-style domain and migrated with
samba 4.0.7(?) using classicupgrade.

Since I'm a cautious guy I tried this with a copy of my live env in an
isolated vlan first (cloned my dc VMs, added a windows vm).
Doing this allowed me a bit of testing while debugging the problem.

The windows dc I'm trying to add is running windows 2008 r2 standard
edition with the latest patches.

I tried without success:

- Going back from BIND_DLZ to internal DNS before adding the windows dc
- Upgrading Samba (to 4.2.0)
- Moving the FSMO role for domain naming to the windows dc (which made
things really worse)

And to answer Marc's questions:

* What is the error message?
Same message as Moe is seeing

* When you create a DNS entry on the Samba server, is it replicated to the
Win DC?

* Does the behaviour change if you temporarily shut down Samba on the first
DC while you create the record?

* Who built the domain? I mean: Who was first and populated the AD? Windows
or Samba?

We might be facing this problem:

dcdiag /test:dns

Throws some errors....

I'll collect some logs and screenshots.



Hello Marc,
> 1. The error message is
> "The host record test.salem.int cannot be created. Refused"
> and in the event log
> "The following application directory partition has no security descriptor reference domain.   Application directory partition: DC=DomainDnsZones,DC=salem,DC=int  The root domain will be used instead.   User Action  Set the security descriptor reference domain for this application directory partition."
> 2. Yes, When you create a DNS entry it is replicated to the Win DC. AND if you modify a DNS entry it is replicated from the WIN DC to the samba DC's.
> 3. Disabling Samba on the DC before creating it on the win DC does not do anything.
> 4. Samba first built and populated the domain.
> Thanks,
> Moe
