[Samba] Can't add new DC
Denis Cardon
denis.cardon at tranquil-it-systems.fr
Thu Mar 10 08:39:14 UTC 2016
Hi Jordi,
> I'm trying to add a new DC to my existing domain (18 Samba4 DCs), but this time the domain join gets stuck after setting the account password.
> I have tried so many things, but at this point I really don't know what to do.
>
> I can see the new dc111 computer object on the smb4dc server, but the object is disabled.
> If someone has an idea...
Could you try to see if it gets better if you don't use auto-discovery
in /etc/krb5.conf? That is to say, you point the krb5.conf kdc entries to
itself and to the KDC on the main site.
This is one issue I had once on a project in Africa with about 24 sites;
after setting up 12-13 DCs, I started to get timeouts on join.
Indeed, during the join it looks like the process tries to contact all
the KDCs referenced in the /etc/krb5.conf file (which is all DCs if you
use auto-discovery), even if you have already configured "sites and
services" properly.
In that case, the VPN had a star topology, with no icmp-unreachable
reply (i.e. DROP rules) when a branch tried to contact another branch,
plus 500ms of added latency through a sat link.
Changing the /etc/krb5.conf file did the trick. Something like this
should do it:
[libdefaults]
default_realm = TRANQUILIT.LAN
dns_lookup_realm = false
# also stop SRV auto-discovery from appending every DC to the KDC list
dns_lookup_kdc = false
[realms]
TRANQUILIT.LAN = {
# itself
kdc = 10.100.0.11
# hub site kdc
kdc = 10.0.0.11
}
[domain_realm]
.tranquilit.lan = TRANQUILIT.LAN
tranquilit.lan = TRANQUILIT.LAN
Once the DC is up and running, it should take the "sites and
services" topology definition into account and only try to contact the hub
site DCs (if that is what is configured).
By the way, are you using Douglas's new KCC? It is a must when you
have a larger topology!
Cheers,
Denis
>
> Best regards
>
>
> root at dc111:~# samba-tool domain join pr.educationetformation.fr DC -U administrator --realm=PR.EDUCATIONETFORMATION.FR -W PR --dns-backend=BIND9_DLZ --site=PetitQuevilly --server=smb4dc.pr.educationetformation.fr
> Password for [PR\administrator]:
> workgroup is PR
> realm is pr.educationetformation.fr
> checking sAMAccountName
> Adding CN=DC111,OU=Domain Controllers,DC=pr,DC=educationetformation,DC=fr
> Adding CN=DC111,CN=Servers,CN=PetitQuevilly,CN=Sites,CN=Configuration,DC=pr,DC=educationetformation,DC=fr
> Adding CN=NTDS Settings,CN=DC111,CN=Servers,CN=PetitQuevilly,CN=Sites,CN=Configuration,DC=pr,DC=educationetformation,DC=fr
> Adding SPNs to CN=DC111,OU=Domain Controllers,DC=pr,DC=educationetformation,DC=fr
> Setting account password for DC111$
>
>
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
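As an added example (not code from the original thread or from the Samba project), the following Python script checks a krb5.conf the way the advice above suggests: it parses the file, lists the KDCs the realm block pins, and flags the settings that would silently defeat the pinning. It assumes, as the MIT krb5 documentation states, that only whole-line comments are ignored by the profile parser, so a trailing "# itself" after a kdc value becomes part of the value; it also assumes dns_lookup_kdc defaults to true when absent, and that the section name is [domain_realm]. Both sample configurations are constructed for the example; the TCP probe is optional and is the only part that touches the network.

```python
import re
import socket

# Whole-line comments only: '#' or ';' as the first non-blank character.
COMMENT_RE = re.compile(r"^\s*[#;]")
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
BINDING_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a '{' block becomes a nested dict in the list.

    A trailing '# note' is deliberately kept inside the value (assumption: MIT krb5
    documents that only whole-line comments are ignored), so the linter can catch it.
    """
    conf = {}
    stack = []  # dicts currently open: the section, then each '{' block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or COMMENT_RE.match(line):
            continue
        if line == "}":
            stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [conf.setdefault(m.group(1).strip(), {})]
            continue
        m = BINDING_RE.match(line)
        if not m or not stack:
            raise ValueError("unparsable line: %r" % raw)
        key, value = m.group(1), m.group(2)
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def kdcs_for_realm(conf, realm=None):
    """Return (realm, [kdc values in file order]) for the given or default realm."""
    realm = realm or conf.get("libdefaults", {}).get("default_realm", [None])[0]
    kdcs = []
    for block in conf.get("realms", {}).get(realm, []):
        if isinstance(block, dict):
            kdcs.extend(block.get("kdc", []))
    return realm, kdcs


def lint_krb5_conf(text):
    """List the mistakes that would make the join contact more KDCs than intended."""
    conf = parse_krb5_conf(text)
    problems = []
    realm, kdcs = kdcs_for_realm(conf)
    # Assumption: dns_lookup_kdc is on unless explicitly turned off.
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    if flag not in ("false", "no", "n", "off", "0", "nil"):
        problems.append("dns_lookup_kdc is not disabled: SRV auto-discovery adds every DC")
    if not kdcs:
        problems.append("no kdc entries for realm %r" % realm)
    for kdc in kdcs:
        if any(c in kdc for c in "#; "):
            problems.append("kdc value %r carries an inline comment; move it to its own line" % kdc)
    if "domain_realms" in conf:
        problems.append("section [domain_realms] is ignored; the section is [domain_realm]")
    return problems


def probe_kdc(host, port=88, timeout=2.0):
    """TCP connect with a hard timeout: a DROP rule on the path shows up as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: the shape of the file as first posted, with inline comments.
AS_POSTED = """\
[libdefaults]
default_realm = TRANQUILIT.LAN
dns_lookup_realm=false
[realms]
TRANQUILIT.LAN = {
kdc = 10.100.0.11 # itself
kdc = 10.0.0.11 # hub site kdc
}
[domain_realms]
.tranquilit.lan = TRANQUILIT.LAN
tranquilit.lan = TRANQUILIT.LAN
"""

# Constructed sample: the same file with the KDC list properly pinned.
FIXED = """\
[libdefaults]
default_realm = TRANQUILIT.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
TRANQUILIT.LAN = {
# itself
kdc = 10.100.0.11
# hub site kdc
kdc = 10.0.0.11
}
[domain_realm]
.tranquilit.lan = TRANQUILIT.LAN
tranquilit.lan = TRANQUILIT.LAN
"""

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(name, "->", lint_krb5_conf(text) or "ok")
        realm, kdcs = kdcs_for_realm(parse_krb5_conf(text))
        print("  %s will try, in order: %s" % (realm, kdcs))
```

Run it against /etc/krb5.conf on the DC you are about to join before starting samba-tool; an empty problem list and a two-entry KDC list (itself and the hub) is what the advice above aims for, and probe_kdc with a short timeout on each entry tells you whether a branch-to-branch DROP rule is still in the path.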