[Samba] Problems adding DC to Samba 4.1.6 AD

Tue Apr 4 21:19:48 UTC 2017

I inherited an AD "domain" which is running Ubuntu 14.04, with Samba 4.1.6
with "built-in" AD-DNS. The network has only one AD server, which runs on
KVM as a guest - (convenient so I can make backups and test stuff without
breaking my network.

We have around 500 users on the system, and I'm trying to upgrade to 16.04
and a more current version of Samba without making all my users create new
passwords...

The problem I have run into is that when I try and upgrade Ubuntu to the
latest version of 14.04 (required to get to 16.04), samba breaks badly. I
have chased the errors for hours, searching forums, and haven't gotten
anywhere... - At one point I did finally get to where samba would actually
*start* but my shares wouldn't mount - "bad credentials"... - and I was
concerned about carrying along issues from this AD server which might
plague me in the future - so I decided to migrate to a new AD server
instead.

I created a new Ubuntu 14.04 server, installed latest updates, (Samba
4.3.11) and tried to join it as a DC to the existing "domain", following
this howto
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
It appeared to join fine - did give Warning: No NC replicated for
Connection!, but everything else appeared normal - INBOUND and OUTBOUND
neighbors show successful, 0 failures - however - the only thing which
appeared to have replicated is the DNS. I can go into DNS manager from a
windows box, and switch to the new DC, and DNS appears to be there - but
USERS did NOT replicate. when I go into AD Users and Computers, and try to
change Directory Servers to the new Samba server, it says could not be
contacted: The RPC server is unavailable.

I then added a 16.04 server, and tried to join it as a DC, and had the same
result - Active Directory Users and Computers says DC could not be
contacted, RPC server is unavailable.

So, I restored a fresh copy of my original AD Server, and started again -
this time, trying to join join a 2k8 server to the AD as an AD server, it
joins just fine - EXCEPT it will not join/synchronize the DNS. It gives an
error - A delegation for this DNS server cannot be created because the
authoritative parent zone cannot be found or it does not run Windows DNS
server. If you are integrating with an existing DNS infrastructure you
should manually create a delegation to this DNS server in the parent
zone...", When I go into AD DNS manager, there's an error which says "DNS
server was unable to initialize Active Directory security interfaces. Check
that AD is functioning properly..." For this test, I had used this howto -
https://wiki.samba.org/index.php/Joi..._to_a_Samba_AD
<https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD>

Next I tried running RecoveryManager Plus from ManageEngine - to make a
full AD backup - hoping to restore to a fresh AD server - it backs up all
the AD users/groups/containers, but when it hits the DNS, it crashes - and
SAMBA does a KERNEL PANIC. INTERNAL ERROR: Signal 11
/lib/util/fault.c:75*fault_report) and (smb_panic_default)

Of course when I temporarily shut down the samba server (which is the
*only* existing DNS), the w2k8 server won't even start AD - and I'm dead.

I tried to manually create my DNS zone in 2k8 DNS, but it won't let me use
the existing domain...

(sorry for the LONG post!)