[Samba] Samba Active Directory Domain Controller

Anantha Raghava raghav at exzatechconsulting.com
Thu May 4 07:37:59 UTC 2017


Hello James,

Thanks for your quick response.

Find attached smb.conf file from DC1 and DC2. Also attached the screen 
shot of the event viewer from the workstation.

At the moment, we have brought down DC3 and DC4 in another location 
and observed that DC2 is unable to replicate, i.e. to get the information from 
DC1 or send the information to DC1. It appears replication is working in the 
background but it is taking a long time. When we try to use the samba-tool drs 
command, it throws errors.

Also, randomly, users are not allowed to change their password. It 
throws an error like "either your password does not meet complexity, length 
or history requirement". "Workstation relationship with Domain is not 
trusted" is another error message that occasionally comes up.

Another observation is that even though the PDC emulator and all FSMO roles are 
with DC1, users are logged into DC2. Whenever any change is made to user credentials, 
the above error is thrown. The output of the FSMO role display from DC1 is attached 
for your information.

In our group policy, we have disabled complexity requirements, and length is 
set to 7 characters.

There is no clear pattern to this behaviour, making it difficult to 
analyse the issue and fix it.

We look forward to your assistance in figuring out what is happening and 
fixing it.

7000 people from nearly 700 locations use these domain controllers. This 
is turning out to be a very critical issue.

-- 

Thanks & Regards,


Anantha Raghava

eXzaTech Consulting And Services Pvt. Ltd.


On Thursday 04 May 2017 01:27 AM, lingpanda101 via samba wrote:
> On 5/3/2017 2:00 PM, Anantha Raghava via samba wrote:
>> Hello,
>>
>> I have implemented Samba as Active Directory Domain Controller with 
>> Version 4.6.3 on CentOS 7.3, el-514. We have 4 domain controllers 
>> named as DC1, DC2, DC3 and DC4. DC1 & 2 are in one location and DC3 & 
>> 4 are in a different location. DNS is SAMBA INTERNAL. All 4 servers 
>> are properly synchronizing and even GPO updates are working properly 
>> with rsync process.
>>
>> However, of late we have been noticing that on some Windows XP with 
>> Service Pack 3 and Windows 7 with Service Pack 1, after joining the 
>> domain, when a user logs in for the first time, as per policy, 
>> the DC will force the user to change their password. When the user 
>> changes the password, the PC reports "cannot reach domain" or "your 
>> relationship with DC is not trusted", and it happens randomly for some 
>> users.
>> We are unable to figure out what's happening.
>>
>> Can someone guide us in figuring out and fixing this issue?
>>
>> Thanks in advance.
>
> Can you provide your smb.conf on one of your DCs? Are you able to 
> look through the event viewer on the workstation exhibiting the issue and 
> see anything relevant?
>

-------------- next part --------------
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ktkbankltd,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ktkbankltd,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ktkbankltd,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ktkbankltd,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ktkbankltd,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ktkbankltd,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ktkbankltd,DC=com
-------------- next part --------------
# Global parameters
[global]
	netbios name = DC2
	realm = KTKBANKLTD.COM
	workgroup = KTKBANKLTD
	server role = active directory domain controller

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/ktkbankltd.com/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
-------------- next part --------------
# Global parameters
[global]
	netbios name = DC1
	realm = KTKBANKLTD.COM
	workgroup = KTKBANKLTD
	#interfaces = 127.0.0.1 172.20.107.30
	dns forwarder = 172.16.202.10
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
	# Parameter added to set eventlog
	eventlog list = Application System Security SyslogLinux

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/ktkbankltd.com/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
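The two attachments above show the pieces an administrator collects from every DC when replication is suspect: the `samba-tool fsmo show` output and each DC's smb.conf. The script below is an added example, not code from the post or from the Samba project. It parses both formats and reports where the DCs disagree: a DC that names a different FSMO owner than its peers points at a change that never replicated, and a `[global]` parameter present on DC1 but absent on DC2 (here `dns forwarder`, `idmap_ldb:use rfc2307` and `eventlog list`) is configuration drift worth ruling out before chasing intermittent password-change and trust errors on workstations. The sample inputs are taken from the attachments; `FSMO_DC2` is constructed to show what a disagreement would look like and does not reflect anything the post reports.

```python
"""Added example (not code from the post or the Samba project): check that
Samba AD DCs agree on FSMO role owners and on [global] smb.conf settings.
A DC naming a different role owner than its peers points at a change that
never replicated; a [global] parameter set on one DC and absent on another
is drift that makes intermittent symptoms hard to reason about.
Samples come from the attachments in the post, except FSMO_DC2, which is
constructed to show what a disagreement looks like.
"""
import re
from typing import Dict

# One line of `samba-tool fsmo show`: "<Role> owner: CN=NTDS Settings,CN=<DC>,..."
FSMO_LINE = re.compile(r"^(\w+Role) owner: CN=NTDS Settings,CN=([^,]+),")

ROLE_DN = ("CN=NTDS Settings,CN={dc},CN=Servers,CN=Default-First-Site-Name,"
           "CN=Sites,CN=Configuration,DC=ktkbankltd,DC=com")
ROLES = ["SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
         "PdcEmulationMasterRole", "DomainNamingMasterRole",
         "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole"]
# As attached to the post: every role owned by DC1.
FSMO_DC1 = "\n".join(f"{r} owner: {ROLE_DN.format(dc='DC1')}" for r in ROLES)
# Constructed: DC2's view if a PDC-emulator transfer never replicated to it.
FSMO_DC2 = "\n".join(
    f"{r} owner: {ROLE_DN.format(dc='DC2' if r == 'PdcEmulationMasterRole' else 'DC1')}"
    for r in ROLES)

SMB_DC1 = """
[global]
    netbios name = DC1
    realm = KTKBANKLTD.COM
    workgroup = KTKBANKLTD
#interfaces = 127.0.0.1 172.20.107.30
    dns forwarder = 172.16.202.10
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
#Parameter added to set eventlog
eventlog list = Application System Security SyslogLinux
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
"""
SMB_DC2 = """
[global]
    netbios name = DC2
    realm = KTKBANKLTD.COM
    workgroup = KTKBANKLTD
    server role = active directory domain controller
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
"""


def parse_fsmo(text: str) -> Dict[str, str]:
    """Map each FSMO role name to the DC named as its owner."""
    roles = {}
    for line in text.splitlines():
        m = FSMO_LINE.match(line.strip())
        if m:
            roles[m.group(1)] = m.group(2)
    return roles


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser -> {section: {param: value}}; names are
    lower-cased and whitespace-trimmed, '#' and ';' lines are comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def fsmo_disagreements(views: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """{role: {reporting_dc: owner}} for roles on which the DCs' views differ."""
    all_roles = set().union(*(v.keys() for v in views.values()))
    out = {}
    for role in sorted(all_roles):
        owners = {dc: v.get(role, "<missing>") for dc, v in views.items()}
        if len(set(owners.values())) > 1:
            out[role] = owners
    return out


def global_drift(confs: Dict[str, Dict[str, Dict[str, str]]],
                 ignore=("netbios name",)) -> Dict[str, Dict[str, str]]:
    """{param: {dc: value or '<unset>'}} for [global] params that differ
    between DCs; per-host params such as 'netbios name' are ignored."""
    params = set().union(*(c.get("global", {}).keys() for c in confs.values()))
    out = {}
    for p in sorted(params - set(ignore)):
        vals = {dc: c.get("global", {}).get(p, "<unset>") for dc, c in confs.items()}
        if len(set(vals.values())) > 1:
            out[p] = vals
    return out


if __name__ == "__main__":
    print("FSMO disagreements:",
          fsmo_disagreements({"DC1": parse_fsmo(FSMO_DC1), "DC2": parse_fsmo(FSMO_DC2)}))
    print("[global] drift:",
          global_drift({"DC1": parse_smb_conf(SMB_DC1), "DC2": parse_smb_conf(SMB_DC2)}))
```

In use, `FSMO_DC1`/`FSMO_DC2` would be replaced by the real `samba-tool fsmo show` output captured on each DC and `SMB_DC1`/`SMB_DC2` by each DC's smb.conf; the checks are deliberately read-only, so they can be run repeatedly while replication is being investigated without changing anything in the directory.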

