[Samba] 4.3.11-Ubuntu fail to add DC to a AD domain

Jakub Kulesza jakkul+samba at gmail.com
Tue Apr 24 21:49:41 UTC 2018 

Hi!

I want to get down to the root cause of the issue I am having with my new
DC in my domain. I have followed some tutorials on the internet and
basically do not get the results.

I have 1 old DC, that is providing the AD domain for the whole local
network. I wanted to add another one. Both are Ubuntus 16.04, fully
updated.

I have followed this https://www.tecmint.com/join-additional-ubuntu-dc-to-
samba4-ad-dc-failover-replication/ but basically most howtos discuss this
the same way.


   - samba-tool drs showrepl on the old, existing DC (yes, it's named pdc)

Default-First-Site-Name\PDC
DSA Options: 0x00000001
DSA object GUID: 0b562545-29f5-4d2f-a6d9-81e4359fc6b1
DSA invocationId: 2c0b1f12-f0c5-40a0-8de1-a562a93b7839

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\QDC via RPC
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
Last attempt @ Tue Apr 24 23:36:05 2018 CEST failed, result 2 (WERR_BADFILE)
10695 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\QDC via RPC
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
Last attempt @ Tue Apr 24 23:36:06 2018 CEST failed, result 2 (WERR_BADFILE)
10695 consecutive failure(s).
Last success @ NTTIME(0)

DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\QDC via RPC
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
Last attempt @ Tue Apr 24 23:36:07 2018 CEST failed, result 2 (WERR_BADFILE)
10698 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\QDC via RPC
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
Last attempt @ Tue Apr 24 23:36:08 2018 CEST failed, result 2 (WERR_BADFILE)
10701 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\QDC via RPC
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
Last attempt @ Tue Apr 24 23:36:09 2018 CEST failed, result 2 (WERR_BADFILE)
10695 consecutive failure(s).
Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\QDC via RPC
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
Last attempt @ Tue Apr 24 23:36:36 2018 CEST failed, result 2 (WERR_BADFILE)
17 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\QDC via RPC
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
Last attempt @ Tue Apr 24 23:36:37 2018 CEST failed, result 2 (WERR_BADFILE)
16 consecutive failure(s).
Last success @ NTTIME(0)

DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\QDC via RPC
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
Last attempt @ Tue Apr 24 23:36:38 2018 CEST failed, result 2 (WERR_BADFILE)
16 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\QDC via RPC
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
Last attempt @ Tue Apr 24 23:36:39 2018 CEST failed, result 2 (WERR_BADFILE)
16 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\QDC via RPC
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
Last attempt @ Tue Apr 24 23:36:40 2018 CEST failed, result 2 (WERR_BADFILE)
16 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 68561cc1-c436-4276-8b11-1077a40ea1da
Enabled        : TRUE
Server DNS name : qdc.biuro.gpm-vindexus.pl
Server DN name  : CN=NTDS Settings,CN=QDC,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=
biuro,DC=gpm-vindexus,DC=pl
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!


   - samba-tool drs showrepl on the new DC (named QDC)

# samba-tool drs showrepl
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_INVALID_PARAMETER
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_INVALID_PARAMETER
Default-First-Site-Name\QDC
DSA Options: 0x00000001
DSA object GUID: 8d384b11-053d-486b-bfb6-3e00ff8d3d34
DSA invocationId: 9a82eb7f-0215-48f4-92be-c5708ff9acf3

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\PDC via RPC
DSA object GUID: 0b562545-29f5-4d2f-a6d9-81e4359fc6b1
Last attempt @ Tue Apr 24 23:35:13 2018 CEST was successful
0 consecutive failure(s).
Last success @ Tue Apr 24 23:35:13 2018 CEST

DC=ForestDnsZones,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\PDC via RPC
DSA object GUID: 0b562545-29f5-4d2f-a6d9-81e4359fc6b1
Last attempt @ Tue Apr 24 23:35:13 2018 CEST was successful
0 consecutive failure(s).
Last success @ Tue Apr 24 23:35:13 2018 CEST

CN=Schema,CN=Configuration,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\PDC via RPC
DSA object GUID: 0b562545-29f5-4d2f-a6d9-81e4359fc6b1
Last attempt @ Tue Apr 24 23:35:13 2018 CEST was successful
0 consecutive failure(s).
Last success @ Tue Apr 24 23:35:13 2018 CEST

DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\PDC via RPC
DSA object GUID: 0b562545-29f5-4d2f-a6d9-81e4359fc6b1
Last attempt @ Tue Apr 24 23:35:14 2018 CEST was successful
0 consecutive failure(s).
Last success @ Tue Apr 24 23:35:14 2018 CEST

DC=DomainDnsZones,DC=biuro,DC=gpm-vindexus,DC=pl
Default-First-Site-Name\PDC via RPC
DSA object GUID: 0b562545-29f5-4d2f-a6d9-81e4359fc6b1
Last attempt @ Tue Apr 24 23:35:13 2018 CEST was successful
0 consecutive failure(s).
Last success @ Tue Apr 24 23:35:13 2018 CEST

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 971792df-8fbe-4b10-b2e7-4a51c376cd47
Enabled        : TRUE
Server DNS name : pdc.biuro.gpm-vindexus.pl
Server DN name  : CN=NTDS Settings,CN=PDC,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=
biuro,DC=gpm-vindexus,DC=pl
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!


   - the DNS queries

# host –t SRV _ldap._tcp.biuro.gpm-vindexus.pl
host: couldn't get address for 'SRV': not found
# host biuro.gpm-vindexus.pl
biuro.gpm-vindexus.pl has address 192.168.0.251

So I guess something is not working with the DNS settings right. I also had
to add these records by hand: https://wiki.samba.org/
index.php/Verifying_and_Creating_a_DC_DNS_Record but the SRV above still is
empty. I can manually add this, but if this will solve the issue - don't
know, whould prefer to read about the next steps.

I guess that what I need is some manual on how to add a DC to the AD by
hand, so I don't miss any part of the process and I'll find what went bad
during the joining procedure.

More information about the samba mailing list