[Samba] Unable to join Windows 2008 R2 server DC to Samba DC

Wed Apr 25 15:43:07 UTC 2018

I have identified and fixed the problem!

The wellKnownObject for the default computer container was missing! I’m wondering if this was a bug from an old version of Samba, as we provisioned the domain with Samba 4.0.3.

I used ldbedit to manually modify the directory and add CN=Computers as the wellKnownObject default computer container. Windows 2008 R2 now joins successfully.

Thanks,
Justin

> On Apr 3, 2018, at 11:05 PM, Justin Foreman <jforeman at dignitastechnologies.com> wrote:
> 
> I’m unable to successfully join a Windows 2008 R2 server DC to my Samba4 domain.
> 
> I’ve followed the steps on the wiki of joining a Server 2008 R2 DC to a Samba domain. After I reboot the domain controller, I receive a blue screen in regards to a corrupt AD database. I’ve tried Samba v4.6.7 and Samba 4.9.0pre1.
> 
> Prior to the reboot, I see the following three events on the Windows DC:
> ----- 
> Attempt to update DNS Host Name of the computer object in Active Directory failed. The updated value was 'DC8.us.dignitastech.com'. The following error occurred:
> Access is denied.
> ----- 
> Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were 'RestrictedKrbHost/DC8.us.dignitastech.com' and 'RestrictedKrbHost/DC8'. The following error occurred:
> Access is denied.
> ----- 
> Internal error: An Active Directory Domain Services error has occurred.
> 
> Additional Data
> Error value (decimal):
> 8374
> Error value (hex):
> 20b6
> Internal ID:
> 30d07c5
> —— 
> 
> On the samba server, the only error that I can pick out in the log.samba (at debug 4) is the following DNS update failure:
> 
>  ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 110
> 
> Any assistance is greatly appreciated as we have an (unfortunate) impending organizational requirement to use Windows domain controllers.
> 
> Thanks,
> Justin