[Samba] 4.3.11-Ubuntu fail to add DC to a AD domain

Jakub Kulesza jakkul+samba at gmail.com
Wed Apr 25 20:32:10 UTC 2018


Rowland, thank you for answering!

I have investigated this a bit, and I think that using 18.04 for the new DC
will not be successful anyway. Reasons: the AD I have has been created back
in the days when 14.04 LTS was fresh. The provisioning scripts worked
differently. 14.04 has been upgraded to 16.04, and I think that I do not
have all of the DNSes configured properly and this might be the cause of
the synchronization items.

I would really like to get to the bottom of this and understand the issue
to fix it on the old DC. Is there a checklist on what needs to be done
during the initial provisioning and what are the requirements for
samba-tool to be able to join another DC to the AD?

Traces:

1. running the following on the new DC starts with the following errors:
# samba-tool drs showrepl
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_INVALID_PARAMETER

NT_STATUS_INVALID_PARAMETER is usually associated with DNS update issues.

2. I had to update "objectGUID CNAME Record" as defined here
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

3. querying the domain name in the DNS shows up only the old DC
# host biuro.gpm-vindexus.pl
biuro.gpm-vindexus.pl has address 192.168.0.251
biuro.gpm-vindexus.pl has address 192.168.1.251
(it has 2 addresses in 2 subnets)

and it should show 192.168.0.252 (qdc, the second server) as well


4. running samba_dnsupdate on the old primary DC shows a lot of errors
# samba_dnsupdate --all-names
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
Failed update of 24 entries



2018-04-25 9:41 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 24 Apr 2018 23:49:41 +0200
> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
>
> > Hi!
> >
> > I want to get down to the root cause of the issue I am having with my
> > new DC in my domain. I have followed some tutorials on the internet
> > and basically do not get the results.
> >
> > I have 1 old DC, that is providing the AD domain for the whole local
> > network. I wanted to add another one. Both are Ubuntus 16.04, fully
> > updated.
> >
> > I have followed this
> > https://www.tecmint.com/join-additional-ubuntu-dc-to-samba4-ad-dc-failover-replication/
> > but basically most howtos discuss this the same way.
> >
>
> Yes and most of them get it wrong ;-)
> In this instance, it is mostly correct, just one thing jumps out.
> Adding the 'winbind' lines to smb.conf is pointless, they do nothing on
> a DC.
>
> I suggest you read this:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> >
> >    - samba-tool drs showrepl on the old, existing DC (yes, it's named
> > pdc)
>
> Yes and it shouldn't be ;-)
>
> I would wait until tomorrow, download 18.04 and then use this, it will
> get you Samba 4.7.6 and this should fix your problem.
>
> Rowland



-- 
Regards
Jakub Kulesza

