[Samba] 4.3.11-Ubuntu fail to add DC to a AD domain

Rowland Penny rpenny at samba.org
Wed Apr 25 20:47:00 UTC 2018


On Wed, 25 Apr 2018 22:32:10 +0200
Jakub Kulesza <jakkul+samba at gmail.com> wrote:

> Rowland, thank you for answering!
> 
> I have investigated this a bit, and I think that using 18.04 for the
> new DC will not be successful anyway. Reasons: the AD I have has been
> created back in the days when 14.04 LTS was fresh. The provisioning
> scripts worked differently. 14.04 has been upgraded to 16.04, and I
> think that I do not have all of the DNSes configured properly and
> this might be the cause of the synchronization items.

The basic provision has always worked in the same way; it has just been
tweaked.
 
> 
> I would really like to get to the bottom of this and understand the
> issue to fix it on the old DC. Is there a checklist on what needs to
> be done during the initial provisioning and what are the requirements
> for samba-tool to be able to join another DC to the AD?

I take it you have read the DC join page on the wiki and followed all
the hyperlinks.

> 
> Traces:
> 
> 1. running the following on the new DC starts with the following
> errors:
> # samba-tool drs showrepl
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
> NT_STATUS_INVALID_PARAMETER
> 
> NT_STATUS_INVALID_PARAMETER is usually associated with DNS update
> issues.
> 
> 2. I had to update "objectGUID CNAME Record" as defined here
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

Yes, but you shouldn't have to do this with 4.7.6; it has code to
create those records during the join.

> 
> 3. querying the domain name in the DNS shows up only the old DC
> # host biuro.gpm-vindexus.pl
> biuro.gpm-vindexus.pl has address 192.168.0.251
> biuro.gpm-vindexus.pl has address 192.168.1.251
> (it has 2 addresses in 2 subnets)
> 
> and it should show 192.168.0.252 (qdc, the second server) as well

Why? You are checking one DC's FQDN; to get the info for the second DC,
you would have to check that DC's FQDN.

> 
> 
> 3. running samba_dnsupdate on the old primary DC shows a lot of
> errors
> # samba_dnsupdate --all-names
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> Failed update of 24 entries

Try 'samba_dnsupdate --all-names --use-samba-tool'

Rowland
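The point made above, that a DC's records are verified per DC FQDN rather than by resolving the domain name, can be turned into a check that walks each DC's expected record set and reports what is missing. The script below is an added example for this thread, not code from the Samba project or from either poster. It assumes the record set Samba's provisioning publishes for a DC (the A record for its FQDN, the objectGUID CNAME under `_msdcs`, and the domain-wide SRV records that must carry one entry per DC; the list here is illustrative, not exhaustive). The domain, hostnames, addresses and GUIDs are constructed; `dnspython_lookup` needs the third-party dnspython package, while `make_fake_lookup` lets the check run offline against an in-memory zone.

```python
"""Check that every Samba AD DC's own DNS records exist.

Added example for this thread, not code from the Samba project or from
either poster. The record set is assumed for illustration: the DC's A
record, its objectGUID CNAME under _msdcs, and the domain-wide SRV
records that must carry one entry per DC. Domain names, addresses and
GUIDs below are constructed.
"""
from typing import Callable, Dict, List, Set, Tuple

# lookup(name, rtype) -> set of answers: IPv4 strings for A, target names for CNAME/SRV
Lookup = Callable[[str, str], Set[str]]

# SRV names (relative to the domain) that must list every DC (assumed subset)
SRV_PREFIXES = (
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp", "_gc._tcp",
    "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs",
)


def _norm(name: str) -> str:
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.lower().rstrip(".")


def expected_records(domain: str, host: str, ip: str, object_guid: str) -> List[Tuple[str, str, str]]:
    """Return (name, rtype, expected_value) for one DC; each DC gets its own set."""
    fqdn = f"{host}.{domain}"
    records = [(fqdn, "A", ip), (f"{object_guid}._msdcs.{domain}", "CNAME", fqdn)]
    records += [(f"{p}.{domain}", "SRV", fqdn) for p in SRV_PREFIXES]
    return records


def check_dc(domain: str, host: str, ip: str, object_guid: str, lookup: Lookup) -> List[str]:
    """Return a list of missing or mismatched records for this DC (empty means all present)."""
    problems = []
    for name, rtype, want in expected_records(domain, host, ip, object_guid):
        got = {_norm(v) for v in lookup(name, rtype)}
        if _norm(want) not in got:
            problems.append(f"{rtype} {name}: want {want}, got {sorted(got) or 'nothing'}")
    return problems


def dnspython_lookup(name: str, rtype: str) -> Set[str]:
    """Live lookup via the third-party dnspython package (point the resolver at the DC)."""
    import dns.resolver
    try:
        answers = dns.resolver.resolve(name, rtype)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return set()
    return {rr.address if rtype == "A" else rr.target.to_text() for rr in answers}


def make_fake_lookup(zone: Dict[Tuple[str, str], Set[str]]) -> Lookup:
    """Offline lookup over a constructed zone keyed by (normalised name, rtype)."""
    return lambda name, rtype: zone.get((_norm(name), rtype), set())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: dc1 fully registered, dc2 only has its A record."""
    domain = "samdom.example.com"
    dc1 = ("dc1", "192.0.2.11", "00000000-1111-2222-3333-444444444444")
    dc2 = ("dc2", "192.0.2.12", "55555555-6666-7777-8888-999999999999")
    zone = {
        ("dc1.samdom.example.com", "A"): {"192.0.2.11"},
        ("dc2.samdom.example.com", "A"): {"192.0.2.12"},
        (f"{dc1[2]}._msdcs.{domain}", "CNAME"): {"dc1.samdom.example.com."},
    }
    for p in SRV_PREFIXES:  # SRV records list only dc1, mirroring a DC missing from DNS
        zone[(f"{p}.{domain}", "SRV")] = {"dc1.samdom.example.com."}
    lookup = make_fake_lookup(zone)
    return {host: check_dc(domain, host, ip, guid, lookup) for host, ip, guid in (dc1, dc2)}


if __name__ == "__main__":
    for host, problems in demo().items():
        print(host, "OK" if not problems else f"{len(problems)} missing record(s)")
        for p in problems:
            print("  ", p)
```

Resolving the domain name alone only tells you which DCs are registered as the domain's A records; the per-DC walk above shows exactly which CNAME and SRV entries a given DC lacks, which is what `samba_dnsupdate` would need to create.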
