[Samba] Problem joining a Win2008R2 DC

Andreas Heinlein aheinlein at gmx.com
Thu Feb 8 17:30:54 UTC 2018

On 07.02.2018 at 16:21, Rowland Penny via samba wrote:
> On Wed, 7 Feb 2018 15:55:49 +0100
> Andreas Heinlein via samba <samba at lists.samba.org> wrote:
>> Hello,
>> this is now my second attempt to join a Windows Server 2008R2 DC to a
>> samba AD domain. I had to forcibly remove the first 2k8 DC from the
>> domain after I messed it up completely in the first try. I followed
>> "Demoting an Offline Domain Controller" from the wiki here.
>> This time joining fails right during running dcpromo. I get the error
>> that it could not replicate "cn=Configuration,dc=domain,dc=com"
>> because "The DSA operation is unable to proceed because of a DNS
>> lookup failure". I have set the first DNS on the 2k8 machine to its
>> own external address (not and the second to the samba DC.
> Wrong way round ;-)
> The computer to be joined should be pointing at the original DC, not
> itself.
> Rowland
Thanks a lot. This worked now, to some extent. dcpromo finished without
errors. But things are not quite right yet.

First, I found out that I had to manually create DNS entries for
dc2008.domain.com and <GUID_of_DC2008>._msdcs.domain.com. After that,
'samba-tool drs showrepl' and 'repadmin /showrepl' show everything is fine.

Now, dcdiag on the Windows machine still has several things to complain
about. I couldn't find out how to make dcdiag output in English, so I will
post my own translation from German:

Starting test: Advertising
  Warning: While trying to reach DC2008, DsGetDcName returned
information for \\samba.domain.com
  DC2008 has failed Test Advertising


Starting test: NetLogons
  Unable to connect to the NETLOGON share! (\\DC2008\netlogon)
  [DC2008] A net use or LsaPolicy operation failed with error 67, The
network name cannot be found.
  MAINSERVER failed test NetLogons


Starting test: VerifyReferences
Some objects for the domain controller DC2008 had problems:
[1] Problem: Expected value not found
Base object:
Description of base object: "DSA-Objekt"
Attribute Name of value object: serverReferenceBL
Description of value object: "SYSVOL-FRS-memberobject"
Recommended Action: Knowledge Base-Artikel "Q312862"
[1] Problem: Expected value not found
base object:
CN=DC2008,OU=Domain Controllers,DC=vvv,DC=lan
Description of base object: "DC-Kontoobjekt"
Attribute name of value object: frsComputerReferenceBL
Description: "SYSVOL FRS-Mitgliedsobjekt"
Recommended Action: Knowledge Base-Artikel "Q312862"
DC2008 failed Test VerifyReferences 


Partition tests being run on: DomainDnsZones
Starting test: CheckSDRefDom
The application directory partition
DC=DomainDnsZones,DC=domain,DC=com is missing a security reference domain.
The msDS-SD-reference domain attribute of the reference object
must be set to the DN of a domain by the administrator
DomainDnsZones failed Test CheckSDRefDom

Partition test being run on: ForestDnsZones
Starting test: CheckSDRefDom
The application directory partition
DC=ForestDnsZones,DC=domain,DC=com is missing a security reference domain.
The msDS-SD-reference domain attribute of the reference object
must be set to the DN of a domain by the administrator.
ForestDnsZones failed Test CheckSDRefDom

I guess that the first one is indicating another missing DNS entry. The
things about SYSVOL FRS might be normal because samba doesn't support
sysvol replication. But I am unsure about the missing netlogon. I have
created a manual sysvol workaround using robocopy, how do I create the
missing netlogon and sysvol shares?

As for the latter two failed tests from dcdiag, I have no idea what they
are about or whether they are important.

Thank you again,
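As an added example (not from this thread or from Samba's own tooling), a small POSIX shell checklist for the two things the message above had to fix by hand: the joined DC's A record and its objectGUID CNAME under _msdcs, plus whether the netlogon and sysvol shares that dcdiag expects are actually exported. The host name dc2008, the domain domain.com, the GUID and the resolver address are constructed placeholders; `dig` and `smbclient` are assumed to be installed.

```shell
#!/bin/sh
# Checklist for a Windows DC joined to a Samba AD domain (added example, not
# from the thread). All names below are constructed placeholders.

# Print the DNS records a DC needs: its own A record and the CNAME under
# _msdcs that replication partners use to locate it by NTDS settings GUID.
expected_records() {
    host="$1"; domain="$2"; guid="$3"
    printf '%s.%s A\n' "$host" "$domain"
    printf '%s._msdcs.%s CNAME %s.%s.\n' "$guid" "$domain" "$host" "$domain"
}

# Query both records against a given resolver (normally the Samba DC) with
# dig; report what is missing and return non-zero if anything is wrong.
check_dns_records() {
    resolver="$1"; host="$2"; domain="$3"; guid="$4"; rc=0
    a=$(dig +short @"$resolver" "$host.$domain" A)
    if [ -z "$a" ]; then
        echo "MISSING: A record for $host.$domain"; rc=1
    fi
    c=$(dig +short @"$resolver" "$guid._msdcs.$domain" CNAME)
    if [ "$c" != "$host.$domain." ]; then
        echo "MISSING/WRONG: CNAME $guid._msdcs.$domain (got '${c:-none}')"; rc=1
    fi
    return $rc
}

# Read an 'smbclient -L' share listing on stdin and print each of the two
# shares a DC must export (netlogon, sysvol) that is not listed.
missing_shares() {
    listing=$(cat)
    for share in netlogon sysvol; do
        if ! printf '%s\n' "$listing" | grep -iq "^[[:space:]]*$share[[:space:]]"; then
            echo "$share"
        fi
    done
}

# Usage: ./dc_check.sh --run <resolver> <host> <domain> <guid> <user%pass>
if [ "${1:-}" = "--run" ]; then
    shift
    check_dns_records "$1" "$2" "$3" "$4"
    smbclient -L "//$2.$3" -U "$5" 2>/dev/null | missing_shares | sed 's/^/MISSING SHARE: /'
fi
```

Run it against the Samba DC as resolver; an empty output means both records resolve and both shares are advertised.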

