[Samba] dcpromo on W2k8 R2 server with existing Samba AD domain fails to complete

M B mmx at exm0.net
Thu Apr 11 06:20:50 UTC 2019


I’m attempting to stand up a Windows 2008 R2 server as a domain controller to integrate with an existing Samba AD environment with 6x Samba AD servers (4.10.1) and multiple sites. This is the first Windows DC.

I have a couple other Win2012 servers that are already domain joined, and ~ 300 Win 10 desktop/laptop hosts.

I’ve followed the guide on the wiki:

https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD

I reach the last step in the process and see this window
https://wiki.samba.org/index.php/File:Join_Win2008R2_Join_Process.png

I watch messages in the status window as shown in the .png file until I see this message:

“Replicating data CN=Configuration,DC=my,DC=company,DC=com:  Received 1712 out of approximately 1712 objects and 88 out of approximately 88 distinguished name (DN) values …”


The DC promotion process hangs and never progresses after this message appears.

I enabled log level 5 on the Samba DC that I chose for replication. I can’t see any obvious errors there.

The W2k8 R2 event log contains:

"Internal event: The local directory service received an exception from a remote procedure call (RPC) connection. Extended error information is not available. 
 
directory service: 
dc2.my.company.com 
 
Additional Data 
Error value: 
The remote procedure call failed. (1726)”


Also, when I view my domain info with RSAT “Active Directory Users and Computers” I don’t see any CN called “Configuration” which is the CN that the dcpromo window is displaying when it stops progressing. 

The little animation in the status window just keeps going too! It’s taunting me with the illusion of progress.

Anyone have any ideas here?

I tried removing all custom GPOs from my DCs and that didn’t help.

I’m using BIND 9.10 backend and I’m running on Ubuntu 16.04. I compile new versions of Samba on a fresh Ubuntu 16.04 container and use ‘checkinstall’ to generate a .deb package which I use to distribute the build(s) to the DCs.



======

smb.conf

======


# Global parameters
[global]
        netbios name = DC1
        realm = MY.COMPANY.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = COMPANY
#       dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
        dns zone scavenging = yes
        idmap_ldb:use rfc2307 = yes
        tls enabled  = yes
        tls keyfile  = tls/cert.key
        tls certfile = tls/cert.pem
        tls cafile   = tls/int_ca.pem
        logging =  file
        log level = all:5
# rpc_parse:5 rpc_srv:5 rpc_cli:5 dns:3 dsdb_audit:4 dsdb_password_audit:4 auth_audit:4 auth:1 passdb:3 winbind:2

[netlogon]
        path = /var/lib/samba/sysvol/my.company.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


