[Samba] Samba AD DC through VPN. No DRS replication

[Andrey Zvorygin]

Hello all. Please help me with my problem.
I have organization with branches connected through internet by VPN. First branch (B00) have two Dc's in 172.16.0.0/16 network and second branch (B01) have one DC in 172.17.0.0/16 network.
All three Dc's built from sources (4.10.2) on freshly installed Debian Stretch. I am using BIND9_DLZ backend.
So, 2 Dc's located in one building (B00) works flawless: DDNS updates, drs repl and so on. But when I join new DC at second building, nothing works on this new DC. I can't connect to it from RSAT, cannot make drs replication.

When I try samba-tool drs showrepl -d 3, I've got this message:
Server ldap/B01DC01.CORP.COMPANY.RU at CORP.COMPANY.RU is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/B01DC01.CORP.COMPANY.RU at CORP.COMPANY.RU) unknown
gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/B01DC01.CORP.COMPANY.RU failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER

When I try to ldbsearch -H ldap://b00dc01 servicePrincipalName=ldap/B01DC01.corp.company.ru, I've got zero search results.

My smb.conf is pretty simple on all nodes:
[global]
        hosts allow = ALL
        server min protocol = NT1
        lanman auth = Yes
        ntlm auth = Yes
        netbios name = B00DC01
        realm = CORP.COMPANY.RU
        server role = active directory domain controller
        server services = -dns
        workgroup = CORP
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/corp.company.ru/scripts
        read only = No

Please help me to fix this issue and finally join remote DC corretly.