[Samba] Problem after join Windows Server 2022 DC to Samba AD
Rowland Penny
rpenny at samba.org
Fri Dec 20 13:31:37 UTC 2024
On Fri, 20 Dec 2024 14:02:05 +0100
Programnet via samba <samba at lists.samba.org> wrote:
> Thanks for your reply.
>
> On 20.12.2024 at 13:27, Rowland Penny via samba wrote:
> > On Fri, 20 Dec 2024 12:18:45 +0100
> > Programnet via samba<samba at lists.samba.org> wrote:
> >
> >> I am testing the addition of a Windows Server 2022 DC to an AD
> >> based on a Samba DC according to
> >> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_add_windows_active_directory.html#samba-add-windows-active-directory
> > What version of Samba are you using and on what OS ?
> 4.21.2
> > Have you raised the functional level to 2016 ?
> My level: 2016
> >> . It seems to be added to the domain correctly. When I check with
> >> the command: nslookup -type=SRV _ldap._tcp.wenus.local, it shows
> >> all DCs,
> > Please do not use '.local' as a TLD, not even in sanitisation, it is
> > confusing because '.local' is reserved for mdns.
>
> I am aware of the .local domain. However, my implementation is over
> 15 years old, and back then, some guides recommended it. Changing it
> now is very difficult.
Not difficult, impossible to change.
I blame Microsoft, they did, for a very short time, recommend using
'.local', until it was found to be reserved for Apple's Bonjour (now
also Linux Avahi).
>
>
> >
> >> including the new one. However, when I query using the command:
> >> Get-ADDomainController -Filter * | Select-Object Name, HostName, I
> >> don’t see the new controller.
> > What does 'samba-tool computer show $DC_HOSTNAME
> > --attributes=name,dNSHostName' display ?
> # samba-tool computer show DC2022 --attributes=name,dNSHostName
> dn: CN=DC2022,OU=Domain Controllers,DC=wenus,DC=local
> name: DC2022
> dNSHostName: dc2022.wenus.local
> >
> >> I also noticed that the SPN DNS/dc2022.wenus.local for the new DC
> >> hasn’t been created.
> > I wouldn't worry about that. None of my DCs have that SPN.
>
> But you have account eq dns-dc1 with SPN dns. I have this user account
> for DC Samba
>
> # Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Property
> ServicePrincipalName | Select Name, ServicePrincipalName
>
> Name ServicePrincipalName
>
> krbtgt {kadmin/changepw}
> dns-DC1 {DNS/dc1.wenus.local}
> dns-DC2 {DNS/dc2.wenus.local}
Yes, I run bind9 on one of my DCs:
samba-tool user show dns-tmpdc1 --attributes=name,servicePrincipalName
dn: CN=dns-tmpdc1,CN=Users,DC=samdom,DC=example,DC=com
name: dns-tmpdc1
servicePrincipalName: DNS/tmpdc1.samdom.example.com
It sounds like from the Samba side that everything is correct, but
Windows is missing something, unless it was just slow replication.
The problem is, even though Samba will now say it is 2016, it isn't a
complete 2016 (yet), what you have may be as good as it gets at the
present.
Rowland
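An added example, not part of this thread, showing one way to cross-check the two views discussed above: which DCs the `_ldap._tcp` SRV records advertise versus which ones `Get-ADDomainController` lists. The sample outputs below are constructed to mirror the thread (dc2022 present in DNS but absent from the directory listing), not captured from a real domain.

```python
import re

# Constructed sample of 'nslookup -type=SRV _ldap._tcp.wenus.local' (Windows output format).
NSLOOKUP_SRV = """\
_ldap._tcp.wenus.local  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.wenus.local
_ldap._tcp.wenus.local  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.wenus.local
_ldap._tcp.wenus.local  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2022.wenus.local
"""

# Constructed sample of 'Get-ADDomainController -Filter * | Select-Object Name, HostName'.
GET_ADDC_OUTPUT = """\
Name HostName
---- --------
DC1  dc1.wenus.local
DC2  dc2.wenus.local
"""


def srv_hosts(nslookup_text: str) -> set[str]:
    """Hostnames from the 'svr hostname = ...' lines of nslookup SRV output."""
    found = re.findall(r"svr hostname\s*=\s*(\S+)", nslookup_text)
    return {h.lower().rstrip(".") for h in found}


def ad_dc_hosts(table_text: str) -> set[str]:
    """HostName column of the Get-ADDomainController table (header and dashes skipped)."""
    hosts = set()
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "Name" or parts[0].startswith("-"):
            continue
        hosts.add(parts[1].lower().rstrip("."))
    return hosts


def compare_dc_views(nslookup_text: str, table_text: str) -> dict[str, set[str]]:
    """DCs advertised in DNS but missing from AD (and vice versa) point at replication gaps."""
    dns, ad = srv_hosts(nslookup_text), ad_dc_hosts(table_text)
    return {"dns_only": dns - ad, "directory_only": ad - dns, "both": dns & ad}


if __name__ == "__main__":
    for key, hosts in compare_dc_views(NSLOOKUP_SRV, GET_ADDC_OUTPUT).items():
        print(f"{key}: {sorted(hosts)}")
```

A non-empty `dns_only` set means DNS is already advertising a DC that the directory query on the Windows side does not yet return, which is the symptom described in this thread.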