[Samba] Failed to find a writeable DC

Rowland Penny rpenny at samba.org
Thu Oct 9 08:44:17 UTC 2025 

On Wed, 8 Oct 2025 22:44:19 +0200 (CEST)
Fabrizio Rompani via samba <samba at lists.samba.org> wrote:

> hi all 
> I have a DC used to manage user authentication to nextcloud app
> installed on the same server. I moved NC to a new server leaving
> samba-ad-dc on the old one ( appropriate firewall rules exits ) Now I
> want to move samba to new VM so I can shutdown the old one. 
> 
> To do so ,I'm trying to join a second DC installed to the new machine
> and then , after move all roles , I can demote and switch off the old
> VM. 
> 
> BUT : when I try to join the second DC 
> I got this : 
> root at grants-dc:~# samba-tool domain join s4ad.domain.org DC -U
> administrator --realm=S4AD.CESVI.ORG -W S4AD INFO 2025-10-08

Either that is bad sanitisation or that is your problem there,
's4ad.domain.org' != S4AD.CESVI.ORG' (and I am discounting the case)

You also do not need the '-W' switch

> 22:29:30,946 pid:3292 /usr/lib/python3/dist-packages/samba/join.py
> #106: Finding a writeable DC for domain 's4ad.domain.org' ERROR:
> Failed to find a writeable DC for domain 's4ad.domain.org': The
> object was not found. 
> 
> 
> Here my config files: 
> 
> 
> 
>     * Actual (unique) DC : Ubuntu 20.04 , samba 4.15.13 
> 
> hosts: 
> xx.xx.xx.xx grants.s4ad.domain.org 
> 
> krb5.conf: 
> [libdefaults] 
> default_realm = S4AD.DOMAIN.ORG 
> dns_lookup_kdc = true 
> dns_lookup_realm = false 
> 
> smb.conf 
> [global] 
> dns forwarder = 127.0.0.1 

That dns forwarder isn't going to work, you are forwarding the DC to
itself.

> netbios name = GRANTS 
> realm = S4AD.DOMAIN.ORG 
> server role = active directory domain controller 
> workgroup = S4AD 
> server services = -dns 
> interfaces = eth0 lo 
> bind interfaces only = yes 
> 
> 
> 
>     * New DC Ubuntu 24.04 samba 4.23 
> 
> hosts: 
> yy.yy.yy.yy grants-dc.s4ad.domain.org 
> 
> /etc/netplan/ 
> 
> network: 
> version: 2 
> ethernets: 
> ens18: 
> addresses: 
> - "yy.yy.yy.yy/24" 
> nameservers: 
> addresses: 
> - xx.xx.xx.xx 
> search: [] 
> 
> 
> 
> 
> 
> 
>     * dig grants.s4ad.domain.org 
> 
> grants.s4ad.domain.org. 0 IN A xx.xx.xx.xx 
> 
> 
> 
> 
> 
>     * root at grants-dc:~# host -t SRV
> _ldap._tcp.dc._msdcs.s4ad.domain.org 
> 
> _ldap._tcp.dc._msdcs.s4ad.domain.org has SRV record 0 100 389
> grants.s4ad.domain.org. 
> 
> 
> 
> 
>     * root at grants-dc:~# ping grants.s4ad.domain.org 
> 
> PING grants.s4ad.domain.org (89.116.29.118) 56(84) bytes of data. 
> 64 bytes from grants.s4ad.domain.org (xx.xx.xx.xx): icmp_seq=1 ttl=53
> time=280 ms 64 bytes from grants.s4ad.domain.org (xx.xx.xx.xx):
> icmp_seq=2 ttl=53 time=290 ms ^C 

What is in the /etc/resolv.conf on the new DC ?

Rowland

More information about the samba mailing list