[Samba] Failed to find a writeable DC

Rowland Penny rpenny at samba.org
Thu Oct 9 11:57:58 UTC 2025 

On Thu, 9 Oct 2025 13:13:46 +0200 (CEST)
Fabrizio Rompani <fabrizio.rompani at yetopen.com> wrote:

> 
> thank's for your answer . 
> see below . 
> 
> 
> ----- Messaggio originale -----
> Da: "Rowland Penny via samba" <samba at lists.samba.org>
> A: "samba" <samba at lists.samba.org>
> Cc: "Rowland Penny" <rpenny at samba.org>
> Inviato: Giovedì, 9 ottobre 2025 10:44:17
> Oggetto: Re: [Samba] Failed to find a writeable DC
> 
> On Wed, 8 Oct 2025 22:44:19 +0200 (CEST)
> Fabrizio Rompani via samba <samba at lists.samba.org> wrote:
> 
> > hi all 
> > I have a DC used to manage user authentication to nextcloud app
> > installed on the same server. I moved NC to a new server leaving
> > samba-ad-dc on the old one ( appropriate firewall rules exits ) Now
> > I want to move samba to new VM so I can shutdown the old one. 
> > 
> > To do so ,I'm trying to join a second DC installed to the new
> > machine and then , after move all roles , I can demote and switch
> > off the old VM. 
> > 
> > BUT : when I try to join the second DC 
> > I got this : 
> > root at grants-dc:~# samba-tool domain join s4ad.domain.org DC -U
> > administrator --realm=S4AD.DOMAIN.ORG -W S4AD INFO 2025-10-08
> 
> Either that is bad sanitisation or that is your problem there,
> 's4ad.domain.org' != S4AD.DOMAIN.ORG' (and I am discounting the case)
> 
> yes , my fault : bad sanitisation!
> 
> 
> You also do not need the '-W' switch
> 
> ok
> 
> 
> > 22:29:30,946 pid:3292 /usr/lib/python3/dist-packages/samba/join.py
> > #106: Finding a writeable DC for domain 's4ad.domain.org' ERROR:
> > Failed to find a writeable DC for domain 's4ad.domain.org': The
> > object was not found. 
> > 
> > 
> > Here my config files: 
> > 
> > 
> > 
> >     * Actual (unique) DC : Ubuntu 20.04 , samba 4.15.13 
> > 
> > hosts: 
> > xx.xx.xx.xx grants.s4ad.domain.org 
> > 
> > krb5.conf: 
> > [libdefaults] 
> > default_realm = S4AD.DOMAIN.ORG 
> > dns_lookup_kdc = true 
> > dns_lookup_realm = false 
> > 
> > smb.conf 
> > [global] 
> > dns forwarder = 127.0.0.1 
> 
> That dns forwarder isn't going to work, you are forwarding the DC to
> itself.
> 
> OK . changed in 9.9.9.9 
> ALso : I use bind9 

While concentrating on the dns forwarder, I missed that, so I will
change my answer to:

You should remove the 'dns forwarder' line, your dns forwarders should
be declared in the named conf files.

> 
> > netbios name = GRANTS 
> > realm = S4AD.DOMAIN.ORG 
> > server role = active directory domain controller 
> > workgroup = S4AD 
> > server services = -dns 
> > interfaces = eth0 lo 
> > bind interfaces only = yes 
> > 
> > 
> > 
> >     * New DC Ubuntu 24.04 samba 4.23 
> > 
> > hosts: 
> > yy.yy.yy.yy grants-dc.s4ad.domain.org 
> > 
> > /etc/netplan/ 
> > 
> > network: 
> > version: 2 
> > ethernets: 
> > ens18: 
> > addresses: 
> > - "yy.yy.yy.yy/24" 
> > nameservers: 
> > addresses: 
> > - xx.xx.xx.xx 
> > search: [] 
> > 
> > 
> > 
> > 
> > 
> > 
> >     * dig grants.s4ad.domain.org 
> > 
> > grants.s4ad.domain.org. 0 IN A xx.xx.xx.xx 
> > 
> > 
> > 
> > 
> > 
> >     * root at grants-dc:~# host -t SRV
> > _ldap._tcp.dc._msdcs.s4ad.domain.org 
> > 
> > _ldap._tcp.dc._msdcs.s4ad.domain.org has SRV record 0 100 389
> > grants.s4ad.domain.org. 
> > 
> > 
> > 
> > 
> >     * root at grants-dc:~# ping grants.s4ad.domain.org 
> > 
> > PING grants.s4ad.domain.org (89.116.29.118) 56(84) bytes of data. 
> > 64 bytes from grants.s4ad.domain.org (xx.xx.xx.xx): icmp_seq=1
> > ttl=53 time=280 ms 64 bytes from grants.s4ad.domain.org
> > (xx.xx.xx.xx): icmp_seq=2 ttl=53 time=290 ms ^C 

There isn't much point in sanitising something, if you do not do all of
them.

> 
> What is in the /etc/resolv.conf on the new DC ?
> 
> 
> 
> search s4ad.domain.org
> nameserver xx.xx.xx.xx     ( old DC server IP  ) 
> 
> 
> also : 
> 
> dig grants.s4ad.domain.org
> grants.s4ad.domain.org.  900     IN      A       xx.xx.xx.xx
> 
> 
> host -t SRV _ldap._tcp.s4ad.domain.org
> _ldap._tcp.s4ad.domain.org has SRV record 0 100 389
> grants.s4ad.domain.org.
> 
> 
> 
> 
> 
> I still have same error: 
> ERROR: Failed to find a writeable DC for domain 's4ad.domain.org':
> The object was not found

Could there be a firewall stopping connection ?

> 
> 
> 
> What about a different approach : 
> backup the online DC  ( samba 4.15 ) and restore into new samba 4.23 .
> change resolv.conf and Nextcloud ldap to point itself : grants-dc
> 
> what do you think about ? 

Not much.
Joining a new DC should be effortless, when it doesn't work it is
usually down to a DNS problem.

Rowland

More information about the samba mailing list