Hi Guys,

I was thrown off by the subject and would love to know if you could ever resolve this problem. I'm facing the same issues. For various $reasons I need an additional Windows DC in my domain and, as Moe described, everything looks fine until you try DNS stuff.

My environment:

DC-01 (Ubuntu 12.04 LTS)
DC-02 (Ubuntu 12.04 LTS)
Samba: Version 4.1.17 (built from sources)
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
DNS via BIND_DLZ with bind version 9.9.5 (Extended Support Version)

The domain was created with samba3 as an NT-style domain and migrated with samba 4.0.7(?) using classicupgrade.

Since I'm a cautious guy I tried this with a copy of my live env in an isolated vlan first (cloned my dc VMs, added a windows vm). Doing this allowed me a bit of testing while debugging the problem.

The windows dc I'm trying to add is running windows 2008 r2 standard edition with the latest patches.

I tried without success:

- Going back from BIND_DLZ to internal DNS before adding the windows dc
- Upgrading Samba (to 4.2.0)
- Moving the FSMO role for domain naming to the windows dc (which made things really worse)

And to answer Marc's questions:

* What is the error message?
  Same message as Moe is seeing
* When you create a DNS entry on the Samba server, is it replicated to the Win DC?
  Yes
* Does the behaviour change if you temporarily shut down Samba on the first DC while you create the record?
  no
* Who built the domain? I mean: Who was first and populated the AD? Windows or Samba?
  samba

We might be facing this problem:
http://blogs.msmvps.com/acefekay/2012/06/20/steps-taken-to-resolve-an-issue-with-corrupted-application-partitions-specifically-dns-partitions-and-their-crossref-erence-objects-in-the-ad-configuration-container/

dcdiag /test:dns throws some errors.... I'll collect some logs and screenshots.

Regards,
Dominik

> Hello Marc,
>
> 1. The error message is
>
>    "The host record test.salem.int cannot be created. Refused"
>
>    and in the event log
>
>    "The following application directory partition has no security descriptor reference domain.
>    Application directory partition: DC=DomainDnsZones,DC=salem,DC=int
>    The root domain will be used instead.
>    User Action
>    Set the security descriptor reference domain for this application directory partition."
>
> 2. Yes, when you create a DNS entry it is replicated to the Win DC. AND if you modify a DNS entry it is replicated from the WIN DC to the samba DCs.
>
> 3. Disabling Samba on the DC before creating it on the win DC does not do anything.
>
> 4. Samba first built and populated the domain.
>
> Thanks,
> Moe