samba - Mar 2018 - NT_STATUS_CONNECTION_REFUSED Joining Domain - Desperately need help

I am desperately in need of help. I have a Centos 7.2 server running Samba
4.6.13 as an active directory domain controller. I am trying to join a new
Centos 7.4 server running Samba 4.6.13 to the domain. The domain command will
not connect to the other server.

I have firewalld and selinux disabled on both servers, I can ping both ways.
From the new server I was able to do a kinit -U administrator and get a kerberos
ticket which shows with a klist, however when I go to join the domain, I get:

ERROR(ldb): uncaught exception - LDAP client internal error:
NT_STATUS_CONNECTION_REFUSED
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs) 
File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line
661, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) 
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1455, in
join_DC
machinepass, use_ntvfs, dns_backend, promote_existing) 
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89, in
__init__
credentials=ctx.creds, lp=ctx.lp) 
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in
__init__
options=options) 
File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114,
in __init__
self.connect(url, flags, options) 
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in
connect
options=options) 

I have been unable to find any details in the logs on the existing server when I
run this command.

The join command I'm using is: 

samba-tool domain join redacteddomain.redacted.com DC
-U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_DLZ
--option='idmap_ldb:use rfc2307 = yes' -d 10

How this problem started: 
I originally had two domain controllers, both of which were running Samba 4.5. I
was troubleshooting a time sync issue between Windows 10 workstations and the
server that appeared to come from a bug in the older Samba 4.5 version. I update
the secondary domain controller to Samba 4.6.13 and that appeared to go fine, so
I switched over to the primary domain controller and tried to upgrade it to
4.6.13. Something went wrong, and users were no longer able to access the
domain. I switched to the backup domain controller and promoted it to primary
and all was well again, so I took the original primary off-line and tried to
solve the issue. After taking the old primary off-line, DNS stopped resolving
for the network. Things get a bit murky at this part because my phone was runing
off the hook, but I managed to wipe out the /var/lib/samba/private folder from
one of the servers. Since my backups were of the old 4.5 database versions and I
was unable to roll back the Samba version, I had to copy the
/var/lib/samba/private folder from one server to the other, then remove the
server entries for the non-working server.

After that point I had to go into each machine on the network and re-join the
domain because the trust relationships were no longer valid. (A domain SID
changed somewhere along the way.) All but 5 machines were able to rejoin the
network, and then suddenly no more could join.

An additional issue is that if I do a samba_dnsupdate --verbose on the
"working" server, it completes with no errors. However if I do a
samba_dnsupdate --verbose --all-names I receive a ton of "TKEY
Unacceptable" messages. I have worked through all the options on the
wiki.samba.org "TKEY is Unacceptable" page and have not made any
progress.



I've got about 60 hours into troubleshooting this problem in the last 4 days
and I am banging my head against a wall here. I can't seem to find anything
on google about "join" returning the NT_STATUS_CONNECTION_REFUSED
error, just smbclient connect attempts, and have exhausted every result returned
by google on the TKEY problem.

Does anyone have any ideas? 

Here's the extended debugging from the join command: 

[root at new-dc ~]#samba-tool domain join redacteddomain.redacted.com DC
-U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL
--option='idmap_ldb:use rfc2307 = yes' -d 10 INFO: Current debug levels:
all: 10 
tdb: 10 
printdrivers: 10 
lanman: 10 
smb: 10 
rpc_parse: 10 
rpc_srv: 10 
rpc_cli: 10 
passdb: 10 
sam: 10 
auth: 10 
winbind: 10 
vfs: 10 
idmap: 10 
quota: 10 
acls: 10 
locking: 10 
msdfs: 10 
dmapi: 10 
registry: 10 
scavenger: 10 
dns: 10 
ldb: 10 
tevent: 10 
auth_audit: 10 
auth_json_audit: 10 
kerberos: 10 
drs_repl: 10 
GENSEC backend 'gssapi_spnego' registered 
GENSEC backend 'gssapi_krb5' registered 
GENSEC backend 'gssapi_krb5_sasl' registered 
GENSEC backend 'spnego' registered 
GENSEC backend 'schannel' registered 
GENSEC backend 'naclrpc_as_system' registered 
GENSEC backend 'sasl-EXTERNAL' registered 
GENSEC backend 'ntlmssp' registered 
GENSEC backend 'ntlmssp_resume_ccache' registered 
GENSEC backend 'http_basic' registered 
GENSEC backend 'http_ntlm' registered 
GENSEC backend 'krb5' registered 
GENSEC backend 'fake_gssapi_krb5' registered 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
Finding a writeable DC for domain 'redacteddomain.redacted.com' 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
finddcs: searching for a DC by DNS domain redacteddomain.redacted.com 
finddcs: looking for SRV records for _ldap._tcp.redacteddomain.redacted.com 
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.redacteddomain.redacted.com<0x0>
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com 
ads_dns_lookup_srv: 2 records returned in the answer section. 
ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [100, 389, 0] 
ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [0, 100, 389] 
finddcs: DNS SRV response 0 at '10.10.11.4' 
finddcs: DNS SRV response 1 at '10.10.11.4' 
finddcs: performing CLDAP query on 10.10.11.4 
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX 
command : LOGON_SAM_LOGON_RESPONSE_EX (23) 
sbz : 0x0000 (0) 
server_type : 0x000013fd (5117) 
1: NBT_SERVER_PDC 
1: NBT_SERVER_GC 
1: NBT_SERVER_LDAP 
1: NBT_SERVER_DS 
1: NBT_SERVER_KDC 
1: NBT_SERVER_TIMESERV 
1: NBT_SERVER_CLOSEST 
1: NBT_SERVER_WRITABLE 
1: NBT_SERVER_GOOD_TIMESERV 
0: NBT_SERVER_NDNC 
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 
1: NBT_SERVER_FULL_SECRET_DOMAIN_6 
0: NBT_SERVER_ADS_WEB_SERVICE 
0: NBT_SERVER_DS_8 
0: NBT_SERVER_HAS_DNS_NAME 
0: NBT_SERVER_IS_DEFAULT_NC 
0: NBT_SERVER_FOREST_ROOT 
domain_uuid : 5b3dff07-e3e8-4ef7-956d-e076f01f31b7 
forest : 'redacteddomain.redacted.com' 
dns_domain : 'redacteddomain.redacted.com' 
pdc_dns_name : 'old-dc.redacteddomain.redacted.com' 
domain_name : 'REDACTEDDOMAIN' 
pdc_name : 'OLD-DC' 
user_name : '' 
server_site : 'Default-First-Site-Name' 
client_site : 'Default-First-Site-Name' 
sockaddr_size : 0x00 (0) 
sockaddr: struct nbt_sockaddr 
sockaddr_family : 0x00000000 (0) 
pdc_ip : (null) 
remaining : DATA_BLOB length=0 
next_closest_site : NULL 
nt_version : 0x00000005 (5) 
1: NETLOGON_NT_VERSION_1 
0: NETLOGON_NT_VERSION_5 
1: NETLOGON_NT_VERSION_5EX 
0: NETLOGON_NT_VERSION_5EX_WITH_IP 
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL 
0: NETLOGON_NT_VERSION_PDC 
0: NETLOGON_NT_VERSION_IP 
0: NETLOGON_NT_VERSION_LOCAL 
0: NETLOGON_NT_VERSION_GC 
lmnt_token : 0xffff (65535) 
lm20_token : 0xffff (65535) 
finddcs: Found matching DC 10.10.11.4 with server_type=0x000013fd 
Found DC old-dc.redacteddomain.redacted.com 
Security token SIDs (1): 
SID[ 0]: S-1-5-18 
Privileges (0xFFFFFFFFFFFFFFFF): 
Privilege[ 0]: SeMachineAccountPrivilege 
Privilege[ 1]: SeTakeOwnershipPrivilege 
Privilege[ 2]: SeBackupPrivilege 
Privilege[ 3]: SeRestorePrivilege 
Privilege[ 4]: SeRemoteShutdownPrivilege 
Privilege[ 5]: SePrintOperatorPrivilege 
Privilege[ 6]: SeAddUsersPrivilege 
Privilege[ 7]: SeDiskOperatorPrivilege 
Privilege[ 8]: SeSecurityPrivilege 
Privilege[ 9]: SeSystemtimePrivilege 
Privilege[ 10]: SeShutdownPrivilege 
Privilege[ 11]: SeDebugPrivilege 
Privilege[ 12]: SeSystemEnvironmentPrivilege 
Privilege[ 13]: SeSystemProfilePrivilege 
Privilege[ 14]: SeProfileSingleProcessPrivilege 
Privilege[ 15]: SeIncreaseBasePriorityPrivilege 
Privilege[ 16]: SeLoadDriverPrivilege 
Privilege[ 17]: SeCreatePagefilePrivilege 
Privilege[ 18]: SeIncreaseQuotaPrivilege 
Privilege[ 19]: SeChangeNotifyPrivilege 
Privilege[ 20]: SeUndockPrivilege 
Privilege[ 21]: SeManageVolumePrivilege 
Privilege[ 22]: SeImpersonatePrivilege 
Privilege[ 23]: SeCreateGlobalPrivilege 
Privilege[ 24]: SeEnableDelegationPrivilege 
Rights (0x 0): 
lpcfg_servicenumber: couldn't find ldb 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255 netmask=255.255.252.0 
resolve_lmhosts: Attempting lmhosts lookup for name
old-dc.redacteddomain.redacted.com<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com 
Failed to connect to ldap URL
'ldap://old-dc.redacteddomain.redacted.com' - LDAP client internal
error: NT_STATUS_CONNECTION_REFUSED
Failed to connect to 'ldap://old-dc.redacteddomain.redacted.com' with
backend 'ldap': LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
ERROR(ldb): uncaught exception - LDAP client internal error:
NT_STATUS_CONNECTION_REFUSED
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs) 
File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line
661, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) 
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1455, in
join_DC
machinepass, use_ntvfs, dns_backend, promote_existing) 
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89, in
__init__
credentials=ctx.creds, lp=ctx.lp) 
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in
__init__
options=options) 
File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114,
in __init__
self.connect(url, flags, options) 
File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in
connect
options=options) 

WARNING-FRAUDULENT FUNDING INSTRUCTIONS



Email hacking and fraud are on the rise to fraudulently misdirect funds. Please
call your escrow officer immediately using contract information found from an
independent source, such as the sales contract or internet, to verify any
funding instructions received. We are not responsible for any wires sent by you
to an incorrect bank account.

On Thu, 8 Mar 2018 15:58:43 -0600 (CST)
Brent Davidson via samba <samba at lists.samba.org> wrote:
> I am desperately in need of help. I have a Centos 7.2 server running
> Samba 4.6.13 as an active directory domain controller. I am trying to
> join a new Centos 7.4 server running Samba 4.6.13 to the domain. The
> domain command will not connect to the other server. 
> 
> How this problem started: 
> I originally had two domain controllers, both of which were running
> Samba 4.5. I was troubleshooting a time sync issue between Windows 10
> workstations and the server that appeared to come from a bug in the
> older Samba 4.5 version. I update the secondary domain controller to
> Samba 4.6.13 and that appeared to go fine, so I switched over to the
> primary domain controller and tried to upgrade it to 4.6.13.
> Something went wrong, and users were no longer able to access the
> domain. I switched to the backup domain controller and promoted it to
> primary and all was well again, so I took the original primary
> off-line and tried to solve the issue. After taking the old primary
> off-line, DNS stopped resolving for the network. Things get a bit
> murky at this part because my phone was runing off the hook, but I
> managed to wipe out the /var/lib/samba/private folder from one of the
> servers. Since my backups were of the old 4.5 database versions and I
> was unable to roll back the Samba version, I had to copy
> the /var/lib/samba/private folder from one server to the other, then
> remove the server entries for the non-working server. 
> 
I don't know what your original problem was, but you made it a
magnitude times worse when you copied /var/lib/samba/private from one
DC to another. Whilst DCs replicate between one another, not everything
is replicated and some things are specific to each DC.

Do you have a backup of the original 4.5 DC that held all the FSMO
roles (note, you didn't have a primary domain controller or a secondary
domain controller or a backup domain controller, you just had DCs. All
DCs are equal except for the FSMO roles). If you do have this backup, I
would suggest you turn off all your DCS and reinstall the DC from the
backup and start again.

Rowland

On 3/9/2018 4:06 AM, Rowland Penny via samba wrote:
> On Thu, 8 Mar 2018 15:58:43 -0600 (CST)
> Brent Davidson via samba <samba at lists.samba.org> wrote:
>
>> I am desperately in need of help. I have a Centos 7.2 server running
>> Samba 4.6.13 as an active directory domain controller. I am trying to
>> join a new Centos 7.4 server running Samba 4.6.13 to the domain. The
>> domain command will not connect to the other server.
>>
>> How this problem started:
>> I originally had two domain controllers, both of which were running
>> Samba 4.5. I was troubleshooting a time sync issue between Windows 10
>> workstations and the server that appeared to come from a bug in the
>> older Samba 4.5 version. I update the secondary domain controller to
>> Samba 4.6.13 and that appeared to go fine, so I switched over to the
>> primary domain controller and tried to upgrade it to 4.6.13.
>> Something went wrong, and users were no longer able to access the
>> domain. I switched to the backup domain controller and promoted it to
>> primary and all was well again, so I took the original primary
>> off-line and tried to solve the issue. After taking the old primary
>> off-line, DNS stopped resolving for the network. Things get a bit
>> murky at this part because my phone was runing off the hook, but I
>> managed to wipe out the /var/lib/samba/private folder from one of the
>> servers. Since my backups were of the old 4.5 database versions and I
>> was unable to roll back the Samba version, I had to copy
>> the /var/lib/samba/private folder from one server to the other, then
>> remove the server entries for the non-working server.
>>
> I don't know what your original problem was, but you made it a
> magnitude times worse when you copied /var/lib/samba/private from one
> DC to another. Whilst DCs replicate between one another, not everything
> is replicated and some things are specific to each DC.
>
> Do you have a backup of the original 4.5 DC that held all the FSMO
> roles (note, you didn't have a primary domain controller or a secondary
> domain controller or a backup domain controller, you just had DCs. All
> DCs are equal except for the FSMO roles). If you do have this backup, I
> would suggest you turn off all your DCS and reinstall the DC from the
> backup and start again.
>
> Rowland
>
Not much more I can say outside of what Rowland has suggested. I did 
find this interesting with regards to your DNS problems.

getlmhostsent: lmhost entry: 127.0.0.1 localhost
getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com

I wouldn't normally expect to see lmhost entries unless explicitly 
created. I would allow DNS to find your domain.

--

James

Found the solution shortly after I sent this e-mail.  Needed to add "tls 
enabled = no" to the working server to get the other server to restore 
functionality.
On 3/8/2018 3:58 PM, Brent Davidson via samba wrote:
> I am desperately in need of help. I have a Centos 7.2 server running Samba
>   4.6.13 as an active directory domain controller. I am trying to join a
new
>   Centos 7.4 server running Samba 4.6.13 to the domain. The domain command
>   will
>   not connect to the other server.
>
> I have firewalld and selinux disabled on both servers, I can ping both
ways.
>   From the new server I was able to do a kinit -U administrator and get a
>   kerberos ticket which shows with a klist, however when I go to join the
>   domain,
>   I get:
>
> ERROR(ldb): uncaught exception - LDAP client internal error:
>   NT_STATUS_CONNECTION_REFUSED
> File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
>   176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 661,
>   in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> File "/usr/lib64/python2.7/site-packages/samba/join.py", line
1455, in
>   join_DC
> machinepass, use_ntvfs, dns_backend, promote_existing)
> File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89,
in
>   __init__
> credentials=ctx.creds, lp=ctx.lp)
> File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line
57, in
>   __init__
> options=options)
> File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line
114, in
>   __init__
> self.connect(url, flags, options)
> File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line
72, in
>   connect
> options=options)
>
> I have been unable to find any details in the logs on the existing server
>   when I run this command.
>
> The join command I'm using is:
>
> samba-tool domain join redacteddomain.redacted.com DC
>   -U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_DLZ
>   --option='idmap_ldb:use rfc2307 = yes' -d
>   10
>
> How this problem started:
> I originally had two domain controllers, both of which were running Samba
>   4.5. I was troubleshooting a time sync issue between Windows 10
>   workstations
>   and the server that appeared to come from a bug in the older Samba 4.5
>   version. I update the secondary domain controller to Samba 4.6.13 and
that
>   appeared to go fine, so I switched over to the primary domain controller
>   and tried
>   to upgrade it to 4.6.13. Something went wrong, and users were no longer
>   able
>   to access the domain. I switched to the backup domain controller and
>   promoted it to primary and all was well again, so I took the original
>   primary
>   off-line and tried to solve the issue. After taking the old primary
>   off-line,
>   DNS stopped resolving for the network. Things get a bit murky at this
part
>   because my phone was runing off the hook, but I managed to wipe out the
>   /var/lib/samba/private folder from one of the servers. Since my backups
>   were of the
>   old 4.5 database versions and I was unable to roll back the Samba
version,
>   I had to c
>   opy the /var/lib/samba/private folder from one server to the other, then
>   remove the server entries for the non-working server.
>
> After that point I had to go into each machine on the network and re-join
>   the domain because the trust relationships were no longer valid. (A
domain
>   SID
>   changed somewhere along the way.) All but 5 machines were able to rejoin
>   the network, and then suddenly no more could join.
>
> An additional issue is that if I do a samba_dnsupdate --verbose on the
>   "working" server, it completes with no errors. However if I do
a
>   samba_dnsupdate
>   --verbose --all-names I receive a ton of "TKEY Unacceptable"
messages. I
>   have worked through all the options on the wiki.samba.org "TKEY is
>   Unacceptable" page and have not made any progress.
>
>
>
> I've got about 60 hours into troubleshooting this problem in the last 4
days
>   and I am banging my head against a wall here. I can't seem to find
anything
>   on google about "join" returning the
NT_STATUS_CONNECTION_REFUSED error,
>   just smbclient connect attempts, and have exhausted every result returned
>   by
>   google on the TKEY problem.
>
> Does anyone have any ideas?
>
> Here's the extended debugging from the join command:
>
> [root at new-dc ~]#samba-tool domain join redacteddomain.redacted.com DC
>   -U"REDACTEDDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL
>   --option='idmap_ldb:use rfc2307 = yes' -d 10 INFO: Current debug
levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> Finding a writeable DC for domain 'redacteddomain.redacted.com'
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> finddcs: searching for a DC by DNS domain redacteddomain.redacted.com
> finddcs: looking for SRV records for _ldap._tcp.redacteddomain.redacted.com
> resolve_lmhosts: Attempting lmhosts lookup for name
>   _ldap._tcp.redacteddomain.redacted.com<0x0>
> getlmhostsent: lmhost entry: 127.0.0.1 localhost
> getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com
> ads_dns_lookup_srv: 2 records returned in the answer section.
> ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [100, 389,
>   0]
> ads_dns_parse_rr_srv: Parsed old-dc.redacteddomain.redacted.com [0, 100,
>   389]
> finddcs: DNS SRV response 0 at '10.10.11.4'
> finddcs: DNS SRV response 1 at '10.10.11.4'
> finddcs: performing CLDAP query on 10.10.11.4
> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
> command : LOGON_SAM_LOGON_RESPONSE_EX (23)
> sbz : 0x0000 (0)
> server_type : 0x000013fd (5117)
> 1: NBT_SERVER_PDC
> 1: NBT_SERVER_GC
> 1: NBT_SERVER_LDAP
> 1: NBT_SERVER_DS
> 1: NBT_SERVER_KDC
> 1: NBT_SERVER_TIMESERV
> 1: NBT_SERVER_CLOSEST
> 1: NBT_SERVER_WRITABLE
> 1: NBT_SERVER_GOOD_TIMESERV
> 0: NBT_SERVER_NDNC
> 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
> 1: NBT_SERVER_FULL_SECRET_DOMAIN_6
> 0: NBT_SERVER_ADS_WEB_SERVICE
> 0: NBT_SERVER_DS_8
> 0: NBT_SERVER_HAS_DNS_NAME
> 0: NBT_SERVER_IS_DEFAULT_NC
> 0: NBT_SERVER_FOREST_ROOT
> domain_uuid : 5b3dff07-e3e8-4ef7-956d-e076f01f31b7
> forest : 'redacteddomain.redacted.com'
> dns_domain : 'redacteddomain.redacted.com'
> pdc_dns_name : 'old-dc.redacteddomain.redacted.com'
> domain_name : 'REDACTEDDOMAIN'
> pdc_name : 'OLD-DC'
> user_name : ''
> server_site : 'Default-First-Site-Name'
> client_site : 'Default-First-Site-Name'
> sockaddr_size : 0x00 (0)
> sockaddr: struct nbt_sockaddr
> sockaddr_family : 0x00000000 (0)
> pdc_ip : (null)
> remaining : DATA_BLOB length=0
> next_closest_site : NULL
> nt_version : 0x00000005 (5)
> 1: NETLOGON_NT_VERSION_1
> 0: NETLOGON_NT_VERSION_5
> 1: NETLOGON_NT_VERSION_5EX
> 0: NETLOGON_NT_VERSION_5EX_WITH_IP
> 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
> 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
> 0: NETLOGON_NT_VERSION_PDC
> 0: NETLOGON_NT_VERSION_IP
> 0: NETLOGON_NT_VERSION_LOCAL
> 0: NETLOGON_NT_VERSION_GC
> lmnt_token : 0xffff (65535)
> lm20_token : 0xffff (65535)
> finddcs: Found matching DC 10.10.11.4 with server_type=0x000013fd
> Found DC old-dc.redacteddomain.redacted.com
> Security token SIDs (1):
> SID[ 0]: S-1-5-18
> Privileges (0xFFFFFFFFFFFFFFFF):
> Privilege[ 0]: SeMachineAccountPrivilege
> Privilege[ 1]: SeTakeOwnershipPrivilege
> Privilege[ 2]: SeBackupPrivilege
> Privilege[ 3]: SeRestorePrivilege
> Privilege[ 4]: SeRemoteShutdownPrivilege
> Privilege[ 5]: SePrintOperatorPrivilege
> Privilege[ 6]: SeAddUsersPrivilege
> Privilege[ 7]: SeDiskOperatorPrivilege
> Privilege[ 8]: SeSecurityPrivilege
> Privilege[ 9]: SeSystemtimePrivilege
> Privilege[ 10]: SeShutdownPrivilege
> Privilege[ 11]: SeDebugPrivilege
> Privilege[ 12]: SeSystemEnvironmentPrivilege
> Privilege[ 13]: SeSystemProfilePrivilege
> Privilege[ 14]: SeProfileSingleProcessPrivilege
> Privilege[ 15]: SeIncreaseBasePriorityPrivilege
> Privilege[ 16]: SeLoadDriverPrivilege
> Privilege[ 17]: SeCreatePagefilePrivilege
> Privilege[ 18]: SeIncreaseQuotaPrivilege
> Privilege[ 19]: SeChangeNotifyPrivilege
> Privilege[ 20]: SeUndockPrivilege
> Privilege[ 21]: SeManageVolumePrivilege
> Privilege[ 22]: SeImpersonatePrivilege
> Privilege[ 23]: SeCreateGlobalPrivilege
> Privilege[ 24]: SeEnableDelegationPrivilege
> Rights (0x 0):
> lpcfg_servicenumber: couldn't find ldb
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> added interface enp3s0 ip=10.10.9.20 bcast=10.10.11.255
>   netmask=255.255.252.0
> resolve_lmhosts: Attempting lmhosts lookup for name
>   old-dc.redacteddomain.redacted.com<0x20>
> getlmhostsent: lmhost entry: 127.0.0.1 localhost
> getlmhostsent: lmhost entry: 10.10.11.4 old-dc.redacteddomain.redacted.com
> Failed to connect to ldap URL
'ldap://old-dc.redacteddomain.redacted.com' -
>   LDAP client internal error: NT_STATUS_CONNECTION_REFUSED
> Failed to connect to 'ldap://old-dc.redacteddomain.redacted.com'
with
>   backend 'ldap': LDAP client internal error:
NT_STATUS_CONNECTION_REFUSED
> ERROR(ldb): uncaught exception - LDAP client internal error:
>   NT_STATUS_CONNECTION_REFUSED
> File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
>   176, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 661,
>   in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> File "/usr/lib64/python2.7/site-packages/samba/join.py", line
1455, in
>   join_DC
> machinepass, use_ntvfs, dns_backend, promote_existing)
> File "/usr/lib64/python2.7/site-packages/samba/join.py", line 89,
in
>   __init__
> credentials=ctx.creds, lp=ctx.lp)
> File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line
57, in
>   __init__
> options=options)
> File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line
114, in
>   __init__
> self.connect(url, flags, options)
> File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line
72, in
>   connect
> options=options)
>
> WARNING-FRAUDULENT FUNDING INSTRUCTIONS
>
>
>
> Email hacking and fraud are on the rise to fraudulently misdirect funds.
>   Please call your escrow officer immediately using contract information
>   found
>   from an independent source, such as the sales contract or internet, to
>   verify
>   any funding instructions received. We are not responsible for any wires
>   sent
>   by you to an incorrect bank account.
>
WARNING-FRAUDULENT FUNDING INSTRUCTIONS

Email hacking and fraud are on the rise to fraudulently misdirect funds. Please
call your escrow officer immediately using contract information found from an
independent source, such as the sales contract or internet, to verify any
funding instructions received. We are not responsible for any wires sent by you
to an incorrect bank account.

On Fri, 9 Mar 2018 10:57:44 -0600
Brent Davidson via samba <samba at lists.samba.org> wrote:
> Found the solution shortly after I sent this e-mail.  Needed to add
> "tls enabled = no" to the working server to get the other server
to
> restore functionality.
I have never had to add that line to any DC to get another DC to join,
come to think of it, I have never had to add that line at all.

I still stand by what I posted earlier, copying /var/lib/samba to
another DC is not a good idea.

Rowland