Piers Kittel
2019-Feb-04 18:32 UTC
[Samba] Windows client still tries to connect to old AD after replacement
Thanks Rowland,

OK, sorry about this...

Note that the "Old AD" has some errors in their config files, but everything sort of works so I'm not going to fix those errors - my concern is obviously just the "New AD". I've not set up printing in the new AD yet as it doesn't work in the old one anyway, and that's a discussion in a future thread. Note "domain" is a replacement for the actual domain name. Nothing is internet facing, and shouldn't be apart from DNS (well, I hope!).

---------------------------------------------------------------------
Old AD

Name - ad.domain.intranet
IP - 192.168.0.17
Operating System: Debian GNU/Linux 9 (stretch)
Kernel: Linux 4.9.0-8-amd64
Samba version: 4.5.12-Debian

/etc/hostname:
ad

/etc/hosts:
127.0.0.1 localhost
192.168.0.17 ad.domain.intranet ad
192.168.0.21 domain-ad.domain.intranet domain-ad

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/resolv.conf:
domain Hitronhub.home
search Hitronhub.home
nameserver 192.168.0.1

/etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.INTRANET
dns_lookup_realm = false
dns_lookup_kdc = true

/etc/samba/smb.conf
# Global parameters
[global]
netbios name = AD
realm = DOMAIN.INTRANET
workgroup = DOMAIN
dns forwarder = 192.168.0.1
server role = active directory domain controller
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
printing = CUPS
spoolss: architecture = Windows x64
[netlogon]
path = /var/lib/samba/sysvol/cfd.intranet/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[Profiles]
path = /home/samba/Profiles
read only = no
veto files = /*sync*/
[users]
path = /home/samba/users
read only = no
[printers]
path = /var/spool/samba
printable = yes
[print$]
path = /srv/samba/printer_drivers/
read only = no

---------------------------------------------------------------------
New AD

Name - domain-ad.domain.intranet
IP - 192.168.0.11
Operating System: Debian GNU/Linux 9 (stretch)
Kernel: Linux 4.9.0-8-amd64
Samba version: 4.5.12-Debian

/etc/hostname:
domain-ad

/etc/hosts:
127.0.0.1 localhost
192.168.0.11 domain-ad.domain.intranet domain-ad

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/resolv.conf
domain domain.intranet
search domain-ad.domain.intranet
nameserver 192.168.0.11

/etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.INTRANET
dns_lookup_realm = false
dns_lookup_kdc = true

/etc/samba/smb.conf
# Global parameters
[global]
netbios name = DOMAIN-AD
realm = DOMAIN.INTRANET
workgroup = DOMAIN
dns forwarder = 192.168.0.1
server role = active directory domain controller
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[netlogon]
path = /var/lib/samba/sysvol/domain.intranet/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[Profiles]
path = /home/samba/Profiles
read only = no
veto files = /*sync*/
[users]
path = /home/samba/users
read only = no

---------------------------------------------------------------------

> I see that they are both subdomains of the 'domain.intranet' dns
> domain, but have you used a new workgroup name for the new AD domain ?

Wasn't aware workgroups were used? The workgroup is blanked out in the "Computer Name\Domain Changes" box?

> Have your clients left the old domain and joined the new domain ?

Yes - I just used one client - disconnected it from the old domain, joined the workgroup "WORKGROUP", changed the DNS settings as per the how-to page here:

https://wiki.samba.org/index.php/Windows_DNS_Configuration

so it points to 192.168.0.11.

Then I turned off the old server and rebooted the test client, connected it to the new AD server, and then followed the following how-to pages here to point them all to the new server:

https://wiki.samba.org/index.php/User_Home_Folders
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

but I get the issues I spoke about earlier. I'm sure I'm missing something.

Many thanks again for your time!

With kind regards - Piers
Rowland Penny
2019-Feb-04 19:10 UTC
[Samba] Windows client still tries to connect to old AD after replacement
See inline comments:

On Mon, 4 Feb 2019 18:32:49 +0000 Piers Kittel via samba <samba at lists.samba.org> wrote:

> Thanks Rowland,
>
> OK, sorry about this...
>
> Note that the "Old AD" has some errors in their config files, but
> everything sort of works so I'm not going to fix those errors - my
> concern is obviously just the "New AD". I've not set up printing in
> the new AD yet as it doesn't work in the old one anyway, and that's a
> discussion in a future thread. Note "domain" is a replacement for
> the actual domain name. Nothing is internet facing, and shouldn't be
> apart from DNS (well, I hope!).
>
> ---------------------------------------------------------------------
> Old AD
>
> Name - ad.domain.intranet
> IP - 192.168.0.17
> Operating System: Debian GNU/Linux 9 (stretch)
> Kernel: Linux 4.9.0-8-amd64
> Samba version: 4.5.12-Debian
>
> /etc/hostname:
> ad
>
> /etc/hosts:
> 127.0.0.1 localhost
> 192.168.0.17 ad.domain.intranet ad
> 192.168.0.21 domain-ad.domain.intranet domain-ad

Remove the line above, this is the old AD domain and shouldn't have anything pointing to the new one.

>
> /etc/resolv.conf:
> domain Hitronhub.home
> search Hitronhub.home
> nameserver 192.168.0.1

This is a DC, it should be pointing to itself as a nameserver.

>
> /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = AD
> realm = DOMAIN.INTRANET
> workgroup = DOMAIN

What did you say about workgroups ? I do hope that 'DOMAIN' in the above line isn't the same as on the new AD DC.

> dns forwarder = 192.168.0.1
> server role = active directory domain controller
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> printing = CUPS
> spoolss: architecture = Windows x64
>
> ---------------------------------------------------------------------
> New AD
>
> Name - domain-ad.domain.intranet
> IP - 192.168.0.11
> Operating System: Debian GNU/Linux 9 (stretch)
> Kernel: Linux 4.9.0-8-amd64
> Samba version: 4.5.12-Debian
>
> /etc/hostname:
> domain-ad
>
> /etc/hosts:
> 127.0.0.1 localhost
> 192.168.0.11 domain-ad.domain.intranet domain-ad
>
> # The following lines are desirable for IPv6 capable hosts
>
> /etc/resolv.conf
>
> domain domain.intranet
> search domain-ad.domain.intranet
> nameserver 192.168.0.11

Hmm, that looks like you are trying to search the DC hostname instead of the dns domain name, remove 'domain-ad' from the search line.

This does of course raise another problem, even though you claim you have set up a new domain, you haven't. Both your DCs use the same ip range, dns domain and presumably, the same workgroup name.

>
> /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = DOMAIN-AD
> realm = DOMAIN.INTRANET
> workgroup = DOMAIN
> dns forwarder = 192.168.0.1
> server role = active directory domain controller
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> [netlogon]
> path = /var/lib/samba/sysvol/domain.intranet/scripts
> read only = No
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> [Profiles]
> path = /home/samba/Profiles
> read only = no
> veto files = /*sync*/
> [users]
> path = /home/samba/users
> read only = no
>
> ---------------------------------------------------------------------
> > I see that they are both subdomains of the 'domain.intranet' dns
> > domain, but have you used a new workgroup name for the new AD
> > domain ?
>
> Wasn't aware workgroups were used? The workgroup is blanked out in
> the "Computer Name\Domain Changes" box?

It might be, but they are still used

Rowland
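
Added example, not part of either post: a Python check for the two /etc/resolv.conf points raised in the reply above (a DC lists itself as a nameserver, and the search line holds the DNS domain rather than the DC's hostname). It assumes the DNS domain is the lower-cased smb.conf realm; the function names and the FIXED sample are made up for illustration.

```python
import re

def parse_resolv(text):
    """Return (nameservers, search_domains) from resolv.conf text."""
    nameservers, search = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        if fields[0] == "nameserver":
            nameservers.append(fields[1])
        elif fields[0] == "search":
            search = [d.lower().rstrip(".") for d in fields[1:]]
    return nameservers, search

def smb_realm(text):
    """Return the lower-cased 'realm' from the [global] section of smb.conf."""
    section = None
    for line in (l.strip() for l in text.splitlines()):
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            if key.strip().lower() == "realm":
                return value.strip().lower()
    return None

def check_dc_resolver(resolv_text, smb_text, dc_ip):
    """List deviations from the two resolv.conf points raised in the reply."""
    nameservers, search = parse_resolv(resolv_text)
    realm = smb_realm(smb_text)  # assumption: DNS domain == lower-cased realm
    findings = []
    if dc_ip not in nameservers:
        findings.append("nameserver: DC does not point to itself (%s)" % dc_ip)
    if search != [realm]:
        found = " ".join(search) or "nothing"
        findings.append("search: expected %s, found %s" % (realm, found))
    return findings

# Inputs copied from the thread ("domain" is the poster's placeholder).
SMB = "[global]\nrealm = DOMAIN.INTRANET\nworkgroup = DOMAIN\n"
OLD = "domain Hitronhub.home\nsearch Hitronhub.home\nnameserver 192.168.0.1\n"
NEW = "domain domain.intranet\nsearch domain-ad.domain.intranet\nnameserver 192.168.0.11\n"
FIXED = "search domain.intranet\nnameserver 192.168.0.11\n"  # constructed sample

if __name__ == "__main__":
    for name, text, ip in (("old", OLD, "192.168.0.17"), ("new", NEW, "192.168.0.11"),
                           ("fixed", FIXED, "192.168.0.11")):
        print(name, check_dc_resolver(text, SMB, ip) or "ok")
```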