samba - Apr 2019 - dcpromo on W2k8 R2 server with existing Samba AD domin fails to complete

I’m attempting to stand up a Windows 2008 R2 server as a domain controller to
integrate with an existing Samba AD environment with 6x Samba AD servers
(4.10.1) and multiple sites. This is the first Windows DC.

I have a couple other Win2012 servers that are already domain joined, and ~ 300
Win 10 desktop/laptop hosts

I’ve followed the guide on the wiki:

https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
<https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD>

I reach the last step in the process and see this window
https://wiki.samba.org/index.php/File:Join_Win2008R2_Join_Process.png
<https://wiki.samba.org/index.php/File:Join_Win2008R2_Join_Process.png>

I watch messages in the status window as shown in the .png file until I see this
message:

“Replicating data CN=Configuration,DC=my,DC=company,DC=com:  Received 1712 out
of approximately 1712 objects and 88 out of approximately 88 distinguished name
(DN) values …”


The DC promotion process hangs and never progresses after this message appears.

I enabled log level 5 on the Samba DC that I chose for replication. I can’t see
any obvious errors there.

The W2k8 R2 event log contains:

"Internal event: The local directory service received an exception from a
remote procedure call (RPC) connection. Extended error information is not
available.
 
directory service: 
dc2.my.company.com 
 
Additional Data 
Error value: 
The remote procedure call failed. (1726)”


Also, when I view my domain info with RSAT “Active Directory Users and
Computers” I don’t see any CN called “Configuration” which is the CN that the
dcpromo window is displaying when it stops progressing.

The little animation in the status window just keeps going too! It’s taunting me
with the illusion of progress.

Anyone have any ideas here?

I tried removing all custom GPOs from my DC’s and that didn’t help.

I’m using BIND 9.10 backend and I’m running on Ubuntu 16.04. I compile new
versions of samba on a fresh Ubuntu 16.04 container and use ‘checkinstall’ to
generate a .deb package which I use to distribute the build(s) to the DCs



=====
smb.conf

=====

# Global parameters
[global]
        netbios name = DC1
        realm = MY.COMPANY.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        workgroup = COMPANY
#       dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
        dns zone scavenging = yes
        idmap_ldb:use rfc2307 = yes
        tls enabled  = yes
        tls keyfile  = tls/cert.key
        tls certfile = tls/cert.pem
        tls cafile   = tls/int_ca.pem
        logging =  file
        log level = all:5
# rpc_parse:5 rpc_srv:5 rpc_cli:5 dns:3 dsdb_audit:4 dsdb_password_audit:4
auth_audit:4 auth:1 passdb:3 winbind:2

[netlogon]
        path = /var/lib/samba/sysvol/my.company.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Hi,

On 11/04/19 6:20 PM, M B via samba wrote:
> Also, when I view my domain info with RSAT “Active Directory Users and
Computers” I don’t see any CN called “Configuration” which is the CN that the
dcpromo window is displaying when it stops progressing.
Users and computers only shows a few select containers, and not the
entire LDAP tree.
> The little animation in the status window just keeps going too! It’s
taunting me with the illusion of progress.
If you had a wireshark trace and could pick out the (RPC) error from it,
perhaps you could learn something more from that. Windows is pretty
awful with error messages and debugging this kind of thing.

It doesn't sound like your directory is all that large (a few thousand
users, computers or other objects maybe?). Have you run a 'samba-tool
dbcheck' on your domain? If you've been upgrading from older versions,
there might be minor inconsistencies that Windows doesn't like and
dbcheck might be able to fix. I would probably try that first.

Cheers,

Garming