Hello,

I have successfully joined an SBS 2003 (SRVACMPDC01) domain with two additional Samba 4 DCs (SAMBA4PDC and SAMBA4DEDI, currently both 4.0.4-GIT-9899851). Everything worked fine: DNS / AD replication etc. The Windows server was still responsible for DNS / DHCP / all FSMO roles.

Now the original SBS 2003 crashed and refuses to start again (long story). In order to get a temporary workaround going I did...

- point all clients to the SAMBA DNS servers only
- get a DHCP server running on one SAMBA4PDC and forced all clients to reboot
- seize all FSMO roles to SAMBA4PDC (naming role failed. See Bug 9461)
- Add allow dns updates to dns conf.
- Edit server services in smb.conf to: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns (which originally has been empty after joining)

But I currently struggle with some issues:

1. Overall network seems completely broken. Countless connection interrupts / timeouts. Strange IP conflicts on clients.
2. We use the internal DNS server on both Samba machines, but it does not do any dynamic updates (nslookup for client computers still points to the IPs which had been assigned by the no longer running SBS).
3. AD replication stopped completely (see samba-tool drs showrepl output below)
4. DNS lookups for LDAP / Kerberos still deliver the old SBS entry and in addition the other Samba machine:

    samba4pdc:~$ host -t SRV _ldap._tcp.office.local
    _ldap._tcp.office.local has SRV record 0 100 389 srvacmpdc01.office.local.
    _ldap._tcp.office.local has SRV record 0 100 389 samba4dedi.office.local.

5. User login on Windows desktops can take up to 10 minutes

Any help is highly appreciated, as this is not a lab testing environment. Nevertheless, many thanks to the Samba developers - without Samba we would not have the possibility to still allow users to log into their accounts and offer them basic filesharing.

Best Regards
Chris

============================================================
samba-tool drs showrepl output:

Standardname-des-ersten-Standorts\SAMBA4PDC
DSA Options: 0x00000001
DSA object GUID: 3cc2f4b8-9f6d-4d80-863c-208053444982
DSA invocationId: 3dafab35-13c4-496a-8543-5b2ed86caa23

==== INBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=office,DC=local
    Standardname-des-ersten-Standorts\SRVACMPDC01 via RPC
        DSA object GUID: 805e09e9-375f-498a-a842-d7d20f174f8b
        Last attempt @ Sun Mar 10 15:38:24 2013 CET failed, result 1232 (WERR_HOST_UNREACHABLE)
        4283 consecutive failure(s).
        Last success @ Sat Feb 23 12:19:57 2013 CET

DC=DomainDnsZones,DC=office,DC=local
    Standardname-des-ersten-Standorts\SRVACMPDC01 via RPC
        DSA object GUID: 805e09e9-375f-498a-a842-d7d20f174f8b
        Last attempt @ Sun Mar 10 15:38:27 2013 CET failed, result 1232 (WERR_HOST_UNREACHABLE)
        4283 consecutive failure(s).
        Last success @ Sat Feb 23 12:19:57 2013 CET

==== OUTBOUND NEIGHBORS ===

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 7653ea37-51ff-41e3-88a2-e5263b205169
    Enabled : TRUE
    Server DNS name : SAMBA4DEDI.office.local
    Server DN name : CN=NTDS Settings,CN=SAMBA4DEDI,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=office,DC=local
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

Connection --
    Connection name: 170a1e3b-c722-49cd-a0cd-70c73dcc9fdd
    Enabled : TRUE
    Server DNS name : SRVACMPDC01.office.local
    Server DN name : CN=NTDS Settings,CN=SRVACMPDC01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=office,DC=local
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

============================================================
samba_dnsupdate --verbose --all-names

IPs: ['192.168.180.5']
Calling nsupdate for A office.local 192.168.180.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
office.local. 900 IN A 192.168.180.5

; Communication with 192.168.180.8#53 failed: operation canceled
could not find enclosing zone
Failed nsupdate: 1
Calling nsupdate for A samba4pdc.office.local 192.168.180.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samba4pdc.office.local. 900 IN A 192.168.180.5
...

============================================================
testparm -v

Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

    afs token lifetime = 604800
    log nt token command =
    NIS homedir = No
    registry shares = No
    usershare allow guests = No
    usershare max shares = 0
    usershare owner only = Yes
    usershare path = /usr/local/samba/var/locks/usershares
    usershare prefix allow list =
    usershare prefix deny list =
    usershare template share =
    allow insecure wide links = No
    async smb echo handler = No
    panic action =
    perfcount module =
    host msdfs = Yes
    passdb expand explicit = No
    idmap backend = tdb
    idmap cache time = 604800
    idmap negative cache time = 120
    idmap uid =
    idmap gid =
    template homedir = /home/%D/%U
    template shell = /bin/false
    winbind separator = \
    winbind cache time = 300
    winbind reconnect delay = 30
    winbind max clients = 200
    winbind enum users = No
    winbind enum groups = No
    winbind use default domain = No
    winbind trusted domains only = No
    winbind nested groups = Yes
    winbind expand groups = 1
    winbind nss info = template
    winbind refresh tickets = No
    winbind offline logon = No
    winbind normalize names = No
    winbind rpc only = No
    create krb5 conf = Yes
    ncalrpc dir = /usr/local/samba/var/run/ncalrpc
    winbind max domain connections = 1
    winbindd socket directory =
    winbindd privileged socket directory =
    winbind sealed pipes = No
    allow dns updates = nonsecure and secure
    dns forwarder = 8.8.8.8
    dns update command =
    nsupdate command =
    rndc command =
    multicast dns register = Yes
    samba kcc command =
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
    dcerpc endpoint servers =
    spn update command =
    share backend =
    tls enabled = No
    tls keyfile =
    tls certfile =
    tls cafile =
    tls crlfile =
    tls dh params file =
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    idmap config * : backend = tdb
    comment =
    path =
    username =
    invalid users =
    valid users =
    admin users =
    read list =
    write list =
    force user =
    force group =
    read only = Yes
    acl check permissions = Yes
    acl group control = No
    acl map full control = Yes
    create mask = 0777
    force create mode = 00
    directory mask = 0777
    force directory mode = 00
    force unknown acl user = No
    inherit permissions = No
    inherit acls = No
    inherit owner = No
    guest only = No
    administrative share = No
    guest ok = No
    only user = No
    hosts allow =
    hosts deny =
    allocation roundup size = 1048576
    aio read size = 0
    aio write size = 0
    aio write behind =
    ea support = No
    nt acl support = Yes
    profile acls = No
    map acl inherit = No
    afs share = No
    smb encrypt = default
    durable handles = Yes
    block size = 1024
    change notify = Yes
    directory name cache size = 100
    kernel change notify = Yes
    max connections = 0
    min print space = 0
    strict allocate = No
    strict sync = No
    sync always = No
    use sendfile = No
    write cache size = 0
    max reported print jobs = 0
    max print jobs = 1000
    printable = No
    print notify backchannel = Yes
    print ok = No
    printing = bsd
    cups options =
    print command = lpr -r -P'%p' %s
    lpq command = lpq -P'%p'
    lprm command = lprm -P'%p' %j
    lppause command =
    lpresume command =
    queuepause command =
    queueresume command =
    printer name =
    use client driver = No
    default devmode = Yes
    force printername = No
    printjob username = %U
    default case = lower
    case sensitive = Auto
    preserve case = Yes
    short preserve case = Yes
    mangling char = ~
    hide dot files = Yes
    hide special files = No
    hide unreadable = No
    hide unwriteable files = No
    delete veto files = No
    veto files =
    hide files =
    veto oplock files =
    map archive = No
    map hidden = No
    map system = No
    map readonly = no
    mangled names = Yes
    store dos attributes = Yes
    dmapi support = No
    browseable = Yes
    access based share enum = No
    blocking locks = Yes
    csc policy = manual
    fake oplocks = No
    kernel oplocks = No
    kernel share modes = Yes
    locking = Yes
    oplocks = Yes
    level2 oplocks = Yes
    oplock contention limit = 2
    posix locking = Yes
    strict locking = Auto
    dfree cache time = 0
    dfree command =
    copy =
    preexec =
    preexec close = No
    postexec =
    root preexec =
    root preexec close = No
    root postexec =
    available = Yes
    volume =
    fstype = NTFS
    set directory = No
    wide links = No
    follow symlinks = Yes
    dont descend =
    magic script =
    magic output =
    delete readonly = No
    dos filemode = No
    dos filetimes = Yes
    dos filetime resolution = No
    fake directory create times = No
    vfs objects = dfs_samba4, acl_xattr
    msdfs root = No
    msdfs proxy =
    ntvfs handler =
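
One way to summarise the INBOUND NEIGHBORS section of `samba-tool drs showrepl` output like the one quoted in this message, so that a dead replication partner stands out; this is an added example, not part of the original post. The function name `failing_inbound`, the healthy second neighbour and its all-zero GUID are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the first neighbour reuses values quoted in the post;
# the second (healthy) neighbour and its all-zero GUID are made up for contrast.
SAMPLE = r"""==== INBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=office,DC=local
    Standardname-des-ersten-Standorts\SRVACMPDC01 via RPC
        DSA object GUID: 805e09e9-375f-498a-a842-d7d20f174f8b
        Last attempt @ Sun Mar 10 15:38:24 2013 CET failed, result 1232 (WERR_HOST_UNREACHABLE)
        4283 consecutive failure(s).
        Last success @ Sat Feb 23 12:19:57 2013 CET

DC=office,DC=local
    Standardname-des-ersten-Standorts\SAMBA4DEDI via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000000
        Last attempt @ Sun Mar 10 15:38:30 2013 CET was successful
        0 consecutive failure(s).
        Last success @ Sun Mar 10 15:38:30 2013 CET
==== OUTBOUND NEIGHBORS ===
"""

DATE = r"(\w{3} \w{3} .+?)"  # ctime-style stamp; "NTTIME(0)" (never) will not match

def _when(stamp):
    # Drop the trailing timezone label (e.g. "CET") and parse the rest as naive time.
    return datetime.strptime(stamp.rsplit(" ", 1)[0], "%a %b %d %H:%M:%S %Y")

def failing_inbound(text, min_failures=1):
    """Return inbound neighbours with at least min_failures consecutive failures."""
    found, nc, cur, inbound = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):
            inbound, cur = "INBOUND NEIGHBORS" in line, None
        elif not inbound or not line:
            continue
        elif not raw[0].isspace():
            nc = line  # unindented line: naming context DN
        elif line.endswith(" via RPC"):
            cur = {"nc": nc, "partner": line[:-8].split("\\")[-1]}
            found.append(cur)
        elif cur and (m := re.match(rf"Last attempt @ {DATE} (?:was successful|failed, result \d+ \((\w+)\))", line)):
            cur["attempt"], cur["error"] = _when(m.group(1)), m.group(2)
        elif cur and (m := re.match(r"(\d+) consecutive failure", line)):
            cur["failures"] = int(m.group(1))
        elif cur and "attempt" in cur and (m := re.match(rf"Last success @ {DATE}$", line)):
            cur["days_stale"] = (cur["attempt"] - _when(m.group(1))).days
    return [n for n in found if n.get("failures", 0) >= min_failures]
```

Each returned entry carries the naming context, the partner name, the failure count, the WERR code and the number of whole days between the last attempt and the last success.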