Am 07.02.2018 um 16:21 schrieb Rowland Penny via samba:> On Wed, 7 Feb 2018 15:55:49 +0100
> Andreas Heinlein via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> this is now my second attempt to join a Windows Server 2008R2 DC to a
>> samba AD domain. I had to forcibly remove the first 2k8 DC from the
>> domain after I messed it up completely in the first try. I followed
>> "Demoting an Offline Domain Controller" from the wiki here.
>>
>> This time joining fails right during running dcpromo. I get the error
>> that it could not replicate
"cn=Configuration,dc=domain,dc=com"
>> because "The DSA operation is unable to proceed because of a DNS
>> lookup failure". I have set the first DNS on the 2k8 machine to
its
>> own external address (not 127.0.0.1) and the second to the samba DC.
>>
> Wrong way round ;-)
> The computer to be joined should be pointing at the original DC, not
> itself.
>
> Rowland
>
Thanks a lot. This worked now, to some extent. dcpromo finished without
errors. But things are not quite right yet.
First, I found out that I had to manually create DNS entries for
dc2008.domain.com and <GUID_of_DC2008>._msdcs.domain.com. After that,
'samba-tool drs showrepl' and 'repadmin /showrepl' show
everything is fine.
Now, dcdiag on the Windows machine still has several things to complain.
I couldn't find out how to make dcdiag output in english, so I will post
my own translation from german:
- Starting test: Advertising
Warning: While trying to reach DC2008, DsGetDcName returned
information for \\samba.domain.com
THE SERVER IS NOT RESPONDING or IS NOT SUITABLE
DC2008 has failed Test Advertising
...
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\DC2008\netlogon)
[DC2008] An net use or LsaPolicy operation failed with error 67, The
network name cannot be found.
MAINSERVER failed test NetLogons
...
Starting test: VerifyReferences
Some objects for the domain controller DC2008 had problems:
[1] Problem: Expected value not found
Base object:
CN=NTDS
Settings,CN=DC2008,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Description of base object: "DSA-Objekt"
Attribute Name of value object: serverReferenceBL
Description of value object: "SYSVOL-FRS-memberobject"
Recommended Action: Knowledge Base-Artikel "Q312862"
[1] Problem: Expected value not found
base object:
CN=DC2008,OU=Domain Controllers,DC=vvv,DC=lan
Description of base object: "DC-Kontoobjekt"
Attribute name of value object: frsComputerReferenceBL
Description: "SYSVOL FRS-Mitgliedsobjekt"
Recommended Action: Knowledge Base-Artikel "Q312862"
DC2008 failed Test VerifyReferences
...
Partition tests being run on: DomainDnsZones
Starting test: CheckSDRefDom
The application directory partition
DC=DomainDnsZones,DC=domain,DC=com is missing a security reference domain.
The msDS-SD-reference domain attribute of the reference object
CN=502bc072-4236-4a52-8ce5-02618209e475,CN=Partitions,CN=Configuration,DC=domain,DC=com
must be set to the DN of a domain by the administrator
DomainDnsZones failed Test CheckSDRefDom
...
Partition test being run on: ForestDnsZones
Starting test: CheckSDRefDom
The application directory partition
DC=ForestDnsZones,DC=domain,DC=com is missing a security reference domain.
The msDS-SD-reference domain attribute of the reference object
CN=f837d58f-2f42-409e-8d50-8a7e3a1b9af5,CN=Partitions,CN=Configuration,DC=domain,DC=com
must be set to the DN of a domain by the administrator.
ForestDnsZones failed Test CheckSDRefDom
I guess that the first one is indicating another missing DNS entry. The
things about SYSVOL FRS might be normal because samba doesn't support
sysvol replication. But I am unsure about the missing netlogon. I have
created a manual sysvol workaround using robocopy, how do I create the
missing netlogon and sysvol shares?
The latter two failed tests from dcdiag, I have no idea what these are
about and if they are important.
Thank you again,
Andreas