Rowland, thank you for answering!

I have investigated this a bit, and I think that using 18.04 for the new DC will not be successful anyway. Reasons: the AD I have has been created back in the days when 14.04 LTS was fresh. The provisioning scripts worked differently. 14.04 has been upgraded to 16.04, and I think that I do not have all of the DNSes configured properly and this might be the cause of the synchronization items.

I would really like to get to the bottom of this and understand the issue to fix it on the old DC. Is there a checklist on what needs to be done during the initial provisioning, and what are the requirements for samba-tool to be able to join another DC to the AD?

Traces:

1. Running the following on the new DC starts with the following errors:

    # samba-tool drs showrepl
    SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER

NT_STATUS_INVALID_PARAMETER is usually associated with DNS update issues.

2. I had to update the "objectGUID CNAME Record" as defined here:
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

3. Querying the domain name in the DNS shows only the old DC:

    # host biuro.gpm-vindexus.pl
    biuro.gpm-vindexus.pl has address 192.168.0.251
    biuro.gpm-vindexus.pl has address 192.168.1.251

(it has 2 addresses in 2 subnets)

and it should show 192.168.0.252 (qdc, the second server) as well.

3. Running samba_dnsupdate on the old primary DC shows a lot of errors:

    # samba_dnsupdate --all-names
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    Failed update of 24 entries

2018-04-25 9:41 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 24 Apr 2018 23:49:41 +0200
> Jakub Kulesza via samba <samba at lists.samba.org> wrote:
>
> > Hi!
> >
> > I want to get down to the root cause of the issue I am having with my
> > new DC in my domain. I have followed some tutorials on the internet
> > and basically do not get the results.
> >
> > I have 1 old DC, that is providing the AD domain for the whole local
> > network. I wanted to add another one. Both are Ubuntus 16.04, fully
> > updated.
> >
> > I have followed this
> > https://www.tecmint.com/join-additional-ubuntu-dc-to-samba4-ad-dc-failover-replication/
> > but basically most howtos discuss this the same way.
>
> Yes and most of them get it wrong ;-)
> In this instance, it is mostly correct, just one thing jumps out.
> Adding the 'winbind' lines to smb.conf is pointless, they do nothing on
> a DC.
>
> I suggest you read this:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> > - samba-tool drs showrepl on the old, existing DC (yes, it's named
> > pdc)
>
> Yes and it shouldn't be ;-)
>
> I would wait until tomorrow, download 18.04 and then use this, it will
> get you Samba 4.7.6 and this should fix your problem.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Regards
Jakub Kulesza
On Wed, 25 Apr 2018 22:32:10 +0200
Jakub Kulesza <jakkul+samba at gmail.com> wrote:

> Rowland, thank you for answering!
>
> I have investigated this a bit, and I think that using 18.04 for the
> new DC will not be successful anyway. Reasons: the AD I have has been
> created back in the days when 14.04 LTS was fresh. The provisioning
> scripts worked differently. 14.04 has been upgraded to 16.04, and I
> think that I do not have all of the DNSes configured properly and
> this might be the cause of the synchronization items.

The basic provision has always worked in the same way, it has just been
tweaked.

> I would really like to get to the bottom of this and understand the
> issue to fix it on the old DC. Is there a checklist on what needs to
> be done during the initial provisioning and what are the requirements
> for samba-tool to be able to join another DC to the AD?

I take it you have read the DC join page on the wiki and followed all
the hyperlinks.

> Traces:
>
> 1. running the following on the new DC starts with the following
> errors:
>
>     # samba-tool drs showrepl
>     SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
>
> NT_STATUS_INVALID_PARAMETER is usually associated with DNS update
> issues.
>
> 2. I had to update "objectGUID CNAME Record" as defined here
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

Yes, but you shouldn't have to do this with 4.7.6, it has code to
create those records during the join.

> 3. querying the domain name in the DNS shows up only the old DC
>
>     # host biuro.gpm-vindexus.pl
>     biuro.gpm-vindexus.pl has address 192.168.0.251
>     biuro.gpm-vindexus.pl has address 192.168.1.251
>
> (it has 2 addresses in 2 subnets)
>
> and it should show 192.168.0.252 (qdc, the second server) as well

Why? You are checking one DC's FQDN; to get the info for the second DC,
you would have to check that DC's FQDN.

> 3. running samba_dnsupdate on the old primary DC shows a lot of
> errors:
>
>     # samba_dnsupdate --all-names
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     ; TSIG error with server: tsig verify failure
>     Failed update of 24 entries

Try 'samba_dnsupdate --all-names --use-samba-tool'

Rowland
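Rowland's point above is that each DC's own records have to be looked up by that DC's FQDN, not inferred from one query. The checker below is an added example, not code from this thread or from the Samba project: it builds the record set every DC should own and reports what a resolver cannot see. Assumptions: the record set is a subset of what samba_dnsupdate maintains (the objectGUID CNAME from the wiki page Jakub cites plus the core A and SRV entries; the complete list lives in Samba's dns_update_list), the forest is a single domain so the _msdcs CNAME sits under the domain name, and the inventory and sample zone are constructed (domain, the names pdc/qdc and the 192.168.0.251/.252 addresses are from the thread, the objectGUIDs are invented). `host_resolver` wraps the `host` CLI used in the thread for a live run on a DC.

```python
"""Check that each Samba AD DC has the DNS records a join relies on.

Added example, not code from the thread or from the Samba project.
Inventory and zone data are constructed for the example."""
import subprocess
from typing import Callable, Dict, List, Set, Tuple

Record = Tuple[str, str, str]            # (name, type, value)
Resolver = Callable[[str, str], Set[str]]

DOMAIN = "biuro.gpm-vindexus.pl"
# (fqdn, NTDS objectGUID, addresses) for every DC; the GUIDs are invented.
DCS = [
    ("pdc.biuro.gpm-vindexus.pl", "11111111-2222-3333-4444-555555555555",
     ["192.168.0.251", "192.168.1.251"]),
    ("qdc.biuro.gpm-vindexus.pl", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     ["192.168.0.252"]),
]


def expected_records(domain: str, dcs) -> List[Record]:
    """Records every DC should own. Assumption: a subset of what
    samba_dnsupdate maintains (objectGUID CNAME plus core A/SRV entries);
    single-domain forest, so the _msdcs CNAME lives under the domain."""
    recs: List[Record] = []
    for fqdn, guid, ips in dcs:
        for ip in ips:
            recs.append((fqdn, "A", ip))
            # Apex A record: the domain name itself resolves to every DC.
            recs.append((domain, "A", ip))
        recs.append((f"{guid}._msdcs.{domain}", "CNAME", fqdn))
        recs.append((f"_ldap._tcp.{domain}", "SRV", f"{fqdn}:389"))
        recs.append((f"_kerberos._tcp.{domain}", "SRV", f"{fqdn}:88"))
        recs.append((f"_ldap._tcp.dc._msdcs.{domain}", "SRV", f"{fqdn}:389"))
    return recs


def find_missing(domain: str, dcs, resolve: Resolver) -> List[Record]:
    """Return the expected records the resolver cannot see."""
    cache: Dict[Tuple[str, str], Set[str]] = {}
    missing: List[Record] = []
    for name, rtype, value in expected_records(domain, dcs):
        key = (name.lower(), rtype)
        if key not in cache:
            cache[key] = resolve(name, rtype)
        if value not in cache[key]:
            missing.append((name, rtype, value))
    return missing


def dict_resolver(zone: Dict[Tuple[str, str], Set[str]]) -> Resolver:
    """Offline resolver over a constructed zone keyed by (name, type)."""
    return lambda name, rtype: zone.get((name.lower(), rtype), set())


def host_resolver(name: str, rtype: str) -> Set[str]:
    """Live resolver using the `host` CLI. Parses the 'has address',
    'is an alias for' and 'has SRV record' answer lines; SRV answers are
    normalised to 'target:port' to match expected_records()."""
    out = subprocess.run(["host", "-t", rtype, name],
                         capture_output=True, text=True).stdout
    answers: Set[str] = set()
    for line in out.splitlines():
        words = line.split()
        if "has address" in line:
            answers.add(words[-1])
        elif "is an alias for" in line:
            answers.add(words[-1].rstrip("."))
        elif "has SRV record" in line:
            # host prints: <name> has SRV record <prio> <weight> <port> <target>.
            answers.add(f"{words[-1].rstrip('.')}:{words[-2]}")
    return answers


# Constructed zone reproducing the symptom in the thread: the apex A record
# and the objectGUID CNAME exist only for the old DC.
SAMPLE_ZONE: Dict[Tuple[str, str], Set[str]] = {
    ("pdc.biuro.gpm-vindexus.pl", "A"): {"192.168.0.251", "192.168.1.251"},
    ("qdc.biuro.gpm-vindexus.pl", "A"): {"192.168.0.252"},
    (DOMAIN, "A"): {"192.168.0.251", "192.168.1.251"},
    (f"11111111-2222-3333-4444-555555555555._msdcs.{DOMAIN}", "CNAME"):
        {"pdc.biuro.gpm-vindexus.pl"},
    (f"_ldap._tcp.{DOMAIN}", "SRV"):
        {"pdc.biuro.gpm-vindexus.pl:389", "qdc.biuro.gpm-vindexus.pl:389"},
    (f"_kerberos._tcp.{DOMAIN}", "SRV"):
        {"pdc.biuro.gpm-vindexus.pl:88", "qdc.biuro.gpm-vindexus.pl:88"},
    (f"_ldap._tcp.dc._msdcs.{DOMAIN}", "SRV"):
        {"pdc.biuro.gpm-vindexus.pl:389", "qdc.biuro.gpm-vindexus.pl:389"},
}

if __name__ == "__main__":
    # Offline run against the constructed zone; pass host_resolver on a DC.
    for name, rtype, value in find_missing(DOMAIN, DCS, dict_resolver(SAMPLE_ZONE)):
        print(f"MISSING {rtype:5} {name} -> {value}")
```

Run on a DC with `find_missing(DOMAIN, DCS, host_resolver)` after filling in the real objectGUIDs (`samba-tool dns` or `ldbsearch` on the NTDS Settings object gives them). Each line the checker prints is one record to create or repair before retrying the join, and the per-DC grouping makes it obvious when a whole DC is absent rather than a single record.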
Yes, I tried working with the Samba wiki and quad-verifying what is recommended to be checked.

OK, I'll try to join using 18.04.

The samba_dnsupdate tool does not have the --use-samba-tool option in Ubuntu 16.04.

2018-04-25 22:47 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Wed, 25 Apr 2018 22:32:10 +0200
> Jakub Kulesza <jakkul+samba at gmail.com> wrote:
>
> > Rowland, thank you for answering!
> >
> > I have investigated this a bit, and I think that using 18.04 for the
> > new DC will not be successful anyway. Reasons: the AD I have has been
> > created back in the days when 14.04 LTS was fresh. The provisioning
> > scripts worked differently. 14.04 has been upgraded to 16.04, and I
> > think that I do not have all of the DNSes configured properly and
> > this might be the cause of the synchronization items.
>
> The basic provision has always worked in the same way, it has just been
> tweaked.
>
> > I would really like to get to the bottom of this and understand the
> > issue to fix it on the old DC. Is there a checklist on what needs to
> > be done during the initial provisioning and what are the requirements
> > for samba-tool to be able to join another DC to the AD?
>
> I take it you have read the DC join page on the wiki and followed all
> the hyperlinks.
>
> > Traces:
> >
> > 1. running the following on the new DC starts with the following
> > errors:
> >
> >     # samba-tool drs showrepl
> >     SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
> >
> > NT_STATUS_INVALID_PARAMETER is usually associated with DNS update
> > issues.
> >
> > 2. I had to update "objectGUID CNAME Record" as defined here
> > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
>
> Yes, but you shouldn't have to do this with 4.7.6, it has code to
> create those records during the join.
>
> > 3. querying the domain name in the DNS shows up only the old DC
> >
> >     # host biuro.gpm-vindexus.pl
> >     biuro.gpm-vindexus.pl has address 192.168.0.251
> >     biuro.gpm-vindexus.pl has address 192.168.1.251
> >
> > (it has 2 addresses in 2 subnets)
> >
> > and it should show 192.168.0.252 (qdc, the second server) as well
>
> Why? You are checking one DC's FQDN; to get the info for the second DC,
> you would have to check that DC's FQDN.
>
> > 3. running samba_dnsupdate on the old primary DC shows a lot of
> > errors:
> >
> >     # samba_dnsupdate --all-names
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     ; TSIG error with server: tsig verify failure
> >     Failed update of 24 entries
>
> Try 'samba_dnsupdate --all-names --use-samba-tool'
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba