Hello all. Please help me with my problem. I have an organization with branches connected through the internet by VPN. The first branch (B00) has two DCs in the 172.16.0.0/16 network and the second branch (B01) has one DC in the 172.17.0.0/16 network. All three DCs are built from sources (4.10.2) on freshly installed Debian Stretch. I am using the BIND9_DLZ backend.

So, the 2 DCs located in one building (B00) work flawlessly: DDNS updates, drs repl and so on. But when I join a new DC at the second building, nothing works on this new DC. I can't connect to it from RSAT and cannot make drs replication. When I try samba-tool drs showrepl -d 3, I get this message:

    Server ldap/B01DC01.CORP.COMPANY.RU at CORP.COMPANY.RU is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/B01DC01.CORP.COMPANY.RU at CORP.COMPANY.RU) unknown
    gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/B01DC01.CORP.COMPANY.RU failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER

When I try ldbsearch -H ldap://b00dc01 servicePrincipalName=ldap/B01DC01.corp.company.ru, I get zero search results.

My smb.conf is pretty simple on all nodes:

    [global]
    hosts allow = ALL
    server min protocol = NT1
    lanman auth = Yes
    ntlm auth = Yes
    netbios name = B00DC01
    realm = CORP.COMPANY.RU
    server role = active directory domain controller
    server services = -dns
    workgroup = CORP
    idmap_ldb:use rfc2307 = yes

    [sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

    [netlogon]
    path = /usr/local/samba/var/locks/sysvol/corp.company.ru/scripts
    read only = No

Please help me to fix this issue and finally join the remote DC correctly.
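The error above says the KDC has no ldap/ principal for the new DC, and the ldbsearch confirms the SPN is absent from the directory. The following is an added example, not from the post or from Samba, of a small check that compares a DC's computer-object LDIF (as returned by ldbsearch) against the minimal SPN set a DC needs; the helper name missing_spns, the assumed ldbsearch filter and the two LDIF samples are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): given a DC's FQDN and the
# LDIF text returned by ldbsearch for that DC's computer object, print each
# required SPN that is missing. Matching is case-insensitive, as SPNs are in AD.
# Assumed live query to obtain the LDIF from a healthy DC:
#   ldbsearch -H ldap://b00dc01 '(sAMAccountName=B01DC01$)' servicePrincipalName
missing_spns() {
    fqdn="$1"   # e.g. B01DC01.corp.company.ru
    ldif="$2"   # LDIF text (one "servicePrincipalName: ..." per line)
    realm=$(printf '%s' "$fqdn" | cut -d. -f2- | tr 'A-Z' 'a-z')
    short=$(printf '%s' "$fqdn" | cut -d. -f1)
    # Minimal set assumed here for LDAP, host and GC Kerberos authentication;
    # a real DC also carries further SPNs (e.g. the _msdcs GUID-based ones).
    for spn in "ldap/$fqdn" "HOST/$fqdn" "HOST/$short" "GC/$fqdn/$realm"; do
        if ! printf '%s\n' "$ldif" | grep -iqxF -- "servicePrincipalName: $spn"; then
            echo "$spn"
        fi
    done
}

# Constructed sample: a broken join where only the HOST SPNs were registered.
BROKEN_LDIF='dn: CN=B01DC01,OU=Domain Controllers,DC=corp,DC=company,DC=ru
servicePrincipalName: HOST/B01DC01.corp.company.ru
servicePrincipalName: HOST/B01DC01'

# Constructed sample: a DC with the full minimal set present.
HEALTHY_LDIF='dn: CN=B00DC01,OU=Domain Controllers,DC=corp,DC=company,DC=ru
servicePrincipalName: HOST/B00DC01.corp.company.ru
servicePrincipalName: HOST/B00DC01
servicePrincipalName: ldap/B00DC01.corp.company.ru
servicePrincipalName: GC/B00DC01.corp.company.ru/corp.company.ru'

# Usage: prints the SPNs the broken DC still lacks (ldap/... and GC/...).
missing_spns B01DC01.corp.company.ru "$BROKEN_LDIF"
```

Replace the embedded sample with the live ldbsearch output to check a real DC; an empty result means the minimal set is present.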