Rick Hollinbeck
2020-Feb-08 23:39 UTC
[Samba] Samba 4.11.6 cannot JOIN - 'Could not find machine account'
A small update... I was able to remove the "Cannot reach a KDC" errors by disabling AppArmor. However, the original WERR_DNS_ERROR_RCODE_NAME_ERROR error remains and is now the first error in the log.

> Thanks for the help with this, Rowland.
>
> > Were these 2008 DCs upgraded from an earlier version? (2000, 2003)
>
> Yes, the two Windows servers were migrated over the years to Server 2008 (one is 2008 R2).
> I've now moved the _msdcs folder and made it a zone in the forest, restarted NETLOGON,
> and set the functionality of the forest to Server 2008, then rebooted both Windows servers.
> This seems to be working fine, on the Windows servers and with other Windows client PCs.
>
> BTW, this same Samba join error was happening before I did all that, though, and it didn't
> seem to help to raise functionality.
>
> But it does seem like some permission on the Windows side might be missing for the new
> Samba DC to join the domain.
> I would think that the administrator password provided to samba-tool would be enough, though.
>
> This issue is similar:
> https://bugzilla.samba.org/show_bug.cgi?id=13298
>
> Here is how I am attempting the join (my bash script):
> -----
> echo "Stopping Samba services..."
> service samba stop >/dev/null || true
> service samba-ad-dc stop >/dev/null || true
> service smbd stop >/dev/null || true
> service nmbd stop >/dev/null || true
>
> echo "Deleting Samba configuration file..."
> rm -f /etc/samba/smb.conf
> echo "Deleting Kerberos configuration file..."
> rm -f /etc/krb5.conf
>
> echo "Clean up *.tdb and *.ldb files (samba DBs)..."
> DIRS=$(smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | cut -d: -f2)
> for dir in $DIRS; do
>     echo " Clearing $dir ..."
>     find $dir \( -name "*.tdb" -or -name "*.ldb" \) -delete || true
> done
>
> rm -f Sambajoin.log
> samba-tool domain join OFFICE.EXAMPLE.COM DC --server=SERVI.OFFICE.EXAMPLE.COM -U"OFFICE\\administrator" --password=TheActualPassword --dns-backend=BIND9_DLZ -d3 >Sambajoin.log 2>&1
> samba-tool user setexpiry administrator --noexpiry
> samba-tool domain exportkeytab /etc/krb5.keytab
> ------
>
> > Also, can we see more of the join output, what you posted is usually the
> > fallout from a failed join and is usually meaningless, I think there
> > will be a line similar to 'join failed', we need to see what is above this.
>
> There were several "Cannot reach a KDC" messages prior to the
> WERR_DNS_ERROR_RCODE_NAME_ERROR in the log.
> (Not sure if these are relevant.)
>
> Start of JOIN log...
> --------
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name SERVI.OFFICE.EXAMPLE.COM<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name SERVI.OFFICE.EXAMPLE.COM<0x20>
> Cannot reach a KDC we require to contact (null) : kinit for administrator at OFFICE failed (Cannot contact any KDC for requested realm)
>
> gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/SERVI.OFFICE.EXAMPLE.COM failed (next[ntlmssp]): NT_STATUS_NO_LOGON_SERVERS
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
>
> ...ETC.
> -------------
>
> Eventually the fatal WERR_DNS_ERROR_RCODE_NAME_ERROR occurs later when
> adding the A record for the new server is attempted.
>
> Either something very subtle (or very obvious) is going on here!
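A pre-flight DNS check for the join procedure quoted above, added here as an example and not part of the original thread: it confirms, before `samba-tool domain join` is run, that the KDC/LDAP SRV records and the `_msdcs` names the joining DC needs actually resolve. It assumes `dig` is installed; the realm and target DC names are the ones from the post.

```shell
#!/bin/sh
# Pre-flight DNS checks to run on the prospective Samba DC before
# `samba-tool domain join <realm> DC`. Added example, not from the thread.
# Assumes `dig` is installed; realm/DC names below are the ones in the post.

# Lower-case realm -> the SRV names a joining DC must be able to resolve.
# The _msdcs entries are the ones affected by where the _msdcs zone lives.
required_srv_names() {
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' \
        "_ldap._tcp.$realm" \
        "_kerberos._tcp.$realm" \
        "_kerberos._udp.$realm" \
        "_kpasswd._udp.$realm" \
        "_ldap._tcp.dc._msdcs.$realm" \
        "_kerberos._tcp.dc._msdcs.$realm" \
        "_ldap._tcp.pdc._msdcs.$realm"
}

# Query one record ($1=type, $2=name, $3=DNS server to ask, or empty).
# Prints OK/MISSING and returns non-zero when nothing came back.
check_record() {
    if [ -n "$3" ]; then ans=$(dig +short "$1" "$2" "@$3" 2>/dev/null)
    else ans=$(dig +short "$1" "$2" 2>/dev/null); fi
    if [ -n "$ans" ]; then printf 'OK      %-4s %s\n' "$1" "$2"; return 0; fi
    printf 'MISSING %-4s %s\n' "$1" "$2"; return 1
}

# Run all checks ($1=realm, $2=target DC, $3=DNS server, optional).
# Returns the number of failed lookups, so 0 means the names the join needs resolve.
preflight() {
    fails=0
    lrealm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # The target DC itself, then the _msdcs delegation: a separate _msdcs zone
    # carries its own NS records, a plain folder inside the parent zone does not.
    check_record A  "$2" "$3"             || fails=$((fails + 1))
    check_record NS "_msdcs.$lrealm" "$3" || fails=$((fails + 1))
    for n in $(required_srv_names "$1"); do
        check_record SRV "$n" "$3"        || fails=$((fails + 1))
    done
    echo "failed lookups: $fails"
    return "$fails"
}

# Usage: sh preflight.sh OFFICE.EXAMPLE.COM SERVI.OFFICE.EXAMPLE.COM [dns-server]
if [ "$#" -ge 2 ]; then preflight "$1" "$2" "${3:-}"; fi
```

Pass the Windows DC's address as the third argument to query it directly, which separates "the record does not exist" from "this host's resolver is not pointed at the domain DNS".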