On Thu Dec 14 22:49:33 2023 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> On Thu Dec 14 19:27:29 2023 Matt Savin <matt at tegers.com> wrote:
> >
> > Hello Mark,
> >
> > When joining the domain, did you specify domain name as hprs.locl, or hprs
> > only? Please try to specify hprs.locl.
> >
> > BR,
> > Matt
>
> Matt - yes I did specify hprs.locl. I just tried it again and it failed again.
> This time I opened the "Detail" box which says:
>
> -------------------
> The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "hprs.locl":
>
> The error was: "DNS name does not exist."
> (error code 0x0000232B RCODE_NAME_ERROR)
>
> The query was for the SRV record for _ldap._tcp.dc._msdcs.hprs.locl
>
> Common causes of this error include the following:
>
> - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:
>
>   192.168.0.1
>
> - One or more of the following zones do not include delegation to its child zone:
>
>   hprs.locl
>   locl
>   . (the root zone)
> ------------------
>
> This looks significant. The IP of the DC is 192.168.0.2: dc1.hprs.locl. IP
> 192.168.0.1 is the Internet facing router and LAN DHCP server and is DC1's "dns
> forwarder".
>
> I'm guessing the Windows computer should be querying 192.168.0.2, not the
> router? What do you think? If so, how would I make it do that?

Yay! It works! The above error gave me the clue. I set the domain member to a static IP (for now) and set the DNS to 192.168.0.2 (my DC) instead of the router/dhcp-server at 192.168.0.1. The latter is still the gateway.
I then tried just joining the domain via Windows' normal "Rename this PC (advanced)", which is what I tried to do below, and that worked. I then unjoined the domain and ran the ForensiT Transwiz tool to both migrate the domain user to the new DC and join the domain. That also worked!!

The current/old DC uses --dns-backend=BIND9_FLATFILE so the whole DHCP and DNS resolution was a different game. With that config the Windows computer "just knew" to connect to the DC as the DNS. More experimentation needed with this new SAMBA_INTERNAL backend.

When I logged in as the domain user it had some trouble because it's looking for things (e.g. Desktop) in the 'Redirected Folders' and on the NAS (not connected), but otherwise it does look like the profile migrated. Next step is to configure Group Policies, including Redirected Folders.

So far so good. Thanks to all for your help thus far!!!

Thanks -- Mark

> >
> > On Thu, Dec 14, 2023 at 5:03 PM Mark Foley via samba <samba at lists.samba.org>
> > wrote:
> > > [deleted]
> > >
> > > Meanwhile more woes. I decided to skip the user profile migration and just
> > > join the domain. However, I tried specifying domains hprs.locl and hprs and
> > > in both cases I got the message:
> > >
> > > "The following error occurred attempting to join the domain "hprs": The
> > > specified domain either does not exist or could not be contacted."
> > >
> > > This is odd. My old 4.8.2 Samba had no trouble joining Windows members and
> > > the ForensiT tool Transwiz was, in fact, able to determine the domain (using
> > > hprs) and contact it.
> > >
> > > Does anyone have any idea why I cannot join this Windows 10 computer to
> > > the new 4.18.8 Domain?
> > >
> > > Here's my DC smb.conf.
> > > Other than the printer configs, this was generated
> > > by samba-tool provision:
> > >
> > > [global]
> > >     dns forwarder = 192.168.0.1
> > >     netbios name = DC1
> > >     realm = HPRS.LOCL
> > >     server role = active directory domain controller
> > >     workgroup = HPRS
> > >     idmap_ldb:use rfc2307 = yes
> > >     interfaces = lo, eth0
> > >     bind interfaces only = Yes
> > >
> > >     load printers = no
> > >     printing = bsd
> > >     printcap name = /dev/null
> > >     disable spoolss = yes
> > >
> > > [sysvol]
> > >     path = /var/lib/samba/sysvol
> > >     read only = No
> > >
> > > [netlogon]
> > >     path = /var/lib/samba/sysvol/hprs.locl/scripts
> > >     read only = No
> > >
> > > Thanks --Mark
> > >
> > > > On Wed, 13 Dec 2023 at 20:55, Mark Foley via samba <samba at lists.samba.org> wrote:
> > > > >
> > > > > I'm attempting to join a Windows 10 computer as a domain member to a Samba
> > > > > AD/DC. I'm trying to use a tool from ForensiT https://www.forensit.com called
> > > > > Transwiz. This tool is supposed to join the Windows computer to the domain AND
> > > > > migrate user profiles from a different domain to the new domain.
> > > > >
> > > > > I created the domain user on the DC using samba-tool. Then I ran transwiz on
> > > > > the Windows computer and answered the various questions as to domain name and
> > > > > user, and it began the process, but ended up with the error:
> > > > >
> > > > > "The following error occurred attempting to connect to the domain
> > > > > hprs.locl: The RPC server is unavailable."
> > > > >
> > > > > I started rpc on the DC and tried again, but got the same error.
> > > > >
> > > > > Supposedly this tool does work with Samba DCs. Any idea what the problem
> > > > > could be? It finds the DC just fine.
> > > > >
> > > > > Thanks --Mark
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2023-Dec-15 09:20 UTC
[Samba] Joining Windows 10 Domain Member to Samba AD/DC
On Fri, 15 Dec 2023 02:36:33 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Thu Dec 14 22:49:33 2023 Mark Foley via samba
> <samba at lists.samba.org> wrote:
> >
> > On Thu Dec 14 19:27:29 2023 Matt Savin <matt at tegers.com> wrote:
> >

I do not know who 'Matt Savin' is, but would he please reply to the list and not directly to the OP, it is awfully hard to follow a thread when you are only getting half of the conversation ;-)

The nameserver that any AD client uses must be able to resolve the AD zones, that is, if you ask it for a DC's record, it can return it. If your Windows clients are pointing at a nameserver that doesn't know where your AD nameservers are, it will return NXDOMAIN.

There are two ways around this: you set your external nameserver to forward all requests for your AD domain to a DC, or you use a DC as your Windows clients' nameserver.

Rowland