On Wed, 21 Aug 2024 13:46:05 +0200
Léo via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I come to you after several days of research about my problem: I
> cannot make Windows clients join my Samba AD domain anymore.
>
> My domain is built with two Samba AD DCs, dc1 and dc2, that are both
> Debian 12.6 up to date and use the Debian samba packages
> (4.17.12+dfsg-0+deb12u1). dc1 has all FSMO roles.
>
> When I try to make a Windows computer join the domain, I get an error
> saying the domain could not be contacted. Logs are:
>
>
> C:\Windows\debug\dcdiag.txt:
> ---
> DNS was successfully queried for the service location (SRV) resource
> record used to locate a domain controller for domain
> "ad.example.com":
>
> The query was for the SRV record for
> _ldap._tcp.dc._msdcs.ad.example.com
>
> The following domain controllers were identified by the query:
> dc2.ad.example.com
> dc1.ad.example.com
>
>
> However no domain controllers could be contacted.
>
> Common causes of this error include:
>
> - Host (A) or (AAAA) records that map the names of the domain
> controllers to their IP addresses are missing or contain incorrect
> addresses.
>
> - Domain controllers registered in DNS are not connected to the
> network or are not running.
> ---
>
>
> C:\Windows\debug\NetSetup.LOG:
> ---
> 08/21/2024 00:18:10:477
> -----------------------------------------------------------------
> 08/21/2024 00:18:10:477 NetpValidateName: checking to see if 'PC11' is
> valid as type 1 name
> 08/21/2024 00:18:10:477 NetpCheckNetBiosNameNotInUse for 'PC11'
> [MACHINE] returned 0x0
> 08/21/2024 00:18:10:477 NetpValidateName: name 'PC11' is valid for
> type 1
> 08/21/2024 00:18:10:477
> -----------------------------------------------------------------
> 08/21/2024 00:18:10:477 NetpValidateName: checking to see if 'PC11' is
> valid as type 5 name
> 08/21/2024 00:18:10:477 NetpValidateName: name 'PC11' is valid for
> type 5
> 08/21/2024 00:18:10:477
> -----------------------------------------------------------------
> 08/21/2024 00:18:10:477 NetpValidateName: checking to see if
> 'ad.example.com' is valid as type 3 name
> 08/21/2024 00:18:10:477 NetpValidateName: 'ad.example.com' is not a
> valid NetBIOS domain name: 0x7b
> 08/21/2024 00:18:25:477 NetpCheckDomainNameIsValid for ad.example.com
> returned 0x54b, last error is 0x0
> 08/21/2024 00:18:25:477 NetpCheckDomainNameIsValid [ Exists ] for '
> ad.example.com' returned 0x54b
> ---
>
> Most resources online say this can come from:
> - connectivity issues: I removed all firewall rules, on DC hosts and
> on the network, no change
> - name resolution issues: I checked the Windows PC is correctly
> using both DCs as DNS resolvers, I also used the samba_dnsupdate to
> make sure DNS records are correct, and also manually checked these
> records from the Windows PC, I could not find any problem in them.
>
> I also ran other diagnostic commands:
> - samba-tool drs showrepl: no sync issues between both DCs,
> - samba-tool dbcheck --cross-ncs --fix: no fixes required
>
> On Linux clients, I noticed that they can join the domain when using
> sssd, but have the same problem as Windows clients when trying to join
> with samba-tool or net ads join commands.
>
> I hope someone can help figure this out!
>
> Thank you!
>
> Leo

Can we start by seeing the smb.conf file from one of the DCs (I take
it they are similar)?

Rowland