> > ntlm auth = mschapv2-and-ntlmv2-only
>
> Why do you need the line above?
This is part of security hardening, to prevent the use of NTLMv1
authentication protocol (except for MSCHAPv2 authentication scheme)
> > restrict anonymous = 2
> > disable netbios = yes
>
> I am not sure that is the correct way to do it on a DC, I do know that
> the 'nbt' server (the DC variant of nmbd) is running.
This is also part of the security hardening. Same for disabling
printing services, etc.
> There isn't anything there that should be stopping you joining
> computers, which sounds like a dns problem, so I would start by
> checking your dns.
Well, I checked all records from this list:
https://learn.microsoft.com/en-us/archive/technet-wiki/7608.srv-records-registered-by-net-logon
and all of them seem to be working.
Also, nltest /dnsgetdc:ad.example.com correctly fetches the two samba
DCs, but nltest /dsgetdc:ad.example.com fails (0x54b
ERROR_NO_SUCH_DOMAIN), like in the logs of my first message. It is
like Windows was not actually using DNS to find the domain, but I
think this is the default on recent editions, right?
> The other question I should have asked is, what are the Windows clients?
Clients are Windows Server 2022 or Windows 10.
> PS, please do not 'CC' me, just reply to the list.
Sorry about that :/
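Added example, not part of the thread or of Samba's own tooling: a small audit script that parses the [global] section of an smb.conf and reports what the hardening lines discussed above actually allow, in particular whether any `ntlm auth` value still permits NTLMv1 outside MSCHAPv2. The sample configuration, the defaults assumed when a key is absent (`ntlm auth` defaulting to `ntlmv2-only`, as in current Samba releases), and the `audit_global` / `parse_smb_conf` function names are constructed for this illustration.

```python
import configparser

# Constructed sample smb.conf: the three hardening lines quoted in the
# thread, plus a DC server role so the DC-specific note is exercised.
SAMPLE_SMB_CONF = """
[global]
    workgroup = AD
    realm = AD.EXAMPLE.COM
    server role = active directory domain controller
    ntlm auth = mschapv2-and-ntlmv2-only
    restrict anonymous = 2
    disable netbios = yes
"""

# Documented values of 'ntlm auth' and whether each one still lets a
# client authenticate with plain NTLMv1 (MSCHAPv2 use is a separate case).
NTLMV1_ALLOWED_BY_VALUE = {
    "ntlmv1-permitted": True,
    "yes": True,
    "ntlmv2-only": False,
    "no": False,
    "mschapv2-and-ntlmv2-only": False,  # NTLMv1 only inside MSCHAPv2
    "disabled": False,                  # no NTLM at all
}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}} with keys
    lower-cased and inner whitespace collapsed ("ntlm  auth" -> "ntlm auth")."""
    cp = configparser.ConfigParser(
        interpolation=None,
        strict=False,                    # smb.conf tolerates repeated keys
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=None,
    )
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def audit_global(conf):
    """Report the effective state of the hardening-relevant [global] keys.

    Defaults used for absent keys are assumptions for this example:
    ntlm auth = ntlmv2-only, restrict anonymous = 0, disable netbios = no.
    """
    g = conf.get("global", {})
    ntlm = g.get("ntlm auth", "ntlmv2-only").strip().lower()
    report = {
        "ntlm auth": ntlm,
        # None means an unrecognised value that needs a manual look.
        "ntlmv1 allowed": NTLMV1_ALLOWED_BY_VALUE.get(ntlm),
        "restrict anonymous": int(g.get("restrict anonymous", "0").strip()),
        "disable netbios": g.get("disable netbios", "no").strip().lower()
        in ("yes", "true", "1"),
        "is dc": "domain controller" in g.get("server role", "").lower(),
        "notes": [],
    }
    if report["ntlmv1 allowed"] is True:
        report["notes"].append("ntlm auth permits NTLMv1 for any client")
    elif report["ntlmv1 allowed"] is None:
        report["notes"].append("ntlm auth has an unrecognised value: %r" % ntlm)
    if report["restrict anonymous"] == 0:
        report["notes"].append("restrict anonymous is 0 (anonymous access not limited)")
    if report["is dc"] and report["disable netbios"]:
        report["notes"].append(
            "disable netbios = yes on a DC: confirm this matches what the "
            "nbt server and the Windows clients expect"
        )
    return report


if __name__ == "__main__":
    for key, value in audit_global(parse_smb_conf(SAMPLE_SMB_CONF)).items():
        print("%-20s %s" % (key, value))
```

Run against a real file with `audit_global(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the `notes` list is empty only when NTLMv1 is off and anonymous access is restricted, so it is convenient to wire into a configuration check.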