When you join Samba as an additional Domain Controller to an Active Directory, neither the A record for the new DC is added, nor the CNAME of the objectGUID pointing to the hostname:

    # host -t A {DCHostname}.samdom.example.com.
    Host {DCHostname}.samdom.example.com. not found: 3(NXDOMAIN)

    # host -t CNAME {objectGUID}._msdcs.samdom.example.com.
    Host {objectGUID}._msdcs.samdom.example.com. not found: 3(NXDOMAIN)

Currently users have to add these two DNS records manually. See https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Check_DNS_entries

We should do this automatically during the domain join.
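The manual workaround the wiki link describes, as an added example script that is not part of the bug report and not Samba's own code: look up the two records with `host`, and for each one that is missing emit (or, with DRY_RUN=0, run) the `samba-tool dns add` command that creates it on an existing DC. The hostnames, the address, the zone, the placeholder objectGUID and the `ad1`/`ad2` names are assumptions standing in for a real deployment; the objectGUID of the new DC's NTDS Settings object has to be obtained from its sam.ldb (the wiki uses `ldbsearch ... '(invocationId=*)' --cross-ncs objectguid` for that).

```shell
#!/bin/sh
# Added example (not from the bug report or from Samba): check for the A and
# CNAME records a newly joined Samba DC lacks and add them via samba-tool.
# Every default below is an assumption; override it from the environment.
set -eu

DC_HOST="${DC_HOST:-ad2}"                        # short hostname of the new DC
DC_IP="${DC_IP:-192.168.1.20}"                   # its address
DOMAIN="${DOMAIN:-samdom.example.com}"           # AD DNS zone
# objectGUID of the new DC's NTDS Settings object (placeholder value); read it
# on the new DC with:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
DC_GUID="${DC_GUID:-00000000-0000-0000-0000-000000000000}"
SOURCE_DC="${SOURCE_DC:-ad1.$DOMAIN}"            # existing DC that takes the update
ADMIN="${ADMIN:-administrator}"
DRY_RUN="${DRY_RUN:-1}"                          # 1: print the commands, 0: run them

# record_missing OUTPUT: succeed when `host` output reports the name as absent.
record_missing() {
    case "$1" in
        *NXDOMAIN*) return 0 ;;
        *)          return 1 ;;
    esac
}

# lookup TYPE NAME: run host and return its output; never aborts the script.
lookup() { host -t "$1" "$2" 2>&1 || true; }

# The two samba-tool invocations from the wiki, built from the settings above.
a_record_cmd() {
    printf 'samba-tool dns add %s %s %s A %s -U %s' \
        "$SOURCE_DC" "$DOMAIN" "$DC_HOST" "$DC_IP" "$ADMIN"
}
cname_record_cmd() {
    printf 'samba-tool dns add %s _msdcs.%s %s CNAME %s.%s -U %s' \
        "$SOURCE_DC" "$DOMAIN" "$DC_GUID" "$DC_HOST" "$DOMAIN" "$ADMIN"
}

run_or_print() {
    if [ "$DRY_RUN" = 1 ]; then echo "$1"; else eval "$1"; fi
}

# fix_dc_records: add only what is actually missing, A record first, since the
# CNAME in _msdcs points at the A record's name.
fix_dc_records() {
    if record_missing "$(lookup A "$DC_HOST.$DOMAIN.")"; then
        run_or_print "$(a_record_cmd)"
    fi
    if record_missing "$(lookup CNAME "$DC_GUID._msdcs.$DOMAIN.")"; then
        run_or_print "$(cname_record_cmd)"
    fi
}

# Invoke as: DC_HOST=ad2 DC_IP=... DC_GUID=... ./fix-dc-dns.sh run
case "${1:-}" in
    run) fix_dc_records ;;
esac
```

Run it on the new DC with the resolver pointing at an existing DC so the `host` checks query the live zone; with DRY_RUN=1 (the default) it only prints the commands, which is the safer first pass. samba-tool prompts for the administrator password unless one is supplied with --password.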
I can confirm what Marc found. Today I updated to sernet-samba latest 4.1.14-10 on CentOS 6.5 and 6. with bind 9.9 built from https://github.com/remsnet/CentOS-Bind-DLZ, creating a new (fresh) sernet-samba deployment with ad1 as DC master at subnet 192.168.0 and ad2 as DC at 192.168.1:

    samba-tool domain provision --use-rfc2307 \
        --dns-backend=BIND9_DLZ \
        --workgroup=ADS \
        --function-level=2008_R2 \
        --site=master \
        --domain=ADS \
        --sid=S-1-5-21-974500379-1975925619-3590964749 \
        --host-name=ad1 \
        --host-ip=192.168.0.20 \
        --realm=SAMPLE.DOM \
        --adminpass=<pwd> \
        --ldapadminpass=<pwd> \
        --krbtgtpass=<pwd>

Then join the second, freshly set up ad2 with:

    samba-tool domain join SAMPLE.DOM DC -Uadministrator \
        --realm=SAMPLE.DOM \
        --dns-backend=BIND9_DLZ \
        --workgroup=ADS \
        --site=master \
        --server=ad1.SAMPLE.DOM \
        --password=<pwd>

Both the domain create and the domain join as DC "reported" success.

Error symptoms seen:
- the ad2 DNS A entries are only resolvable locally on ad2
- samba-tool drs kcc fails, saying that our ldap kcc is not registered with the realm due to failed DNS, error:
    Server ldap/AD2.@SAMPLE.DOM is not registered with our KDC: Miscellaneous failure (see text): Server (ldap/AD2.ADS.SOFTWAREENERGIE.EU@ADS.SOFTWAREENERGIE.EU) unknown
    SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
- samba-tool drs bind fails
- samba_dnsupdate --all-names fails on dc2
- samba_dnsupdate --all-names works on dc1
- samba_dnsupdate --all-names on dc2 works only if the first nameserver IP in /etc/resolv.conf points to ad1
- samba-tool dns zonecreate ad2.ADS.SOFTWAREENERGIE.EU 0.168.192.in-addr.arpa with KRB works and is replicated to ad1, but any samba-tool dns add/update on ad2 using that new subzone fails
- samba-tool drs showrepl fails with drsException (8, 'WERR_NOMEM') ...
  resulting in "raise drsException("DRS connection to %s failed: %s" % (server, e))"

    # samba-tool dns update ad1.SAMPLE.DOM SAMPLE.DOM ad1.SAMPLE.DOM A 192.168.1.20 192.168.1.20
    Unknown parameter encountered: "send spnego principal"
    Ignoring unknown parameter "send spnego principal"
    Processing section "[netlogon]"
    Processing section "[sysvol]"
    Processing section "[home]"
    Processing section "[homes]"
    Processing section "[profiles]"
    Processing section "[users]"
    Processing section "[groups]"
    Processing section "[srv]"
    Processing section "[testsmb]"
    pm_process() returned Yes
    GENSEC backend 'gssapi_spnego' registered
    GENSEC backend 'gssapi_krb5' registered
    GENSEC backend 'gssapi_krb5_sasl' registered
    GENSEC backend 'sasl-DIGEST-MD5' registered
    GENSEC backend 'schannel' registered
    GENSEC backend 'spnego' registered
    GENSEC backend 'ntlmssp' registered
    GENSEC backend 'krb5' registered
    GENSEC backend 'fake_gssapi_krb5' registered
    Using binding ncacn_ip_tcp:ad1.SAMPLE.DOM[,sign]
    Mapped to DCERPC endpoint 135
    added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
    added interface eth0 ip=192.168.1.20 bcast=192.168.26.255 netmask=255.255.255.0
    added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
    added interface eth0 ip=192.168.1.20 bcast=192.168.26.255 netmask=255.255.255.0
    Mapped to DCERPC endpoint 1024
    added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
    added interface eth0 ip=192.168.1.20 bcast=192.168.26.255 netmask=255.255.255.0
    added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
    added interface eth0 ip=192.168.1.20 bcast=192.168.26.255 netmask=255.255.255.0
    ERROR: Record does not exist

Within the BIND-DLZ usage of DC join, "samba-tool domain join" should:

1- test if <SAMPLE.DOM> exists; if so, create the DNS A for ad2 within the given realm and domain.
2- test if ad2 is an LDAP member; if not, force-correct that after the DNS A is created
3- test if ad2 is a KDC member; if not, force-correct that after the DNS A is created
4- publish an updated krb5.conf sample that adds a new line kdc = ad2 at [realms]:
    SAMPLE.DOM = {
        kdc = ad1.SAMPLE.DOM
        kdc = ad2.SAMPLE.DOM
        ...
    }
5- run samba_dnsupdate --all-names in "dc join mode" (does not exist today):
   - update dc2 DNS entries
   - update dc1 DNS entries for dc2
   - check that DNS has been updated as expected

IF 5- fails, then report that the domain join failed using samba4 DLZ.

The reason for all this: ADS is based massively on DNS; DNS entries must exist.

This bug LOOKS critical and should be fixed ASAP within 4.1 and up.
Is this just a case that the DNS updates are made to the local DC (that just joined) and, because they are not (at that point) known to the rest of the domain, and are critical to replication, they are not replicated to the rest of the system?
(In reply to Andrew Bartlett from comment #3) The two missing DNS records aren't in the local databases of the newly joined DC nor in the existing AD.
This is fixed with Samba 4.7. See WHATSNEW of Samba 4.7. In earlier versions a manual samba_dnsupdate was required as a workaround.