Re: [Samba] Testing Directory Replication issue
On 09/10/2013 05:26 AM, 郁苗成 wrote:
> Everything is ok except that "samba-tool drs showrepl" shows:
> Warning: No NC replicated for Connection!

Hi there,

not sure, but as far as I know this seems to be the default behavior [1]. I have this message on every samba4 setup I have deployed. As long as there are "0 consecutive failures" it's ok (I think...)

Regards
Peter

[1] https://lists.samba.org/archive/samba-technical/2011-November/080377.html

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

[Samba] Samba4 domain trust
Hi there,

I know domain trusts are currently not finished (as far as I know you can trust a Samba4 domain but not the other way). Is that still correct ?

And my main question: Does it matter if it is a Samba4-Only Domain or Samba4/Windows DC domain ? In my case it's Samba4 only with two different domains I would like to trust each other...

Best Regards
Peter

Re: [Samba] Win 2003 DC Demotion
On 07/23/2013 10:49 PM, Garth Keesler wrote:
> Sorry, I forgot to mention. This ONLY occurs when I join Samba 4.x to an existing Windows domain. When I join a Windows DC to an existing Samba 4.x domain, all works correctly including Forest and Domain bi-directional DNS repl.
>
> Thanx,
> Garth

Hi Garth,

It was once working in my test environment, but I do not know why. We had a little discussion some months ago [1]. But most of the time I was also having issues demoting Windows DCs (mostly with the samba-internal DNS database which told me the database is inconsistent as soon as I tried to add new records).

As we do have small environments with about 30 users and we do use puppet for deployment, I have chosen not to do migration/demoting of existing Windows domains. I am starting now from scratch with new Samba4 domains which seems to work very well with single or multiple domain controllers.

Sorry, not really helpful but I do not have an answer to the question. It's just my experience. Maybe it's because I'm using the "old" version which is used with Debian Wheezy, I don't know.

Regards
Peter

[1] https://lists.samba.org/archive/samba/2013-February/171583.html

Re: [Samba] Recently joined 2k3, shut down primary, seized roles, now have slight dns (maybe) problem.
On 05/03/2013 04:27 PM, Caio Zanolla wrote:
> Everything seems to be working fine except for dns management.

Hi Caio,

this is exactly the same issue I am facing and no solution so far. It even resolves perfectly for existing dns records on the Samba4 server, but no chance to add new records or connect with the windows mmc.

I am also very interested how to solve such issues. Or in general - how to handle samba integrated dns issues in a production environment.

Regards
Peter

[Samba] DNS questions
Hi there,

When adding an additional Samba4 domain controller to an existing Windows domain, it is (as far as I know) not possible to use bind for DNS. Is that correct ? Is it possible to change to Bind after adding the domain controller ?

Or a more generic question: are there any tasks to reconfigure DNS (for example if there are issues). A non-working DNS is the "most scary thing" to me...

I did some test scenarios adding a Samba4 dc to an existing domain, then demoting the windows server and usually most of my issues were DNS related - it was working but somehow I was unable to add new records...

Hope someone can give me a hint...or an idea to prevent such issues...

Thanks and best Regards
Peter

Re: [Samba] [SOLVED] replace Windows 2003 dc]
Sérgio Henrique wrote on Mon, Feb 25, 2013 at 04:26:30PM +:
> Solved.
>
> I have successfully migrated a windows 2008R2 domain to samba4 and then
> create a new samba domain as a replica.
>
> A lot of steps i had to introduce.

Hi Sérgio,

> 1- Working on DNS
> add samba dc to forest and domain dns _ldap values
> change DNS SOA to samba4 and add samba4 as NS

are you talking about these records:

_ldap._tcp.DomainDnsZones.example.local
_ldap._tcp.ForestDnsZones.example.local
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.local
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.example.local

? I'd like to add that to my checklist... ;-)

> 2- Working on fsmo
> run script fixfsmo.vbs
> samba-tool transfer all roles
> run adsedit and change samba dc fsMORoleOwner to samba dc

But you had to do that because your dcpromo command was failing, correct ? What is fixfsmo.vbs ? Is that a Server 2008 script?

> OUTBOUND NEIGHBORS
>
> DC=DomainDnsZones,DC=lisboa,DC=local
> Default-First-Site-Name\DC2 via RPC
> DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
> DC=ForestDnsZones,DC=lisboa,DC=local
> Default-First-Site-Name\DC2 via RPC
> DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)

and you got these outbound neighbors after adding the DNS SRV records mentioned above ? Somehow these two entries are also missing in my test environment with Server 2003...

Thanks
Peter

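The replication check that keeps coming up in this thread ("0 consecutive failures", and missing DomainDnsZones/ForestDnsZones neighbors), as an added example that is not from any of the posters or from the Samba project: a Python parser for saved "samba-tool drs showrepl" text that reports both conditions. The sample output, the example.local domain and all function names are constructed, and it assumes a single-domain forest, so both DNS partitions sit directly under the domain DN.

```python
import re

# Added example; parse_showrepl, replication_findings and SAMPLE are
# hypothetical names, not part of samba-tool.
DNS_PARTITIONS = ("DC=DomainDnsZones", "DC=ForestDnsZones")

SECTION_RE = re.compile(
    r"^(?:=+\s*)?(INBOUND NEIGHBORS|OUTBOUND NEIGHBORS|KCC CONNECTION OBJECTS)"
    r"(?:\s*=+)?$")
NC_RE = re.compile(r"^(?:DC|CN)=\S+$", re.IGNORECASE)
FAILURES_RE = re.compile(r"^(\d+) consecutive failure\(s\)\.?$")

# Constructed sample, shaped like the output quoted in the thread.
SAMPLE = r"""
==== INBOUND NEIGHBORS ====

DC=example,DC=local
    Default-First-Site-Name\DC2 via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).

DC=DomainDnsZones,DC=example,DC=local
    Default-First-Site-Name\DC2 via RPC
        3 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

DC=example,DC=local
    Default-First-Site-Name\DC2 via RPC
        0 consecutive failure(s).

==== KCC CONNECTION OBJECTS ====

Warning: No NC replicated for Connection!
"""


def parse_showrepl(text):
    """Return {section: {naming_context: [(partner, failures), ...]}}."""
    result = {"INBOUND NEIGHBORS": {}, "OUTBOUND NEIGHBORS": {}}
    section = nc = partner = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section, nc, partner = header.group(1), None, None
        elif section not in result:
            continue  # DSA header and KCC connection objects are not links
        elif NC_RE.match(line):
            nc, partner = line, None
            result[section].setdefault(nc, [])
        elif nc and line.endswith("via RPC"):
            partner = line[:-len("via RPC")].strip()
        elif nc and partner:
            failures = FAILURES_RE.match(line)
            if failures:
                result[section][nc].append((partner, int(failures.group(1))))
    return result


def replication_findings(text, domain_dn):
    """List missing DNS-partition links and links with failures > 0."""
    findings = []
    for section, ncs in parse_showrepl(text).items():
        present = {nc.lower() for nc in ncs}
        for prefix in DNS_PARTITIONS:
            wanted = f"{prefix},{domain_dn}"
            if wanted.lower() not in present:
                findings.append(f"{section}: no link for {wanted}")
        for nc, links in ncs.items():
            for partner, failures in links:
                if failures:
                    findings.append(
                        f"{section}: {nc} via {partner}: "
                        f"{failures} consecutive failure(s)")
    return findings


if __name__ == "__main__":
    for finding in replication_findings(SAMPLE, "DC=example,DC=local"):
        print(finding)
```

The "No NC replicated for Connection!" warning is deliberately not reported as a finding; section headers are accepted with or without the "====" decoration, so output pasted the way it appears in the message above parses too.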
Re: [Samba] dns zone type (primary,ad integrated)
Amitay Isaacs wrote on Tue, Feb 26, 2013 at 11:20:48AM +1100:
> Hi Peter,

Hi Amitay,

> What windows version are you running on windows DC? Depending on the
> windows version you will have to choose the --client-version.

As far as I can remember I've had this issue on a 2003 and 2008R2 test server, but maybe it's also related to my samba version (debian wheezy)

> Samba-tool dns command is used to manipulate DNS zones in AD and those
> zones will be replicated to other DCs.

So it does not matter on which DNS server the modification was made, if I understand correct, which also makes sense to me.

Thanks
Peter

Re: [Samba] [SOLVED] replace Windows 2003 dc
Sérgio Henrique wrote on Mon, Feb 25, 2013 at 10:27:17AM +:
> Hi Peter,
>
> I am unable to demote windows DC, i get always error when demoting windows
> AD on ForestDNSzones and DomainDNSzones, i have tried a lot of things.
>
> Raise forest level, keep at 2003, add samba to nameservers,etc...

Hi Sérgio,

do you get this message: http://tinypic.com/view.php?pic=140itd4&s=6 ?

This message is also shown in my test environment each time I run dcpromo to demote the Windows server. As far as I have seen it's no issue, if the replication is up to date.

I had issues if the operation levels were lower than 2003 and Samba was already joined to the domain. Then the only change that was possible for me was to raise to Windows 2000 native, but not 2003 anymore.

What I am doing after joining Samba to the domain:

* check the operation levels (before joining)
* check all the SRV records (usually added automatically)
* create a reverse zone if not already there
* add ns record for samba to all zones
* drink some coffee to ensure everything gets replicated
* check everything again, drink some more coffee
* again ;-)
* disable GC on the win server, running dcpromo

but I am still testing the whole migration, no long term experience, most of the time I reset my virtual machine and try again to ensure it still works...

> What i can see is that if i create a new samba4 as primary root domain and
> then add windows AD i have no problems.
>
> But my objective is to migrate current windows domain to samba4 and not
> the opposite.

I am sure that is working very good, but the problem is, our customers usually already have a working Windows environment (I think a lot of us have exactly this problem) and we need to takeover these domains and do not want to create everything from scratch ;-)

Regards
Peter

[Samba] dns zone type (primary,ad integrated)
hi guys,

is there a possibility to change dns zone options with samba-tool ?

if I create a zone with samba-tool on the Windows Dc, I need to set "--client-version=w2k", otherwise the command fails. But with that option I get a primary zone (not ad integrated) on the Windows server. I know it's possible to change that manually, but if there is an option to fix that with samba-tool, I would prefer samba-tool to manage.

The same command (without --client-version) against the samba-server works and creates an Active-Directory-integrated zone.

Is this by design ? Or in other words: does it matter if the zone is created on the samba server ? as it is ad-integrated it gets replicated anyway, or am I wrong ?

I am using samba-internal dns.

Regards
Peter

Re: [Samba] [SOLVED] replace Windows 2003 dc
Hi guys,

I did some more testing:

---
Scenario 1:

Server 2003 with Forest Operation Level 'Windows 2000' and domain operation Level 'Windows 2000 mixed' (which seems to be the default when setting up Server 2003):

After joining Samba4 to the domain I was unable to raise the level. Samba-tool just had an error, when trying to show the levels:

ERROR: Could not retrieve the actual domain, forest level and/or lowest DC function level!

And on the Windows DC the only change that was possible was to raise up the domain operating level to "Windows 2000 native". No other changes were possible

[cannot raise ...because this domain includes domain controllers that are not running the appropriate version of Windows]

I also got issues with replicate:

samba-tool drs replicate lab07 lab03 dc=domaindnszones,dc=adlab,dc=local
ERROR(): DsReplicaSync failed - drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 331, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

with option --local:

samba-tool drs replicate lab07 lab03 dc=domaindnszones,dc=adlab,dc=local --local
Partition[dc=domaindnszones,dc=adlab,dc=local] objects[26] linked_values[0]

the same behaviour with forestdnszones.

---
Scenario 2:

Then the same setup again, but _before_ joining Samba, the Domain and Forest level were raised up to 2003.

After joining the samba server, the levels were shown without issues: samba-tool was able to list the levels:

Domain and forest function level for domain 'DC=adlab,DC=local'
Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2003

Also replicating seems (after restart of samba) to work successfully (with all its options like full-sync, local,etc):

samba-tool drs replicate lab07 lab03 dc=domaindnszones,dc=adlab,dc=local
Replicate from lab03 to lab07 was successful.

samba-tool drs replicate lab07 lab03 dc=forestdnszones,dc=adlab,dc=local
Replicate from lab03 to lab07 was successful.

I was able to demote the Windows server like the times before.

My conclusion is to ensure the forest and domain operating levels _before_ joining the Samba server to the domain and do not hurry with replacing to ensure the replication was done completely prevents from lots of issues and headache...

I think the next test will be with Server 2008...

Regards
Peter

Re: [Samba] [SOLVED] replace Windows 2003 dc
Dustin C. Hatch wrote on Fri, Feb 22, 2013 at 05:58:51PM -0600:
> On 2/22/2013 15:22, Peter Beck wrote:
> >Dustin C. Hatch wrote on Fri, Feb 22, 2013 at
> >12:31:05PM -0600:
> My samba server works perfectly fine for all AD DC roles (including
> Kerberos) except DNS. In my real and test environments, the forest
> and domain functional levels are 2008 R2.

I've just tried again, but still with 2003 functional levels and it was working again, after removing the windows domain I was able to add new users, change password policies, remove and change dns records.

This time I installed Exchange 2003 on the Windows DC first (just to check if there are issues if Exchange is running on the dc. Exchange did not start after demoting the dc, btw). In productive environments we do not install Exchange, it was just to test if there are issues with replicating the schema or dcpromo fails while demoting..

after removing the windows dc I also rebooted the Samba server and tried to get a kerberos ticket, which was working as expected.

> Same as mine, as defined in the wiki article.

did you change your resolv.conf to the samba dc after removing the windows domain controller ? Silly question, but sometimes little things like that are the solution...

> I don't see a list of values for this property in smb.conf(5); where
> did you find this setting?
> >server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
> >ntp_signd, kcc, dnsupdate, smb, dns
> According to smb.conf(5), this is the default value for `server
> services`, less s3fs and plus smb. I don't think either of these
> would matter in this case.

the only value I have changed was adding +dns to the server services. the provision command was

"samba-tool domain join adlab.local DC -Uadministrator%password --realm=$hostname.$realm --use-ntvfs"

--use-ntvfs because I am running debian wheezy

> > dns forwarder = 8.8.8.8
> Again, this only affects queries outside the AD domain, so it
> shouldn't matter. I do have it set, though.

I know, just posted the complete config

> Yes, that adds the NS records to the domain, and I've tried that.
> Since the Samba server is a DNS server, this should be done
> automatically anyway. In any case, it doesn't help.

nameserver records for the samba dc are not automatically created in my test environments, I always have to add them manually.

> >after adding these records / checking other dns records (_ldap._tcp,
> >_kerberos etc) I've just did
> >
> These also should be added automatically if the Samba server is to
> be a DNS server, but adding them manually doesn't help either.

Yes, they are automatically added, but for me it's more safe to check before removing the windows domain controller ;-)

> >samba-tool drs replicate dc=adlab,dc=local --local
> This works fine
>
> >samba-tool drs replicate
> >dc=forestdnszones,dc=adlab,dc=local --local
> >samba-tool drs replicate
> >dc=domaindnszones,dc=adlab,dc=local --local
> These both fail because there is no outbound connection from the
> Samba server to the Windows server for these directory partitions.
> Adding them manually with repadmin works temporarily, but the KCC
> eventually removes them.

Never had issues like yours (at least - I can't remember). On the Windows dc in "active directory sites and services" it takes about 15 minutes until the replication is visible, but replicating from samba was never an issue on my machine.

> >if everything is well (which was the case each time I've tested it), i
> >moved the fsmo roles with samba-tool fsmo transfer --role=
> >
> Since Samba 4.0.3, which has a fix for the timeout problem, I have
> had no trouble moving the FSMO roles around. Regardless, until the
> DomainDnsZones and ForestDnsZones are replicated correctly, I cannot
> demote the Windows DC.

When demoting the Windows DC I get the message, that this DC holds the last replica for DomainDnsZones and ForestDnsZones, I've just checked remove them (otherwise dcpromo will cancel). So far everything still seems to work. I think this is because Windows still has the DNS server installed (?).

I use the debian package version from wheezy, which holds an older version, 4.0.0~beta2+dfsg1-3.1. transferring seems to be a "cosmetic issue" because even if there is a timeout message if you check 15 minutes later all roles are transferred correct.

Peter

Re: [Samba] [SOLVED] replace Windows 2003 dc
Dustin C. Hatch wrote on Fri, Feb 22, 2013 at 12:31:05PM -0600:
> On 2/22/2013 11:13, Sérgio Henrique wrote:
> >I guess the communication between MS AD and Samba4 is by kerberos, i have
> >copied the /opt/samba/private/krb5.conf to /etc after joined to domain
> >
> >I have installed a windows server at 2003 forest level as PDC then
> >installed samba4.0.3
> >join domain but everytime i am getting problems with forest and domain dns
> >zones...
> >
> I have the same issue. I've tried countless times to add a Samba DC
> to my (test) AD environment, but every time, it fails to add and
> outbound connection for the DomainDnsZones and ForestDnsZones
> directory partitions. In addition, the Samba server is not listed as
> a name server for either the root zone or the _msdcs zone.

yes, the basic setup is like it's written down in the Wiki pages at https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC. I get kerberos tickets without any issue.

I think the domain forest level is also important to raise up to 2003 (I can remember I also had issues earlier and then I've just raised the domain operation level). The forest operation level was something I've changed later... After raising up the operation level I always reboot the Windows Dc. Not sure if that is really needed... I for one will in future raise both levels up to 2003 _before_ I start deploying samba.

my krb.conf looks like this:

[libdefaults]
default_realm = ADLAB.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

and this is my smb.conf, not sure if allow dns updates is needed or not.

# Global parameters
[global]
server role = active directory domain controller
workgroup = ADLAB
realm = adlab.local
netbios name = LAB07
passdb backend = samba4
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
dns recursive queries = yes
allow dns updates = true
dns forwarder = 8.8.8.8

[netlogon]
path = /var/lib/samba/sysvol/adlab.local/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

The samba server is not configured as nameserver by default. you can add it either on windows if you right click the zone and add it to the "nameserver" tab or if you use samba-tool dns add. I prefer the second one.

to add it for example to the zone "adlab.local" you can use

samba-tool dns add adlab.local adlab.local NS .adlab.local

this will add an ns record for the zone "adlab.local" which looks like the existing entry for the windows dns "(same as parent folder)" and it will also automatically add the sambaserver into the "nameserver" tab of the zone.

after adding these records / checking other dns records (_ldap._tcp, _kerberos etc) I've just did

samba-tool drs replicate dc=adlab,dc=local --local
samba-tool drs replicate dc=forestdnszones,dc=adlab,dc=local --local
samba-tool drs replicate dc=domaindnszones,dc=adlab,dc=local --local

if everything is well (which was the case each time I've tested it), I moved the fsmo roles with

samba-tool fsmo transfer --role=

But as I mentioned before - I am also still testing at the moment ;-)

hope that helps

Regards
Peter

Re: [Samba] [SOLVED] replace Windows 2003 dc
Federico Nan wrote on Fri, Feb 22, 2013 at 08:36:56AM -0300:
> Wouw!
>
> And how do you handle the GPO and sysvol volumes? Did you copy them to the
> samba sysvol?
>
> I´ve been trying and it always fails in the fsmo transferring. Did you do
> this on the Windows MMC?

Hi Federico,

It was just a very basic test with a "naked" Windows 2003 DC and I did not test GPO/Sysvol transfers (only checked adding a GPO to the samba dc after removing the Windows DC, which was working perfect)

I've transferred the fsmo roles with samba-tool. fsmo seize did not work on my machine, there were always errors (can't remember exactly at the moment), transfer had a timeout the first try, but the second run was successful. I've also tried it with ntdsutil from Windows, exact the same behaviour (first try - timeout) so I think this is "normal".

From what I have seen it's also working with samba-tool the first time, even when there is a timeout message (I've used --role=all). After one run I left the computer to get some coffee and when I came back and checked the roles I could see that every role was now transferred...

The only thing I'm unsure is with dcpromo when demoting the Windows DC - I always get a message with "holds the last replication of Application Directory Partitions" - usually ForestDNS and DomainDNS partitions. I've just selected "delete them" and so far there was no issue.

But as mentioned, I'm also doing this in a little test environment and have often switched back to an earlier snapshot to try again...no long term experience.. ;-) I'm still testing...

Regards
Peter

[Samba] [SOLVED] replace Windows 2003 dc
Hi guys,

weehoo! Samba4 rocks ! Great work!

if someone is interested - I finally managed to replace a Windows DC successfully. (at least I hope so ;-)

this is what I have done:

* Windows DC: Domain and Forest Operation Level = 2003
* Reboot Windows DC (always a good idea on Windows ;-)
* joining the Samba Domain Controller to the existing 2003 domain
* adding a Reverse zone for my network in DNS (on Windows)
* replicating forestdnszones, domaindnszones
* on the Windows DC I've changed the nameserver for each zone to the samba domain controller (which automatically added an NS-record to dns)
* samba_dnsupdate --all-names --verbose
* removing the Global Catalog on the Windows DC (including reboot ;-)
* transferring all fsmo roles to the samba dc (what's the difference to seizing ? for me transfer seems to work more reliable..)
* demote the windows server

Now I am able to add or remove records in dns (with samba tool and on Windows with the MMC-Snapin) and it looks very good.

Now I think I just need to do some "cleaning" (removing dns entries for the replaced windows dc, etc).

Regards
Peter

Re: [Samba] S4 file server and DNS
Hervé Hénoch wrote on Tue, Feb 19, 2013 at 02:56:43PM +0100:
> Hello
>
> The problem seems to be with DNS dynamic updates. I insist on the
> fact that my DNS server is working (all tests were successful). Bind
> version is 9.8.1. Debian Wheeze.

Maybe it's related to bug 692416
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692416

The plan is to get bind 9.8.4.dfsg.P1-3 migrated to wheezy, which should support dynamic updates. As far as I know it's not working with the current version in wheezy.

hope that helps
Peter

Re: [Samba] replace Windows 2003 dc / dns issues
Peter Beck wrote on Thu, Feb 14, 2013 at 03:04:40AM +0100:

After lots of 'trial and error' I have done following scenario

* setup samba4 as additional dc (samba internal dns)
* added +dns to smb.conf server services, "dns recursive queries = yes" and "allow dns updates = true"
* on the windows dc I've added a recursive zone for my network and the samba4-dc in the "nameservers"-tab of each zone. Replication changed to "All dns servers". (still not sure if this is needed with ad integrated zones ?)
* replication with samba-tool/repadmin - no issues
* samba-tool drs replicate s4dc w2k3dc dc=domaindnszones,dc..- no errors
* samba-tool drs replicate s4dc w2k3dc dc=forestdnszones,dc..- no errors
* samba_dnsupdate --verbose - no errors
* dns was replicated completely now, including the entries inside the zones
* transferring the fsmo roles to samba4 - no issues
* disable global catalog for the windows dc
* dcpromo demote the windows server

I am still able to read the existing dns entries, but as soon as I try to update an existing entry or add an additional I get "the local security authority database contains an internal inconsistency" from Windows MMC-Snapin and samba-tool is reporting "uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')"

But adding additional zones and entries for them seems to work. It seems it's just dns related as adding groups and users is working fine.

Any ideas ? If there is a "best practice to replace an existing dc" I would like to contribute that to the samba Wiki...

Best Regards
Peter

[Samba] replace Windows 2003 dc / dns issues
Hi guys,

I'm about to replace an existing Windows Server 2003 Active Directory domain with Samba4 (package from Debian Wheezy).

Joining the Samba4 dc according the Samba Wiki[1] is working great, replication works without errors from both worlds (windows or samba).

After transferring the fsmo roles with ntdsutil to the samba4 domain controller (btw: does it matter if ntdsutil or samba-tool fsmo transfer is being used ?), I would like to demote the windows server and use samba4 only.

But if I shutdown the Windows DC, all DNS entries are "empty" on the samba side (the forward zones are created on the Samba server, but the only entries are the global catalog entries.)

The domain functional level was set to "Server 2003" (the highest available option with 2003) before adding the new Samba4 dc.

If I run samba_dnsupdate --verbose there are no errors - everything seems to be fine.

samba-tool dns zonelist shows me following zones

2 zone(s) found

pszZoneName : adlab.local
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType: DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.adlab.local

pszZoneName : _msdcs.adlab.local
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType: DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.adlab.local

My question now is, if the Windows Server will be demoted, do I need to add "dns" to the "server services" section in smb.conf ? (I would like to use Samba internal DNS) IMO it's needed when Samba is the only dc in the network. Is that correct ?

Do I also need to add the "nsupdate command" parameter to smb.conf after demoting the windows dc ?

How do I correctly move dns to the Samba Server and replace the Windows DC finally ? Is it needed to configure zone transfers from the Windows DC to the Samba Server ? (even if both dns are active directory integrated ?) But even if I enable transfers, there is no content on the samba server dns...

do I need to disable "Global Catalog" on the Windows DC before demoting the server ?

Lots of questions... There are lots of manuals how to add an additional DC, but somehow I am missing a howto for _replacing_ an existing DC with Samba4.

Thanks in advance
Peter

[1] https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC