Topic: ZENTYAL 5.0.7 unable to connect to Windows 2008 Domain

fintnovo

« on: March 19, 2017, 02:11:35 pm »
Good day.
The problem occurs while connecting Zentyal 5.0.7 (Development Edition) as an additional Domain Controller to a Windows 2008 domain - XXX.local.
Other workstations and Windows servers connect to the domain without problems.

During connection the following errors occur:

Some modules reported error when saving changes . More information on the logs in /var/log/zentyal/
The following modules failed while saving their changes, their state is unknown: samba

In /var/log/zentyal.log there is the following:

2017/03/19 15:10:13 INFO> Provision.pm:825 EBox::Samba::Provision::checkAddress - Resolving dc.XXX.local to an IP address
2017/03/19 15:10:13 INFO> Provision.pm:845 EBox::Samba::Provision::checkAddress - The DC dc.XXX.local has been resolved to 192.168.10.201
2017/03/19 15:10:13 INFO> Provision.pm:848 EBox::Samba::Provision::checkAddress - Checking reverse DNS resolution of '192.168.10.201'...
2017/03/19 15:10:13 INFO> Provision.pm:872 EBox::Samba::Provision::checkAddress - The IP address 192.168.10.201 does not have associated PTR record
2017/03/19 15:10:13 INFO> Provision.pm:771 EBox::Samba::Provision::checkServerReachable - Checking if AD server '192.168.10.201' is online...
2017/03/19 15:10:13 INFO> Provision.pm:881 EBox::Samba::Provision::checkFunctionalLevels - Checking forest and domain functional levels...
2017/03/19 15:10:13 INFO> Provision.pm:909 EBox::Samba::Provision::checkRfc2307 - Checking RFC2307 compliant schema...
2017/03/19 15:10:13 INFO> Provision.pm:790 EBox::Samba::Provision::checkLocalRealmAndDomain - Checking local domain and realm...
2017/03/19 15:10:13 INFO> Provision.pm:983 EBox::Samba::Provision::checkClockSkew - Checking clock skew with AD server...
2017/03/19 15:10:13 INFO> Provision.pm:1004 EBox::Samba::Provision::checkClockSkew - Clock skew below two minutes, should be enough.
2017/03/19 15:10:13 INFO> Provision.pm:690 EBox::Samba::Provision::checkDnsZonesInMainPartition - Checking for old DNS zones stored in main domain partition...
2017/03/19 15:10:13 INFO> Provision.pm:737 EBox::Samba::Provision::checkForestDomains - Checking number of domains inside forest...
2017/03/19 15:10:13 INFO> Provision.pm:943 EBox::Samba::Provision::checkTrustDomainObjects - Checking for domain trust relationships...
2017/03/19 15:10:13 INFO> Provision.pm:1045 EBox::Samba::Provision::checkADServerSite - Checking the site where the specified server is located
2017/03/19 15:10:13 INFO> Provision.pm:1053 EBox::Samba::Provision::checkADServerSite - The specified server has been located at site named Default-First-Site-Name
2017/03/19 15:10:13 INFO> Provision.pm:1070 EBox::Samba::Provision::checkADNebiosName - Checking domain neXXXos name...
2017/03/19 15:10:13 INFO> Provision.pm:1293 EBox::Samba::Provision::provisionADC - Joining to domain 'XXX.local' as DC
2017/03/19 15:10:14 INFO> Provision.pm:1306 EBox::Samba::Provision::provisionADC - Trying to get a kerberos ticket for principal 'ADMIN@XXX.LOCAL'
2017/03/19 15:10:14 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -e arcfour-hmac-md5 --password-file='/var/lib/zentyal/tmp/KOSxAe' 'ADMIN@XXX.LOCAL' failed.
Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm XXX.LOCAL

Command output: .
Exit value: 1 at root command kinit -e arcfour-hmac-md5 --password-file='/var/lib/zentyal/tmp/KOSxAe' 'ADMIN@XXX.LOCAL' failed.
Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm XXX.LOCAL

I've checked that the following is OK:

1. Port 88 on the AD controller (192.168.10.201) is open
2. Time on both servers is correct
3. Admin users and passwords to join the domain are correct

Why can I not get a Kerberos ticket for principal 'ADMIN@XXX.LOCAL'?

mcoa

Re: ZENTYAL 5.0.7 unable to connect to Windows 2008 Domain
« Reply #1 on: April 22, 2017, 01:19:25 am »
Hello,
I have the same error with Zentyal 5.0 when I try setting up an additional domain controller:


Quote
2017/04/21 19:50:57 ERROR> GlobalImpl.pm:661 EBox::GlobalImpl::saveAllModules - Failed to save changes in module samba: root command kinit -e arcfour-hmac-md5 --password-file='/var/lib/zentyal/tmp/nrACf9' 'user@EXAMPLE.COM' failed.
Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM

Command output: .
Exit value: 1


1. Both (primary and secondary) have the same date (synced with NTP)
2. I don't have a firewall between the servers
3. Telnet to the primary server on port 88 is OK
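
A triage helper for logs in the format quoted in this thread, added here as an example; it is not part of either post and is not Zentyal code. It lists the provisioning steps logged before each failed root command and pulls out the enctype, principal and error text. The sample lines are constructed, and `triage` and `opt_value` are hypothetical names.

```python
import re
import shlex

# Constructed sample in the format of the zentyal.log excerpts above (not real output).
SAMPLE_LOG = """\
2017/03/19 15:10:13 INFO> Provision.pm:771 EBox::Samba::Provision::checkServerReachable - Checking if AD server '192.0.2.10' is online...
2017/03/19 15:10:13 INFO> Provision.pm:983 EBox::Samba::Provision::checkClockSkew - Checking clock skew with AD server...
2017/03/19 15:10:14 INFO> Provision.pm:1306 EBox::Samba::Provision::provisionADC - Trying to get a kerberos ticket for principal 'ADMIN@EXAMPLE.TEST'
2017/03/19 15:10:14 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -e arcfour-hmac-md5 --password-file='/var/lib/zentyal/tmp/PLACEHOLDER' 'ADMIN@EXAMPLE.TEST' failed.
Error output: kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.TEST
"""

ENTRY = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d (\w+)> \S+:\d+ (\S+) - (.*)$")
ROOT_CMD = re.compile(r"root command (.+) failed\.")

def opt_value(argv, flag):
    """Return the argument following `flag`, or None if absent."""
    i = argv.index(flag) if flag in argv else -1
    return argv[i + 1] if 0 <= i < len(argv) - 1 else None

def triage(log_text):
    """Return one dict per failed root command, with the steps logged before it."""
    steps, failures, current = [], [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            level, func, msg = m.groups()
            current = None
            cmd = ROOT_CMD.search(msg) if level == "ERROR" else None
            if cmd:
                argv = shlex.split(cmd.group(1))
                current = {"argv0": argv[0], "steps_before": list(steps), "error": None,
                           "enctype": opt_value(argv, "-e"),
                           "principal": next((a for a in argv[1:] if "@" in a), None)}
                failures.append(current)
            elif level == "INFO":
                name = func.rsplit("::", 1)[-1]  # keep only the function name
                if name not in steps:
                    steps.append(name)
        elif current and line.startswith("Error output: "):
            # Continuation line that belongs to the preceding ERROR entry.
            current["error"] = line[len("Error output: "):]
    return failures

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```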