4.0.rc2 drs issue

Matthieu Patou mat at samba.org
Wed Oct 17 23:43:39 MDT 2012


On 10/17/2012 12:53 PM, Gémes Géza wrote:
> Hi,
>
> I have a (production) domain created by a 3.5->4.0beta6(some git 
> version)->4.0rc2 upgrade path, with the last upgrade executed as a 
> join of a 4.0rc2 install (machine name dc1) and removal of the beta8 
> install (machine name dc0). Immediately after the removal of beta8 (I 
> wasn't able to demote it, however forcibly transferred the fsmo roles 
> to rc2) I've installed another instance of rc2 (with the same IP 
> address and name as beta8 had (dc0)) and joined it to rc2 (without 
> removing anything related to dc0 from the directory). Unfortunately 
> I've observed that drs is not working as expected (I had dc0 as an 
> incoming and outgoing replica partner on dc1, but dc1 was only an 
> incoming partner for dc0). Because of that I've decided to remove dc0 
> from the domain entirely to rejoin it cleanly (also plan to upgrade 
> both servers to rc3 in the process). Unfortunately dc0 won't demote as 
> it claims to hold still two roles, but samba-tool fsmo show gives (on 
> both servers) that all five roles are held by dc1. Being stuck on it 
> I've decided to forcibly remove it following: 
> http://technet.microsoft.com/en-us/library/cc736378%28WS.10%29.aspx
> After removal I've checked that dc0 disappeared without trace (except 
> dns where I've cleaned it out).
> After joining it back I still have:
> root@dc1:~# samba-tool drs showrepl
> Default-First-Site-Name\DC1
> DSA Options: 0x00000001
> DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
> DSA invocationId: 574709d5-5de7-472a-ba15-fc7b5ca97da0
>
> ==== INBOUND NEIGHBORS ====
>
> DC=DomainDnsZones,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC0 via RPC
>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> CN=Schema,CN=Configuration,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC0 via RPC
>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC0 via RPC
>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> DC=ForestDnsZones,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC0 via RPC
>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> CN=Configuration,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC0 via RPC
>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>         Last attempt @ NTTIME(0) was successful
^^^^^^^^^^^^^^^^^^^ This means that it has never replicated from this server
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> ==== OUTBOUND NEIGHBORS ====
>
> DC=DomainDnsZones,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC0 via RPC
>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> CN=Schema,CN=Configuration,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC0 via RPC
>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC0 via RPC
>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> DC=ForestDnsZones,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC0 via RPC
>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>         Last attempt @ NTTIME(0) was successful
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> CN=Configuration,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC0 via RPC
>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>         Last attempt @ NTTIME(0) was successful
^^^^^^^^^^^^^^^^^^^ in outgoing the nttime is always 0
>         0 consecutive failure(s).
>         Last success @ NTTIME(0)
>
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
>     Connection name: c9f0627b-6d81-4817-adca-1849005d0d7c
>     Enabled        : TRUE
>     Server DNS name : DC0.kzsdabas.hu
>     Server DN name  : CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kzsdabas,DC=hu
>         TransportType: RPC
>         options: 0x00000001
> Warning: No NC replicated for Connection!
>
> Which seems ok
no it's not
>
> and:
> root@dc0:~# samba-tool drs showrepl
> Default-First-Site-Name\DC0
> DSA Options: 0x00000001
> DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
> DSA invocationId: c733b71a-c093-4a0e-b990-839d8b9ffaf2
>
> ==== INBOUND NEIGHBORS ====
>
> DC=DomainDnsZones,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC1 via RPC
>         DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>         Last attempt @ Wed Oct 17 21:44:35 2012 CEST was successful
>         0 consecutive failure(s).
>         Last success @ Wed Oct 17 21:44:35 2012 CEST
>
> CN=Schema,CN=Configuration,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC1 via RPC
>         DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>         Last attempt @ Wed Oct 17 21:44:35 2012 CEST was successful
>         0 consecutive failure(s).
>         Last success @ Wed Oct 17 21:44:35 2012 CEST
>
> DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC1 via RPC
>         DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>         Last attempt @ Wed Oct 17 21:44:36 2012 CEST was successful
>         0 consecutive failure(s).
>         Last success @ Wed Oct 17 21:44:36 2012 CEST
>
> DC=ForestDnsZones,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC1 via RPC
>         DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>         Last attempt @ Wed Oct 17 21:44:35 2012 CEST was successful
>         0 consecutive failure(s).
>         Last success @ Wed Oct 17 21:44:35 2012 CEST
>
> CN=Configuration,DC=kzsdabas,DC=hu
>     Default-First-Site-Name\DC1 via RPC
>         DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>         Last attempt @ Wed Oct 17 21:44:36 2012 CEST was successful
>         0 consecutive failure(s).
>         Last success @ Wed Oct 17 21:44:36 2012 CEST
>
> ==== OUTBOUND NEIGHBORS ====
>
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
>     Connection name: 4eb7c88b-62c9-46d1-817d-15b5be7b9e41
>     Enabled        : TRUE
>     Server DNS name : DC1.kzsdabas.hu
>     Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kzsdabas,DC=hu
>         TransportType: RPC
>         options: 0x00000001
> Warning: No NC replicated for Connection!
>
> Which seems less perfect

Well, you should check the repsto and repsfrom attributes (use ldbsearch 
-H ldap://<ip> --cross-ncs --show-binary '(repsto=*)' repsfrom repsto).

Also check that on both hosts you can resolve the two following DNS names

<guid_ntds_server1>._msdcs.<domain>
<guid_ntds_server2>._msdcs.<domain>

Use this command:
  ./bin/ldbsearch -H ldap://<ip> '(invocationid=*)' --cross-ncs objectguid
to get the guid_ntds_server1 & guid_ntds_server2

Matthieu.



-- 
Matthieu Patou
Samba Team
http://samba.org
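
Added example (not part of the original message and not Samba code): a small parser for "samba-tool drs showrepl" text that applies the reading given in the reply, i.e. an inbound neighbour whose last success is NTTIME(0) has never been replicated from, while NTTIME(0) on outbound entries is normal, and that lists the <guid>._msdcs.<domain> names to resolve on both hosts. The sample text is constructed from pieces of the output quoted above; the function names are hypothetical, and it is assumed that the "DSA object GUID" values are the GUIDs used in those DNS names.

```python
import re

# Constructed sample, abridged from the showrepl output quoted in this thread.
SAMPLE = r"""Default-First-Site-Name\DC1
DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635

==== INBOUND NEIGHBORS ====

DC=kzsdabas,DC=hu
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
"""
SECTION = re.compile(r"==== (INBOUND|OUTBOUND) NEIGHBORS ====")
GUID = re.compile(r"DSA object GUID: ([0-9a-fA-F-]{36})")

def parse_showrepl(text):
    """Return {'INBOUND': [...], 'OUTBOUND': [...]} with one dict per neighbour."""
    out = {"INBOUND": [], "OUTBOUND": []}
    section = nc = cur = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("===="):              # any banner ends the current section
            m = SECTION.match(s)
            section, cur = (m.group(1) if m else None), None
        elif section and s:
            if not line[0].isspace():         # unindented line: naming context DN
                nc = s
            elif s.endswith(" via RPC"):      # partner line opens a neighbour entry
                cur = {"nc": nc, "partner": s[:-len(" via RPC")],
                       "guid": None, "never": False}
                out[section].append(cur)
            elif cur and (g := GUID.search(s)):
                cur["guid"] = g.group(1)
            elif cur and s == "Last success @ NTTIME(0)":
                cur["never"] = True
    return out

def findings(text, domain):
    """Flag never-synced inbound partners, an empty outbound list, and DNS names."""
    p = parse_showrepl(text)
    never = [(n["nc"], n["partner"]) for n in p["INBOUND"] if n["never"]]
    # Assumption: every DSA object GUID printed maps to <guid>._msdcs.<domain>.
    names = sorted({g + "._msdcs." + domain for g in GUID.findall(text)})
    return {"never_replicated_from": never, "no_outbound": not p["OUTBOUND"],
            "dns_to_resolve": names}
```

Run findings() on the output captured from each DC; the names in dns_to_resolve are the ones to look up from both hosts.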


