[Samba] Problem creating new DC's

Chris Alavoine chrisa at acs-info.co.uk
Mon Jun 9 06:06:49 MDT 2014 

Hi James,

I may have spoken too soon. Replication to my other DC's (including the new
one in the new Site) keeps failing. After a samba restart replication work
for around 30 minutes and then this happens:

/usr/local/samba/bin/samba-tool drs showrepl | more
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
REMOTEDC.example.com failed - drsException: DRS connection to
REMOTEDC.example.com failed: (-1073741643, 'NT_STATUS_IO_TIMEOUT')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

This has the added side-effect that Samba no longer functions (i.e. no
longer processes logins) until I do another restart.

The only DC impervious to this behaviour the main FSMO DC.

As a workaround I have a cronjob on my other DC's that restarts samba every
30 minutes but clearly this is no solution.

Last Friday evening after adding my new DC in it's correct Site I attempt
to demote the old one in this location. The samba-tool domain demote
command failed for me so I removed the DC manually and removed all traces
of it from DNS. Could this have caused problems?

Any help much appreciated.

Thanks,
Chris.



On 4 June 2014 14:08, Chris Alavoine <chrisa at acs-info.co.uk> wrote:

> Yep, new DC shows up under ADSS.
>
> c:)
>
>
> On 4 June 2014 14:04, lp101 <lingpanda101 at gmail.com> wrote:
>
>>  Hi Chris,
>>
>>     Great news! Confirm Site and Services does in fact show your New DC
>> in its appropriate location.
>>
>>
>> On 6/4/2014 8:58 AM, Chris Alavoine wrote:
>>
>> Hi James,
>>
>>  Just thought I'd report my success!
>>
>>  I'd forgotten to specify the local DC (same Site) in my domain
>> provision command:
>>
>>  /usr/local/samba/bin/samba-tool domain join example.com DC
>> -UAdministrator --realm=example.com --server=blahdc --site=blah
>>
>>  This still took over an hour but didn't produce the above TIMEOUT error.
>>
>>  Thanks for your help on this!
>>
>>  c:)
>>
>>
>>
>> On 3 June 2014 16:40, Chris Alavoine <chrisa at acs-info.co.uk> wrote:
>>
>>> Hi James,
>>>
>>>  I have upped the RAM to 20GB and given it 8 cores, but unfortunately
>>> am getting the same result. The time taken to process all the objects is
>>> well over an hour which I'm guessing is where my problem lies.
>>>
>>>  Not sure what else to try expect maybe attempting to reduce the number
>>> of DC's (over a weekend) and try again.
>>>
>>>  Thanks,
>>> Chris.
>>>
>>>
>>> On 3 June 2014 13:56, lp101 <lingpanda101 at gmail.com> wrote:
>>>
>>>>      I believe I needed at least 8GB to complete the join process. I
>>>> know it was more then 4GB. Here is a link to my discussion I had on this
>>>> list in Jan.
>>>>
>>>>
>>>> http://samba.2283325.n4.nabble.com/DomainDnsZone-Replication-Shows-200-000-Objects-td4658437i20.html
>>>>
>>>>     I strongly discourage using the tombstone attribute to fix this
>>>> issue within this discussion. It created more issues then it was worth. I'm
>>>> not sure if this bug was fixed or not. Increase the memory and attempt to
>>>> join the new DC to the existing DC at that site. It should help with the
>>>> timeout error. Good luck!
>>>>
>>>>
>>>>
>>>> On 6/3/2014 8:44 AM, Chris Alavoine wrote:
>>>>
>>>> Hi James,
>>>>
>>>>  Thanks for the reply.
>>>>
>>>>  My last attempt had 4GB RAM and 4 cores (VM). Do you think I should
>>>> give it some more?
>>>>
>>>>  Thanks,
>>>> Chris.
>>>>
>>>>
>>>> On 3 June 2014 13:42, lp101 <lingpanda101 at gmail.com> wrote:
>>>>
>>>>>     Hi Chris,
>>>>>
>>>>>     How much memory does your server have and are you attempting to
>>>>> join it to the local DC at the site? I've had an issue similar to this and
>>>>> increasing the server memory and attempting to join to a local DC helped.
>>>>>
>>>>>
>>>>> On 6/3/2014 8:04 AM, Chris Alavoine wrote:
>>>>>
>>>>>> Hi there,
>>>>>>
>>>>>> I currently have 6 Samba4 (4.1.5) DC's spread over a global network.
>>>>>> This
>>>>>> is working ok but they were created before any Sites were made and as
>>>>>> the
>>>>>> ability to move DC's to new Sites is not working, I am attempting to
>>>>>> create
>>>>>> new DC's in each location and then demote the old ones.
>>>>>>
>>>>>> The problem I am facing is the domain join process keeps timing out
>>>>>> for any
>>>>>> new DC. I think this is due the amount of objects that now need to be
>>>>>> synced:
>>>>>>
>>>>>> Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>>>>>> objects[142711/162691] linked_values[0/0]
>>>>>> Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>>>>>> objects[143113/162691] linked_values[0/0]
>>>>>> Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>>>>>> objects[143515/162691] linked_values[0/0]
>>>>>>
>>>>>> (this is a snippet from attempting to join, as you can see there are
>>>>>> 162691
>>>>>> objects which takes a fair amount of time to get through - I have
>>>>>> tried
>>>>>> this from various different locations).
>>>>>>
>>>>>> This is the final error I get:
>>>>>>
>>>>>> Replicating DC=ForestDnsZones,DC=essence,DC=internal,DC=com
>>>>>> Partition[DC=ForestDnsZones,DC=essence,DC=internal,DC=com]
>>>>>> objects[24/24]
>>>>>> linked_values[0/0]
>>>>>> Partition[DC=ForestDnsZones,DC=essence,DC=internal,DC=com]
>>>>>> objects[48/24]
>>>>>> linked_values[0/0]
>>>>>> Committing SAM database
>>>>>> Sending DsReplicateUpdateRefs for all the replicated partitions
>>>>>> Join failed - cleaning up
>>>>>> checking sAMAccountName
>>>>>> ERROR(runtime): uncaught exception - (-1073741643,
>>>>>> 'NT_STATUS_IO_TIMEOUT')
>>>>>>    File
>>>>>>
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>>>> line 175, in _run
>>>>>>      return self.run(*args, **kwargs)
>>>>>>    File
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>>>>>> line
>>>>>> 552, in run
>>>>>>      machinepass=machinepass, use_ntvfs=use_ntvfs,
>>>>>> dns_backend=dns_backend)
>>>>>>    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>>> line
>>>>>> 1172, in join_DC
>>>>>>      ctx.do_join()
>>>>>>    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>>> line
>>>>>> 1082, in do_join
>>>>>>      ctx.join_finalise()
>>>>>>    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>>> line
>>>>>> 881, in join_finalise
>>>>>>      ctx.send_DsReplicaUpdateRefs(nc)
>>>>>>    File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>>>>> line
>>>>>> 866, in send_DsReplicaUpdateRefs
>>>>>>      ctx.drsuapi.DsReplicaUpdateRefs(ctx.drsuapi_handle, 1, r)
>>>>>>
>>>>>>
>>>>>> Which seem to suggest that the join fails, it tries to clean up and
>>>>>> gets a
>>>>>> NT_STATUS_IO_TIMEOUT error.
>>>>>>
>>>>>> This leaves me with a non-functioning DC appearing in the Domain
>>>>>> Controller
>>>>>> list on ADUC and ADSS which need to be cleaned out.
>>>>>>
>>>>>> Any advice on how I can get around this problem?
>>>>>>
>>>>>> Thanks
>>>>>> Chris.
>>>>>>
>>>>>>
>>>>> --
>>>>>  -James
>>>>>
>>>>>
>>>>
>>>>
>>>>  --
>>>> ACS (Alavoine Computer Services Ltd)
>>>> Chris Alavoine
>>>> mob +44 (0)7724 710 730 <%2B44%20%280%297724%20710%20730>
>>>> www.alavoinecs.co.uk
>>>> http://twitter.com/#!/alavoinecs
>>>> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>>>
>>>>
>>>>   --
>>>> -James
>>>>
>>>>
>>>
>>>
>>>  --
>>> ACS (Alavoine Computer Services Ltd)
>>> Chris Alavoine
>>> mob +44 (0)7724 710 730 <%2B44%20%280%297724%20710%20730>
>>> www.alavoinecs.co.uk
>>> http://twitter.com/#!/alavoinecs
>>> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>>
>>
>>
>>
>>  --
>> ACS (Alavoine Computer Services Ltd)
>> Chris Alavoine
>> mob +44 (0)7724 710 730
>> www.alavoinecs.co.uk
>> http://twitter.com/#!/alavoinecs
>> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>
>>
>> --
>> -James
>>
>>
>
>
> --
> ACS (Alavoine Computer Services Ltd)
> Chris Alavoine
> mob +44 (0)7724 710 730
> www.alavoinecs.co.uk
> http://twitter.com/#!/alavoinecs
> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>



-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192

More information about the samba mailing list