[Samba] outbound replication of newly added DC not working

Andreas Oster aoster at novanetwork.de
Wed Mar 19 23:36:28 MDT 2014


Hello Tom,

thinking about it a little more, I did remember that I had to raise the 
domain and forest levels of my old AD to version 2003 before I was 
able to successfully add the first samba4 server. You will need a Windows 
2003 Server CD for that, though.

best regards

Andreas


On 20 March 2014 03:38:42, schulz at adi.com (Thomas Schulz) wrote:

> > On 19.03.2014 16:16, Thomas Schulz wrote:
> >>> On 14.03.2014 12:48, Andreas Oster wrote:
> >>>> Hi all,
> >>>>
> >>>> I have just added a DC to our existing AD. Join did work without any
> >>>> error messages but now I have recognized that only inbound replication
> >>>> from old DCs is working outbound list is empty.
> >>>>
> >>>> Samba version is: Version 4.2.0pre1-GIT-cff0f8e
> >>>>
> >>>> here is the output of samba-tool drs showrepl:
> >>>>
> >>>> DSA Options: 0x00000001
> >>>> DSA object GUID: 94534f65-5d06-41f5-844d-a58a0bc03c93
> >>>> DSA invocationId: 3db6f686-cbd9-4ef8-992d-1ae1671e6c17
> >>>>
> >>>> ==== INBOUND NEIGHBORS ====
> >>>>
> >>>> DC=sambadom,DC=com
> >>>>          Standardname-des-ersten-Standorts\dc02 via RPC
> >>>>                  DSA object GUID: ef37f4de-a03c-493c-96f6-e521a5415d81
> >>>>                  Last attempt @ Fri Mar 14 12:41:07 2014 CET was successful
> >>>>                  0 consecutive failure(s).
> >>>>                  Last success @ Fri Mar 14 12:41:07 2014 CET
> > > ------------------- lines removed ------------------------------
> >>>>
> >>>> CN=Schema,CN=Configuration,DC=sambadom,DC=com
> >>>>          Standardname-des-ersten-Standorts\dc01 via RPC
> >>>>                  DSA object GUID: c60bca82-df6e-409e-85c5-e2cc733691da
> >>>>                  Last attempt @ Fri Mar 14 12:40:42 2014 CET was successful
> >>>>                  0 consecutive failure(s).
> >>>>                  Last success @ Fri Mar 14 12:40:42 2014 CET
> >>>>
> >>>> ==== OUTBOUND NEIGHBORS ====
> >>>>
> >>>> ==== KCC CONNECTION OBJECTS ====
> >>>>
> >>>> Connection --
> >>>>          Connection name: dc01
> >>>>          Enabled        : TRUE
> >>>>          Server DNS name : dc01.sambadom.com
> >>>>          Server DN name  : CN=NTDS Settings,CN=dc01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=sambadom,DC=com
> >>>>                  TransportType: RPC
> >>>>                  options: 0x00000000
> >>>> Warning: No NC replicated for Connection!
> >>>> Connection --
> >>>>          Connection name: dc02
> >>>>          Enabled        : TRUE
> >>>>          Server DNS name : dc02.sambadom.com
> >>>>          Server DN name  : CN=NTDS Settings,CN=dc02,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=sambadom,DC=com
> >>>>                  TransportType: RPC
> >>>>                  options: 0x00000000
> >>>> Warning: No NC replicated for Connection!
> >>>>
> >>>> ( I have replaced domain and DC names in the output text !)
> >>>>
> >>>>
> >>>> Does anybody know how to fix this issue and get outbound replication to
> >>>> work ?
> >>>>
> >>>> I have already tried to demote and re-join the new DC, but this did not
> >>>> help. I have also checked the DNS entries and those seem to be OK.
> >>>>
> >>>> Thank you for your kind help
> >>>>
> >>>> best regards
> >>>>
> >>>> Andreas
> >>>>
> >>>
> >>> Hi all,
> >>>
> >>> I have been able to manually start outbound replication by issuing
> >>> "samba-tool drs replicate" for all the missing outbound NCs.
> > >
> > > Did you get a one time replication or does it now replicate
> > > automatically?
> > > I tried to use the "samba-tool drs replicate" command but I can not
> > > figure out what to use for 'NC'. I found out what NC means but not exactly
> > > what to enter.
> > >
> > > I sent email to the list a few weeks ago about one way replication. I have
> > > been assuming that my problem is because I have a Windows 2000 DC and DNS
> > > replication is not supported with a Windows 2000 DC. I am about to try
> > > manually entering the DNS records for the Samba 4.1.6 DC into the
> > > Windows 2000 DNS and then see what happens.
> >>>
> >>> Thanks
> >>>
> >>> best regards
> >>>
> >>> Andreas
> >>> --
> > >
> > > Tom Schulz
> > > Applied Dynamics Intl.
> > > schulz at adi.com
> >
> > Hello Thomas,
> > yes it is working for me now. NCs are in my case:
> > DC=sambadom,DC=com
> > DC=ForestDnsZones,DC=sambadom,DC=com
> > CN=Configuration,DC=sambadom,DC=com
> > DC=DomainDnsZones,DC=sambadom,DC=com
> > CN=Schema,CN=Configuration,DC=sambadom,DC=com
> > Obviously you will have different domain name entries.
> > If inbound replication is working you should see those entries when
> > executing "samba-tool drs showrepl".
> > I am not sure if replication is still supported between samba4 and
> > windows 2000, but it is vital, that all the required DNS entries are
> > available.
> > In the old samba4 alpha days replication did work, I know this for sure
> > because I migrated our win2000 AD to a samba4 only one.
> > In order to start outbound replication from one DC to the other you have
> > to do something like this, given that all outbound NCs are missing:
> > samba-tool drs replicate <destinationDC> <sourceDC> DC=sambadom,DC=com
> > samba-tool drs replicate <destinationDC> <sourceDC> DC=ForestDnsZones,DC=sambadom,DC=com
> > samba-tool drs replicate <destinationDC> <sourceDC> CN=Configuration,DC=sambadom,DC=com
> > samba-tool drs replicate <destinationDC> <sourceDC> DC=DomainDnsZones,DC=sambadom,DC=com
> > samba-tool drs replicate <destinationDC> <sourceDC> CN=Schema,CN=Configuration,DC=sambadom,DC=com
> > Make sure to use the correct NCs !  <sourceDC> is the DC which is
> > missing outbound replication peers.
>
> It looks like this is not going to work with a Windows 2000 server.
> I manually entered the DNS information on the 2000 server.
> samba_dnsupdate --verbose now says that all is OK (before it said that
> <2003 is not supported). samba-tool drs showrepl shows nothing under
> both inbound neighbors and outbound neighbors. It does list the 2000
> server in connection objects. Despite showing nothing under inbound
> neighbors, inbound replication does work. I tried
>
> ./samba-tool drs replicate starfish2 koi DC=adi,DC=com
>
> and got the following error
>
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed
>      - drsException: DsReplicaSync failed (8452, 'WERR_DS_DRA_NO_REPLICA')
>   File "/opt/local/samba4/lib/python2.7/site-packages/samba/netcmd/drs.py",
>        line 345, in run
>     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
>          source_dsa_guid, NC, req_options)
>   File "/opt/local/samba4/lib/python2.7/site-packages/samba/drs_utils.py",
>         line 83, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> I can reverse the machine names and get a successful inbound replication.
> I may have to try to stop using the windows 2000 server.
>
> > best regards
> > Andreas
>
> Tom Schulz
> Applied Dynamics Intl.
> schulz at adi.com
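
Added example (not part of the original thread and not Samba project code): a small parser for "samba-tool drs showrepl" text that finds NCs with inbound but no outbound neighbours and builds the "samba-tool drs replicate" commands described above. The sample text is constructed from the output quoted in the thread; the name dc03 for the new DC and the use of the KCC connection names as destination DCs are assumptions.

```python
import re

# Constructed sample, trimmed from the showrepl output quoted in the thread.
SAMPLE = """\
==== INBOUND NEIGHBORS ====

DC=sambadom,DC=com
        Standardname-des-ersten-Standorts\\dc02 via RPC
                0 consecutive failure(s).

CN=Schema,CN=Configuration,DC=sambadom,DC=com
        Standardname-des-ersten-Standorts\\dc01 via RPC

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: dc01
Warning: No NC replicated for Connection!
Connection --
        Connection name: dc02
Warning: No NC replicated for Connection!
"""

def parse_showrepl(text):
    """Return {'INBOUND': {nc: [peers]}, 'OUTBOUND': {...}, 'connections': [names]}."""
    result = {"INBOUND": {}, "OUTBOUND": {}, "connections": []}
    section = nc = None
    for line in text.splitlines():
        header = re.match(r"==== (\w+)", line)
        if header:
            section, nc = header.group(1), None
        elif section in ("INBOUND", "OUTBOUND"):
            if re.match(r"(DC|CN)=", line):      # unindented DN starts an NC block
                nc = line.strip()
                result[section][nc] = []
            elif nc and (m := re.match(r"\s+\S+\\(\S+) via ", line)):
                result[section][nc].append(m.group(1))   # "site\dc via RPC"
        elif m := re.search(r"Connection name:\s*(\S+)", line):
            result["connections"].append(m.group(1))
    return result

def repair_commands(text, source_dc):
    """One 'drs replicate' per peer and per NC that has no outbound neighbour."""
    repl = parse_showrepl(text)
    missing = [nc for nc in repl["INBOUND"] if not repl["OUTBOUND"].get(nc)]
    return [f"samba-tool drs replicate {peer} {source_dc} {nc}"
            for peer in repl["connections"] for nc in missing]
```

Calling repair_commands(SAMPLE, "dc03") returns four commands, one per peer and missing NC; an empty result means every inbound NC also has an outbound neighbour.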



