Replication to a Windows 2008 R2 fails

Andrew Bartlett abartlet at samba.org
Thu Sep 16 14:56:49 MDT 2010


On Wed, 2010-09-15 at 14:01 -0500, David Gonzalez wrote:
> Hi, hope this one doesn't go like my other questions unanswered.

We don't intentionally let your questions go unanswered, but the dynamic
DNS area is frankly very complex, and the few team members who have
worked on it closely are very busy preparing for our annual development
week with Microsoft.  As such, we are incredibly busy trying to get as
much development done so we can test it - otherwise, we need to wait
another year before we see them again. 

> I'm trying to join a second DC to my domain and it's a w2k8 machine, dcpromo
> went well, I added the A record and objectguid as instructed to my zone
> which looks like this after samba_dnsupdate modified it:

If you are running the right version of bind, with the right options,
Windows should update its DNS records correctly, and you should not
need to modify it.  Getting that to work is the best way to ensure that
things are set up correctly.  

I know it's tricky, and debugging bind9 dynamic updates is quite a
trial, but it's the best way. 

> As you see records were added successfully but this error is showing up on my
> logs constantly.
> 
> queued DsReplicaSync for CN=Configuration,DC=samba,DC=dghvoip,DC=com to
> 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com (urgent=true)
> uSN=0:3896
> started DsReplicaSync for DC=samba,DC=dghvoip,DC=com to
> 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com
> dreplsrv_notify_schedule(5) scheduled for: Wed Sep 15 13:59:27 2010 COT
> dreplsrv_notify: Failed to send DsReplicaSync to
> 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com for
> DC=samba,DC=dghvoip,DC=com - NT code 0xc0002105 : WERR_DS_DRA_ACCESS_DENIED
> started DsReplicaSync for
> CN=Schema,CN=Configuration,DC=samba,DC=dghvoip,DC=com to
> 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com
> dreplsrv_notify: Failed to send DsReplicaSync to
> 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com for
> CN=Schema,CN=Configuration,DC=samba,DC=dghvoip,DC=com - NT code 0xc0002105 :
> WERR_DS_DRA_ACCESS_DENIED
> started DsReplicaSync for CN=Configuration,DC=samba,DC=dghvoip,DC=com to
> 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com
> dreplsrv_notify: Failed to send DsReplicaSync to
> 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com for
> CN=Configuration,DC=samba,DC=dghvoip,DC=com - NT code 0xc0002105 :
> WERR_DS_DRA_ACCESS_DENIED

This would seem to be the Win2008 server rejecting our notification.
Are there any logs on the Win2008 side?  

> I'm using -d4 to see what's going on but can't seem to find a solution.
> 
> If anyone can help or if any more info is required please ask.

A network capture might indicate if this is a BIND NAK (Kerberos failure)
or a DCERPC level error (some other permission error).  I'm thinking
it's not Kerberos, as the error code seems wrong, but that means I don't
have any particularly good ideas what it is, unless you got your zone
update wrong.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
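
The capture check suggested in the reply above, as an added example that is not part of the original message or of Samba's code: it classifies a DCE/RPC PDU taken from a capture as a bind_nak, a fault, or an ordinary response by reading the connection-oriented header. The names `classify_pdu` and `sample_pdu` are hypothetical, and the two sample PDUs are constructed, not taken from the poster's network.

```python
import struct

# Constructed for illustration; names here are hypothetical, not Samba's.
PTYPES = {0: "request", 2: "response", 3: "fault",
          11: "bind", 12: "bind_ack", 13: "bind_nak"}
REJECT_REASONS = {0: "reason_not_specified",
                  4: "protocol_version_not_supported",
                  8: "authentication_type_not_recognized",
                  9: "invalid_checksum"}

def classify_pdu(pdu: bytes) -> dict:
    """Classify one DCE/RPC PDU (TCP payload bytes taken from a capture)."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a connection-oriented DCE/RPC PDU")
    ptype = pdu[2]
    # Upper nibble of drep[0]: 1 = little-endian integers, 0 = big-endian.
    end = "<" if pdu[4] >> 4 == 1 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(end + "HHI", pdu, 8)
    info = {"ptype": PTYPES.get(ptype, "ptype_%d" % ptype), "call_id": call_id,
            "auth_length": auth_len, "layer": "other", "detail": None}
    if ptype == 13:
        # The bind itself was refused, so no call was ever dispatched.
        (reason,) = struct.unpack_from(end + "H", pdu, 16)
        info["layer"] = "bind"
        info["detail"] = REJECT_REASONS.get(reason, "reason_%d" % reason)
    elif ptype == 3:
        # Fault body: alloc_hint(4) p_cont_id(2) cancel_count(1)
        # reserved(1) status(4); the status starts at offset 24.
        (status,) = struct.unpack_from(end + "I", pdu, 24)
        info["layer"] = "dcerpc"
        info["detail"] = "0x%08x" % status
    elif ptype == 2:
        # The call ran; its own result code is inside the stub data,
        # which is unreadable in a capture if the connection is sealed.
        info["layer"] = "call"
    return info

def sample_pdu(ptype: int, body: bytes, call_id: int = 2) -> bytes:
    """Build a constructed little-endian PDU for the demo below."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, call_id)
    return hdr + body

SAMPLE_BIND_NAK = sample_pdu(13, struct.pack("<H", 8))
SAMPLE_FAULT = sample_pdu(3, struct.pack("<IHBBII", 0, 0, 0, 0, 5, 0))

if __name__ == "__main__":
    for name, pdu in (("bind_nak", SAMPLE_BIND_NAK), ("fault", SAMPLE_FAULT)):
        print(name, classify_pdu(pdu))
```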