Replication to a Windows 2008 R2 fails

David Gonzalez info at dghvoip.com
Thu Sep 16 18:55:55 MDT 2010


Well Andrew,

Thank you very much for your insights on this topic, I appreciate your time
and that from other Samba members.

As I told you I've checked the latest git and installed it and Oh! Surprise,
dynamic updates are working fine securely as expected. Nice job, those MS
guys will be very pleased with the progress that Samba is making.

Also I tried joining my W2k8 machine and it successfully does it, but the
DRS_ACCESS_DENIED error keeps showing up, I'm trying to debug that so I can
see what is going on.

Also I tried joining another Samba DC with net vampire it looked good and
it's replicating fine, but as I asked on a previous message, when I start
samba or samba_dnsupdate I see that it's trying to update service names on
itself, I'd like to make that script point to my DNS server at 192.168.254.1
where also samba is running.

If you can spare some time to help me with that it'd be nice.

Thank you and congratulations on a very well done job.

Bye.

---
... Chi va piano va sano e va lontano.
David Gonzalez H.
DGHVoIP - OPEN SOURCE TELEPHONY SOLUTIONS
Phone Bogotá: +(57-1)289-1168
Phone Medellin: +(57-4)247-0985
Mobile: +(57)315-838-8326
MSN: david at planetaradio.net
Skype: davidgonzalezh
WEB: http://www.dghvoip.com/
Linux User #294661


On Thu, Sep 16, 2010 at 3:56 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2010-09-15 at 14:01 -0500, David Gonzalez wrote:
> > Hi, hope this one doesn't go like my other questions unanswered.
>
> We don't intentionally let your questions go unanswered, but the dynamic
> DNS area is frankly very complex, and the few team members who have
> worked on it closely are very busy preparing for our annual development
> week with Microsoft.  As such, we are incredibly busy trying to get as
> much development done so we can test it - otherwise, we need to wait
> another year before we see them again.
>
> > I'm trying to join a second DC to my domain and it's a w2k8 machine, dcpromo
> > went well, I added the A record and objectguid as instructed to my zone
> > which looks like this after samba_dnsupdate modified it:
>
> If you are running the right version of bind, with the right options,
> Windows should update its DNS records correctly, and you should not
> need to modify it.  Getting that to work is the best way to ensure that
> things are set up correctly.
>
> I know it's tricky, and debugging bind9 dynamic updates is quite a
> trial, but it's the best way.
>
> > As you see records were added successfully but this error is showing up on my
> > logs constantly.
> >
> > queued DsReplicaSync for CN=Configuration,DC=samba,DC=dghvoip,DC=com to
> > 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com(urgent=true)
> > uSN=0:3896
> > started DsReplicaSync for DC=samba,DC=dghvoip,DC=com to
> > 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com
> > dreplsrv_notify_schedule(5) scheduled for: Wed Sep 15 13:59:27 2010 COT
> > dreplsrv_notify: Failed to send DsReplicaSync to
> > 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com for
> > DC=samba,DC=dghvoip,DC=com - NT code 0xc0002105 : WERR_DS_DRA_ACCESS_DENIED
> > started DsReplicaSync for
> > CN=Schema,CN=Configuration,DC=samba,DC=dghvoip,DC=com to
> > 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com
> > dreplsrv_notify: Failed to send DsReplicaSync to
> > 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com for
> > CN=Schema,CN=Configuration,DC=samba,DC=dghvoip,DC=com - NT code 0xc0002105 :
> > WERR_DS_DRA_ACCESS_DENIED
> > started DsReplicaSync for CN=Configuration,DC=samba,DC=dghvoip,DC=com to
> > 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com
> > dreplsrv_notify: Failed to send DsReplicaSync to
> > 9b5d4b4c-57b6-47f5-a0d9-845ce8b224c2._msdcs.samba.dghvoip.com for
> > CN=Configuration,DC=samba,DC=dghvoip,DC=com - NT code 0xc0002105 :
> > WERR_DS_DRA_ACCESS_DENIED
>
> This would seem to be the Win2008 server rejecting our notification.
> Are there any logs in the Win2008 side?
>
> > I'm using -d4 to see what's going on but can't seem to find a solution.
> >
> > If anyone can help or if any more info is required please ask.
>
> A network capture might indicate if this is a BIND NAK (Kerberos failure)
> or a DCERPC level error (some other permission error).  I'm thinking
> it's not Kerberos, as the error code seems wrong, but that means I don't
> have any particularly good ideas what it is, unless you got your zone
> update wrong.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
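
Added example (not part of either message and not Samba code): a Python script that unwraps a `>`-quoted, line-wrapped dreplsrv log excerpt of the kind quoted above and counts DsReplicaSync attempts and failures per naming context and destination. The GUID and domain in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample (placeholder GUID and domain). Lines are wrapped and carry
# e-mail quote markers at varying depth, as happens when logs are pasted into a thread.
SAMPLE = """\
> > started DsReplicaSync for DC=samba,DC=example,DC=com to
> > 00000000-0000-0000-0000-000000000001._msdcs.samba.example.com
> > dreplsrv_notify: Failed to send DsReplicaSync to
> > 00000000-0000-0000-0000-000000000001._msdcs.samba.example.com for
> > DC=samba,DC=example,DC=com - NT code 0xc0002105 :
> WERR_DS_DRA_ACCESS_DENIED
> > started DsReplicaSync for
> > CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com to
> > 00000000-0000-0000-0000-000000000001._msdcs.samba.example.com
> > dreplsrv_notify: Failed to send DsReplicaSync to
> > 00000000-0000-0000-0000-000000000001._msdcs.samba.example.com for
> > CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com - NT code
> 0xc0002105 :
> > WERR_DS_DRA_ACCESS_DENIED
> > started DsReplicaSync for CN=Configuration,DC=samba,DC=example,DC=com to
> > 00000000-0000-0000-0000-000000000001._msdcs.samba.example.com
"""

# Patterns follow the two message shapes visible in the quoted log.
STARTED = re.compile(r"started DsReplicaSync for (.+?) to (\S+)")
FAILED = re.compile(
    r"Failed to send DsReplicaSync to (\S+) for (.+?) - NT code (0x[0-9a-fA-F]+) : (\w+)"
)

def unwrap(text):
    """Drop leading '>' quote markers and rejoin wrapped lines into one string."""
    lines = (re.sub(r"^(?:>\s?)+", "", ln).strip() for ln in text.splitlines())
    return " ".join(ln for ln in lines if ln)

def summarize(text):
    """Return (attempts, failures) counters keyed by naming context and destination."""
    flat = unwrap(text)
    started = Counter(STARTED.findall(flat))  # key: (naming context, destination)
    failed = Counter()
    for dest, nc, code, name in FAILED.findall(flat):
        failed[(nc, dest, code.lower(), name)] += 1
    return started, failed

if __name__ == "__main__":
    attempts, failures = summarize(SAMPLE)
    for (nc, dest, code, name), n in sorted(failures.items()):
        print(f"{n} failure(s) {name} ({code}) for {nc} -> {dest}")
    print(f"{sum(attempts.values())} sync attempt(s), {sum(failures.values())} failed")
```

A naming context that appears in the attempts but not in the failures either succeeded or had its result cut off in the excerpt, so the counts are only as complete as the pasted log.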


More information about the samba-technical mailing list