Ted Salmon tass2001 at
Sat Dec 3 09:23:11 MST 2011

Hello Matthieu,
> Hello Ted,
> On 02/12/2011 19:44, Ted Salmon wrote:
> > Hello,
> > I recently setup a second AD DC in my Domain which is running in a VM. Both DCs in the domain run Samba4 Alpha 17 (Final Alpha) and were installed from the same package which I compiled. The PDC of the domain is running Bind 9.8.1 P1 with GSSAPI for Kerberos DNS updates which are working great (I've added multiple client machines and watched them replicate into the DNS). The trouble comes with replication from DC to DC. It seems the PDC replicates just fine to the other DC in the domain but replication does not work from the secondary DC back to the PDC. I noticed that the Secondary DC is also NOT in DNS so I had to add it via host entry (really ghetto). I'm not sure why it won't show up in DNS as other client machines on the domain replicate into DNS without fault. The PDC does have all failures for replication in and error out with 'WERR_BADFILE'. Also, is there a way to remove the secondary DC from the domain now that it's been joined?
> > Here's what my PDC has to say about AD DCs in my domain:root at NETW1-STATS:~# ldbsearch -H /usr/var/lib/samba/private/sam.ldb objectclass=ntdsdsa objectguid --cross-ncs# record 1dn: CN=NTDS Settings,CN=NETW1-STATS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=network,DC=localobjectGUID: 607a8cb6-c2ed-4e21-b616-576fae043d7b
> > # record 2dn: CN=NTDS Settings,CN=NETW2-DEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=network,DC=localobjectGUID: 78398891-722d-4c85-96b4-41416e126a1c
> The whole email is quite hard to read think about more spacing next time.

Sorry About that! Not sure what hotmail did with my formatting...
Here's a pastebin with all the relevant info:

> The thing is that in order for replication to work correctly you need a 
> lot of DNS records.
> So it seems that you still have them, let's try to fix them.
> Can you enable the debug in bind like indicated here: 
> it's page 16 of my 
> presentation at last XP.
> Also check that you can get a kerberos ticket on the second dc:
> kinit administrator

kinit Administrator works great on the second DC (see pastebin). I also turned on debugging per your link and the update-debug.log file is completely blank and no errors are seen in syslog :(

> Then restart samba and look at the debug file, you might find 
> informations on why your updates from second DC are not allowed on the 
> first DC.
I rebooted both DCs and waited roughly 15 mins, nothing in the error log(s) and no new entries in DNS. My query log does seem to be getting flooded for requests on the UID of the secondary DC made by the PDC as shown in the pastebin.
> Matthieu.
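
As an added example (not part of this thread or of Samba itself), a small shell script that derives the DNS records each DC needs from the ldbsearch output quoted above and can check them with dig; the DNS zone name domain.network.local, the site name and the chosen subset of records are assumptions taken from the DNs shown and from the records samba_dnsupdate normally registers.

```shell
#!/bin/sh
# Added example: list (and optionally verify) the DNS records a Samba4 DC
# needs for replication, starting from "ldbsearch ... objectclass=ntdsdsa".
DNS_DOMAIN="domain.network.local"   # assumption: DNS zone equals the AD domain in the DNs
SITE="Default-First-Site-Name"      # site name from the DNs in the thread

# Constructed sample: the two NTDS Settings records quoted in the thread.
SAMPLE_LDB='# record 1
dn: CN=NTDS Settings,CN=NETW1-STATS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=network,DC=local
objectGUID: 607a8cb6-c2ed-4e21-b616-576fae043d7b

# record 2
dn: CN=NTDS Settings,CN=NETW2-DEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=network,DC=local
objectGUID: 78398891-722d-4c85-96b4-41416e126a1c'

# parse_ntds: stdin = ldbsearch output; stdout = "<DC name> <NTDS objectGUID>" per DC
parse_ntds() {
    awk '
        /^dn: CN=NTDS Settings,CN=/ { split($0, p, ","); sub(/^CN=/, "", p[2]); dc = p[2] }
        /^objectGUID: /              { print dc, $2 }
    '
}

# expected_records DC GUID: print "TYPE name" for the records a DC registers
# (a representative subset of Samba's dns_update_list, not the complete list)
expected_records() {
    dc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    echo "A     $dc.$DNS_DOMAIN"
    echo "CNAME $2._msdcs.$DNS_DOMAIN"          # GUID CNAME used by DRS replication
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp; do
        echo "SRV   $svc.$DNS_DOMAIN"
    done
    for svc in _ldap._tcp _kerberos._tcp; do
        echo "SRV   $svc.$SITE._sites.$DNS_DOMAIN"
        echo "SRV   $svc.dc._msdcs.$DNS_DOMAIN"
        echo "SRV   $svc.$SITE._sites.dc._msdcs.$DNS_DOMAIN"
    done
}

# check_records: stdin = "TYPE name" lines; resolves each with dig, prints OK/MISSING,
# returns non-zero if anything is missing (needs dig on the PATH and access to the zone)
check_records() {
    missing=0
    while read -r type name; do
        if [ -n "$(dig +short "$type" "$name" 2>/dev/null)" ]; then
            echo "OK      $type $name"
        else
            echo "MISSING $type $name"; missing=1
        fi
    done
    return $missing
}

# Stand-alone run: list what each DC in the sample should have registered.
printf '%s\n' "$SAMPLE_LDB" | parse_ntds | while read -r dc guid; do
    echo "== $dc"; expected_records "$dc" "$guid"
done
```

To verify a real DC, feed the live output instead of the sample, e.g. `ldbsearch -H /usr/var/lib/samba/private/sam.ldb objectclass=ntdsdsa objectguid --cross-ncs | parse_ntds | while read -r dc guid; do expected_records "$dc" "$guid"; done | check_records`; a MISSING line for the secondary DC's A or GUID CNAME record points at the registration step that failed.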
