Renaming of site name causes replication issues

Kev Latimer klatimer at tolent.co.uk
Wed Apr 25 06:38:38 MDT 2012 

Following on from my recent "resetting a DC" post, here's what happened 
and the errors I'm trying to clear.

To correct a "political typo" when I created my initial five sites in 
"sites and services", I renamed one site in said MMC.  The rename 
happened correctly and each DC reported the new name.  What didn't occur 
was renaming of DNS entries for each site, which I've subsequently 
modified/added/removed using a combination of PhpLDAPAdmin and the DNS MMC.

For background, I have 6 DC's - one initial DC, which is the nameserver 
running BIND9_DLZ and a second one on the same subnet/site.  I have four 
other DC's on four remote subnets/sites

The renaming seems to have caused a replication issue, however.  Every 
five minutes, I'll see the following in one of the "additional" DC's:

[2012/04/25 13:25:57,  0] ../lib/ldb-samba/ldb_wrap.c:68(ldb_wrap_debug)
   ldb: replmd_replicated_request rename 
CN=Teesside,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk => 
CN=Thornaby,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk 
failed - Linked attribute hasPartialReplicaNCs->msDS-IsPartialReplicaFor 
between CN=NTDS 
Settings,CN=TE-DC1,CN=Servers,CN=Teesside,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk 
and DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk - remote not found 
- No such Base DN: DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=u

[2012/04/25 13:25:57,  0] 
../source4/dsdb/repl/replicated_objects.c:557(dsdb_replicated_objects_commit)
   Failed to apply records: Linked attribute 
hasPartialReplicaNCs->msDS-IsPartialReplicaFor between CN=NTDS 
Settings,CN=TE-DC1,CN=Servers,CN=Teesside,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk 
and DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk - remote not found 
- No such Base DN: DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=u : Other
[2012/04/25 13:25:57,  0] 
../source4/dsdb/repl/drepl_out_helpers.c:714(dreplsrv_op_pull_source_apply_changes_trigger)
   Failed to commit objects: 
WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

You can see the original site name 
(CN=Teesside,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk) 
and the new site name 
(CN=Thornaby,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk) 
in there, and which this is from the additional DC in the same subnet as 
the DNS-hosting DC, you'll also see this in any of the other additional 
DC's (but not in the original, DNS-hosting DC).

Following Matthieu's suggestions in my other thread, I tried to force a 
sync to correct, but no matter which I tried, I received the following 
from samba-tool:

root at ho-dc2:/usr/local/samba# bin/samba-tool drs replicate 
ho-dc2.tclad.tolent.co.uk ho-dc1.tclad.tolent.co.uk 
CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk -d4 --full-sync
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file 
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:ho-dc2.tclad.tolent.co.uk[,seal]
Mapped to DCERPC endpoint 135
added interface eth0 ip=fe80::20c:29ff:fed3:118f%eth0 
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.21.1.8 bcast=10.21.255.255 netmask=255.255.0.0
added interface eth0 ip=fe80::20c:29ff:fed3:118f%eth0 
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.21.1.8 bcast=10.21.255.255 netmask=255.255.0.0
Mapped to DCERPC endpoint 1024
added interface eth0 ip=fe80::20c:29ff:fed3:118f%eth0 
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.21.1.8 bcast=10.21.255.255 netmask=255.255.0.0
added interface eth0 ip=fe80::20c:29ff:fed3:118f%eth0 
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.21.1.8 bcast=10.21.255.255 netmask=255.255.0.0
Received smb_krb5 packet of length 280
Received smb_krb5 packet of length 1271
Received smb_krb5 packet of length 1314
Received smb_krb5 packet of length 1304
added interface eth0 ip=fe80::20c:29ff:fed3:118f%eth0 
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.21.1.8 bcast=10.21.255.255 netmask=255.255.0.0
added interface eth0 ip=fe80::20c:29ff:fed3:118f%eth0 
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.21.1.8 bcast=10.21.255.255 netmask=255.255.0.0
Received smb_krb5 packet of length 1314
Received smb_krb5 packet of length 1304
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsExcepti
   File 
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/drs.py", line
     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, 
source_dsa_gu
   File 
"/usr/local/samba/lib/python2.6/site-packages/samba/drs_utils.py", line 8
     raise drsException("DsReplicaSync failed %s" % estr)
root at ho-dc2:/usr/local/samba# bin/samba-tool domain demote -s 
ho-dc1.office.tole
ERROR(runtime): uncaught exception - Unable to load file 
ho-dc1.office.tolent.co
   File 
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", li
     lp = sambaopts.get_loadparm()
   File "/usr/local/samba/lib/python2.6/site-packages/samba/getopt.py", 
line 88,
     self._lp.load(self._configfile)

I've tried specifying the original DC as the source or just leaving it 
to it's own devices, result is the same.

Following Andrew's suggestion of "samba-tool dbcheck -cross-nc", it 
looks like it might have sent me in the correct direction:

root at ho-dc2:/usr/local/samba# bin/samba-tool dbcheck --cross-nc
Checking 4002 objects
ERROR: missing backlink attribute 'msDS-IsPartialReplicaFor' in 
DC=DomainDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk for link 
hasPartialReplicaNCs in CN=NTDS 
Settings,CN=CE-DC1,CN=Servers,CN=Leeds,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk
Not fixing missing backlink msDS-IsPartialReplicaFor
ERROR: incorrect GUID component for hasPartialReplicaNCs in object 
CN=NTDS 
Settings,CN=CE-DC1,CN=Servers,CN=Leeds,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk 
- 
<GUID=1ac3117e-b4a4-4bc7-9d52-e9326d1b0be1>;DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk
unable to find object for DN 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk - (No such Base DN: 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk)
Not removing dangling forward link
ERROR: missing backlink attribute 'msDS-IsPartialReplicaFor' in 
DC=DomainDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk for link 
hasPartialReplicaNCs in CN=NTDS 
Settings,CN=TE-DC1,CN=Servers,CN=Teesside,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk
Not fixing missing backlink msDS-IsPartialReplicaFor
ERROR: incorrect GUID component for hasPartialReplicaNCs in object 
CN=NTDS 
Settings,CN=TE-DC1,CN=Servers,CN=Teesside,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk 
- 
<GUID=1ac3117e-b4a4-4bc7-9d52-e9326d1b0be1>;DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk
unable to find object for DN 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk - (No such Base DN: 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk)
Not removing dangling forward link
ERROR: missing backlink attribute 'msDS-IsPartialReplicaFor' in 
DC=DomainDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk for link 
hasPartialReplicaNCs in CN=NTDS 
Settings,CN=HO-DC2,CN=Servers,CN=Gateshead,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk
Not fixing missing backlink msDS-IsPartialReplicaFor
ERROR: incorrect GUID component for hasPartialReplicaNCs in object 
CN=NTDS 
Settings,CN=HO-DC2,CN=Servers,CN=Gateshead,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk 
- 
<GUID=1ac3117e-b4a4-4bc7-9d52-e9326d1b0be1>;DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk
unable to find object for DN 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk - (No such Base DN: 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk)
Not removing dangling forward link
ERROR: missing backlink attribute 'msDS-IsPartialReplicaFor' in 
DC=DomainDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk for link 
hasPartialReplicaNCs in CN=NTDS 
Settings,CN=CW-DC1,CN=Servers,CN=Manchester,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk
Not fixing missing backlink msDS-IsPartialReplicaFor
ERROR: incorrect GUID component for hasPartialReplicaNCs in object 
CN=NTDS 
Settings,CN=CW-DC1,CN=Servers,CN=Manchester,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk 
- 
<GUID=1ac3117e-b4a4-4bc7-9d52-e9326d1b0be1>;DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk
unable to find object for DN 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk - (No such Base DN: 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk)
Not removing dangling forward link
ERROR: missing backlink attribute 'msDs-masteredBy' in 
DC=DomainDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk for link 
msDS-hasMasterNCs in CN=NTDS 
Settings,CN=HO-DC1,CN=Servers,CN=Gateshead,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk
Not fixing missing backlink msDs-masteredBy
ERROR: incorrect GUID component for msDS-hasMasterNCs in object CN=NTDS 
Settings,CN=HO-DC1,CN=Servers,CN=Gateshead,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk 
- 
<GUID=1ac3117e-b4a4-4bc7-9d52-e9326d1b0be1>;DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk
unable to find object for DN 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk - (No such Base DN: 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk)
Not removing dangling forward link
ERROR: missing backlink attribute 'msDS-IsPartialReplicaFor' in 
DC=DomainDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk for link 
hasPartialReplicaNCs in CN=NTDS 
Settings,CN=SO-DC1,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk
Not fixing missing backlink msDS-IsPartialReplicaFor
ERROR: incorrect GUID component for hasPartialReplicaNCs in object 
CN=NTDS 
Settings,CN=SO-DC1,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=tclad,DC=tolent,DC=co,DC=uk 
- 
<GUID=1ac3117e-b4a4-4bc7-9d52-e9326d1b0be1>;DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk
unable to find object for DN 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk - (No such Base DN: 
DC=ForestDnsZones,DC=tclad,DC=tolent,DC=co,DC=uk)
Not removing dangling forward link
Please use --fix to fix these errors
Checked 4002 objects (12 errors)

Now, I've not used "--fix" just yet, as I'd like some feedback, if 
anyone has any more specific suggestions to my "partial replica" 
problem?  Initially, I reckoned simply pulling the DC and rejoining 
might have been the quickest fix, but if anyone has any other ideas...?

Cheers all,

Kev
-- 
Kev

More information about the samba-technical mailing list