How to get DNS replication working properly?
Juan Pablo Lorier
jplorier at gmail.com
Tue Jul 10 08:45:34 MDT 2012
Hi Andrew,
Don't need to apologise, I know that all of you must be under a lot of
pressure at this time, I just needed to call for someone's attention to
be able to get any progress to report to my superiors in order to get
samba still on the table.
Samba is started in one of the servers, but in the other I get an error
with samba_dlz that I just mentioned to Amitay.
In the one running bind, now (beta3) I get data that I didn't get with
beta2, but still, even running dnsupdate, I don't get all the records from
the DNS that I get from the Windows DNS.
If I use samba-tool I get an error that I never had with previous compiles:
/usr/local/samba/bin/samba-tool dns query sambadc1 jgimenez-nb.montecarlotv.com.uy @ ALL -U administrador
Password for [CANAL4\administrador]:
ERROR(runtime): uncaught exception - (9714, 'WERR_DNS_ERROR_NAME_DOES_NOT_EXIST')
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 160, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 967, in run
    None)
About the replica, I found some of these events in the Windows logs of
both AD servers:
Tipo de suceso: Error
Origen del suceso: NTDS Replication
Categoría del suceso: Replicación
Id. suceso: 1864
Fecha: 09/07/2012
Hora: 17:03:01
Usuario: NT AUTHORITY\ANONYMOUS LOGON
Equipo: ADS1
Descripción:
Éste es el estado de replicación para la siguiente partición del
directorio en el controlador de dominio local.
Partición del directorio:
DC=montecarlotv,DC=com,DC=uy
El controlador de dominio local no recibió recientemente información de
replicación de varios controladores de dominio. A continuación puede
ver el número de controladores de dominio, separados en los siguientes
intervalos.
Más de 24 horas:
1
Más de una semana:
1
Más de un mes:
1
Más de dos meses:
1
Más de un período de vida de desecho:
1
Período de vida de desecho (días):
180
Los controladores de dominio que no replican a tiempo pueden encontrar
errores. Pueden perder cambios de contraseña y no podrían realizar la
autenticación. Un DC que no se replica en el período de vida de desecho
puede perder la información de eliminación de algunos objetos y bloquear
automáticamente su futura replicación hasta que se reconcilie.
Para identificar los controladores de dominio por el nombre, instale las
herramientas de soporte incluidas en el CD de instalación y ejecute
dcdiag.exe.
También puede utilizar la herramienta de soporte repadmin.exe para
mostrar las latencias de replicación de los controladores de dominio del
bosque. El comando es "repadmin /showvector /latency <partition-dn>".
About samba log, do you want me to attach log.samba? If I use log level
5, I get several MB of log in a few minutes, so as I don't want to fill
the list with my crap, I may send you the log in a private mail. If you
want a lower log level, please tell me.
About the Windows log level, I have a lot of stuff that I can set to debug;
can you specify which ones you need (ds schema, ds rpc client, directory
access, ds rpc server, etc.)?
About the ram, I'll see what I can do because both samba 4 are in VMs
on production servers that have not much room left. I guess that in the
future the ram requirements will drop as samba RC reaches daylight.
Thank you all for your great effort and for your patience with newbies
like me.
Regards,
Juan Pablo Lorier
On 09/07/12 21:37, Andrew Bartlett wrote:
> On Thu, 2012-07-05 at 14:29 -0300, Juan Pablo Lorier wrote:
>> Hi Andrew,
>>
>> I don't know if you received the reply to your last mail. I'm back at
>> the office and I'm compiling beta3 to test everything with the patch
>> (that if I don't get it wrong should be at the master branch at this
>> time, isn't it?).
>> I told you in the last mail that I get partial things running, I get the
>> partitions right at joining time with your patch but I don't get dynamic
>> dns to update from the windows controllers to samba and I don't get bind
>> to work.
>> I get the right dns records if I samba-tool dns query but I don't get
>> them if I use dig (that should query the bind instead of samba, doesn't
>> it?).
> I'm sorry for not getting back to you earlier. On your query today I
> found this half-completed mail (got distracted trying to investigate
> the issues further, and never sent it).
>
> Is bind started, and showing that it is loading and using the dlz
> module?
>
>> I also get an error if I upgradedns complaining about not finding the
>> zone file in the private directory (I've tried creating it manually but
>> the script deletes it).
> I wanted to say you don't need to run this any more, once you have the
> zone data imported into one replica, but fact-checking this statement
> got me distracted because it isn't true. You must still run
> samba_upgradedns to allow updates to the second DC (everything else
> should work however).
>
>> With beta3 I get this error in one of my samba DCs:
> Can you turn up the log level on both ends and get some more detail on
> why it fails?
>
>> So it seems replica is not working.
>> Another thing that I'll confirm if is fixed in beta3 is that in beta2 I
>> had samba eating the ram of the system. I had to kill samba every 2 days
>> at most to release the memory (virtual machine with 2GB ram and about
>> 100 users and 100 machines in the domain).
>> If you can point me in a direction so I can look for a way to test what is
>> not working, I'll be happy to work to get this running.
>> Regards,
> I would just give it more ram. The replication process seems to require
> a lot of ram, which due to the way malloc() works will be retained by
> the process.
>
> Andrew Bartlett
>