Samba4: DC replication only working one way

steve steve at steve-ss.com
Wed Jul 11 13:25:47 MDT 2012 

Hi
After a successful join:
On DC1 ( originl provisioned DC):

samba-tool drs showrepl
Default-First-Site-Name\HH1
DSA Options: 0x00000001
DSA object GUID: 01d5fe3b-c017-4b03-aea5-607e8c41cf03
DSA invocationId: 601d95bc-c261-45fd-b1e1-372c1527cddf

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=hh3,DC=site
	Default-First-Site-Name\HH6 via RPC
		DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

DC=DomainDnsZones,DC=hh3,DC=site
	Default-First-Site-Name\HH6 via RPC
		DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

DC=hh3,DC=site
	Default-First-Site-Name\HH6 via RPC
		DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=hh3,DC=site
	Default-First-Site-Name\HH6 via RPC
		DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

CN=Configuration,DC=hh3,DC=site
	Default-First-Site-Name\HH6 via RPC
		DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=hh3,DC=site
	Default-First-Site-Name\HH6 via RPC
		DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

DC=DomainDnsZones,DC=hh3,DC=site
	Default-First-Site-Name\HH6 via RPC
		DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

DC=hh3,DC=site
	Default-First-Site-Name\HH6 via RPC
		DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
		Last attempt @ NTTIME(0) was successful
		0 consecutive failure(s).
		Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=hh3,DC=site
	Default-First-Site-Name\HH6 via RPC
		DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
		Last attempt @ Wed Jul 11 21:15:01 2012 CEST failed, result 121 
(WERR_SEM_TIMEOUT)
		1 consecutive failure(s).
		Last success @ NTTIME(0)

CN=Configuration,DC=hh3,DC=site
	Default-First-Site-Name\HH6 via RPC
		DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
		Last attempt @ Wed Jul 11 21:16:01 2012 CEST failed, result 121 
(WERR_SEM_TIMEOUT)
		1 consecutive failure(s).
		Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
	Connection name: 001d8857-ccc5-4ddb-a8a8-a6a823b48b8a
	Enabled        : TRUE
	Server DNS name : hh1.hh3.site
	Server DN name  : CN=NTDS 
Settings,CN=HH6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hh3,DC=site
		TransportType: RPC
		options: 0x00000001
Warning: No NC replicated for Connection!

And on DC2 (the unprovisioned DC that was joined)
samba-tool drs showrepl
Default-First-Site-Name\HH6
DSA Options: 0x00000001
DSA object GUID: 809204b5-7081-4896-9523-4ee2c8794591
DSA invocationId: 059e4d54-5d64-4679-a79f-898c988af71e

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=hh3,DC=site
	Default-First-Site-Name\HH1 via RPC
		DSA object GUID: 01d5fe3b-c017-4b03-aea5-607e8c41cf03
		Last attempt @ Wed Jul 11 21:14:05 2012 CEST was successful
		0 consecutive failure(s).
		Last success @ Wed Jul 11 21:14:05 2012 CEST

DC=hh3,DC=site
	Default-First-Site-Name\HH1 via RPC
		DSA object GUID: 01d5fe3b-c017-4b03-aea5-607e8c41cf03
		Last attempt @ Wed Jul 11 21:14:06 2012 CEST was successful
		0 consecutive failure(s).
		Last success @ Wed Jul 11 21:14:06 2012 CEST

DC=ForestDnsZones,DC=hh3,DC=site
	Default-First-Site-Name\HH1 via RPC
		DSA object GUID: 01d5fe3b-c017-4b03-aea5-607e8c41cf03
		Last attempt @ Wed Jul 11 21:14:04 2012 CEST was successful
		0 consecutive failure(s).
		Last success @ Wed Jul 11 21:14:04 2012 CEST

DC=DomainDnsZones,DC=hh3,DC=site
	Default-First-Site-Name\HH1 via RPC
		DSA object GUID: 01d5fe3b-c017-4b03-aea5-607e8c41cf03
		Last attempt @ Wed Jul 11 21:14:04 2012 CEST was successful
		0 consecutive failure(s).
		Last success @ Wed Jul 11 21:14:04 2012 CEST

CN=Configuration,DC=hh3,DC=site
	Default-First-Site-Name\HH1 via RPC
		DSA object GUID: 01d5fe3b-c017-4b03-aea5-607e8c41cf03
		Last attempt @ Wed Jul 11 21:14:07 2012 CEST was successful
		0 consecutive failure(s).
		Last success @ Wed Jul 11 21:14:07 2012 CEST

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
	Connection name: 1f0e4b5b-800d-47bc-bff9-e045d1b46f4b
	Enabled        : TRUE
	Server DNS name : HH6.hh3.site
	Server DN name  : CN=NTDS 
Settings,CN=HH1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hh3,DC=site
		TransportType: RPC
		options: 0x00000001
Warning: No NC replicated for Connection!

On DC1 (it times out):
samba-tool drs kcc -UAdministrator hh6
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to hh6 
failed - drsException: DRS connection to hh6 failed: (-1073741643, 
'NT_STATUS_IO_TIMEOUT')
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 
39, in drsuapi_connect
     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = 
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 
54, in drsuapi_connect
     raise drsException("DRS connection to %s failed: %s" % (server, e))

On DC2 (it's fine):
samba-tool drs kcc -UAdministrator hh1
Password for [MARINA\Administrator]:
Consistency check on hh1 successful.

Summary:
Replication DC1 to DC2 works, not the other way.

Any ideas,
Steve

More information about the samba-technical mailing list