4.0.rc2 drs issue

Gémes Géza geza at kzsdabas.hu
Thu Oct 18 14:02:47 MDT 2012


On 2012-10-18 07:43, Matthieu Patou wrote:
> On 10/17/2012 12:53 PM, Gémes Géza wrote:
>> Hi,
>>
>> I have a (production) domain created by a 3.5->4.0beta6(some git 
>> version)->4.0rc2 upgrade path, with the last upgrade executed as a 
>> join of a 4.0rc2 install (machine name dc1) and removal of the beta8 
>> install (machine name dc0). Immediately after the removal of beta8 (I 
>> wasn't able to demote it, however forcibly transferred the fsmo roles 
>> to rc2) I've installed another instance of rc2 (with the same IP 
>> address and name as beta8 had (dc0)) and joined it to rc2 (without 
>> removing anything related to dc0 from the directory). Unfortunately 
>> I've observed that drs is not working as expected (I had dc0 as an 
>> incoming and outgoing replica partner on dc1, but dc1 was only an 
>> incoming partner for dc0). Because of that I've decided to remove dc0 
>> from the domain entirely to rejoin it cleanly (also plan to upgrade 
>> both servers to rc3 in the process). Unfortunately dc0 won't demote 
>> as it claims to hold still two roles, but samba-tool fsmo show gives 
>> (on both servers) that all five roles are held by dc1. Being stuck on 
>> it I've decided to forcibly remove it following: 
>> http://technet.microsoft.com/en-us/library/cc736378%28WS.10%29.aspx
>> After removal I've checked that dc0 disappeared without trace (except 
>> dns where I've cleaned it out).
>> After joining it back I still have:
>> root@dc1:~# samba-tool drs showrepl
>> Default-First-Site-Name\DC1
>> DSA Options: 0x00000001
>> DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>> DSA invocationId: 574709d5-5de7-472a-ba15-fc7b5ca97da0
>>
>> ==== INBOUND NEIGHBORS ====
>>
>> DC=DomainDnsZones,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC0 via RPC
>>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>>         Last attempt @ NTTIME(0) was successful
>>         0 consecutive failure(s).
>>         Last success @ NTTIME(0)
>>
>> CN=Schema,CN=Configuration,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC0 via RPC
>>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>>         Last attempt @ NTTIME(0) was successful
>>         0 consecutive failure(s).
>>         Last success @ NTTIME(0)
>>
>> DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC0 via RPC
>>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>>         Last attempt @ NTTIME(0) was successful
>>         0 consecutive failure(s).
>>         Last success @ NTTIME(0)
>>
>> DC=ForestDnsZones,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC0 via RPC
>>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>>         Last attempt @ NTTIME(0) was successful
>>         0 consecutive failure(s).
>>         Last success @ NTTIME(0)
>>
>> CN=Configuration,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC0 via RPC
>>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>>         Last attempt @ NTTIME(0) was successful
> ^^^^^^^^^^^^^^^^^^^ This means that it has never replicated from this 
> server
>> 0 consecutive failure(s).
>>         Last success @ NTTIME(0)
>>
>> ==== OUTBOUND NEIGHBORS ====
>>
>> DC=DomainDnsZones,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC0 via RPC
>>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>>         Last attempt @ NTTIME(0) was successful
>>         0 consecutive failure(s).
>>         Last success @ NTTIME(0)
>>
>> CN=Schema,CN=Configuration,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC0 via RPC
>>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>>         Last attempt @ NTTIME(0) was successful
>>         0 consecutive failure(s).
>>         Last success @ NTTIME(0)
>>
>> DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC0 via RPC
>>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>>         Last attempt @ NTTIME(0) was successful
>>         0 consecutive failure(s).
>>         Last success @ NTTIME(0)
>>
>> DC=ForestDnsZones,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC0 via RPC
>>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>>         Last attempt @ NTTIME(0) was successful
>>         0 consecutive failure(s).
>>         Last success @ NTTIME(0)
>>
>> CN=Configuration,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC0 via RPC
>>         DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>>         Last attempt @ NTTIME(0) was successful
> ^^^^^^^^^^^^^^^^^^^ in outgoing the nttime is always 0
>> 0 consecutive failure(s).
>>         Last success @ NTTIME(0)
>>
>> ==== KCC CONNECTION OBJECTS ====
>>
>> Connection --
>>     Connection name: c9f0627b-6d81-4817-adca-1849005d0d7c
>>     Enabled        : TRUE
>>     Server DNS name : DC0.kzsdabas.hu
>>     Server DN name  : CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kzsdabas,DC=hu
>>         TransportType: RPC
>>         options: 0x00000001
>> Warning: No NC replicated for Connection!
>>
>> Which seems ok
> no it's not
>>
>> and:
>> root@dc0:~# samba-tool drs showrepl
>> Default-First-Site-Name\DC0
>> DSA Options: 0x00000001
>> DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
>> DSA invocationId: c733b71a-c093-4a0e-b990-839d8b9ffaf2
>>
>> ==== INBOUND NEIGHBORS ====
>>
>> DC=DomainDnsZones,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC1 via RPC
>>         DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>>         Last attempt @ Wed Oct 17 21:44:35 2012 CEST was successful
>>         0 consecutive failure(s).
>>         Last success @ Wed Oct 17 21:44:35 2012 CEST
>>
>> CN=Schema,CN=Configuration,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC1 via RPC
>>         DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>>         Last attempt @ Wed Oct 17 21:44:35 2012 CEST was successful
>>         0 consecutive failure(s).
>>         Last success @ Wed Oct 17 21:44:35 2012 CEST
>>
>> DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC1 via RPC
>>         DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>>         Last attempt @ Wed Oct 17 21:44:36 2012 CEST was successful
>>         0 consecutive failure(s).
>>         Last success @ Wed Oct 17 21:44:36 2012 CEST
>>
>> DC=ForestDnsZones,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC1 via RPC
>>         DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>>         Last attempt @ Wed Oct 17 21:44:35 2012 CEST was successful
>>         0 consecutive failure(s).
>>         Last success @ Wed Oct 17 21:44:35 2012 CEST
>>
>> CN=Configuration,DC=kzsdabas,DC=hu
>>     Default-First-Site-Name\DC1 via RPC
>>         DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
>>         Last attempt @ Wed Oct 17 21:44:36 2012 CEST was successful
>>         0 consecutive failure(s).
>>         Last success @ Wed Oct 17 21:44:36 2012 CEST
>>
>> ==== OUTBOUND NEIGHBORS ====
>>
>> ==== KCC CONNECTION OBJECTS ====
>>
>> Connection --
>>     Connection name: 4eb7c88b-62c9-46d1-817d-15b5be7b9e41
>>     Enabled        : TRUE
>>     Server DNS name : DC1.kzsdabas.hu
>>     Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kzsdabas,DC=hu
>>         TransportType: RPC
>>         options: 0x00000001
>> Warning: No NC replicated for Connection!
>>
>> Which seems less perfect
>
> Well you should check the repsto and repsfrom attributes (use 
> ldbsearch -H ldap://<ip> --cross-ncs --show-binary '(repsto=*)' 
> repsfrom repsto)
>
> Also check that on both hosts you can resolve the two following DNS names
>
> <guid_ntds_server1>._msdcs.<domain>
> <guid_ntds_server2>._msdcs.<domain>
>
> Use this command:
>  ./bin/ldbsearch -H ldap://<ip>  '(invocationid=*)' --cross-ncs  
> objectguid to get the guid_ntds_server1 & guid_ntds_server2
>
> Matthieu.
>
>
> Matthieu
>
Hi,

Thank you again for those commands. With only one DC alive and working 
I've checked its guid entry and it was as expected, however I've 
discovered lots of leftovers from the other (removed) DC under _msdcs 
(including NS pointing only to it). After removing/fixing them, the 
remaining DC reports as expected:
# samba-tool drs showrepl
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635
DSA invocationId: 574709d5-5de7-472a-ba15-fc7b5ca97da0

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

During the weekend I'll try to upgrade the now removed DC to RC3 and 
rejoin. After which I'll check the records you've mentioned. Will report 
back about success/failure.

Cheers

Geza Gemes
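
The checks discussed in this thread, as an added example that is not part of the original messages: the script reads `samba-tool drs showrepl` text, lists inbound neighbours whose last success is NTTIME(0), and builds the `<guid>._msdcs.<domain>` names to resolve on each DC. The function names and the shortened sample are constructed for illustration; the GUIDs and domain are the ones shown in the output above.

```shell
# Added example, not from the thread. Reads `samba-tool drs showrepl` text on stdin.

# Inbound neighbours whose last success is NTTIME(0), i.e. never replicated from.
# Outbound entries are skipped: per the reply above they always show NTTIME(0).
never_replicated() {
  awk '
    /^==== /           { inbound = ($2 == "INBOUND"); next }
    !inbound           { next }
    /^[A-Za-z]/        { nc = $0; next }       # unindented line is the NC DN
    / via RPC$/        { partner = $1; next }  # Site\SERVER
    /DSA object GUID:/ { guid = $NF; next }
    /Last success @ NTTIME\(0\)/ { printf "%s\t%s\t%s\n", nc, partner, guid }
  '
}

# One <guid>._msdcs.<domain> name per distinct DSA object GUID in the output.
# $1 is the DNS domain; resolve each printed name on both DCs (e.g. with host).
msdcs_names() {
  awk -v d="$1" '/DSA object GUID:/ && !seen[$NF]++ { print $NF "._msdcs." d }'
}

# Constructed sample: shortened, in the layout of the output quoted in this thread.
sample_showrepl() {
  cat <<'EOF'
Default-First-Site-Name\DC1
DSA object GUID: f5ea5559-534c-4341-9f63-c0d7a0019635

==== INBOUND NEIGHBORS ====

DC=kzsdabas,DC=hu
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
        Last success @ NTTIME(0)

CN=Configuration,DC=kzsdabas,DC=hu
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
        Last success @ Wed Oct 17 21:44:36 2012 CEST

==== OUTBOUND NEIGHBORS ====

DC=kzsdabas,DC=hu
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: fa8ad1e1-f8e0-42ef-b8da-dfdb22141d5f
        Last success @ NTTIME(0)
EOF
}

sample_showrepl | never_replicated
sample_showrepl | msdcs_names kzsdabas.hu
```

On a live DC, pipe the real command into the same functions, for example `samba-tool drs showrepl | never_replicated`.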

