net ads leave weird errors due to replication not having occurred ...

Andrew Bartlett abartlet at samba.org
Mon Mar 4 14:10:42 MST 2013


On Mon, 2013-03-04 at 12:56 -0800, Richard Sharpe wrote:
> Hi folks,
> 
> We have seen a number of bugs in leaving a domain that seem related to
> replication not having occurred when we try to leave the domain. This
> will mostly occur in domains where there are multiple DCs if someone
> does a net ads join and then a net ads leave for the same member
> server before replication happens (defaults to once per hour, it
> seems.)
> 
> We have seen cases where net ads leave:
> 
> 1. fails to find the computer account because it looked on the wrong DC
> 
> 2. gets errors like KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN on a subsequent
> authentication attempt after the first.
> 
> It would seem that we should:
> 
> 1. Use the same KDC that we authenticated against in the first case.
> 
> 2. If the first DC we contact does not know of the Machine Account, we
> should grab the FSMO PDC role and contact that DC.

An AD domain that isn't replicating is already broken for so many other
things.  Replication should be within seconds, not once per hour. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
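The DC-selection fallback proposed above, as an added illustration that is not code from the thread or from Samba's `net` utility: the PDC emulator is located the way AD records it, through the `fSMORoleOwner` attribute on the domain naming context, whose value is the DN of the role holder's "NTDS Settings" object (the DC's name is the CN directly above it). The LDIF sample, the DC names, the per-DC account view standing in for a directory that has not finished replicating, and the function names are all constructed for the example.

```python
import re

# Constructed sample of an LDIF-style read of the domain NC's fSMORoleOwner
# attribute (hypothetical domain and DC names, not from the original post).
SAMPLE_FSMO_LDIF = """\
dn: DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
"""

# The role owner DN always has the form
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
# Commas escaped inside an RDN are not handled here; server CNs never contain them.
_NTDS_SETTINGS_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def pdc_emulator_from_ldif(ldif: str) -> str:
    """Return the server name of the PDC emulator from an LDIF dump of the domain NC."""
    for line in ldif.splitlines():
        if line.lower().startswith("fsmoroleowner:"):
            dn = line.split(":", 1)[1].strip()
            match = _NTDS_SETTINGS_RE.match(dn)
            if not match:
                raise ValueError(f"unexpected fSMORoleOwner DN: {dn}")
            return match.group(1)
    raise ValueError("no fSMORoleOwner attribute in LDIF")


# Constructed view of which DCs already hold the new machine account: the join
# was done against DC1 and, in this scenario, the PDC emulator (DC2) has
# received it, while DC3 has not yet replicated it.
SAMPLE_DIRECTORY = {
    "DC1": {"MEMBER1$"},
    "DC2": {"MEMBER1$"},
    "DC3": set(),
}


def dc_has_account(dc: str, sam_account_name: str, directory=SAMPLE_DIRECTORY) -> bool:
    """Stand-in for an LDAP search of (sAMAccountName=...) against one DC."""
    return sam_account_name in directory.get(dc, set())


def choose_dc_for_leave(join_dc, first_dc, sam_account_name, pdc_emulator,
                        directory=SAMPLE_DIRECTORY):
    """Pick the DC to run the leave against, following the two rules in the thread:

    1. prefer the DC we joined and authenticated against, when it is known;
    2. otherwise use the first DC we reached, and if it does not know the
       machine account yet, fall back to the PDC emulator.

    Returns None when no candidate knows the account (nothing to leave from yet).
    """
    for candidate in (join_dc, first_dc, pdc_emulator):
        if candidate and dc_has_account(candidate, sam_account_name, directory):
            return candidate
    return None


if __name__ == "__main__":
    pdc = pdc_emulator_from_ldif(SAMPLE_FSMO_LDIF)
    print("PDC emulator:", pdc)
    print("leave via (join DC known):", choose_dc_for_leave("DC1", "DC3", "MEMBER1$", pdc))
    print("leave via (join DC unknown):", choose_dc_for_leave(None, "DC3", "MEMBER1$", pdc))
```

The only network-dependent parts in a real implementation are the two reads this sketch stubs out: one LDAP read of the domain NC for `fSMORoleOwner`, and one search per candidate DC for the machine account; everything else is the ordering of candidates.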