samba-tool ldapcmp and rodc and instanceType attribute

Andrew Bartlett abartlet at
Thu Nov 13 21:50:22 MST 2014

On Mon, 2014-11-10 at 21:36 +0100, Denis Cardon wrote:
> Hi all,
> I was doing some cleansing of replicated DCs recently, and I tried an ldapcmp 
> between the central DC and a remote RODC. samba-tool ldapcmp already 
> ignores some attributes, but I think it should also ignore the 
> instanceType attribute.
> Comparing:
> 'DC=r1,DC=tranquilit.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=tranquilit,DC=local' 
> [ldap://srvads]
> 'DC=r1,DC=tranquilit.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=tranquilit,DC=local' 
> [ldap://rodc-nantes]
>      Difference in attribute values:
>          instanceType =>
> ['4']
> ['0']
>      FAILED
> A 0x00000004 value means that the entry is read/write on that directory, 
> which is indeed not the case on the RODC (so the reported error is 
> actually a correct case).
> Digging a little more in my RODC, I realized that many DNS entries have a 
> 0x00000004 value... and only recently created entries have the 0x00000000 
> value.
> This is probably a former bug that has been solved, I guess. Do you all 
> advise making a full sync of the remote partition when one upgrades to a 
> newer version to clean up this kind of issue?

We should be able to clean that up with either a current or improved
dbcheck tool.  (We know pretty well what the values should be).

Andrew Bartlett

Authentication Developer, Samba Team
Samba Developer, Catalyst IT
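
The check discussed in this thread, as an added example that is not part of the original messages and is not Samba's ldapcmp or dbcheck code: it reads instanceType values from LDIF text exported from an RODC, lists entries that still carry the 0x4 write bit, and compares two values while ignoring only that bit. The LDIF sample, the "old1" record and all function names are constructed for illustration.

```python
import base64

IT_WRITE = 0x4  # instanceType bit quoted in the thread: entry is read/write on this replica

# Constructed sample of what an RODC export could look like (not real data).
# The "old1" record is hypothetical and uses LDIF line folding; 9 is a constructed
# value that has other bits set but not the write bit.
SAMPLE_RODC_LDIF = """\
dn: DC=r1,DC=tranquilit.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=tranquilit,DC=local
instanceType: 0

dn: DC=old1,DC=tranquilit.local,CN=MicrosoftDNS,DC=DomainDnsZones,
 DC=tranquilit,DC=local
instanceType: 4

dn: DC=DomainDnsZones,DC=tranquilit,DC=local
instanceType: 9
"""

def unfold(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_instance_types(text):
    """Return {dn: instanceType} for every record that carries the attribute."""
    result, dn = {}, None
    for line in unfold(text):
        if not line.strip():
            dn = None  # a blank line ends the current record
        elif line.startswith("dn:: "):
            dn = base64.b64decode(line[5:]).decode("utf-8")  # base64-encoded DN
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("instanceType: ") and dn is not None:
            result[dn] = int(line[len("instanceType: "):])
    return result

def stale_writable(entries):
    """DNs whose instanceType still has IT_WRITE set on the read-only replica."""
    return sorted(dn for dn, it in entries.items() if it & IT_WRITE)

def same_ignoring_write(rw_value, rodc_value):
    """True when a writable DC and an RODC differ only in the IT_WRITE bit."""
    return (rw_value ^ rodc_value) & ~IT_WRITE == 0

if __name__ == "__main__":
    for dn in stale_writable(parse_instance_types(SAMPLE_RODC_LDIF)):
        print("IT_WRITE set on RODC copy:", dn)
```

Masking only the write bit keeps a comparison between a writable DC and an RODC sensitive to every other instanceType difference, which dropping the attribute from the comparison entirely would hide.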
