[Samba] Four DCs, No Replication [and no demotion]

Adam Tauno Williams awilliam at whitemice.org
Wed Aug 13 09:01:46 MDT 2014


On Tue, 2014-08-12 at 16:02 -0400, Adam Tauno Williams wrote: 
> On Tue, 2014-08-12 at 15:08 -0400, Adam Tauno Williams wrote: 
> > I added three DCs to a single DC Samba4 AD domain.
> > They initially replicated and came up - but replication does not appear
> > to be ongoing.  A change made to a user via MMC connected to one DC does
> > not appear on another DC.
> > In the logs I see bursts of the following message:
> > [2014/08/12 15:08:08.026270,
> > 0] ../source4/librpc/rpc/dcerpc_util.c:660(dcerpc_pipe_auth_recv)
> >   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> > e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:3a74ac28-1613-471f-ac3d-1b8932eeb167._msdcs.example.com[1024,seal,krb5] NT_STATUS_INVALID_PARAMETER
> > Could these be the cause of the lack of replication?  I've searched about
> > and cannot pin down a meaning for this message.
> So I have tried to demote one of the new DCs, as it is not actually
> working.  Only I cannot demote -
> [root at larkin26 ~]# samba-tool domain demote -Uadministrator
> Using LARKIN27.micore.us as partner server for the demotion
> Password for [BACKBONE\administrator]:
> Desactivating inbound replication
> Asking partner server LARKIN27.micore.us to synchronize from us
> Error while demoting, re-enabling inbound replication
> ERROR(<class 'samba.drs_utils.drsException'>): Error while sending a
> DsReplicaSync for partion CN=Schema,CN=Configuration,DC=micore,DC=us -
> drsException: DsReplicaSync failed (87, 'WERR_INVALID_PARAM')
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
> 647, in run
>     sendDsReplicaSync(drsuapiBind, drsuapi_handle, ntds_guid, str(part),
> drsuapi.DRSUAPI_DRS_WRIT_REP)
>   File "/usr/lib64/python2.6/site-packages/samba/drs_utils.py", line 83,
> in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)

Cleaning up a duplicated servicePrincipalName fixed replication - but
user logon scripts still do not work.  So in trying to fight my way back
to a single working DC I want to demote all the new Samba4 DCs.  But I
can't.  It now fails with -

[root at larkin26 ~]# samba-tool domain demote
Using LARKIN27.micore.us as partner server for the demotion
Password for [administrator at MICORE.US]:
Desactivating inbound replication
Asking partner server LARKIN27.micore.us to synchronize from us
Changing userControl and container
Error while demoting, re-enabling inbound replication
ERROR(<type 'exceptions.IndexError'>): Error while changing account
control - list index out of range
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
666, in run
    dc_dn = res[0].dn
[root at larkin26 ~]# 

Should I just do a kill on these DCs and then try forcible removal as if
they had died?  Or does someone have an idea why I cannot demote these
DCs?

<https://wiki.samba.org/index.php/Demote_a_Samba_DC#Demote_a_DC_that_isn.27t_accessable_any_more>



-- 
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
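
The duplicated servicePrincipalName mentioned in the message above can be checked for offline. The following is an added example, not part of the original post and not Samba code: it reads an LDIF dump of servicePrincipalName values (for instance the output of an ldbsearch for servicePrincipalName=*) and reports every SPN held by more than one object. The sample LDIF and all names in it are constructed.

```python
import base64
from collections import defaultdict
# Constructed sample LDIF; every name in it is made up for this example.
SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
servicePrincipalName: HOST/dc1.example.com
servicePrincipalName: ldap/dc1.example.com/example.com

# the next value is folded across two lines, as LDIF writers do
dn: CN=DC2,OU=Domain Controllers,DC=example,DC=com
servicePrincipalName: LDAP/DC1.example.com/
 example.com

dn: CN=svc-web,CN=Users,DC=example,DC=com
servicePrincipalName:: SFRUUC93ZWIuZXhhbXBsZS5jb20=
"""

def unfold(text):
    """Join LDIF continuation lines (lines that start with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_duplicate_spns(ldif_text):
    """Map each SPN held by more than one object to the sorted DNs holding it."""
    owners, dn = defaultdict(set), None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None                      # blank line ends a record
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname" and dn:
            owners[value.lower()].add(dn)  # SPNs compare case-insensitively
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    print(find_duplicate_spns(SAMPLE_LDIF))
```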