[Samba] Problem creating new DC's
lp101
lingpanda101 at gmail.com
Mon Jun 9 07:06:58 MDT 2014
Chris,
I may not be able to offer much more help. Maybe someone on the
list can chime in. After restarting samba can you run "/samba-tool drs
kcc" on your DC that holds all the FSMO roles as well as your new one?
Also after restart does "/samba-tool drs showrepl" show no errors on any
DC in your forest?
On 6/9/2014 8:06 AM, Chris Alavoine wrote:
> Hi James,
>
> I may have spoken too soon. Replication to my other DC's (including
> the new one in the new Site) keeps failing. After a samba restart
> replication work for around 30 minutes and then this happens:
>
> /usr/local/samba/bin/samba-tool drs showrepl | more
> ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
> REMOTEDC.example.com <http://REMOTEDC.example.com> failed -
> drsException: DRS connection to REMOTEDC.example.com
> <http://REMOTEDC.example.com> failed: (-1073741643,
> 'NT_STATUS_IO_TIMEOUT')
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py",
> line 39, in drsuapi_connect
> (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
> drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
> line 54, in drsuapi_connect
> raise drsException("DRS connection to %s failed: %s" % (server, e))
>
> This has the added side-effect that Samba no longer functions (i.e. no
> longer processes logins) until I do another restart.
>
> The only DC impervious to this behaviour the main FSMO DC.
>
> As a workaround I have a cronjob on my other DC's that restarts samba
> every 30 minutes but clearly this is no solution.
>
> Last Friday evening after adding my new DC in it's correct Site I
> attempt to demote the old one in this location. The samba-tool domain
> demote command failed for me so I removed the DC manually and removed
> all traces of it from DNS. Could this have caused problems?
>
> Any help much appreciated.
>
> Thanks,
> Chris.
>
>
>
> On 4 June 2014 14:08, Chris Alavoine <chrisa at acs-info.co.uk
> <mailto:chrisa at acs-info.co.uk>> wrote:
>
> Yep, new DC shows up under ADSS.
>
> c:)
>
>
> On 4 June 2014 14:04, lp101 <lingpanda101 at gmail.com
> <mailto:lingpanda101 at gmail.com>> wrote:
>
> Hi Chris,
>
> Great news! Confirm Site and Services does in fact show
> your New DC in its appropriate location.
>
>
> On 6/4/2014 8:58 AM, Chris Alavoine wrote:
>> Hi James,
>>
>> Just thought I'd report my success!
>>
>> I'd forgotten to specify the local DC (same Site) in my
>> domain provision command:
>>
>> /usr/local/samba/bin/samba-tool domain join example.com
>> <http://example.com> DC -UAdministrator --realm=example.com
>> <http://example.com> --server=blahdc --site=blah
>>
>> This still took over an hour but didn't produce the above
>> TIMEOUT error.
>>
>> Thanks for your help on this!
>>
>> c:)
>>
>>
>>
>> On 3 June 2014 16:40, Chris Alavoine <chrisa at acs-info.co.uk
>> <mailto:chrisa at acs-info.co.uk>> wrote:
>>
>> Hi James,
>>
>> I have upped the RAM to 20GB and given it 8 cores, but
>> unfortunately am getting the same result. The time taken
>> to process all the objects is well over an hour which I'm
>> guessing is where my problem lies.
>>
>> Not sure what else to try expect maybe attempting to
>> reduce the number of DC's (over a weekend) and try again.
>>
>> Thanks,
>> Chris.
>>
>>
>> On 3 June 2014 13:56, lp101 <lingpanda101 at gmail.com
>> <mailto:lingpanda101 at gmail.com>> wrote:
>>
>> I believe I needed at least 8GB to complete the
>> join process. I know it was more then 4GB. Here is a
>> link to my discussion I had on this list in Jan.
>>
>> http://samba.2283325.n4.nabble.com/DomainDnsZone-Replication-Shows-200-000-Objects-td4658437i20.html
>>
>> I strongly discourage using the tombstone
>> attribute to fix this issue within this discussion.
>> It created more issues then it was worth. I'm not
>> sure if this bug was fixed or not. Increase the
>> memory and attempt to join the new DC to the existing
>> DC at that site. It should help with the timeout
>> error. Good luck!
>>
>>
>>
>> On 6/3/2014 8:44 AM, Chris Alavoine wrote:
>>> Hi James,
>>>
>>> Thanks for the reply.
>>>
>>> My last attempt had 4GB RAM and 4 cores (VM). Do you
>>> think I should give it some more?
>>>
>>> Thanks,
>>> Chris.
>>>
>>>
>>> On 3 June 2014 13:42, lp101 <lingpanda101 at gmail.com
>>> <mailto:lingpanda101 at gmail.com>> wrote:
>>>
>>> Hi Chris,
>>>
>>> How much memory does your server have and
>>> are you attempting to join it to the local DC at
>>> the site? I've had an issue similar to this and
>>> increasing the server memory and attempting to
>>> join to a local DC helped.
>>>
>>>
>>> On 6/3/2014 8:04 AM, Chris Alavoine wrote:
>>>
>>> Hi there,
>>>
>>> I currently have 6 Samba4 (4.1.5) DC's
>>> spread over a global network. This
>>> is working ok but they were created before
>>> any Sites were made and as the
>>> ability to move DC's to new Sites is not
>>> working, I am attempting to create
>>> new DC's in each location and then demote
>>> the old ones.
>>>
>>> The problem I am facing is the domain join
>>> process keeps timing out for any
>>> new DC. I think this is due the amount of
>>> objects that now need to be
>>> synced:
>>>
>>> Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>>> objects[142711/162691] linked_values[0/0]
>>> Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>>> objects[143113/162691] linked_values[0/0]
>>> Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>>> objects[143515/162691] linked_values[0/0]
>>>
>>> (this is a snippet from attempting to join,
>>> as you can see there are 162691
>>> objects which takes a fair amount of time to
>>> get through - I have tried
>>> this from various different locations).
>>>
>>> This is the final error I get:
>>>
>>> Replicating
>>> DC=ForestDnsZones,DC=essence,DC=internal,DC=com
>>> Partition[DC=ForestDnsZones,DC=essence,DC=internal,DC=com]
>>> objects[24/24]
>>> linked_values[0/0]
>>> Partition[DC=ForestDnsZones,DC=essence,DC=internal,DC=com]
>>> objects[48/24]
>>> linked_values[0/0]
>>> Committing SAM database
>>> Sending DsReplicateUpdateRefs for all the
>>> replicated partitions
>>> Join failed - cleaning up
>>> checking sAMAccountName
>>> ERROR(runtime): uncaught exception -
>>> (-1073741643, 'NT_STATUS_IO_TIMEOUT')
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>> line 175, in _run
>>> return self.run(*args, **kwargs)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>>> line
>>> 552, in run
>>> machinepass=machinepass,
>>> use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>> line
>>> 1172, in join_DC
>>> ctx.do_join()
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>> line
>>> 1082, in do_join
>>> ctx.join_finalise()
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>> line
>>> 881, in join_finalise
>>> ctx.send_DsReplicaUpdateRefs(nc)
>>> File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
>>> line
>>> 866, in send_DsReplicaUpdateRefs
>>> ctx.drsuapi.DsReplicaUpdateRefs(ctx.drsuapi_handle,
>>> 1, r)
>>>
>>>
>>> Which seem to suggest that the join fails,
>>> it tries to clean up and gets a
>>> NT_STATUS_IO_TIMEOUT error.
>>>
>>> This leaves me with a non-functioning DC
>>> appearing in the Domain Controller
>>> list on ADUC and ADSS which need to be
>>> cleaned out.
>>>
>>> Any advice on how I can get around this problem?
>>>
>>> Thanks
>>> Chris.
>>>
>>>
>>> --
>>> -James
>>>
>>>
>>>
>>>
>>> --
>>> ACS (Alavoine Computer Services Ltd)
>>> Chris Alavoine
>>> mob +44 (0)7724 710 730
>>> <tel:%2B44%20%280%297724%20710%20730>
>>> www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
>>> http://twitter.com/#!/alavoinecs
>>> <http://twitter.com/#%21/alavoinecs>
>>> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>
>> --
>> -James
>>
>>
>>
>>
>> --
>> ACS (Alavoine Computer Services Ltd)
>> Chris Alavoine
>> mob +44 (0)7724 710 730 <tel:%2B44%20%280%297724%20710%20730>
>> www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
>> http://twitter.com/#!/alavoinecs
>> <http://twitter.com/#%21/alavoinecs>
>> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>
>>
>>
>>
>> --
>> ACS (Alavoine Computer Services Ltd)
>> Chris Alavoine
>> mob +44 (0)7724 710 730 <tel:%2B44%20%280%297724%20710%20730>
>> www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
>> http://twitter.com/#!/alavoinecs
>> <http://twitter.com/#%21/alavoinecs>
>> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>
> --
> -James
>
>
>
>
> --
> ACS (Alavoine Computer Services Ltd)
> Chris Alavoine
> mob +44 (0)7724 710 730 <tel:%2B44%20%280%297724%20710%20730>
> www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
> http://twitter.com/#!/alavoinecs <http://twitter.com/#%21/alavoinecs>
> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>
>
>
>
> --
> ACS (Alavoine Computer Services Ltd)
> Chris Alavoine
> mob +44 (0)7724 710 730
> www.alavoinecs.co.uk <http://www.alavoinecs.co.uk>
> http://twitter.com/#!/alavoinecs <http://twitter.com/#%21/alavoinecs>
> http://www.linkedin.com/pub/chris-alavoine/39/606/192
--
-James
More information about the samba
mailing list