[Samba] outbound replication of newly added DC not working

Thomas Schulz schulz at adi.com
Wed Mar 19 20:38:24 MDT 2014


> On 19.03.2014 16:16, Thomas Schulz wrote:
>>> On 14.03.2014 12:48, Andreas Oster wrote:
>>>> Hi all,
>>>>
>>>> I have just added a DC to our existing AD. Join did work without any
>>>> error messages but now I have recognized that only inbound replication
>>>> from old DCs is working, outbound list is empty.
>>>>
>>>> Samba version is: Version 4.2.0pre1-GIT-cff0f8e
>>>>
>>>> here is the output of samba-tool drs showrepl:
>>>>
>>>> DSA Options: 0x00000001
>>>> DSA object GUID: 94534f65-5d06-41f5-844d-a58a0bc03c93
>>>> DSA invocationId: 3db6f686-cbd9-4ef8-992d-1ae1671e6c17
>>>>
>>>> ==== INBOUND NEIGHBORS ====
>>>>
>>>> DC=sambadom,DC=com
>>>>          Standardname-des-ersten-Standorts\dc02 via RPC
>>>>                  DSA object GUID: ef37f4de-a03c-493c-96f6-e521a5415d81
>>>>                  Last attempt @ Fri Mar 14 12:41:07 2014 CET was successful
>>>>                  0 consecutive failure(s).
>>>>                  Last success @ Fri Mar 14 12:41:07 2014 CET
> > 
> > ------------------- lines removed ------------------------------
>>>>
>>>> CN=Schema,CN=Configuration,DC=sambadom,DC=com
>>>>          Standardname-des-ersten-Standorts\dc01 via RPC
>>>>                  DSA object GUID: c60bca82-df6e-409e-85c5-e2cc733691da
>>>>                  Last attempt @ Fri Mar 14 12:40:42 2014 CET was successful
>>>>                  0 consecutive failure(s).
>>>>                  Last success @ Fri Mar 14 12:40:42 2014 CET
>>>>
>>>> ==== OUTBOUND NEIGHBORS ====
>>>>
>>>> ==== KCC CONNECTION OBJECTS ====
>>>>
>>>> Connection --
>>>>          Connection name: dc01
>>>>          Enabled        : TRUE
>>>>          Server DNS name : dc01.sambadom.com
>>>>          Server DN name  : CN=NTDS
>>>> Settings,CN=dc01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,
> >    CN=Configuration,DC=sambadom,DC=com
>>>>                  TransportType: RPC
>>>>                  options: 0x00000000
>>>> Warning: No NC replicated for Connection!
>>>> Connection --
>>>>          Connection name: dc02
>>>>          Enabled        : TRUE
>>>>          Server DNS name : dc02.sambadom.com
>>>>          Server DN name  : CN=NTDS
>>>> Settings,CN=dc02,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,
> >    CN=Configuration,DC=sambadom,DC=com
>>>>                  TransportType: RPC
>>>>                  options: 0x00000000
>>>> Warning: No NC replicated for Connection!
>>>>
>>>> ( I have replaced domain and DC names in the output text !)
>>>>
>>>>
>>>> Does anybody know how to fix this issue and get outbound replication to
>>>> work ?
>>>>
>>>> I have already tried to demote and re-join the new DC, but this did not
>>>> help. I have also checked the DNS entries and those seem to be OK.
>>>>
>>>> Thank you for your kind help
>>>>
>>>> best regards
>>>>
>>>> Andreas
>>>>
>>>
>>> Hi all,
>>>
>>> I have been able to manually start outbound replication by issuing 
>>> "samba-tool drs replicate" for all the missing outbound NCs.
> > 
> > Did you get a one time replication or does it now replicate automatically?
> > I tried to use the "samba-tool drs replicate" command but I can not
> > figure out what to use for 'NC'. I found out what NC means but not exactly
> > what to enter.
> > 
> > I sent email to the list a few weeks ago about one way replication. I have
> > been assuming that my problem is because I have a Windows 2000 DC and DNS
> > replication is not supported with a Windows 2000 DC. I am about to try
> > manually entering the DNS records for the Samba 4.1.6 DC into the
> > Windows 2000 DNS and then see what happens.
>>>
>>> Thanks
>>>
>>> best regards
>>>
>>> Andreas
>>> -- 
> > 
> > Tom Schulz
> > Applied Dynamics Intl.
> > schulz at adi.com
> > 
> Hello Thomas,
> 
> yes it is working for me now. NCs are in my case:
> 
> DC=sambadom,DC=com
> DC=ForestDnsZones,DC=sambadom,DC=com
> CN=Configuration,DC=sambadom,DC=com
> DC=DomainDnsZones,DC=sambadom,DC=com
> CN=Schema,CN=Configuration,DC=sambadom,DC=com
> 
> Obviously you will have different domain name entries.
> If inbound replication is working you should see those entries when
> executing "samba-tool drs showrepl".
> 
> I am not sure if replication is still supported between samba4 and
> windows 2000, but it is vital, that all the required DNS entries are
> available.
> In the old samba4 alpha days replication did work, I know this for sure
> because I migrated our win2000 AD to a samba4 only one.
> 
> In order to start outbound replication from one DC to the other you have
> to do something like this, given that all outbound NCs are missing:
> 
> samba-tool drs replicate <destinationDC> <sourceDC> DC=sambadom,DC=com
> 
> samba-tool drs replicate <destinationDC> <sourceDC>
> DC=ForestDnsZones,DC=sambadom,DC=com
> 
> samba-tool drs replicate <destinationDC> <sourceDC>
> CN=Configuration,DC=sambadom,DC=com
> 
> samba-tool drs replicate <destinationDC> <sourceDC>
> DC=DomainDnsZones,DC=sambadom,DC=com
> 
> samba-tool drs replicate <destinationDC> <sourceDC>
> CN=Schema,CN=Configuration,DC=sambadom,DC=com
> 
> Make sure to use the correct NCs !  <sourceDC> is the DC which is
> missing outbound replication peers.

It looks like this is not going to work with a Windows 2000 server.
I manually entered the DNS information on the 2000 server.
samba_dnsupdate --verbose now says that all is OK (before it said that
<2003 is not supported). samba-tool drs showrepl shows nothing under
both inbound neighbors and outbound neighbors. It does list the 2000
server in connection objects. Despite showing nothing under inbound
neighbors, inbound replication does work. I tried

./samba-tool drs replicate starfish2 koi DC=adi,DC=com

and got the following error

ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed
     - drsException: DsReplicaSync failed (8452, 'WERR_DS_DRA_NO_REPLICA')
  File "/opt/local/samba4/lib/python2.7/site-packages/samba/netcmd/drs.py",
       line 345, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
         source_dsa_guid, NC, req_options)
  File "/opt/local/samba4/lib/python2.7/site-packages/samba/drs_utils.py",
        line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

I can reverse the machine names and get a successful inbound replication.
I may have to try to stop using the windows 2000 server.

> 
> best regards
> 
> Andreas

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
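
Added example (not part of the original thread and not Samba project code): a small parser for "samba-tool drs showrepl" text that finds NCs replicated inbound from a peer but with no matching outbound neighbor, and builds the "samba-tool drs replicate <destinationDC> <sourceDC> <NC>" lines described in the quoted reply. The sample text is constructed from the output quoted in the thread; the function names and the source DC name "dc03" are assumptions.

```python
import re

# Constructed sample, shaped like the showrepl output quoted in the thread.
SAMPLE = """\
==== INBOUND NEIGHBORS ====

DC=sambadom,DC=com
        Standardname-des-ersten-Standorts\\dc02 via RPC

CN=Schema,CN=Configuration,DC=sambadom,DC=com
        Standardname-des-ersten-Standorts\\dc01 via RPC

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
"""

SECTION = re.compile(r"^==== (.+?) ====$")
PEER = re.compile(r"^\s+.+\\(\S+) via RPC\s*$")   # "<site>\<dc> via RPC"

def parse_neighbors(text):
    """Return {section: {nc: set(peer names)}} for the two NEIGHBORS sections."""
    result = {"INBOUND NEIGHBORS": {}, "OUTBOUND NEIGHBORS": {}}
    section = nc = None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            section, nc = m.group(1), None
            continue
        if section not in result or not line.strip():
            continue
        if not line[0].isspace():        # unindented line is the NC's DN
            nc = line.strip()
            result[section].setdefault(nc, set())
        elif nc and (p := PEER.match(line)):
            result[section][nc].add(p.group(1))
    return result

def missing_outbound(text):
    """Sorted (nc, peer) pairs seen inbound with no outbound counterpart."""
    n = parse_neighbors(text)
    out = n["OUTBOUND NEIGHBORS"]
    return sorted((nc, peer) for nc, peers in n["INBOUND NEIGHBORS"].items()
                  for peer in peers if peer not in out.get(nc, set()))

def replicate_commands(text, source_dc):
    # source_dc is the DC missing outbound peers (hypothetical name in the test).
    return [f"samba-tool drs replicate {peer} {source_dc} {nc}"
            for nc, peer in missing_outbound(text)]
```

Run it over the showrepl output captured on the DC whose outbound list is empty; an empty result means every inbound NC/peer pair already has an outbound neighbor.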

