[Samba] AD DC out of sync

Andrey Repin anrdaemon at yandex.ru
Thu Apr 23 15:05:45 MDT 2015 

Greetings, Dr. Lars Hanke!

> It did happen again and this time I was a little less panicked and took 
> some time to figure out what happened.

> On my primary DC (SAMBA) I did not notice anything extraordinary. 
> However, my secondary (VERDANDI) reported issues:

> root at verdandi:~# samba-tool drs showrepl
> Default-First-Site-Name\VERDANDI
> DSA Options: 0x00000001
> DSA object GUID: a03bbb51-1dca-44ae-a4d9-7aa8cb4a1ace
> DSA invocationId: 8bdb4f85-1da2-4f5a-b9a9-e8369d202745

> ==== INBOUND NEIGHBORS ====

> CN=Schema,CN=Configuration,DC=ad,DC=microsult,DC=de
>          Default-First-Site-Name\SAMBA via RPC
>                  DSA object GUID: b19509be-c3ee-4a58-9fc9-afd61759a23f
>                  Last attempt @ Wed Apr 22 00:12:36 2015 CEST failed, 
> result 5 (WERR_ACCESS_DENIED)
>                  1265 consecutive failure(s).
>                  Last success @ Fri Apr 17 14:47:18 2015 CEST

> [...]
> ==== OUTBOUND NEIGHBORS ====
> [... everything OK for no attempts were ever made, but ...]

> DC=ad,DC=microsult,DC=de
>          Default-First-Site-Name\SAMBA via RPC
>                  DSA object GUID: b19509be-c3ee-4a58-9fc9-afd61759a23f
>                  Last attempt @ Wed Apr 22 00:14:00 2015 CEST failed, 
> result 5 (WERR_ACCESS_DENIED)
>                  31 consecutive failure(s).
>                  Last success @ NTTIME(0)

> And consequently the password update that happened the previous day was 
> out of sync:

> samba-tool ldapcmp ldap://samba ldap://verdandi -Uadministrator
> Password for [AD\administrator]:

> * Comparing [DOMAIN] context...

> * Objects to be compared: 289

> Comparing:
> 'CN=Builtin,DC=ad,DC=microsult,DC=de' [ldap://samba]
> 'CN=Builtin,DC=ad,DC=microsult,DC=de' [ldap://verdandi]
>      Attributes found only in ldap://samba:
>          serverState
>      FAILED

> Comparing:
> 'CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de' [ldap://samba]
> 'CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de' [ldap://verdandi]
>      Difference in attribute values:
>          pwdLastSet =>
> ['130740170160000000']
> ['130703672860000000']

Looks very much like an hour off.
I suggest checking tzdata configuration.

>      FAILED

> [...]

> Having restarted the secondary DC some 34h ago, it synchronized 
> immediately and still does, i.e. drs showrepl has its last success 5 
> minutes ago, no failures.

> It looks a little like an expired ticket, which fails to renew after 
> several weeks. But this is pure speculation.

> Any ideas for troubleshooting?


-- 
With best regards,
Andrey Repin
Friday, April 24, 2015 00:04:34

Sorry for my terrible english...

More information about the samba mailing list