[Samba] 4th DC Unable to Replicate - WERR_DS_DRA_ACCESS_DENIED

David Minard david at scem.uws.edu.au
Tue Oct 6 00:48:47 UTC 2015


G'day Marc,

     Thanks for the interesting reply - seems to have opened up a can of 
worms :-)

     I will look into it after I chase one more thing down.  I had a 
thought over the weekend, now my brain hurts.  The new testing DC was 
joined (and a production DC as well), at a new site.  They are both 
exhibiting the same lack of post join replication.  My thought was that 
there just might be a block on RPC ports on the network there, and as 
RPC seems to be the way the replication works, this would do it.  The 
last time we had this type of problem was over 20 years ago when the 
University IT guys decided that RPC traffic should be blocked by 
default.  We had to ask for this to be changed between all of the 
School's subnets - we couldn't map shares across sites!

      So, before I try anything "dangerous", I'll see if my hunch is 
correct.  Once the Uni IT guys allow RPC traffic to/from the new site to 
all the School's networks, we'll see how things go.

     I'll let the list know how things go.


On 05/10/15 19:29, Marc Muehlfeld wrote:
> Hello David,
>
> On 01.10.2015 at 02:24, David Minard wrote:
>>      I don't know if running the domain join again is a good idea, or if
>> that will break more stuff....
> If the DC has the same name, it should be no problem. samba-tool checks
> for existing entries and removes them before re-adding. Looks like this
> then: https://cpaste.org/p2t5huhmm (Line 8-14).
>
> Two things are worth mentioning about this procedure: After the join, the DC
> has a new GUID. This means that you have to remove the old
> GUID._msdcs.samdom.example.com DNS record and add the right one (the
> latter you have to do anyway when joining a DC at the moment. See
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller)
>
> https://wiki.samba.org/index.php/DNS_administration#Delete_a_record_2
> shows you how to delete a record.
>
>
> Of course, you should create a working backup before and do good testing
> afterwards! ;-)
>
>
> Regards,
> Marc
>

-- 

Cheers,
David Minard.
Ph:    0247 360 155
Fax:    0247 360 770

School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]
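
The GUID CNAME clean-up Marc describes for a re-joined DC, as an added example that is not part of the original thread: it compares the GUID-named CNAMEs in the `_msdcs` zone with each DC's current objectGUID and reports which records to delete or add. The function name, the GUIDs and the record list are constructed for illustration; collecting the real values from the directory and the DNS zone is assumed to have been done already.

```python
import uuid

def _norm(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower()

def reconcile_guid_cnames(dc_guids, cname_records, domain):
    """Return (stale, missing, mismatched) GUID CNAMEs for _msdcs.<domain>.

    dc_guids:      {dc_fqdn: current objectGUID}, already read from the directory
    cname_records: [(owner, target)] CNAMEs already listed from the DNS zone
    """
    suffix = "._msdcs." + _norm(domain)
    # uuid.UUID() validates each GUID and yields the canonical lowercase form.
    expected = {str(uuid.UUID(g)) + suffix: _norm(h) for h, g in dc_guids.items()}
    stale, mismatched, present = [], [], set()
    for owner, target in cname_records:
        owner, target = _norm(owner), _norm(target)
        if not owner.endswith(suffix):
            continue
        try:
            key = str(uuid.UUID(owner[: -len(suffix)])) + suffix
        except ValueError:
            continue  # not a GUID-named record; outside this check
        if key not in expected:
            stale.append(key)  # GUID no longer belongs to any DC: old record
        else:
            present.add(key)
            if expected[key] != target:
                mismatched.append((key, target, expected[key]))
    missing = sorted((o, t) for o, t in expected.items() if o not in present)
    return sorted(stale), missing, mismatched

# Constructed sample data: DC4 was re-joined and has a new objectGUID,
# but the zone still holds the CNAME for its old one.
DOMAIN = "samdom.example.com"
DC_GUIDS = {
    "DC1.samdom.example.com": "a1b2c3d4-0000-4000-8000-000000000001",
    "DC4.samdom.example.com": "a1b2c3d4-0000-4000-8000-0000000000ff",
}
ZONE_CNAMES = [
    ("a1b2c3d4-0000-4000-8000-000000000001._msdcs.samdom.example.com.", "dc1.samdom.example.com."),
    ("A1B2C3D4-0000-4000-8000-000000000004._msdcs.samdom.example.com", "dc4.samdom.example.com"),
    ("notaguid._msdcs.samdom.example.com", "dc1.samdom.example.com"),
]

if __name__ == "__main__":
    print(reconcile_guid_cnames(DC_GUIDS, ZONE_CNAMES, DOMAIN))
```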

