[Samba] AD error 8418: The replication operation failed because of a schema mismatch between the servers involved (WERR_DS_DRA_SCHEMA_MISMATCH) #11388

Noël Köthe noel.koethe at credativ.de
Mon Dec 10 12:42:56 UTC 2018


Hello Andrew,

Am Donnerstag, den 18.10.2018, 20:42 +1300 schrieb Andrew Bartlett:

> > we are running a 2008 R2 AD (schema 47) with two DCs:
> > * dc-win (Windows 2008 R2)
> > * dc-samba (samba 4.5.12, Debian stable)
> > 
> > Since some weeks replication works only from dc-win to dc-samba but not
> > in the other direction.:(
> 
> I've seen this before.

I found it in bugzilla: :-)
https://bugzilla.samba.org/show_bug.cgi?id=11388

> > Any hint how to solve this?
> > 
> > Thanks alot for your work.
> 
> Start with a current Samba.  Schema replication, while not perfect, is
> improved. 

I updated the system dc-samba yesterday to samba 4.9.2 (I'm aware of
4.9.3 for security but Debian package will come later) but the
replication error is still the same:

# samba-tool -V
4.9.2-Debian

# samba-tool drs showrepl
Default-First-Site-Name\DC-SAMBA
DSA Options: 0x00000001
DSA object GUID: 3715fa00-bdca-4782-a953-6d4b1fb08275
DSA invocationId: a2907a5d-6e53-42ce-a6e4-402b4e161313

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=credativ,DC=de
        Default-First-Site-Name\DC-WIN via RPC
                DSA object GUID: 65b05486-16e3-4b5b-9483-f568e6cdeef5
                Last attempt @ Mon Dec 10 13:31:07 2018 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Dec 10 13:31:07 2018 CET

DC=credativ,DC=de
        Default-First-Site-Name\DC-WIN via RPC
                DSA object GUID: 65b05486-16e3-4b5b-9483-f568e6cdeef5
                Last attempt @ Mon Dec 10 13:33:11 2018 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Dec 10 13:33:11 2018 CET

CN=Schema,CN=Configuration,DC=credativ,DC=de
        Default-First-Site-Name\DC-WIN via RPC
                DSA object GUID: 65b05486-16e3-4b5b-9483-f568e6cdeef5
                Last attempt @ Mon Dec 10 13:31:07 2018 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Dec 10 13:31:07 2018 CET

DC=DomainDnsZones,DC=credativ,DC=de
        Default-First-Site-Name\DC-WIN via RPC
                DSA object GUID: 65b05486-16e3-4b5b-9483-f568e6cdeef5
                Last attempt @ Mon Dec 10 13:31:07 2018 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Dec 10 13:31:07 2018 CET

DC=ForestDnsZones,DC=credativ,DC=de
        Default-First-Site-Name\DC-WIN via RPC
                DSA object GUID: 65b05486-16e3-4b5b-9483-f568e6cdeef5
                Last attempt @ Mon Dec 10 13:31:07 2018 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Dec 10 13:31:07 2018 CET

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=credativ,DC=de
        Default-First-Site-Name\DC-WIN via RPC
                DSA object GUID: 65b05486-16e3-4b5b-9483-f568e6cdeef5
                Last attempt @ Mon Dec 10 12:24:01 2018 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Dec 10 12:24:01 2018 CET

DC=credativ,DC=de
        Default-First-Site-Name\DC-WIN via RPC
                DSA object GUID: 65b05486-16e3-4b5b-9483-f568e6cdeef5
                Last attempt @ Mon Dec 10 12:53:44 2018 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Dec 10 12:53:44 2018 CET

CN=Schema,CN=Configuration,DC=credativ,DC=de
        Default-First-Site-Name\DC-WIN via RPC
                DSA object GUID: 65b05486-16e3-4b5b-9483-f568e6cdeef5
                Last attempt @ Sun Dec  2 14:00:33 2018 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Dec  2 14:00:33 2018 CET

DC=DomainDnsZones,DC=credativ,DC=de
        Default-First-Site-Name\DC-WIN via RPC
                DSA object GUID: 65b05486-16e3-4b5b-9483-f568e6cdeef5
                Last attempt @ Mon Dec 10 13:28:32 2018 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Dec 10 13:28:32 2018 CET

DC=ForestDnsZones,DC=credativ,DC=de
        Default-First-Site-Name\DC-WIN via RPC
                DSA object GUID: 65b05486-16e3-4b5b-9483-f568e6cdeef5
                Last attempt @ Sun Dec  2 14:00:33 2018 CET was successful
                0 consecutive failure(s).
                Last success @ Sun Dec  2 14:00:33 2018 CET

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: f34fb31f-32e9-42a4-af24-d305268446a5
        Enabled        : TRUE
        Server DNS name : dc-win.credativ.de
        Server DN name  : CN=NTDS Settings,CN=DC-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=credativ,DC=de
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

# samba-tool drs replicate dc-samba dc-win dc=credativ,dc=de
Replicate from dc-win to dc-samba was successful.

# samba-tool drs replicate dc-win dc-samba dc=credativ,dc=de
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8418, 'WERR_DS_DRA_SCHEMA_MISMATCH')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 568, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 88, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

I will add the information to the #11388 and next step is to add an
additional windows DC to find if this can replicate.

Regards

	Noël
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba/attachments/20181210/b5f7ddef/signature.sig>


More information about the samba mailing list