[Samba] Replication not working for remote Domain Controller

Rowland penny rpenny at samba.org
Wed Dec 18 09:35:42 UTC 2019 

On 18/12/2019 09:16, shacky wrote:
> Il giorno mar 17 dic 2019 alle ore 17:49 Rowland penny via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>> ha scritto:
>
>     In the last year this has come up a few times, try reading this
>     https://support.microsoft.com/en-gb/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application
>     It looks like we need a tool to correct AD :-(
>
>
> Thanks! I will read that article.
>
> Do you think that this could be the same reason why sometimes I'm 
> having clients that are losing their trust connection with the domain 
> controller (so users cannot login anymore) and I need to rejoin it to 
> the domain?
>
> Also, showrepl on DC4 is returning the following error:
>
> ================================== 
> 8< ==========================================
> ==== KCC CONNECTION OBJECTS ====
>
> Connection --
> Connection name: 15ff6132-37b4-458a-ac13-a2fe2fedb7bc
> Enabled        : TRUE
> Server DNS name : dc2.my.domain.com <http://dc2.my.domain.com>
> Server DN name  : CN=NTDS 
> Settings,CN=DC2,CN=Servers,CN=mydomain,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
> TransportType: RPC
> options: 0x00000001
> Warning: No NC replicated for Connection!
> Connection --
> Connection name: 365283e3-885d-4610-8929-91e3372530da
> Enabled        : TRUE
> Server DNS name : dc1.my.domain.com <http://dc1.my.domain.com>
> Server DN name  : CN=NTDS 
> Settings,CN=DC1,CN=Servers,CN=mydomain,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
> TransportType: RPC
> options: 0x00000001
> Warning: No NC replicated for Connection!
> Connection --
> ERROR(<type 'exceptions.IndexError'>): uncaught exception - list index 
> out of range
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 
> 180, in run
>     c_server_dns = c_server_res[0]["dnsHostName"][0]
> ================================== 
> 8< ==========================================
>
> Do you think I will be able to repair the Active Directory with the 
> document from the provided link or do you think it would be better to 
> provision a new Active Directory from scratch with a different domain?
>
> Thank you very much for your help!
> Bye

I have been doing a bit of investigation and I 'think' we do have a tool ;-)

If you examine 'samba_upgradedns', at the top it says this:

# Upgrade DNS provision from BIND9_FLATFILE to BIND9_DLZ or SAMBA_INTERNAL

I think if you use it to upgrade to either BIND_DLZ or SAMBA_INTERNAL, 
it should create the required AD objects.

Is there any way that you could clone a DC and sandbox it (you will 
probably have to forcibly demote the other DCs) and then run 
samba_upgradedns against it ?

Hopefully, this would create the required AD objects, but do not try 
this on a production DC!

Rowland

More information about the samba mailing list