[Samba] Replication and KCC problems on upgrade

Mike Ray mray at xes-inc.com
Fri Mar 1 00:04:50 UTC 2019 

Hello all-

I am trying to upgrade a old domain to a newer version. The old DCs are a custom compiled version of Samba, so instead of upgrading the DCs in place, the plan is to upgrade by joining new DCs to the domain, replicating data and then shutting down the old ones after transferring the FSMO roles.

I had the new DC (dc3, version 4.9.4-12) replicating to the other DCs (dc0, versions 4.0.6-12 and dc1 and dc2, version 4.0.6-8) with no known issues. Specifically, "samba-tool dbcheck --cross-ncs" reported no issues on any DCs, "samba-tool drs showrepl" reported no issues on any DCs and "samba-tool ldapcmp" returned without errors on dc0 compared to all other DCs.

Clients and all functions seemed to be behaving appropriately.

At that point, I demoted dc1 and dc2. The demote command did not return errors.

However, now dc0 and dc3 are having issues. Specifically, "samba-tool ldapcmp" run on dc0 compared to dc3 returns:

Comparing:
'CN=6a8bca7c-3069-4ada-be59-100c970d59fd,CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com' [dc0]
'CN=6a8bca7c-3069-4ada-be59-100c970d59fd,CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com' [dc3]
    Attributes found only in dc3:
        fromServer
    FAILED

This error is NOT shown when comparing dc3 to dc0.

While poking around at this, I also found that "samba-tool drs kcc dc3" (run on dc0) returns no errors, but "samba-tool drs kcc dc0" (run on dc3) fails with:

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:::1[49152,seal,target_hostname=dc0,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=::1] NT_STATUS_UNSUCCESSFUL
ERROR(<call 'samba.drs_utils.drsException'>): DRS connection to dc0 failed - drsException: DRS connection to dc0 failed: (3221225473, '{Operation Failed} The requested operation was unsuccessful.')


Anyone have more information one why the errors are one-sided and what I can do about this?


Thanks,

Mike Ray

More information about the samba mailing list