[Samba] Replication and KCC problems on upgrade

Mike Ray mray at xes-inc.com
Fri Mar 1 15:20:52 UTC 2019


----- On Mar 1, 2019, at 3:35 AM, samba samba at lists.samba.org wrote:
> 
> I wonder if this has anything to do with the 'you cannot upgrade
> directly from 4.7.x to 4.9.x' bug ?


I was not aware of this bug. Do you think I should scrap this upgrade and try again jumping like so? 4.0.6-12 -> 4.7 -> 4.8 -> 4.9


> I know this might seem strange, but try running ldbedit on your new DC.


"ldbedit -H ldap://dc3 -UAdministrator" seemed to run without issue and let me modify an entry.


> 
> Rowland


After running the ldbedit command, I checked the state of the DCs.

"samba-tool dbcheck --cross-ncs" returned nothing on dc0; on dc3 it returned:

Checking 6916 objects
NOTE: old (due to rename or delete) DN string component for fromServer in object CN=6a8bca7c-3069-4ada-be59-100c970d59fd,CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=ee835988-3702-420f-a935-d12d8f977f47\0ADEL:adc1836d-adba-4785-8cd7-73065c3e6d53,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=ab5dcd50-9fd9-4db7-bc59-e4f9b55fcbd7\0ADEL:0f50abd8-b289-412e-9ae6-4299bbe06d66,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=9ea6a27c-ae95-4fac-a00f-33ea2c2a9dab\0ADEL:bff63288-ef7b-4b1a-8cad-74f4c88db301,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=5d421d22-2216-4475-beb2-8cc46a514cb9\0ADEL:323679f7-d893-451e-ab10-3d8e08e05843,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=2d38127c-7f95-42f7-aaf2-a42f86d54aab\0ADEL:27e13ab1-9930-4363-9d56-2704f275eed3,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=53c549bb-6964-4bbe-bd24-33f40c9ef5f3\0ADEL:1bc38396-2162-47d9-8780-29177548e208,CN=Deleted Objects,CN=Configuration,DC=x-es,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=x-es,DC=com
Not fixing old string component
Checked 6916 objects (0 errors)

Running "samba-tool dbcheck --cross-ncs --fix" removed these notes without issue and they did not show up on a subsequent run.

The "fromServer" object note is interesting as that was the attribute (and CN) listed as a difference in the ldapcmp.

However, running "samba-tool ldapcmp dc0 dc3 configuration --filter=msDS-NcType,serverState,subrefs" still errors on the fromServer attribute.

Running "samba-tool drs kcc dc0" on dc3 still breaks with the DRS connection failure.
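
The dbcheck notes quoted in this message can be grouped by attribute and by the DC whose NTDS Settings object the stale DN names, which separates the single fromServer note on a live object from the lastKnownParent notes on objects under CN=Deleted Objects. The following is an added example, not part of the original post and not Samba code; it assumes the NOTE line format is exactly as shown above, and the sample input uses constructed placeholder GUIDs and a placeholder domain.

```python
import re
from collections import Counter

# Shape of the NOTE lines shown in the post (assumed stable for this example).
NOTE_RE = re.compile(
    r"^NOTE: old \(due to rename or delete\) DN string component "
    r"for (?P<attr>\S+) in object (?P<obj>.+?) - (?P<old>CN=.+)$"
)

def rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn)

def referenced_server(old_dn):
    """Return the server name when the stale DN is an NTDS Settings object."""
    parts = rdns(old_dn)
    if len(parts) > 1 and parts[0].lower() == "cn=ntds settings":
        return parts[1].split("=", 1)[1]
    return None

def summarize(output):
    """Count notes per (attribute, referenced server, object is deleted)."""
    counts = Counter()
    for line in output.splitlines():
        m = NOTE_RE.match(line.strip())
        if not m:
            continue  # progress lines and "Not fixing ..." lines are skipped
        deleted = any(p.lower() == "cn=deleted objects" for p in rdns(m["obj"]))
        counts[(m["attr"], referenced_server(m["old"]), deleted)] += 1
    return counts

def live_notes(output):
    """Keep only notes on objects outside CN=Deleted Objects."""
    return {k: v for k, v in summarize(output).items() if not k[2]}

# Constructed sample (placeholder GUIDs, DC=example,DC=com), same shape as above.
SAMPLE = r"""Checking 4 objects
NOTE: old (due to rename or delete) DN string component for fromServer in object CN=00000000-0000-0000-0000-000000000001,CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=00000000-0000-0000-0000-000000000002\0ADEL:00000000-0000-0000-0000-0000000000a2,CN=Deleted Objects,CN=Configuration,DC=example,DC=com - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=00000000-0000-0000-0000-000000000003\0ADEL:00000000-0000-0000-0000-0000000000a3,CN=Deleted Objects,CN=Configuration,DC=example,DC=com - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=00000000-0000-0000-0000-000000000004\0ADEL:00000000-0000-0000-0000-0000000000a4,CN=Deleted Objects,CN=Configuration,DC=example,DC=com - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Checked 4 objects (0 errors)
"""

if __name__ == "__main__":
    for (attr, server, deleted), n in sorted(summarize(SAMPLE).items(), key=str):
        print(f"{n:3d}  {attr:16s} -> {server}  deleted_object={deleted}")
```

Saved dbcheck output from each DC can be passed to `summarize()` in place of `SAMPLE` to compare which stale references remain before and after a `--fix` run.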


