[Samba] Replication only working one way

Peter Pollock peter.pollock at kingschristian.org
Wed Jul 15 06:47:00 UTC 2020


OK, I demoted the Windows server (which has now been unplugged and thrown
out of the window), leaving the two Linux servers.

I finally managed to demote Genesis but then the rejoin failed and it was
stuck.

So I restored from a backup.

Problem is, Genesis came back believing it was still part of the AD but
Luke doesn't recognize it.

Any ideas what steps I can take? Please.

sudo samba-tool drs replicate genesis luke dc=kcs,dc=local --full-sync -Udomainadmin
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:genesis[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name genesis<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name genesis<0x20>
Password for [KCS\domainadmin]:
Server ldap/GENESIS at KCS.LOCAL is not registered with our KDC:
 Miscellaneous failure (see text): Server (ldap/GENESIS at KCS.LOCAL) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/GENESIS failed
(next[ntlmssp]): NT_STATUS_INVALID_PARAMETER

On Tue, Jul 14, 2020 at 11:28 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 14/07/2020 19:07, Peter Pollock wrote:
> > Checking the databases against each other throws up pages and pages of
> > errors. The two are completely out of sync now.
> >
> > What I have seen is that for no apparent reason, one of the servers
> > suddenly decided it would sync with the Windows server, which appears
> > to have updated the schema. Yesterday when I compared the databases on
> > the two Linux servers they only had a couple of errors, today, many
> > errors and now the schema says it is a different size:
> >
> > * Result for [CONFIGURATION]: FAILURE
> >
> > SUMMARY
> > ---------
> >
> > Attributes found only in ldap://genesis:
> >
> >     dSASignature
> >     serverReference
> >
> > Attributes with different values:
> >
> >     msDS-NC-Replica-Locations
> >     extraColumns
> >     mS-DS-ReplicatesNCReason
> >     adminPropertyPages
> >     appliesTo
> >     attributeDisplayNames
> >     masteredBy
> >     interSiteTopologyGenerator
> >     adminContextMenu
> >     msDs-masteredBy
> >     classDisplayName
> >     revision
> >
> > * Comparing [SCHEMA] context...
> >
> > * DN lists have different size: 1789 != 1569
> > CN=Dns-Zone-Scope,CN=Schema,CN=Configuration,DC=kcs,DC=local
> >
> > Genesis is, I believe, correct. Is there a way to force Luke to update
> > itself from Genesis completely?
>
> You said 'Mathew' was a Windows 2008R2 DC, but 'CN=Dns-Zone-Scope' only
> appeared with Windows 2016, which Samba does not yet support. You have,
> undoubtedly and unwittingly, borked your Samba DCs.
>
> If you wish to continue using Samba DCs, you will need to remove the
> Windows 2016 DC from the domain and then use 'Luke' as the main DC,
> hopefully this is still functioning correctly. Seize the FSMO roles to
> Luke, demote the other two DCs and clean them up, then join them to the
> domain again. If everything works okay, then you have been lucky, if it
> doesn't, then do you have backups from before the Windows 2016 DC was
> added?
>
> Rowland


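Added example, not part of either message and not Samba project code: a small Python parser for the database comparison output quoted above (the format `samba-tool ldapcmp` prints), extracting per-context results, one-sided and differing attributes, and the schema DN counts behind the Windows 2016 diagnosis. The sample input is constructed from the quoted lines, and the function names are hypothetical.

```python
import re
# Constructed sample: lines taken from the comparison output quoted above.
SAMPLE = """\
* Result for [CONFIGURATION]: FAILURE

SUMMARY
---------

Attributes found only in ldap://genesis:

    dSASignature

Attributes with different values:

    revision

* Comparing [SCHEMA] context...

* DN lists have different size: 1789 != 1569
"""

def parse_ldapcmp(text):
    """Summarise divergence per naming context (hypothetical helper)."""
    report, ctx, bucket = {}, None, None
    def entry(name):
        return report.setdefault(name, {"result": None, "dn_sizes": None,
                                        "only_in": {}, "different": []})
    for line in text.splitlines():
        if m := re.match(r"\* Comparing \[(\w+)\] context", line):
            ctx, bucket = entry(m.group(1)), None
        elif m := re.match(r"\* Result for \[(\w+)\]: (\w+)", line):
            ctx, bucket = entry(m.group(1)), None
            ctx["result"] = m.group(2)
        elif ctx is None:
            continue  # ignore anything before the first context header
        elif m := re.match(r"\* DN lists have different size: (\d+) != (\d+)", line):
            ctx["dn_sizes"] = (int(m.group(1)), int(m.group(2)))
        elif m := re.match(r"Attributes found only in (\S+):", line):
            bucket = ctx["only_in"].setdefault(m.group(1), [])
        elif line.startswith("Attributes with different values:"):
            bucket = ctx["different"]
        elif line.startswith("    ") and bucket is not None:
            bucket.append(line.strip())  # indented attribute name
    return report

def schema_diverged(report):
    """True when the two DCs report different schema object counts."""
    sizes = report.get("SCHEMA", {}).get("dn_sizes")
    return sizes is not None and sizes[0] != sizes[1]
```

A schema count mismatch is worth checking before any forced replication, since the reply above attributes it to a schema extension from a Windows release Samba did not support.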