[Samba] Problems with sysrepl

L.P.H. van Belle belle at bazuin.nl
Fri Sep 11 08:15:10 UTC 2020


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> basti via samba
> Sent: Friday 11 September 2020 10:01
> To: samba at lists.samba.org
> Subject: [Samba] Problems with sysrepl
> 
> Hello,
> 
> after demote and rejoin of my dc2 I have problems with replication.
> First of all, some SRV records on dc1 are missing; on dc2 they 
> exist.

Ok, wait, recap. 
- you have/had 2 DCs 
- you removed DC2 and re-added it. 

Did you remove the "dead" DC2 completely (AD and DNS) and verify it?
Did you move FSMO roles to DC1? 

This : 
> Refusing DsReplicaUpdateRefs for sid S-1-5-21-1732978637-3172972945-805327809-1180 
> with GUID 6397e622-4305-4a6e-ba1b-8adbbbd5eace

I think you forgot to clear/clean the sites. 

Look at this, and verify the sites on DC1. 
https://www.rebeladmin.com/2015/02/how-to-setup-active-directory-sites-subnets-site-links/ 

If you are 100% sure all info is correct in DC2, you can force a push of the AD to the other server.
But I suggest you check the sites first. 

Last, after all is correct, don't forget to sync the idmap.tdb file between the DCs. 


Greetz, 

Louis


> 
> 
> 
> root at dc2:~# dig srv _ldap._tcp.ForestDnsZones.samdom.example.com
> @dc2.samdom.example.com.
> 
> ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> srv
> _ldap._tcp.ForestDnsZones.samdom.example.com @dc2.samdom.example.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24006
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, 
> ADDITIONAL: 3
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 02673acd16cc5898631a26895f5b2dc871b581bdeff30034 (good)
> ;; QUESTION SECTION:
> ;_ldap._tcp.ForestDnsZones.samdom.example.com. IN SRV
> 
> ;; ANSWER SECTION:
> _ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389
> dc1.samdom.example.com.
> _ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389
> dc2.samdom.example.com.
> 
> ;; AUTHORITY SECTION:
> samdom.example.com.	900	IN	NS	dc1.samdom.example.com.
> samdom.example.com.	900	IN	NS	dc2.samdom.example.com.
> 
> 
> root at dc2:~# dig srv _ldap._tcp.ForestDnsZones.samdom.example.com
> @dc1.samdom.example.com.
> 
> ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> srv
> _ldap._tcp.ForestDnsZones.samdom.example.com @dc1.samdom.example.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27953
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, 
> ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: ac11efdc0079349e6f510d165f5b2d77d220607c8b2be893 (good)
> ;; QUESTION SECTION:
> ;_ldap._tcp.ForestDnsZones.samdom.example.com. IN SRV
> 
> ;; ANSWER SECTION:
> _ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389
> dc1.samdom.example.com.
> 
> ;; AUTHORITY SECTION:
> samdom.example.com.	900	IN	NS	dc2.samdom.example.com.
> samdom.example.com.	900	IN	NS	dc1.samdom.example.com.
> 
> 
> In the journal I also get relocation errors.
> 
> task[dcesrv][520]: [2020/09/11 09:48:40.728120,  0]
> ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
> Sep 11 09:48:40 dc1 samba[520]: task[dcesrv][520]:
> ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing
> DsReplicaUpdateRefs for sid
> S-1-5-21-1732978637-3172972945-805327809-1180 with GUID
> 6397e622-4305-4a6e-ba1b-8adbbbd5eace
> 
> or
> 
> Sep 11 09:50:22 dc1 samba[528]: task[dreplsrv][528]: [2020/09/11
> 09:50:22.081293,  0]
> ../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
> Sep 11 09:50:22 dc1 samba[528]: task[dreplsrv][528]:   Failed 
> to bind to
> uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
> ncacn_ip_tcp:192.168.1.135[49152,seal,krb5,target_hostname=1d4c0c04-1fa8-4873-9987-212af8558bfb._msdcs.samdom.example.com,target_principal=GC/dc2.samdom.example.com/samdom.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.133]
> NT_STATUS_UNSUCCESSFUL
> 
> 
> Is there a way to fix it without reinstall the whole domain forest?
> 
> 
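The SRV comparison done by eye with two dig runs in the quoted message can be scripted. This is an added example, not part of either message; the function names `srv_targets`, `srv_missing` and `compare_dcs` are hypothetical, and the sample answers are constructed from the dig output quoted above.

```shell
#!/bin/sh
# Added example: find SRV targets that one DC returns and the other does not.
# Input is dig answer-section text, one record per line, as printed by
#   dig +noall +answer srv NAME @SERVER

# Print the sorted, unique SRV targets (8th field) of the answer records.
# Comment lines (";...") and non-SRV records are skipped; names are
# lower-cased because DNS names compare case-insensitively.
srv_targets() {
    awk '$3 == "IN" && $4 == "SRV" { print tolower($8) }' | sort -u
}

# Print targets present in the first answer set but missing from the second.
# $1, $2: answer text from the two servers.
srv_missing() {
    a=$(printf '%s\n' "$1" | srv_targets)
    b=$(printf '%s\n' "$2" | srv_targets)
    for t in $a; do
        printf '%s\n' "$b" | grep -qxF "$t" || printf '%s\n' "$t"
    done
}

# Live use (needs network access to both DCs; not called in this example).
# $1 = SRV name, $2 = first DC, $3 = second DC
compare_dcs() {
    srv_missing "$(dig +noall +answer srv "$1" "@$2")" \
                "$(dig +noall +answer srv "$1" "@$3")"
}

# Constructed sample input, modelled on the two dig answers in the post.
DC2_ANSWER='_ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 dc1.samdom.example.com.
_ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 dc2.samdom.example.com.'
DC1_ANSWER='_ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 dc1.samdom.example.com.'

echo "answered by dc2 but missing on dc1:"
srv_missing "$DC2_ANSWER" "$DC1_ANSWER"
echo "answered by dc1 but missing on dc2:"
srv_missing "$DC1_ANSWER" "$DC2_ANSWER"
```

Running `compare_dcs` in both directions for each SRV name shows which DC's DNS zone is the incomplete one before any forced replication is attempted.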



