[Samba] Replication problem

[Rowland penny]

On 11/03/2021 17:29, matthieu le roy via samba wrote:
> Hello,
> After many (too many) changes on my domain, I find myself in a situation
> that I can’t get out of.
> I have 2 domain controllers called ad03 and ad04 but replication doesn’t
> work and their ldap differs like this :
>
> samba-tool ldapcmp ldap://ad03 ldap://ad04 -v
> ldb_wrap open of secrets.ldb
> resolve_lmhosts: Attempting lmhosts lookup for name ad03<0x20>
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name ad04<0x20>
> * Comparing [DOMAIN] context...
> * Objects to be compared: 554
>      Difference in attribute values:
>          servicePrincipalName =>
> [b'E3514235-4B06-11D1-AB04-00C04FC2DCD2/ceddd4ea-a2fc-4070-bd37-0505d51c6c7c/
> domain.info', b'GC/ad04.domain.info/domain.info', b'HOST/AD04', b'HOST/
> ad04.domain.info']
> [b'E3514235-4B06-11D1-AB04-00C04FC2DCD2/ceddd4ea-a2fc-4070-bd37-0505d51c6c7c/
> domain.info', b'GC/ad04.domain.info/domain.info', b'HOST/AD04', b'HOST/
> ad04.domain.info', b'HOST/ad04.domain.info/DOMAIN', b'HOST/
> ad04.domain.info/domain.info', b'RestrictedKrbHost/AD04',
> b'RestrictedKrbHost/ad04.domain.info', b'ldap/AD04', b'ldap/ad04.domain.info',
> b'ldap/ad04.domain.info/DomainDnsZones.domain.info', b'ldap/
> ad04.domain.info/ForestDnsZones.domain.info', b'ldap/ad04.domain.info/DOMAIN',
> b'ldap/ad04.domain.info/domain.info',
> b'ldap/ceddd4ea-a2fc-4070-bd37-0505d51c6c7c._msdcs.domain.info']
>      FAILED
> * Result for [DOMAIN]: FAILURE
> SUMMARY
> ---------
> Attributes with different values:
>      servicePrincipalName
> * Comparing [CONFIGURATION] context...
> * DN lists have different size: 1622 != 1623
>      CN=87B79F9E-8A4F-4DF7-8A30-67F11FAD6AFD,CN=NTDS
> SETTINGS,CN=AD04,CN=SERVERS,CN=DEFAULT-FIRST-SITE-NAME,CN=SITES,CN=CONFIGURATION,DC=DOMAIN,DC=INFO
> * Objects to be compared: 1622
> * Result for [CONFIGURATION]: FAILURE
> SUMMARY
> ---------
> * Comparing [SCHEMA] context...
> * Objects to be compared: 1550
> ERROR: Compare failed: -1
> * Result for [SCHEMA]: SUCCESS
> * Comparing [DNSDOMAIN] context...
> * Objects to be compared: 136
> * Result for [DNSDOMAIN]: SUCCESS
> * Comparing [DNSFOREST] context...
> * Objects to be compared: 36
> * Result for [DNSFOREST]: SUCCESS
> root at ad03:/#
>

Have you tried 'samba-tool dbcheck' and 'samba-tool drs replicate' ?

Rowland