[Samba] Replication issue after rejoining a DC

Cedric Puchalver cedric at season-of-mist.com
Wed Oct 8 13:53:43 UTC 2025 

Hello,

I have 2 Samba DCs running on two different sites. They are both running 
Samba compiled from source and I decided to use Samba from Debian 
Bookworm backports instead.

I demoted the DC that wasn't holding FSMO roles by following the wiki : 
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC#Demoting_an_Online_Domain_Controller

I installed Samba packages from Debian repos and followed the wiki to 
join the domain again.

Everything went fine but when I started the freshly-joined DC I have 
errors in the log :

[2025/10/08 07:30:08.906866,  1] 
source4/auth/gensec/gensec_gssapi.c:852(gensec_gssapi_update_internal)
   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): Decrypt integrity check failed for checksum type 
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2025/10/08 07:30:08.907110,  0] 
source4/librpc/rpc/dcerpc_util.c:697(dcerpc_pipe_auth_recv)
   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
ncacn_ip_tcp:192.168.20.5[49153,seal,krb5,target_hostname=e6af5447-965a-451b-8d60-3bef78100504._msdcs.season-of-mist.intranet,target_principal=GC/dc3.season-of-mist.intranet/season-of-mist.intranet,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.20.5] 
NT_STATUS_UNSUCCESSFUL

It seems that the replication between DCs is failing.

samba-tool drs showrepl returns this on the DC that holds FSMO roles :

Default-First-Site-Name\DC3
DSA Options: 0x00000001
DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
DSA invocationId: f427c422-6111-417b-9885-f96405e956f4

==== INBOUND NEIGHBORS ====

DC=season-of-mist,DC=intranet
         Chaos-Theory\DC2 via RPC
                 DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
                 Last attempt @ Wed Oct  8 15:48:04 2025 CEST failed, 
result 1225 (WERR_CONNECTION_REFUSED)
                 30 consecutive failure(s).
                 Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=season-of-mist,DC=intranet
         Chaos-Theory\DC2 via RPC
                 DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
                 Last attempt @ Wed Oct  8 15:48:04 2025 CEST failed, 
result 1225 (WERR_CONNECTION_REFUSED)
                 30 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=ForestDnsZones,DC=season-of-mist,DC=intranet
         Chaos-Theory\DC2 via RPC
                 DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
                 Last attempt @ Wed Oct  8 15:48:04 2025 CEST failed, 
result 1225 (WERR_CONNECTION_REFUSED)
                 30 consecutive failure(s).
                 Last success @ NTTIME(0)

CN=Configuration,DC=season-of-mist,DC=intranet
         Chaos-Theory\DC2 via RPC
                 DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
                 Last attempt @ Wed Oct  8 15:48:04 2025 CEST failed, 
result 1225 (WERR_CONNECTION_REFUSED)
                 30 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=DomainDnsZones,DC=season-of-mist,DC=intranet
         Chaos-Theory\DC2 via RPC
                 DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
                 Last attempt @ Wed Oct  8 15:48:04 2025 CEST failed, 
result 1225 (WERR_CONNECTION_REFUSED)
                 30 consecutive failure(s).
                 Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
         Connection name: 6a7fe61b-d6d6-44b8-bc3a-b1a0a464e3bb
         Enabled        : TRUE
         Server DNS name : dc2.season-of-mist.intranet
         Server DN name  : CN=NTDS 
Settings,CN=DC2,CN=Servers,CN=Chaos-Theory,CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet
                 TransportType: RPC
                 options: 0x00000001
Warning: No NC replicated for Connection!

Here is the output of the same command on the "new" DC :

Chaos-Theory\DC2
DSA Options: 0x00000001
DSA object GUID: 2f2aee44-0eca-4ad1-9b77-d11d8d31e3eb
DSA invocationId: a8f75274-c493-4b23-87d4-fcba4a7d9a2f

==== INBOUND NEIGHBORS ====

DC=season-of-mist,DC=intranet
         Default-First-Site-Name\DC3 via RPC
                 DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
                 Last attempt @ Wed Oct  8 07:30:08 2025 EDT failed, 
result 31 (WERR_GEN_FAILURE)
                 1 consecutive failure(s).
                 Last success @ Wed Oct  8 07:17:15 2025 EDT

CN=Schema,CN=Configuration,DC=season-of-mist,DC=intranet
         Default-First-Site-Name\DC3 via RPC
                 DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
                 Last attempt @ Wed Oct  8 07:30:08 2025 EDT failed, 
result 31 (WERR_GEN_FAILURE)
                 1 consecutive failure(s).
                 Last success @ Wed Oct  8 07:17:06 2025 EDT

DC=ForestDnsZones,DC=season-of-mist,DC=intranet
         Default-First-Site-Name\DC3 via RPC
                 DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
                 Last attempt @ Wed Oct  8 07:30:07 2025 EDT failed, 
result 31 (WERR_GEN_FAILURE)
                 1 consecutive failure(s).
                 Last success @ Wed Oct  8 07:17:22 2025 EDT

CN=Configuration,DC=season-of-mist,DC=intranet
         Default-First-Site-Name\DC3 via RPC
                 DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
                 Last attempt @ Wed Oct  8 07:30:08 2025 EDT failed, 
result 31 (WERR_GEN_FAILURE)
                 1 consecutive failure(s).
                 Last success @ Wed Oct  8 07:17:10 2025 EDT

DC=DomainDnsZones,DC=season-of-mist,DC=intranet
         Default-First-Site-Name\DC3 via RPC
                 DSA object GUID: e6af5447-965a-451b-8d60-3bef78100504
                 Last attempt @ Wed Oct  8 07:30:08 2025 EDT failed, 
result 31 (WERR_GEN_FAILURE)
                 1 consecutive failure(s).
                 Last success @ Wed Oct  8 07:17:21 2025 EDT

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
         Connection name: 1b0cce3d-b8d7-4729-a6bd-81d1562e3058
         Enabled        : TRUE
         Server DNS name : dc3.season-of-mist.intranet
         Server DN name  : CN=NTDS 
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=season-of-mist,DC=intranet
                 TransportType: RPC
                 options: 0x00000001
Warning: No NC replicated for Connection!

Here is the smb.conf on the "rejoined" DC

# Global parameters
[global]
         netbios name = DC2
         realm = SEASON-OF-MIST.INTRANET
         server role = active directory domain controller
         workgroup = SEASON-OF-MIST
         idmap_ldb:use rfc2307  = yes
         # Kerberos settings
         kerberos method = secrets and keytab
         winbind refresh tickets = yes
         # DNS settings
         dns forwarder = 192.168.20.1
         # Logging settings
         log file = /var/log/samba/samba.log
         # TLS settings
         tls enabled = yes
         tls keyfile = /var/lib/samba/private/tls/myKey.pem
         tls certfile = /var/lib/samba/private/tls/myCert.pem
         tls cafile = /var/lib/samba/private/tls/myCA.pem
         # Disable CUPS
         load printers = no
         printing = cups
         printcap name = /dev/null
         disable spoolss = yes

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

[netlogon]
         path = /var/lib/samba/sysvol/season-of-mist.intranet/scripts
         read only = No

How can I fix it ?

More information about the samba mailing list