Secondary DC running over a VPN - Replication problems?:

Charles Tryon charles.tryon at gmail.com
Fri Jun 8 14:34:08 MDT 2012


I've mentioned before about a test I am trying to perform, bridging two
networks with a Samba4 DC joined over a VPN to a Windows DC.  The first
problem I ran into was the inability to set up DNS due to the fact that the
Windows DC was running at a functional level of Windows 2000, which is not
supported in Samba4.

Due to complications with trying to update that particular production DC to
run at a higher functional level, I set up an independent W2K8 domain
controller, this time running at a W2003 functional level.  I created a new
test domain name of "usa.om.test".  I followed the "Join a Domain as a DC"
Wiki, and was able to set up the S4 Domain Controller.  I still had to use
the samba_dnsupdate tool to build my local bind9.9 based DNS server.  I
haven't had a chance to look deeply into the DNS to see what is there, but
with a couple of quick "dig" tests, it looks OK.  My /etc/resolv.conf
points to the local DNS, though the "authority" section in the "dig"
response lists the DNS server on the W2K8 server.

I tested the replication between the domains.  If I go to the Windows DC
and add a user there, the new user very quickly shows up with a samba-tool
user list on the S4 system.

HOWEVER, if I use the command line to add a new user on the S4 system, the
new user never shows up on the W2K8 DC.

What am I missing?  I'm no pro at managing Windows AD, so it's entirely
possible I've overlooked some permission on the Windows side.

______________________________
<s4testr>? sudo /usr/local/samba/bin/samba-tool drs kcc -Uadministrator w2k8dc.usa.om.test
Password for [USA\administrator]:
ERROR(runtime): DsExecuteKCC failed - (-1073741643, 'NT_STATUS_IO_TIMEOUT')

______________________________
<s4test:var>? sudo /usr/local/samba/bin/samba-tool drs showrepl
Default-First-Site-Name\S4TEST
DSA Options: 0x00000001
DSA object GUID: f347bf87-159d-4faa-8933-d06bc6cdb9b2
DSA invocationId: 09fe5312-12d4-4db1-9332-cab5b75870d1

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=usa,DC=om,DC=test
Default-First-Site-Name\W2K8DC via RPC
DSA object GUID: 944ce1cc-3182-42b3-b5f7-80fe45001618
Last attempt @ Fri Jun  8 15:49:34 2012 EDT was successful
0 consecutive failure(s).
Last success @ Fri Jun  8 15:49:34 2012 EDT

DC=DomainDnsZones,DC=usa,DC=om,DC=test
Default-First-Site-Name\W2K8DC via RPC
DSA object GUID: 944ce1cc-3182-42b3-b5f7-80fe45001618
Last attempt @ Fri Jun  8 15:49:35 2012 EDT was successful
0 consecutive failure(s).
Last success @ Fri Jun  8 15:49:35 2012 EDT

DC=usa,DC=om,DC=test
Default-First-Site-Name\W2K8DC via RPC
DSA object GUID: 944ce1cc-3182-42b3-b5f7-80fe45001618
Last attempt @ Fri Jun  8 15:49:35 2012 EDT was successful
0 consecutive failure(s).
Last success @ Fri Jun  8 15:49:35 2012 EDT

CN=Schema,CN=Configuration,DC=usa,DC=om,DC=test
Default-First-Site-Name\W2K8DC via RPC
DSA object GUID: 944ce1cc-3182-42b3-b5f7-80fe45001618
Last attempt @ Fri Jun  8 15:49:36 2012 EDT was successful
0 consecutive failure(s).
Last success @ Fri Jun  8 15:49:36 2012 EDT

CN=Configuration,DC=usa,DC=om,DC=test
Default-First-Site-Name\W2K8DC via RPC
DSA object GUID: 944ce1cc-3182-42b3-b5f7-80fe45001618
Last attempt @ Fri Jun  8 15:49:36 2012 EDT was successful
0 consecutive failure(s).
Last success @ Fri Jun  8 15:49:36 2012 EDT

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 69b0a82a-51d4-4f8d-80a4-dfad18ea9ad3
Enabled        : TRUE
Server DNS name : S4TEST.usa.om.test
Server DN name  : CN=NTDS Settings,CN=W2K8DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=usa,DC=om,DC=test
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!

______________________________
-------- from .../var/log.samba:
[2012/06/08 14:37:48,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
[2012/06/08 14:37:48,  0] ../source4/dsdb/dns/dns_update.c:323(dnsupdate_spnupdate_done)
  ../source4/dsdb/dns/dns_update.c:323: Failed SPN update - NT_STATUS_IO_TIMEOUT

______________________________
<s4test:var>? dig w2k8dc.usa.om.test
...
;; ANSWER SECTION:
w2k8dc.usa.om.test. 3600 IN A 10.4.0.164
...

______________________________
Doing "dig" on the S4 server gives both its LOCAL IP address (192.168.2.0/24),
and the one assigned by the VPN (10.4.0.0/22):

<s4test:var>? dig s4test.usa.om.test
; <<>> DiG 9.9.1-RedHat-9.9.1-1.fc17 <<>> s4test.usa.om.test
...
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;s4test.usa.om.test. IN A

;; ANSWER SECTION:
s4test.usa.om.test. 900 IN A 10.4.2.55
s4test.usa.om.test. 900 IN A 192.168.2.191

;; AUTHORITY SECTION:
usa.om.test. 3600 IN NS w2k8dc.usa.om.test.

;; ADDITIONAL SECTION:
w2k8dc.usa.om.test. 3600 IN A 10.4.0.164


<s4test:var>? route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
10.4.0.0        *               255.255.252.0   U     0      0        0 tap0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0


-- 
    Charles Tryon
_________________________________________________________________________
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
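The output quoted in the post shows two things worth checking mechanically when a DC is bridged over a VPN: the "OUTBOUND NEIGHBORS" section of `samba-tool drs showrepl` is empty (nothing is pulling changes from the Samba DC), and the Samba DC advertises two A records, only one of which lies in the VPN subnet. The following Python script is an added example, not code from the post or from the Samba project. It parses the text format `showrepl` prints, reports partitions with consecutive failures, an empty outbound list and any KCC warning, and then flags advertised addresses that fall outside the subnets the peer site can reach. The `SHOWREPL_SAMPLE` text and the address lists are constructed from the post's output; the subnet list is an assumption about the VPN topology, not something the script discovers.

```python
"""Replication-health triage for a Samba AD DC bridged over a VPN.

Added example (not from the mailing-list post or the Samba project).
Input is a constructed sample of `samba-tool drs showrepl` output built
from the post; the VPN subnet is an assumed value.
"""
import ipaddress
import re

# Constructed from the showrepl output quoted in the post (abridged).
SHOWREPL_SAMPLE = """\
Default-First-Site-Name\\S4TEST
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=usa,DC=om,DC=test
Default-First-Site-Name\\W2K8DC via RPC
DSA object GUID: 944ce1cc-3182-42b3-b5f7-80fe45001618
Last attempt @ Fri Jun  8 15:49:34 2012 EDT was successful
0 consecutive failure(s).
Last success @ Fri Jun  8 15:49:34 2012 EDT

DC=usa,DC=om,DC=test
Default-First-Site-Name\\W2K8DC via RPC
DSA object GUID: 944ce1cc-3182-42b3-b5f7-80fe45001618
Last attempt @ Fri Jun  8 15:49:35 2012 EDT was successful
0 consecutive failure(s).
Last success @ Fri Jun  8 15:49:35 2012 EDT

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 69b0a82a-51d4-4f8d-80a4-dfad18ea9ad3
Enabled        : TRUE
Server DNS name : S4TEST.usa.om.test
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
"""

SECTION_RE = re.compile(r"^==== (.+?) ====$")
FAIL_RE = re.compile(r"^(\d+) consecutive failure\(s\)\.$")


def _parse_neighbours(lines):
    """Turn the blank-line separated blocks of a neighbour section into dicts."""
    neighbours, block = [], []
    for line in lines + [""]:          # trailing "" flushes the last block
        if line.strip():
            block.append(line)
            continue
        if block:
            entry = {"partition": block[0],
                     "source": block[1].split(" via ")[0],
                     "failures": 0}
            for item in block:
                m = FAIL_RE.match(item)
                if m:
                    entry["failures"] = int(m.group(1))
            neighbours.append(entry)
            block = []
    return neighbours


def parse_showrepl(text):
    """Split showrepl output into its ==== sections and structure the neighbours."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {
        "inbound": _parse_neighbours(sections.get("INBOUND NEIGHBORS", [])),
        "outbound": _parse_neighbours(sections.get("OUTBOUND NEIGHBORS", [])),
        # KCC warnings such as "No NC replicated for Connection!"
        "warnings": [l for l in sections.get("KCC CONNECTION OBJECTS", [])
                     if l.startswith("Warning:")],
    }


def replication_findings(report):
    """Human-readable list of conditions an admin should look at."""
    findings = []
    for n in report["inbound"] + report["outbound"]:
        if n["failures"]:
            findings.append(f"{n['partition']} from {n['source']}: "
                            f"{n['failures']} consecutive failure(s)")
    if not report["outbound"]:
        findings.append("no outbound neighbours: no peer pulls from this DC, "
                        "so local changes cannot replicate out")
    findings.extend(report["warnings"])
    return findings


def unroutable_records(a_records, reachable_from_peer):
    """Advertised addresses the peer site cannot route to (assumed subnet list)."""
    nets = [ipaddress.ip_network(n) for n in reachable_from_peer]
    return [ip for ip in a_records
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    for finding in replication_findings(parse_showrepl(SHOWREPL_SAMPLE)):
        print("replication:", finding)
    # A records from the post's dig output; VPN subnet is an assumed value.
    for ip in unroutable_records(["10.4.2.55", "192.168.2.191"], ["10.4.0.0/22"]):
        print("dns: peer cannot reach advertised address", ip)
```

Run against live output with `samba-tool drs showrepl | python3 triage.py` after swapping `SHOWREPL_SAMPLE` for `sys.stdin.read()`; the DNS check is deliberately offline, taking the A records from a `dig` you already ran, so it can be used from either side of the tunnel.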

