
[Samba] replicating sysvol to a 2008r2 server


Neil Price

Sep 16, 2015, 6:10:03 AM
I don't see any info in the wiki on this. Anybody done it? This is what I've done so far. Comments
appreciated.

Newly installed Samba 4.2.3, sernet packages on debian jessie.
Provisioned as per wiki instructions. Added test users and group policies with windows tools. Works
great.
Joined 2008r2 server as another dc. No errors.
samba-tool drs replicate works fine
I created the sysvol share via the registry as per the wiki.
To sync sysvol I used deltacopy rsync server on the windows box. No acl support. Would cwrsync be
better?
Extended acls obviously did not work so I rsynced sysvol without the acls and then ran secedit to
restore default acls on the Windows sysvol as per
https://technet.microsoft.com/en-us/library/cc816750(v=ws.10).aspx

Then I manually created the NETLOGON share. Netlogon service starts ok.

dcdiag /test:logons reports all good but dcdiag reports some errors. I haven't tried to fix them yet.

Starting test: VerifyReferences
Some objects relating to the DC WIN-AD-TEST have problems:
[1] Problem: Missing Expected Value
Base Object:
CN=NTDS Settings,CN=WIN-AD-TEST,CN=Servers,CN=Default-First-Site-Nam
,CN=Sites,CN=Configuration,DC=ad,DC=gibb,DC=co,DC=za
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

[1] Problem: Missing Expected Value
Base Object:
CN=WIN-AD-TEST,OU=Domain Controllers,DC=ad,DC=gibb,DC=co,DC=za
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

......................... WIN-AD-TEST failed test VerifyReferences



Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
The application directory partition
DC=DomainDnsZones,DC=ad,DC=gibb,DC=co,DC=za is missing a security
descriptor reference domain. The administrator should set the
msDS-SD-Reference-Domain attribute on the cross reference object
CN=86a2d720-bbe7-4744-8aec-8f426666e08a,CN=Partitions,CN=Configurati
on,DC=ad,DC=gibb,DC=co,DC=za
to the DN of a domain.
......................... DomainDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
The application directory partition
DC=ForestDnsZones,DC=ad,DC=gibb,DC=co,DC=za is missing a security
descriptor reference domain. The administrator should set the
msDS-SD-Reference-Domain attribute on the cross reference object
CN=d96faa07-bc45-418b-9404-eed8baef11b4,CN=Partitions,CN=Configurati
on,DC=ad,DC=gibb,DC=co,DC=za
to the DN of a domain.
......................... ForestDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation


Sketch

Sep 16, 2015, 10:10:03 AM
On Wed, 16 Sep 2015, Neil Price wrote:

> I don't see any info in the wiki on this. Anybody done it? This is what I've
> done so far. Comments appreciated.

Glad to hear someone is actually doing this. This is on my todo list, but
I haven't set it up yet. There is (or was, I haven't checked recently) a
mention of it on the samba wiki, but the page it links to doesn't exist.

> To sync sysvol I used deltacopy rsync server on the windows box. No acl
> support. Would cwrsync be better?

Old, but seems to imply that cygwin with rsync -A (which no longer
requires a patch) may do what you want, though it sounds like you might
need to populate cygwin's /etc/passwd with the Unix UIDs used on the Samba
side to get it to work:

https://lists.samba.org/archive/rsync/2006-October/016532.html

Neil Price

Sep 18, 2015, 3:00:03 AM
On 16/09/2015 16:03, Sketch wrote:
>
> Glad to hear someone is actually doing this. This is on my todo list, but I haven't set it up
> yet. There is (or was, I haven't checked recently) a mention of it on the samba wiki, but the
> page it links to doesn't exist.
>
>> To sync sysvol I used deltacopy rsync server on the windows box. No acl support. Would cwrsync be
>> better?
>
> Old, but seems to imply that cygwin with rsync -A (which no longer requires a patch) may do what
> you want, though it sounds like you might need to populate cygwin's /etc/passwd with the Unix UIDs
> used on the Samba side to get it to work:
>
> https://lists.samba.org/archive/rsync/2006-October/016532.html

A little update: the first two errors in the original post I found I could ignore. It seems they are
common even on pure MS installations. The KB article referred to in the error is completely irrelevant.

The last two errors I got rid of by putting the DN of my domain in the msDS-SD-Reference-Domain
attribute in the CN=(UID-number),CN=Partitions,CN=Configuration,DC=ad,DC=domain,dc=com, then
replicating partitions from the samba server to the windows server. It seems that samba4 does not set
these attributes but I'm not sure if this is important enough to be a bug.

I'm still getting "unexpected number of reps-to neighbours returned from (samba4 server)"

Testing continues.
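
Added example, not part of the original thread or of Samba's own code: one way to turn the CheckSDRefDom failures shown in the first post into an LDIF that sets msDS-SD-Reference-Domain on each flagged cross reference object, as described in the last message. The function names, the sample GUID and the example.com domain are constructed placeholders.

```python
import re

# Constructed sample in the shape dcdiag prints a CheckSDRefDom failure,
# including the hard-wrapped DN. The GUID and domain are placeholders.
SAMPLE = """\
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
The application directory partition
DC=DomainDnsZones,DC=ad,DC=example,DC=com is missing a security
descriptor reference domain. The administrator should set the
msDS-SD-Reference-Domain attribute on the cross reference object
CN=00000000-0000-0000-0000-000000000001,CN=Partitions,CN=Configurati
on,DC=ad,DC=example,DC=com
to the DN of a domain.
......................... DomainDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
"""

CROSSREF = re.compile(
    r"on the cross reference object\s+(.*?)\s+to the DN of a domain", re.S)


def crossrefs_missing_sd_ref(dcdiag_text):
    """Return the crossRef DNs dcdiag flagged, with line wraps re-joined."""
    dns = []
    for m in CROSSREF.finditer(dcdiag_text):
        # dcdiag wraps long DNs mid-token: join on newlines (and any
        # indentation around them) but keep spaces inside a line.
        dn = re.sub(r"\s*\n\s*", "", m.group(1))
        if dn not in dns:
            dns.append(dn)
    return dns


def build_ldif(crossref_dns, domain_dn):
    """Build LDIF records setting msDS-SD-Reference-Domain on each crossRef."""
    return "\n".join(
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: msDS-SD-Reference-Domain\n"
        f"msDS-SD-Reference-Domain: {domain_dn}\n"
        "-\n"
        for dn in crossref_dns)


if __name__ == "__main__":
    print(build_ldif(crossrefs_missing_sd_ref(SAMPLE), "DC=ad,DC=example,DC=com"))
```

Review the generated LDIF against the Partitions container before applying it on one DC, then re-run dcdiag after replication.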