[Samba] Replication and DNS issue


Donaldson Jeff

Jul 15, 2014, 3:40:01 PM
Greetings,


I recently set up a new server to join an existing domain as a DC. I installed Ubuntu 12.04 server and downloaded and installed Samba 4.1.8. The installation went well and once completed I joined the domain with the following command - samba-tool domain join mydomain DC -Uadministrator --realm=mydomain (actual name changed). I got the Joined domain as a DC message. I followed the steps outlined in the Samba Join a Domain as DC wiki page to check required DNS entries. Running the host -t A server.domain returns the correct IP address. If I run the ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid I see all three of my Domain controllers and their respective guids. I then ran the host -t CNAME guid._msdcs.mydomain command and found the msdc record wasn't added. I then used samba-tool to add it. It added correctly and the previous command now returns that the guid is an alias for the server. I then start Samba services without any errors. When I then check replication using samba-tool drs showrepl I have one inbound replication error and all outbound attempts fail. How can I get the new server to replicate to the existing DCs correctly (see txt attachment for showrepl results)?


The other issue I noticed is running DNS checks. If I run the host -t SRV _ldap._tcp.mydomain command, the newly joined DC doesn't appear. Same goes for the host -t SRV _kerberos._udp.mydomain. It does return correctly when running host -t A myserver.mydomain command. How can I correct the DNS entries? Kerberos appears to be working because I can kinit administrator and see the ticket. Any ideas?


I'm fairly new to Samba4, so please excuse my ignorance. Any help is appreciated!


Regards,
Jeff

Jeff Donaldson
Technology Director
Newark Charter School
jeff.do...@ncs.k12.de.us
(302) 369-2001 ext: 425
showrepl_output.txt

steve

Jul 16, 2014, 6:20:01 AM
On Tue, 2014-07-15 at 19:20 +0000, Donaldson Jeff wrote:
> Greetings,
>
>
> I recently setup a new server to join an existing domain as a DC.

Hi
After the join there are various DNS entries you need to kick start the
replication, not only the CNAMEs. There are some krb SRV entries that
are needed too. You haven't given much information, so I don't know what
stage you're at. Full story:
http://linuxcostablanca.blogspot.com.es/2014/06/samba4-dc-replication-on-ubuntu.html
HTH
Steve
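
Added example, not part of the original thread: the four DNS checks from the first post (A, GUID CNAME under _msdcs, and the _ldap._tcp and _kerberos._udp SRV records) as one shell function that also confirms the new DC is listed as an SRV target. The function names and the arguments you pass are assumptions for illustration; `lookup` wraps `host` so the checks can be exercised against canned answers.

```shell
#!/bin/sh
# Added example (not from the thread): check the DNS records a newly joined
# Samba AD DC needs. Domain, host name and GUID are supplied by the caller.

# lookup TYPE NAME: thin wrapper around host(1) so it can be stubbed offline.
lookup() { host -t "$1" "$2" 2>/dev/null; }

# report STATUS TYPE NAME: print one result line and count missing records.
report() {
    printf '%-7s %-5s %s\n' "$1" "$2" "$3"
    if [ "$1" = MISSING ]; then missing=$((missing + 1)); fi
}

# check_dc_dns DOMAIN DC_FQDN DSA_GUID
# Returns the number of missing records (0 means all four checks passed).
check_dc_dns() {
    domain=$1; dc=$2; guid=$3; missing=0

    # A record: the DC's own host name must resolve.
    if lookup A "$dc" | grep -q ' has address '; then
        report OK A "$dc"
    else
        report MISSING A "$dc"
    fi

    # CNAME: <objectGUID>._msdcs.<domain> must be an alias for this DC.
    alias_name="$guid._msdcs.$domain"
    if lookup CNAME "$alias_name" | grep -i ' is an alias for ' | grep -qiF " $dc."; then
        report OK CNAME "$alias_name"
    else
        report MISSING CNAME "$alias_name"
    fi

    # SRV: the DC must be listed as a target, not merely that the name exists.
    for svc in _ldap._tcp _kerberos._udp; do
        if lookup SRV "$svc.$domain" | grep ' has SRV record ' | grep -qiF " $dc."; then
            report OK SRV "$svc.$domain"
        else
            report MISSING SRV "$svc.$domain"
        fi
    done
    return "$missing"
}

# Run directly as: sh check_dc_dns.sh DOMAIN DC_FQDN DSA_GUID
if [ "$#" -eq 3 ]; then check_dc_dns "$@"; fi
```

Run it against each DC's resolver in turn; a record that exists on one DNS server but not another points at the DNS zone itself not having replicated.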


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Donaldson Jeff

Jul 16, 2014, 2:30:02 PM
Steve,

Thank you for the link. I manually added the failover DNS entries and all of the DNS checks return successfully on each server now. I am still having an issue with replication however. When I force the new DC to replicate to existing DCs using the following, samba-tool drs replicate ncssamba1 ncsauth2 DC=ncs,DC=k12,DC=de,DC=us or samba-tool drs replicate ncssamba1 ncsauth2 CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us, I get the following error

ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 345, in run
drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)

Oddly, when I run the samba-tool drs showrepl command on the new DC, it no longer shows any outbound errors. It does however show an inbound error from my other DC specifically during replication of CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us. The error is result 58 (WERR_BAD_NET_RESP).

I'm not sure why running samba-tool drs showrepl shows no issues with outbound replication to my two other DCs now, but if I manually tell it to replicate to either of them I get the first error above.

Any ideas? Thanks for your help!

Regards,
Jeff

Jeff Donaldson
Technology Director
Newark Charter School
jeff.do...@ncs.k12.de.us
(302) 369-2001 ext: 425
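
Added example, not part of the original thread: a filter that reduces `samba-tool drs showrepl` output to one line per failed attempt, so the direction, naming context and partner of a failure such as the result 58 above can be compared across DCs. The sample input is constructed and its layout is an assumption about how showrepl prints; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list failed replication attempts from
# `samba-tool drs showrepl` output as DIRECTION|NC|PARTNER|RESULT.

showrepl_failures() {
    awk '
        /^==== (INBOUND|OUTBOUND) NEIGHBORS ====/ { dir = $2; next }
        /^==== /           { dir = ""; next }   # any other section
        dir == ""          { next }             # header before first section
        /^[A-Z][A-Z]=/     { nc = $0; next }    # unindented naming context DN
        / via RPC$/        { partner = $1; next }
        / failed, result / {
            sub(/.* failed, result /, "")
            print dir "|" nc "|" partner "|" $0
        }'
}

# Constructed sample laid out like showrepl output (layout assumed; names and
# times are made up). The error code is the one quoted in the post above.
sample_showrepl() {
    cat <<'EOF'
Default-First-Site-Name\DC3
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Wed Jul 16 14:05:11 2014 EDT was successful
        0 consecutive failure(s).
        Last success @ Wed Jul 16 14:05:11 2014 EDT

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Wed Jul 16 14:05:12 2014 EDT failed, result 58 (WERR_BAD_NET_RESP)
        4 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)
EOF
}

# Real use: samba-tool drs showrepl | showrepl_failures
sample_showrepl | showrepl_failures
```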


steve

Jul 16, 2014, 3:30:01 PM
On Wed, 2014-07-16 at 18:21 +0000, Donaldson Jeff wrote:
> Steve,
>
> Thank you for the link. I manually added the failover DNS entries and all of the DNS checks return successfully on each server now. I am still having an issue with replication however. When I force the new DC to replicate to existing DCs using the following, samba-tool drs replicate ncssamba1 ncsauth2 DC=ncs,DC=k12,DC=de,DC=us or samba-tool drs replicate ncssamba1 ncsauth2 CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us, I get the following error
>
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 345, in run
> drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
> raise drsException("DsReplicaSync failed %s" % estr)
>
> Oddly, when I run the samba-tool drs showrepl command on the new DC, it no longer shows any outbound errors. It does however show an inbound error from my other DC specifically during replication of CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us. The error is result 58 (WERR_BAD_NET_RESP).
>
> I'm not sure why running samba-tool drs showrepl shows no issues with outbound replication to my two other DCs now, but if I manually tell it to replicate to either of them I get the first error above.
>
> Any ideas? Thanks for your help!

Hi
The only other thing which comes to mind is the firewall.

Donaldson Jeff

Jul 16, 2014, 3:40:02 PM
Port 135 issue?

steve

Jul 16, 2014, 4:30:02 PM
On Wed, 2014-07-16 at 19:38 +0000, Donaldson Jeff wrote:
> Port 135 issue?
>
Yeah, that's it. But remember that you don't see anything about it on
the DC which doesn't replicate (your latest DC). Look on the others.
Best is to wait for some down time and lose the firewall altogether.
If you can get just one other close by that would be a bonus for
testing.
Cheers

Donaldson Jeff

Jul 16, 2014, 4:40:01 PM
Our samba1 and Auth2 (hostnames) servers are on the same physical network and should be able to talk to each other without going through a firewall, and our two working DCs have no issues with replication. I still think it is something DNS related. Any other suggestions or things to look at? Any help is appreciated.

Thanks!
Jeff

Sent from my mobile device