Rowland,

Thank you very much for your attention to this. You should get a medal for all the help you give everyone on this list.

On Sun, 10 May 2015, Rowland Penny wrote:

> Why ? And why don't they show up when you ask for the zones with samba-tool ?

I have that many subnets. As for why they don't show up: they are defined in BIND's configuration and not samba's; they never did show up with samba-tool. I wasn't expecting that they should.

> Just check that it isn't just non replicating attributes that are different.

It looks like a real problem. This is what I get when I compare DC1 and DC2 (again, DC1 and DC3 are the same):

* Result for [DOMAIN]: FAILURE

    Attributes found only in ldap://baxter:

        isCriticalSystemObject
        cn
        ipsecName
        fSMORoleOwner
        objectClass
        ipsecISAKMPReference
        iPSECNegotiationPolicyAction
        showInAdvancedViewOnly
        ipsecFilterReference
        priorSetTime
        instanceType
        ipsecOwnersReference
        distinguishedName
        ipsecNFAReference
        msDS-TombstoneQuotaFactor
        ipsecData
        description
        objectCategory
        objectGUID
        whenCreated
        systemFlags
        ipsecNegotiationPolicyReference
        ipsecID
        lastSetTime
        iPSECNegotiationPolicyType
        name
        memberOf
        ipsecDataType

* Result for [CONFIGURATION]: FAILURE

    Attributes found only in ldap://baxter:

        distinguishedName
        isCriticalSystemObject
        name
        objectCategory
        objectClass
        msDS-Behavior-Version
        description
        msDS-TombstoneQuotaFactor
        objectGUID
        showInAdvancedViewOnly
        systemFlags
        whenCreated
        fSMORoleOwner
        instanceType
        cn

* Result for [DNSDOMAIN]: FAILURE

    Attributes found only in ldap://baxter:

        distinguishedName
        isCriticalSystemObject
        cn
        objectCategory
        objectClass
        objectGUID
        whenCreated
        showInAdvancedViewOnly
        systemFlags
        instanceType
        name

* Result for [DNSFOREST]: FAILURE

    Attributes found only in ldap://baxter:

        distinguishedName
        isCriticalSystemObject
        cn
        objectCategory
        objectClass
        objectGUID
        whenCreated
        showInAdvancedViewOnly
        systemFlags
        instanceType
        name

and everything else is in order. "samba-tool drs showrepl" shows no problems.

> Check your FSMO roles.

I've done that; this appears to be in order (DC1 = baxter):

    InfrastructureMasterRole owner: CN=NTDS Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
    SchemaMasterRole owner: CN=NTDS Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu

-Steve

--
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
  "186,282 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------

On 10/05/15 16:08, Steve Thompson wrote:

> Rowland,
>
> Thank you very much for your attention to this. You should get a medal
> for all the help you give everyone on this list.
>
> On Sun, 10 May 2015, Rowland Penny wrote:
>
>> Why ? And why don't they show up when you ask for the zones with
>> samba-tool ?
>
> I have that many subnets. As for why they don't show up: they are
> defined in BIND's configuration and not samba's; they never did show
> up with samba-tool. I wasn't expecting that they should.
>
>> Just check that it isn't just non replicating attributes that are
>> different.
>
> It looks like a real problem. This is what I get when I compare DC1
> and DC2 (again, DC1 and DC3 are the same):
>
> * Result for [DOMAIN]: FAILURE
>
>     Attributes found only in ldap://baxter:
>
>         isCriticalSystemObject
>         cn
>         ipsecName
>         fSMORoleOwner
>         objectClass
>         ipsecISAKMPReference
>         iPSECNegotiationPolicyAction
>         showInAdvancedViewOnly
>         ipsecFilterReference
>         priorSetTime
>         instanceType
>         ipsecOwnersReference
>         distinguishedName
>         ipsecNFAReference
>         msDS-TombstoneQuotaFactor
>         ipsecData
>         description
>         objectCategory
>         objectGUID
>         whenCreated
>         systemFlags
>         ipsecNegotiationPolicyReference
>         ipsecID
>         lastSetTime
>         iPSECNegotiationPolicyType
>         name
>         memberOf
>         ipsecDataType
>
> * Result for [CONFIGURATION]: FAILURE
>
>     Attributes found only in ldap://baxter:
>
>         distinguishedName
>         isCriticalSystemObject
>         name
>         objectCategory
>         objectClass
>         msDS-Behavior-Version
>         description
>         msDS-TombstoneQuotaFactor
>         objectGUID
>         showInAdvancedViewOnly
>         systemFlags
>         whenCreated
>         fSMORoleOwner
>         instanceType
>         cn
>
> * Result for [DNSDOMAIN]: FAILURE
>
>     Attributes found only in ldap://baxter:
>
>         distinguishedName
>         isCriticalSystemObject
>         cn
>         objectCategory
>         objectClass
>         objectGUID
>         whenCreated
>         showInAdvancedViewOnly
>         systemFlags
>         instanceType
>         name
>
> * Result for [DNSFOREST]: FAILURE
>
>     Attributes found only in ldap://baxter:
>
>         distinguishedName
>         isCriticalSystemObject
>         cn
>         objectCategory
>         objectClass
>         objectGUID
>         whenCreated
>         showInAdvancedViewOnly
>         systemFlags
>         instanceType
>         name
>
> and everything else is in order. "samba-tool drs showrepl" shows no
> problems.
>

You definitely seem to have problems there.

>> Check your FSMO roles.
>
> I've done that; this appears to be in order (DC1 = baxter):
>
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
>
> -Steve

You do know that there are 7 (yes seven) fsmoroles ?

Have you got:

    CN=Infrastructure,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
    CN=Infrastructure,DC=ForestDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu

There should be a 'fSMORoleOwner' attribute in each record.

Rowland

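Added example, not part of the thread and not Samba's own code: a check that all seven FSMO role objects, including the two DNS zone `CN=Infrastructure` records named above, carry an `fSMORoleOwner`, run over LDIF text such as saved LDAP search output. The function names, the `DC=example,DC=test` domain and the `DC1` owner are constructed for illustration; a single-domain forest is assumed unless `forest_dn` is given.

```python
def fsmo_role_objects(domain_dn, forest_dn=None):
    """Role name -> DN of the object whose fSMORoleOwner names the role holder."""
    forest_dn = forest_dn or domain_dn  # assumption: single-domain forest unless told otherwise
    return {
        "SchemaMaster": f"CN=Schema,CN=Configuration,{forest_dn}",
        "DomainNamingMaster": f"CN=Partitions,CN=Configuration,{forest_dn}",
        "PdcEmulator": domain_dn,
        "RidAllocationMaster": f"CN=RID Manager$,CN=System,{domain_dn}",
        "InfrastructureMaster": f"CN=Infrastructure,{domain_dn}",
        "DomainDnsZonesMaster": f"CN=Infrastructure,DC=DomainDnsZones,{domain_dn}",
        "ForestDnsZonesMaster": f"CN=Infrastructure,DC=ForestDnsZones,{forest_dn}",
    }

def parse_ldif(text):
    """Return {lowercased DN: {lowercased attribute: [values]}}; base64 values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folds long lines; continuations start with one space
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None  # a blank line ends the record
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                current = entries.setdefault(value.lower(), {})
            elif current is not None:
                current.setdefault(name, []).append(value)
    return entries

def audit_fsmo(ldif_text, domain_dn, forest_dn=None):
    """Return {role: owner DN, or None if the object or its fSMORoleOwner is missing}."""
    entries = parse_ldif(ldif_text)
    return {role: (entries.get(dn.lower(), {}).get("fsmoroleowner") or [None])[0]
            for role, dn in fsmo_role_objects(domain_dn, forest_dn).items()}

BASE = "DC=example,DC=test"  # constructed domain, not the poster's
OWNER = "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration," + BASE
# Constructed input: five role objects have an owner, DomainDnsZones has none, ForestDnsZones is absent.
SAMPLE = "".join(
    f"dn: {dn}\nfSMORoleOwner: {OWNER[:40]}\n {OWNER[40:]}\n\n"  # owner value folded as in LDIF
    for role, dn in fsmo_role_objects(BASE).items() if "DnsZones" not in role
) + f"dn: CN=Infrastructure,DC=DomainDnsZones,{BASE}\ncn: Infrastructure\n\n"
if __name__ == "__main__":
    print("\n".join(f"{r:22} {o or 'MISSING'}" for r, o in audit_fsmo(SAMPLE, BASE).items()))
```

A `None` result does not distinguish a missing object from a present object without the attribute; look the DN up in `parse_ldif()` output to tell them apart.
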
On Sun, 10 May 2015, Rowland Penny wrote:

> You definitely seem to have problems there.

Indeed I do :-(

> You do know that there are 7 (yes seven) fsmoroles ?

Oh crap. I checked on the original DC before I demoted it, and there were only 5 displayed, so I thought that was all I should have. At least, I transferred -all roles, and only those 5 made it. This is going to be a pain to fix.

Steve

--
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
  "186,282 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------