Hi list,

We use samba 4.1.17 (debian's version) on several DCs. I just realized that one of them is desynced and cannot get it to resync.

The long story: we got 5 DCs split over several sites. Recently we had to replace one of them (let's call him DC5). Since both had to run in parallel for data recovery/users work we decided to join a brand new DC (DC6) and later demote the second one (DC5). Where things get even more complicated is that once DC5 has been removed we put DC6 on its IP (following wiki). We performed some cleanup in the DNS and all was beautiful, data got replicated. However I just realized that a completely different DC (say DC3) didn't catch the replacement. samba-tool drs showrepl reports errors where we can see the no longer existing DC and a DNS query returns the old DC6 address. Is there a way to force replication (even by copying files manually)? samba-tool drs replicate fails miserably without any meaningful error.

Thanks in advance

Have you tried to replicate with the --sync-forced and --full-sync options?

On 24.02.2016 at 14:31, Sébastien Le Ray wrote:
> Hi list,
>
> We use samba 4.1.17 (debian's version) on several DCs. I just realized that one of them is desynced and cannot get it to resync.
>
> The long story: we got 5 DCs split over several sites. Recently we had to replace one of them (let's call him DC5). Since both had to run in parallel for data recovery/users work we decided to join a brand new DC (DC6) and later demote the second one (DC5). Where things get even more complicated is that once DC5 has been removed we put DC6 on its IP (following wiki). We performed some cleanup in the DNS and all was beautiful, data got replicated. However I just realized that a completely different DC (say DC3) didn't catch the replacement. samba-tool drs showrepl reports errors where we can see the no longer existing DC and a DNS query returns the old DC6 address. Is there a way to force replication (even by copying files manually)? samba-tool drs replicate fails miserably without any meaningful error.
>
> Thanks in advance

Well, no, since I never saw these options. Are these samba-tool drs replicate options?

The only output it gives me is

ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 346, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Which is not very helpful :)

On 24/02/2016 16:24, Achim Gottinger wrote:
> Have you tried to replicate with the --sync-forced and --full-sync options?
>
> On 24.02.2016 at 14:31, Sébastien Le Ray wrote:
>> Hi list,
>>
>> We use samba 4.1.17 (debian's version) on several DCs. I just realized that one of them is desynced and cannot get it to resync.
>>
>> The long story: we got 5 DCs split over several sites. Recently we had to replace one of them (let's call him DC5). Since both had to run in parallel for data recovery/users work we decided to join a brand new DC (DC6) and later demote the second one (DC5). Where things get even more complicated is that once DC5 has been removed we put DC6 on its IP (following wiki). We performed some cleanup in the DNS and all was beautiful, data got replicated. However I just realized that a completely different DC (say DC3) didn't catch the replacement. samba-tool drs showrepl reports errors where we can see the no longer existing DC and a DNS query returns the old DC6 address. Is there a way to force replication (even by copying files manually)? samba-tool drs replicate fails miserably without any meaningful error.
>>
>> Thanks in advance

Yes they are, see samba-tool drs replicate -h.

On 24.02.2016 at 16:24, Achim Gottinger wrote:
> Have you tried to replicate with the --sync-forced and --full-sync options?
>
> On 24.02.2016 at 14:31, Sébastien Le Ray wrote:
>> Hi list,
>>
>> We use samba 4.1.17 (debian's version) on several DCs. I just realized that one of them is desynced and cannot get it to resync.
>>
>> The long story: we got 5 DCs split over several sites. Recently we had to replace one of them (let's call him DC5). Since both had to run in parallel for data recovery/users work we decided to join a brand new DC (DC6) and later demote the second one (DC5). Where things get even more complicated is that once DC5 has been removed we put DC6 on its IP (following wiki). We performed some cleanup in the DNS and all was beautiful, data got replicated. However I just realized that a completely different DC (say DC3) didn't catch the replacement. samba-tool drs showrepl reports errors where we can see the no longer existing DC and a DNS query returns the old DC6 address. Is there a way to force replication (even by copying files manually)? samba-tool drs replicate fails miserably without any meaningful error.
>>
>> Thanks in advance

I'd try to rejoin the faulty DC instead of copying sam.ldb files. I guess there are unique DC specific entries in the local database.
It may be that samba-tool replicate works if you try to push the settings from another DC or pull them on the faulty DC.
What command did you try and on what DC?

On 25.02.2016 at 14:02, Sébastien Le Ray wrote:
> Still the same error…
>
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
>
> Would copying the sam.ldb* files from a working DC be a mistake?
>
> On 25/02/2016 12:45, Achim Gottinger wrote:
>> Yes they are, see samba-tool drs replicate -h.
>>
>> On 24.02.2016 at 16:24, Achim Gottinger wrote:
>>> Have you tried to replicate with the --sync-forced and --full-sync options?
>>>
>>> On 24.02.2016 at 14:31, Sébastien Le Ray wrote:
>>>> Hi list,
>>>>
>>>> We use samba 4.1.17 (debian's version) on several DCs. I just realized that one of them is desynced and cannot get it to resync.
>>>>
>>>> The long story: we got 5 DCs split over several sites. Recently we had to replace one of them (let's call him DC5). Since both had to run in parallel for data recovery/users work we decided to join a brand new DC (DC6) and later demote the second one (DC5). Where things get even more complicated is that once DC5 has been removed we put DC6 on its IP (following wiki). We performed some cleanup in the DNS and all was beautiful, data got replicated. However I just realized that a completely different DC (say DC3) didn't catch the replacement. samba-tool drs showrepl reports errors where we can see the no longer existing DC and a DNS query returns the old DC6 address. Is there a way to force replication (even by copying files manually)? samba-tool drs replicate fails miserably without any meaningful error.
>>>>
>>>> Thanks in advance

Can I rejoin without leaving? If by settings you mean smb.conf, there is nothing different except for the netbios name.

I did

beuss@desynced-dc:~$ sudo samba-tool drs replicate DESYNCED-DC.ad.my.company SANE-AND-REACHABLE-DC.ad.my.company dc=ad,dc=my,dc=company --full-sync --sync-forced

it failed…

Thanks to drs replicate -h I found the --local which seems to work better (well, better as in "it doesn't fail", replication is not finished yet)

On 25/02/2016 14:10, Achim Gottinger wrote:
> I'd try to rejoin the faulty DC instead of copying sam.ldb files. I guess there are unique DC specific entries in the local database.
> It may be that samba-tool replicate works if you try to push the settings from another DC or pull them on the faulty DC.
> What command did you try and on what DC?
>
> On 25.02.2016 at 14:02, Sébastien Le Ray wrote:
>> Still the same error…
>>
>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (-1073610723, 'NT_STATUS_RPC_PROTOCOL_ERROR')
>>
>> Would copying the sam.ldb* files from a working DC be a mistake?
>>
>> On 25/02/2016 12:45, Achim Gottinger wrote:
>>> Yes they are, see samba-tool drs replicate -h.
>>>
>>> On 24.02.2016 at 16:24, Achim Gottinger wrote:
>>>> Have you tried to replicate with the --sync-forced and --full-sync options?
>>>>
>>>> On 24.02.2016 at 14:31, Sébastien Le Ray wrote:
>>>>> Hi list,
>>>>>
>>>>> We use samba 4.1.17 (debian's version) on several DCs. I just realized that one of them is desynced and cannot get it to resync.
>>>>>
>>>>> The long story: we got 5 DCs split over several sites. Recently we had to replace one of them (let's call him DC5). Since both had to run in parallel for data recovery/users work we decided to join a brand new DC (DC6) and later demote the second one (DC5). Where things get even more complicated is that once DC5 has been removed we put DC6 on its IP (following wiki). We performed some cleanup in the DNS and all was beautiful, data got replicated. However I just realized that a completely different DC (say DC3) didn't catch the replacement. samba-tool drs showrepl reports errors where we can see the no longer existing DC and a DNS query returns the old DC6 address. Is there a way to force replication (even by copying files manually)? samba-tool drs replicate fails miserably without any meaningful error.
>>>>>
>>>>> Thanks in advance
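
Added example, not part of any message in this thread: a small Python parser that reads saved `samba-tool drs showrepl` output and lists replication partners that are failing or that no longer appear in the set of DCs still in service, which is the symptom described for the removed DC5. The sample output is constructed, its layout is assumed to match what showrepl prints, and the function names and DC list are hypothetical.

```python
import re

# Constructed sample in the layout printed by `samba-tool drs showrepl`;
# site names, GUIDs, timestamps and the result code are made up.
SAMPLE = """\
==== INBOUND NEIGHBORS ====

DC=ad,DC=my,DC=company
\tSite-A\\DC1 via RPC
\t\tDSA object GUID: 11111111-1111-1111-1111-111111111111
\t\tLast attempt @ Thu Feb 25 14:00:02 2016 CET was successful
\t\t0 consecutive failure(s).

DC=ad,DC=my,DC=company
\tSite-B\\DC5 via RPC
\t\tDSA object GUID: 55555555-5555-5555-5555-555555555555
\t\tLast attempt @ Thu Feb 25 14:00:03 2016 CET failed, result 2 (WERR_BADFILE)
\t\t37 consecutive failure(s).
"""

NEIGHBOR = re.compile(r"^\s+(?P<site>[^\\\s]+)\\(?P<dc>\S+) via RPC$")
FAILED = re.compile(r"^\s+Last attempt @ .* failed, result \d+ \((?P<werr>\w+)\)$")
COUNT = re.compile(r"^\s+(?P<n>\d+) consecutive failure\(s\)\.$")

def parse_neighbors(text):
    """Return one dict per replication partner listed in showrepl output."""
    neighbors, nc, cur = [], None, None
    for line in text.splitlines():
        if line.startswith("===="):           # section banner
            nc = cur = None
        elif line and not line[0].isspace():  # naming context, e.g. DC=ad,...
            nc = line.strip()
        elif NEIGHBOR.match(line):
            m = NEIGHBOR.match(line)
            cur = {"nc": nc, "site": m["site"], "dc": m["dc"],
                   "failures": 0, "error": None}
            neighbors.append(cur)
        elif cur is not None:                 # detail lines of current partner
            if FAILED.match(line):
                cur["error"] = FAILED.match(line)["werr"]
            elif COUNT.match(line):
                cur["failures"] = int(COUNT.match(line)["n"])
    return neighbors

def stale_neighbors(text, live_dcs):
    """Partners that are failing or are not in the list of DCs in service."""
    live = {name.upper() for name in live_dcs}
    return [n for n in parse_neighbors(text)
            if n["failures"] > 0 or n["dc"].upper() not in live]
```

Feed it the text captured from showrepl on each DC together with the names of the DCs that should still exist; any partner it returns points at leftover replication links or DNS records for a demoted DC.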