Today I noticed something that has been going on for some weeks:

I have 2 dc, (dc1 and dc2) both debian buster with the distro provided samba (4.9.5), recently upgraded from stretch.

samba-tool drs showrepl on dc2 says

DC=DomainDnsZones,DC=samba,DC=wetron,DC=es
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 89812346-9037-43b0-86ab-c5052f55125d
        Last attempt @ Thu Oct 10 20:05:28 2019 CEST failed, result 58 (WERR_BAD_NET_RESP)
        273 consecutive failure(s).
        Last success @ Thu Oct 10 12:05:27 2019 CEST

(the rest of the incoming replications are fine, only the DomainDnsZone fails).

It turns out that dc2 chokes on "\0ADEL" dns records, supposedly deleted objects.

I found a "solution" here:

https://www.dotnetcatch.com/2018/06/19/samba-replication-failures/

The procedure to solve it is not exactly the same but it put me on the, hopefully, right track. I scripted it since it got tiresome and it solved the replication problem, for a while, but now it reappeared (that's the message above).

This started on September 25, when I upgraded dc2 from stretch to buster. A few days later I also upgraded dc1 (it was still running jessie).

I'm using internal dns and the dhcp server talks to dc1 to update the dns records, that would explain why there are records to replicate but doesn't explain why samba fails (when it didn't before).

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
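As an added example that is not part of the original thread: a small Python parser for the `samba-tool drs showrepl` text layout quoted above, which flags replication links whose consecutive-failure counter is non-zero. The healthy ForestDnsZones entry in the sample and the function names are constructed for illustration.

```python
import re
# Constructed sample in the layout of `samba-tool drs showrepl`: the failing
# entry is the one quoted in the post, the healthy one is made up for contrast.
SAMPLE = r"""
==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=samba,DC=wetron,DC=es
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 89812346-9037-43b0-86ab-c5052f55125d
        Last attempt @ Thu Oct 10 20:05:28 2019 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Oct 10 20:05:28 2019 CEST

DC=DomainDnsZones,DC=samba,DC=wetron,DC=es
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 89812346-9037-43b0-86ab-c5052f55125d
        Last attempt @ Thu Oct 10 20:05:28 2019 CEST failed, result 58 (WERR_BAD_NET_RESP)
        273 consecutive failure(s).
        Last success @ Thu Oct 10 12:05:27 2019 CEST
"""

ATTEMPT = re.compile(r"Last attempt @ (.+?) (?:was successful|failed, result (\d+) \((\w+)\))$")

def parse_showrepl(text):
    # One dict per replication link (naming context + source DSA).
    links, section, nc = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"==== (.+) ====", line):
            section = m.group(1)
        elif re.match(r"(DC|CN)=", line):
            nc = line                      # naming context header
        elif line.endswith(" via RPC"):
            links.append({"section": section, "nc": nc, "source": line[:-8],
                          "failures": 0, "code": 0, "error": None})
        elif links and (m := ATTEMPT.match(line)):
            links[-1]["last_attempt"] = m.group(1)
            if m.group(2):                 # only present on a failed attempt
                links[-1].update(code=int(m.group(2)), error=m.group(3))
        elif links and (m := re.match(r"(\d+) consecutive failure", line)):
            links[-1]["failures"] = int(m.group(1))
        elif links and line.startswith("Last success @ "):
            links[-1]["last_success"] = line[15:]
    return links

def failing_links(text, min_failures=1):
    return [l for l in parse_showrepl(text) if l["failures"] >= min_failures]

if __name__ == "__main__":
    print(failing_links(SAMPLE))
```

Run against the real command output on each DC, a non-empty result from `failing_links` is the condition worth alerting on, since here the failure went unnoticed for weeks.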
On 10/10/2019 19:23, Luca Olivetti via samba wrote:
> Today I noticed something that has been going on for some weeks:
>
> I have 2 dc, (dc1 and dc2) both debian buster with the distro provided
> samba (4.9.5), recently upgraded from stretch.
>
> samba-tool drs showrepl on dc2 says
>
> DC=DomainDnsZones,DC=samba,DC=wetron,DC=es
>     Default-First-Site-Name\DC1 via RPC
>         DSA object GUID: 89812346-9037-43b0-86ab-c5052f55125d
>         Last attempt @ Thu Oct 10 20:05:28 2019 CEST failed, result 58 (WERR_BAD_NET_RESP)
>         273 consecutive failure(s).
>         Last success @ Thu Oct 10 12:05:27 2019 CEST
>
> (the rest of the incoming replications are fine, only the
> DomainDnsZone fails).
>
> It turns out that dc2 chokes on "\0ADEL" dns records, supposedly
> deleted objects.

What you have there is known as a tombstone record and Samba has a tool to remove them:

samba-tool domain tombstones expunge NC --tombstone-lifetime=TOMBSTONE_LIFETIME

Where 'NC' is the naming context and 'TOMBSTONE_LIFETIME' is the days to keep deleted records for.

> I found a "solution" here:
>
> https://www.dotnetcatch.com/2018/06/19/samba-replication-failures/
>
> The procedure to solve it is not exactly the same but it put me on
> the, hopefully, right track. I scripted it since it got tiresome and
> it solved the replication problem, for a while, but now it reappeared
> (that's the message above).
>
> This started on September 25, when I upgraded dc2 from stretch to
> buster. A few days later I also upgraded dc1 (it was still running
> jessie).
>
> I'm using internal dns and the dhcp server talks to dc1 to update the
> dns records, that would explain why there are records to replicate but
> doesn't explain why samba fails (when it didn't before).

How is the dhcp server updating the dns records?

Rowland
On 10/10/19 at 20:41, Rowland penny via samba wrote:
>> It turns out that dc2 chokes on "\0ADEL" dns records, supposedly
>> deleted objects.
>
> What you have there is known as a tombstone record and Samba has a tool
> to remove them:
>
> samba-tool domain tombstones expunge NC
> --tombstone-lifetime=TOMBSTONE_LIFETIME
>
> Where 'NC' is the naming context and 'TOMBSTONE_LIFETIME' is the days to
> keep deleted records for.

Good to know, but why do they trigger the replication problem?

>> I found a "solution" here:
>>
>> https://www.dotnetcatch.com/2018/06/19/samba-replication-failures/
>>
>> The procedure to solve it is not exactly the same but it put me on
>> the, hopefully, right track. I scripted it since it got tiresome and
>> it solved the replication problem, for a while, but now it reappeared
>> (that's the message above).
>>
>> This started on September 25, when I upgraded dc2 from stretch to
>> buster. A few days later I also upgraded dc1 (it was still running
>> jessie).
>>
>> I'm using internal dns and the dhcp server talks to dc1 to update the
>> dns records, that would explain why there are records to replicate but
>> doesn't explain why samba fails (when it didn't before).
>
> How is the dhcp server updating the dns records ?

Using this method:

https://wiki.archlinux.org/index.php/Samba/Active_Directory_domain_controller#DHCP_with_dynamic_DNS_updates

TLDR: it does a "samba-tool dns add" when a host gets a lease and "samba-tool dns delete" when it releases it or expires.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
On 10/10/19 at 20:23, Luca Olivetti via samba wrote:
> Today I noticed something that has been going on for some weeks:
>
> I have 2 dc, (dc1 and dc2) both debian buster with the distro provided
> samba (4.9.5), recently upgraded from stretch.
>
> samba-tool drs showrepl on dc2 says
>
> DC=DomainDnsZones,DC=samba,DC=wetron,DC=es
>     Default-First-Site-Name\DC1 via RPC
>         DSA object GUID: 89812346-9037-43b0-86ab-c5052f55125d
>         Last attempt @ Thu Oct 10 20:05:28 2019 CEST failed, result 58 (WERR_BAD_NET_RESP)
>         273 consecutive failure(s).
>         Last success @ Thu Oct 10 12:05:27 2019 CEST
>
> (the rest of the incoming replications are fine, only the DomainDnsZone
> fails).
>
> It turns out that dc2 chokes on "\0ADEL" dns records, supposedly deleted
> objects.
>
> I found a "solution" here:
>
> https://www.dotnetcatch.com/2018/06/19/samba-replication-failures/
>
> The procedure to solve it is not exactly the same but it put me on the,
> hopefully, right track. I scripted it since it got tiresome and it
> solved the replication problem, for a while, but now it reappeared
> (that's the message above).
>
> This started on September 25, when I upgraded dc2 from stretch to
> buster. A few days later I also upgraded dc1 (it was still running jessie).
>
> I'm using internal dns and the dhcp server talks to dc1 to update the
> dns records, that would explain why there are records to replicate but
> doesn't explain why samba fails (when it didn't before).

The problem persists :-(

DC=DomainDnsZones,DC=samba,DC=wetron,DC=es
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 89812346-9037-43b0-86ab-c5052f55125d
        Last attempt @ Fri Oct 11 15:50:30 2019 CEST failed, result 58 (WERR_BAD_NET_RESP)
        283 consecutive failure(s).
        Last success @ Fri Oct 11 08:35:30 2019 CEST

samba-tool dbcheck --cross-ncs gives no error on both DCs (though dc1 is reporting 20276 objects and dc2 20180, after cleaning the bad entries the count is 20272 on dc1 and 20208 on dc2)

The strange thing is that this is happening now with both DCs running buster with the same samba version and never happened when dc1 was running jessie and dc2 stretch.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
On 11/10/2019 14:58, Luca Olivetti via samba wrote:
> On 10/10/19 at 20:23, Luca Olivetti via samba wrote:
>> Today I noticed something that has been going on for some weeks:
>>
>> I have 2 dc, (dc1 and dc2) both debian buster with the distro
>> provided samba (4.9.5), recently upgraded from stretch.
>>
>> samba-tool drs showrepl on dc2 says
>>
>> DC=DomainDnsZones,DC=samba,DC=wetron,DC=es
>>     Default-First-Site-Name\DC1 via RPC
>>         DSA object GUID: 89812346-9037-43b0-86ab-c5052f55125d
>>         Last attempt @ Thu Oct 10 20:05:28 2019 CEST failed, result 58 (WERR_BAD_NET_RESP)
>>         273 consecutive failure(s).
>>         Last success @ Thu Oct 10 12:05:27 2019 CEST
>>
>> (the rest of the incoming replications are fine, only the
>> DomainDnsZone fails).
>>
>> It turns out that dc2 chokes on "\0ADEL" dns records, supposedly
>> deleted objects.
>>
>> I found a "solution" here:
>>
>> https://www.dotnetcatch.com/2018/06/19/samba-replication-failures/
>>
>> The procedure to solve it is not exactly the same but it put me on
>> the, hopefully, right track. I scripted it since it got tiresome and
>> it solved the replication problem, for a while, but now it reappeared
>> (that's the message above).
>>
>> This started on September 25, when I upgraded dc2 from stretch to
>> buster. A few days later I also upgraded dc1 (it was still running
>> jessie).
>>
>> I'm using internal dns and the dhcp server talks to dc1 to update the
>> dns records, that would explain why there are records to replicate
>> but doesn't explain why samba fails (when it didn't before).
>
> The problem persists :-(
>
> DC=DomainDnsZones,DC=samba,DC=wetron,DC=es
>     Default-First-Site-Name\DC1 via RPC
>         DSA object GUID: 89812346-9037-43b0-86ab-c5052f55125d
>         Last attempt @ Fri Oct 11 15:50:30 2019 CEST failed, result 58 (WERR_BAD_NET_RESP)
>         283 consecutive failure(s).
>         Last success @ Fri Oct 11 08:35:30 2019 CEST
>
> samba-tool dbcheck --cross-ncs gives no error on both DCs (though dc1
> is reporting 20276 objects and dc2 20180, after cleaning the bad
> entries the count is 20272 on dc1 and 20208 on dc2)
>
> The strange thing is that this is happening now with both DCs running
> buster with the same samba version and never happened when dc1 was
> running jessie and dc2 stretch.
>
> Bye

Try running this on a DC:

samba-tool ldapcmp ldap://DC1 ldap://DC2 --filter='whenChanged,dc,DC,cn,CN,ou,OU'

Replace 'DC1' and 'DC2' with your actual DC short hostnames.

It should tell you the differences.

Rowland