Hi guys,

I have an issue with our company DC (samba 4.7.12 on a Debian 9 machine), which has worked OK for about 3 years.
Now we tried to join another DC for redundancy but we receive the following error:

Provision OK for domain DN DC=example,DC=com
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com] objects[402/1619] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[804/1619] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1206/1619] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=com] objects[1609/1619] linked_values[0/10]
Partition[CN=Configuration,DC=example,DC=com] objects[1619/1619] linked_values[31/31]
Failed to commit objects: DOS code 0x000021bf
Missing target object - retrying with DRS_GET_TGT
Partition[CN=Configuration,DC=example,DC=com] objects[2021/1619] linked_values[31/0]
Partition[CN=Configuration,DC=example,DC=com] objects[2423/1619] linked_values[31/0]
Partition[CN=Configuration,DC=example,DC=com] objects[2825/1619] linked_values[31/0]
Partition[CN=Configuration,DC=example,DC=com] objects[3228/1619] linked_values[31/10]
Partition[CN=Configuration,DC=example,DC=com] objects[3238/1619] linked_values[62/31]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com] objects[98/98] linked_values[28/28]
Partition[DC=example,DC=com] objects[402/927] linked_values[0/201]
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=DIPIETROA,OU=PC,DC=example,DC=com for index on servicePrincipalName, duplicate of objectGUID 8bb534af-e1fb-4591-8460-dfa5675766dd in @INDEX:SERVICEPRINCIPALNAME:TERMSRV/DIPIETROA.example.com
Partition[DC=example,DC=com] objects[804/927] linked_values[0/560]
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=OMNIOSBK,OU=PC,DC=example,DC=com for index on servicePrincipalName, duplicate of objectGUID e8f8df31-e78f-48ca-a43a-17b30dfee013 in @INDEX:SERVICEPRINCIPALNAME:HTTP/OMNIOSBK.example.com
Partition[DC=example,DC=com] objects[927/927] linked_values[560/560]
../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=BONAMORE,OU=PC,DC=example,DC=com for index on servicePrincipalName, duplicate of objectGUID 4164606b-d7dd-4fbd-b263-4dca38e0b519 in @INDEX:SERVICEPRINCIPALNAME:TERMSRV/BONAMORE.example.com
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=example,DC=com
Join failed - cleaning up
Deleted CN=DC2,OU=Domain Controllers,DC=example,DC=com
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Deleted CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(runtime): uncaught exception - (8442, 'WERR_DS_DRA_INTERNAL_ERROR')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 700, in run
    backend_store=backend_store)
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1544, in join_DC
    ctx.do_join()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1438, in do_join
    ctx.join_replicate()
  File "/usr/lib/python3/dist-packages/samba/join.py", line 997, in join_replicate
    replica_flags=ctx.replica_flags)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 338, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

I tried using the "--dns-backend=NONE" option during the join as suggested here https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting, and it works, but when I manually force the replication of the DOMAINDNSZONES partition I get the same error.

Maybe the problem is the database partition DC=DOMAINDNSZONES, which seems to be broken. When I try: ldbsearch -H CN=DOMAINDNSZONES ldb file, I receive the error "search error - Indexed and full searches both failed!" after the # record 5.

samba-tool dbcheck does not report any error.
Using the Windows RSAT tool for DNS works without problem: no error when adding or removing entries, and dynamic updates also work.

Is it possible to find the damaged entry, remove it and rebuild the db?

Any help is welcome, thanks

On 25/02/2020 08:48, JeanLuc via samba wrote:
> Hi guys,
>
> I have an issue with our company DC (samba 4.7.12 on a Debian 9 machine), which has worked OK for about 3 years.
> Now we tried to join another DC for redundancy but we receive the following error:
>
> Provision OK for domain DN DC=example,DC=com
> Starting replication
>
> Replicating DC=DomainDnsZones,DC=example,DC=com
> Join failed - cleaning up

Your problem does appear to be with the domain dns zone, but I wouldn't try to fix it directly; use 'samba-tool dbcheck' with '--cross-ncs' instead.

You say your DC is running Samba 4.7.12; was this a provisioned domain or was it originally a Windows domain, and if so what version?

Rowland

On Tue, 2020-02-25 at 08:48 +0000, JeanLuc via samba wrote:
> Hi guys,
>
> I have an issue with our company DC (samba 4.7.12 on a Debian 9 machine), which has worked OK for about 3 years.
> Now we tried to join another DC for redundancy but we receive the following error:

I would first try joining a much more modern DC. We have fixed a lot of replication issues since 4.7.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Thanks for the reply, it's a provisioned domain. The samba-tool dbcheck --cross-ncs command exits with the error:

ERROR(ldb): uncaught exception - Indexed and full search both failed!

25 February 2020 10:43, "Rowland penny via samba" <samba at lists.samba.org> wrote:
> On 25/02/2020 08:48, JeanLuc via samba wrote:
>
>> Hi guys,
>>
>> I have an issue with our company DC (samba 4.7.12 on a Debian 9 machine), which has worked OK for about 3 years.
>> Now we tried to join another DC for redundancy but we receive the following error:
>>
>> Provision OK for domain DN DC=example,DC=com
>> Starting replication
>>
>> Replicating DC=DomainDnsZones,DC=example,DC=com
>> Join failed - cleaning up
>
> Your problem does appear to be with the domain dns zone, but I wouldn't try to fix it directly; use
> 'samba-tool dbcheck' with '--cross-ncs' instead.
>
> You say your DC is running Samba 4.7.12; was this a provisioned domain or was it originally a
> Windows domain, and if so what version?
>
> Rowland

Thanks for the reply, the new DC is an Ubuntu machine with samba version 4.10.7.

25 February 2020 10:51, "Andrew Bartlett via samba" <samba at lists.samba.org> wrote:
> On Tue, 2020-02-25 at 08:48 +0000, JeanLuc via samba wrote:
>
>> Hi guys,
>>
>> I have an issue with our company DC (samba 4.7.12 on a Debian 9 machine), which has worked OK for about 3 years.
>> Now we tried to join another DC for redundancy but we receive the following error:
>
> I would first try joining a much more modern DC. We have fixed a lot
> of replication issues since 4.7.
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Tue, 2020-02-25 at 08:48 +0000, JeanLuc via samba wrote:
> Hi guys,
>
> I have an issue with our company DC (samba 4.7.12 on a Debian 9 machine), which has worked OK for about 3 years.
> Now we tried to join another DC for redundancy but we receive the following error:

> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=DIPIETROA,OU=PC,DC=example,DC=com for index on servicePrincipalName, duplicate of objectGUID 8bb534af-e1fb-4591-8460-dfa5675766dd in @INDEX:SERVICEPRINCIPALNAME:TERMSRV/DIPIETROA.example.com
> Partition[DC=example,DC=com] objects[804/927] linked_values[0/560]
> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=OMNIOSBK,OU=PC,DC=example,DC=com for index on servicePrincipalName, duplicate of objectGUID e8f8df31-e78f-48ca-a43a-17b30dfee013 in @INDEX:SERVICEPRINCIPALNAME:HTTP/OMNIOSBK.example.com
> Partition[DC=example,DC=com] objects[927/927] linked_values[560/560]
> ../../ldb_key_value/ldb_kv_index.c:2413: duplicate attribute value in CN=BONAMORE,OU=PC,DC=example,DC=com for index on servicePrincipalName, duplicate of objectGUID 4164606b-d7dd-4fbd-b263-4dca38e0b519 in @INDEX:SERVICEPRINCIPALNAME:TERMSRV/BONAMORE.example.com
>

I just want to note quickly that these, while scary, are not your error.

Samba has for a long time permitted duplicate (if correctly read case-insensitively) values in attributes. This is wrong, and so we print scary messages, but we can't deny it as it would break everyone.

As background, there is a MR out to fix this (as I say, unrelated issue) properly, but it needs someone to write tests:

https://gitlab.com/samba-team/samba/-/merge_requests/698

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
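
Added example, not part of the thread and not Samba's own code: a check for the condition described in the message above, values of one attribute on one object that are equal when compared case-insensitively. It reads LDIF in the shape ldbsearch prints; the function names, the sample records and the use of Python's casefold() as the comparison are assumptions made for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample: the first DN and SPN appear in the thread's log; the
# differently-cased value and the CLEANPC record are made up for the example.
SAMPLE_LDIF = """\
dn: CN=DIPIETROA,OU=PC,DC=example,DC=com
servicePrincipalName: TERMSRV/DIPIETROA.example.com
servicePrincipalName: TERMSRV/dipietroa.example.com
servicePrincipalName: HOST/DIPIETROA

dn: CN=CLEANPC,OU=PC,DC=example,DC=com
servicePrincipalName: HOST/CLEANPC
servicePrincipalName:: VEVSTVNSVi9DTEVBTlBDLmV4YW1wbGUuY29t
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) for each record of simple LDIF."""
    for block in text.replace("\n ", "").split("\n\n"):  # unfold wrapped lines
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # "# record N" comments and stray lines
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn:
            yield dn, attrs

def find_ci_duplicates(text, attr="servicePrincipalName"):
    """Return {dn: [[values equal ignoring case], ...]} for one attribute."""
    report = {}
    for dn, attrs in parse_ldif(text):
        groups = defaultdict(list)
        for value in attrs.get(attr.lower(), []):
            # Assumption: casefold() stands in for ldb's case-insensitive compare.
            groups[value.casefold()].append(value)
        clashes = [vals for vals in groups.values() if len(vals) > 1]
        if clashes:
            report[dn] = clashes
    return report

if __name__ == "__main__":
    for dn, clashes in find_ci_duplicates(SAMPLE_LDIF).items():
        print(dn, clashes)
```

Run against an LDIF export of the servicePrincipalName attribute, the report lists which objects carry the colliding values, so they can be reviewed separately from the join failure.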