Hi all,

I have a problem with my multi-site AD DC installation. One of my DCs
suddenly can't start properly; I think there is a problem (corruption) with
the LDAP database. Then I tried to rejoin it, but every time I try to join it
I always get an issue like this:

Finding a writeable DC for domain 'domain.co.id'
Found DC pdc.domain.co.id
Password for [domain\administrator]:
workgroup is domain
realm is domain.co.id
checking sAMAccountName
Adding CN=DC24,OU=Domain Controllers,DC=domain,DC=co,DC=id
Adding CN=DC24,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
Adding CN=NTDS Settings,CN=DC24,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:pdc.domain.co.id[1024,seal] NT_STATUS_IO_TIMEOUT
Join failed - cleaning up
checking sAMAccountName
Deleted CN=DC24,OU=Domain Controllers,DC=domain,DC=co,DC=id
Deleted CN=DC24,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=co,DC=id
ERROR(runtime): uncaught exception - (-1073741643, 'NT_STATUS_IO_TIMEOUT')
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 555, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1172, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1075, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 541, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 474, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 384, in DsAddEntry
    ctx.drsuapi_connect()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 362, in drsuapi_connect
    ctx.drsuapi = drsuapi.drsuapi(binding_string, ctx.lp, ctx.creds)

I have an OpenVPN connection of about 1mbps between this site and the other
DC to join. I tried to ping from each DC; I think it's fine.

[root@dc24 ~]# ping pdc
PING pdc.domain.co.id (172.16.99.3) 56(84) bytes of data.
64 bytes from 172.16.99.3: icmp_seq=1 ttl=61 time=140 ms
64 bytes from 172.16.99.3: icmp_seq=2 ttl=61 time=51.2 ms
64 bytes from 172.16.99.3: icmp_seq=3 ttl=61 time=48.5 ms
64 bytes from 172.16.99.3: icmp_seq=4 ttl=61 time=59.3 ms
64 bytes from 172.16.99.3: icmp_seq=5 ttl=61 time=194 ms
64 bytes from 172.16.99.3: icmp_seq=6 ttl=61 time=50.2 ms
64 bytes from 172.16.99.3: icmp_seq=7 ttl=61 time=65.5 ms
64 bytes from 172.16.99.3: icmp_seq=8 ttl=61 time=62.3 ms
64 bytes from 172.16.99.3: icmp_seq=9 ttl=61 time=50.1 ms
^C
--- pdc.domain.co.id ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8835ms
rtt min/avg/max/mdev = 48.567/80.214/194.278/48.556 ms

But I still can't rejoin the DC.
Any suggestions to overcome this problem?

Thanks in advance

And you have added the following to /etc/hosts:

172.16.99.3 pdc.domain.co.id pdc

And you did set up your krb5.conf in such a way that you point directly to the
correct hosts without the use of a search, like:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = SMBDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        admin_server = kerberos.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

And maybe you should also find out where your latency delay is coming from.

>64 bytes from 172.16.99.3: icmp_seq=5 ttl=61 time=194 ms
>64 bytes from 172.16.99.3: icmp_seq=6 ttl=61 time=50.2 ms

Install, for example, smokeping, and track with mtr.

Louis
>-----Original message-----
>From: bentunx at gmail.com [mailto:samba-bounces at lists.samba.org]
>On behalf of zhia chandra
>Sent: Thursday 12 February 2015 9:10
>To: samba at lists.samba.org
>Subject: [Samba] multi-site DC - AD

Hi Louis,

I have followed your instructions, but I think my problem is the OpenVPN
network latency. Is there any NT_STATUS_IO_TIMEOUT parameter that I can
configure to add more time for the IO_TIMEOUT?

Regards,
zhia

On 2/12/2015 4:04 PM, L.P.H. van Belle wrote: