Yep, I did.
SPN of newly added DC were missing on all DC except for the newly added DC.
I expect SPN are created on joined DC then replicated on others DCs.
Adding SPN for that newly added DC in DIT of FSMO owner does not helped
much.
Now the error is coming repetitively in newly added DC is:
[2015/11/16 16:49:42.529374, 0]
../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit of
transaction: operations error at
../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
[2015/11/16 16:49:42.533140, 0]
../source4/dsdb/repl/drepl_out_helpers.c:773(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects:
WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
2015-11-16 16:35 GMT+01:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
> On 16/11/15 15:09, mathias dufresne wrote:
>
>> That did not work. I've added DNS entries mentioned in that wiki
page. I
>> also forced creation of all entries mentioned by samba_dnsupdate
>> --all-names --verbose.
>> So I expect all needed DNS entries are present. If some are still
missing
>> they are not mentioned by samba_dnsupdate. And as samba_dnsupdate job
is
>> to
>> create missing DNS entries, I dare rely on it.
>>
>> I expect the issue comes from missing servicePrincipalName.
>>
>> I'm wondering why these LDAP fields are not filled...
>>
>> Cheers,
>>
>> mathias
>>
>> 2015-11-16 15:39 GMT+01:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
>>
>> On 16/11/15 14:33, mathias dufresne wrote:
>>>
>>> Another error coming often:
>>>> [2015/11/16 15:11:07.592598, 0]
>>>> ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
>>>> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2
for
>>>>
>>>>
>>>>
ncacn_ip_tcp:10.156.248.219[1024,seal,krb5,target_hostname=231cc777-1ab8-4b15-be6c-dcd218df48e9._msdcs.samba.domain.tld,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.156.248.221]
>>>> NT_STATUS_INVALID_PARAMETER
>>>>
>>>> Digging a bit further there is no
"servicePrincipalName" for last added
>>>> DC.
>>>> Using samba_spnupdate on FSMO owner or on newly added DC has no
effect.
>>>>
>>>> I'm about to create these servicePrincipalName by hand to
see if it
>>>> could
>>>> solve my little issue.
>>>>
>>>> Cheers,
>>>>
>>>> mathias
>>>>
>>>>
>>>> 2015-11-16 14:40 GMT+01:00 mathias dufresne <infractory at
gmail.com>:
>>>>
>>>> Hi all,
>>>>
>>>>> I have 3 DCs running Samba 4.3.1 in the same domain. They
seem to work
>>>>> quiet well with coherent databases on each of them.
>>>>>
>>>>> After rebuilding my RPM to include systemd units, I've
joined a Samba
>>>>> 4.3.1 today, using --domain-critical-only. The join was
successful, the
>>>>> replication was not. This DC has only 146 objects in the DB
when it
>>>>> should
>>>>> have a bit less than 50000 objects.
>>>>>
>>>>> As I was suspecting the newly built RPMs, I set up another
DC using
>>>>> same
>>>>> RPMs as the ones used to prepare first 3 DC. I joined that
5th DC to
>>>>> the
>>>>> domain, successfully, but replication does not work too.
>>>>>
>>>>> Finally I installed 4.2.5 sernet's version, join it to
the domain and
>>>>> still replication does not work.
>>>>>
>>>>> In log.samba from newly added DC there are lines:
>>>>> [2015/11/16 14:25:05.966500, 0]
>>>>>
>>>>>
>>>>>
../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
>>>>> ../source4/dsdb/repl/replicated_objects.c:818 Failed to
prepare
>>>>> commit
>>>>> of transaction: operations error at
>>>>> ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
>>>>> [2015/11/16 14:25:05.968151, 0]
>>>>>
>>>>>
>>>>>
../source4/dsdb/repl/drepl_out_helpers.c:770(dreplsrv_op_pull_source_apply_changes_trigger)
>>>>> Failed to commit objects:
>>>>> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>>>>>
>>>>> Coming repetitively.
>>>>>
>>>>> One important thing is I changed FSMO owner on that domain
once I
>>>>> switched
>>>>> from 4.3.0 to 4.3.1.
>>>>> As already discussed seizing FSMO does not modify DNS entry
for SOA so
>>>>> I'd
>>>>> modified that manually plus lot of others entries to remove
traces of
>>>>> old
>>>>> DCs. There is no more LDAP entry for these old DCs.
>>>>>
>>>>> If someone has some idea to solve that, he would be
welcomed :)
>>>>>
>>>>> Cheers,
>>>>>
>>>>> mathias
>>>>>
>>>>>
>>>>>
>>>>> Have a look here:
>>>
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
> Before you do anything else, have you tried rebooting the DC?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>