Greetings,

I inherited a Samba-based domain at my work with two domain controllers running Zentyal 3.4.8 with Samba version 4.1.6-Zentyal. I don't know if it's modified by the Zentyal team, but they don't support this version anymore; that's why I'm writing to this list.

The previous sysadmin told me that replication stopped working a while back, but only in one direction. PDC gets replicated to SDC successfully, but SDC does not get replicated to PDC.

If I run the samba-tool drs replicate PDC SDC DC=mydomain,DC=lan --full-sync command I get the following error:

ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')

Running the samba-tool drs showrepl command on SDC returns no error; running it on PDC returns this:

DC=mydomain,DC=lan
    Default-First-Site-Name\SDC via RPC
        DSA object GUID: 0a989f75-b8b8-4ae4-a6d3-b1a66fa1f895
        Last attempt @ Mon Dec 7 11:58:50 2015 CET failed, result 58 (WERR_BAD_NET_RESP)
        6922 consecutive failure(s).
        Last success @ Mon Dec 7 11:58:47 2015 CET

I've found similar problems, but no solution so far, so any help would be appreciated!

Thanks in advance,
David
Before digging into the whole stack of what composes an AD, I would try to replace this second DC (the one you called SDC).

When joining a DC to a Samba AD domain, if this DC was already declared as a DC, Samba first demotes that DC and then starts the whole process of joining that DC to the domain. And that whole process includes re-creation of the AD database locally with full synchronisation.

Not sure that solves your issue, but it could.

In fact I would first test using a third (virtual) machine to create a third DC, just to check your AD is able to synchronize. Then, if it works, I would re-join the broken DC.

Cheers,

mathias

2015-12-07 12:02 GMT+01:00 Dave B <lancelot0501 at gmail.com>:
> Greetings,
>
> I inherited a Samba-based domain at my work with two domain controllers
> running Zentyal 3.4.8 with Samba version 4.1.6-Zentyal. I don't know if
> it's modified by the Zentyal team but they don't support this version
> anymore, that's why I'm writing to this list.
> The previous sysadmin told me that replication stopped working a while back,
> but only in one direction. PDC gets replicated to SDC successfully but SDC
> does not get replicated to PDC.
>
> If I run the samba-tool drs replicate PDC SDC DC=mydomain,DC=lan
> --full-sync command I get the following error:
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
> drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
>
> Running samba-tool drs showrepl command on SDC returns no error, running it
> on PDC returns this:
> DC=mydomain,DC=lan
>     Default-First-Site-Name\SDC via RPC
>         DSA object GUID: 0a989f75-b8b8-4ae4-a6d3-b1a66fa1f895
>         Last attempt @ Mon Dec 7 11:58:50 2015 CET failed, result
> 58 (WERR_BAD_NET_RESP)
>         6922 consecutive failure(s).
>         Last success @ Mon Dec 7 11:58:47 2015 CET
>
> I've found similar problems, but no solution so far, so any help would be
> appreciated!
>
> Thanks in advance,
> David
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Thanks for the tip! I'll try this out some time, but it seems to me it's a DNS-related problem. There are some computers with static addresses on the network, but pinging them using NetBIOS names pings a different address. Also, there's a core file in /var/cache/bind back from February. As far as I know, replication stopped working back then.

2015-12-07 13:21 GMT+01:00 mathias dufresne <infractory at gmail.com>:
> Before digging into the whole stack of what composes an AD, I would try to
> replace this second DC (the one you called SDC).
>
> When joining a DC to a Samba AD domain, if this DC was already declared as a
> DC, Samba first demotes that DC and then starts the whole process of joining
> that DC to the domain. And that whole process includes re-creation of the
> AD database locally with full synchronisation.
>
> Not sure that solves your issue, but it could.
>
> In fact I would first test using a third (virtual) machine to create a
> third DC, just to check your AD is able to synchronize. Then, if it works,
> I would re-join the broken DC.
>
> Cheers,
>
> mathias
>
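The thread turns on reading samba-tool drs showrepl output by hand: a partner with a non-zero consecutive failure count and a stale "Last success" is exactly the one-way breakage David describes. The script below is an added example, not code from the thread or from Samba, that parses that output and flags such partners, so the same check can run from cron against every DC instead of being eyeballed. The sample output is constructed from the block David posted for the PDC; the PDC's own GUIDs, the DSA Options value and the outbound neighbour block are placeholders, and the one-hour staleness threshold is an assumption you should tune to your replication interval.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the `samba-tool drs showrepl` output posted
# for the PDC. The PDC's own GUIDs/options and the OUTBOUND block are placeholders.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\PDC
DSA Options: 0x00000001
DSA object GUID: 3f1c2a9e-0000-4000-8000-000000000001
DSA invocationId: 3f1c2a9e-0000-4000-8000-000000000002

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=lan
\tDefault-First-Site-Name\\SDC via RPC
\t\tDSA object GUID: 0a989f75-b8b8-4ae4-a6d3-b1a66fa1f895
\t\tLast attempt @ Mon Dec  7 11:58:50 2015 CET failed, result 58 (WERR_BAD_NET_RESP)
\t\t6922 consecutive failure(s).
\t\tLast success @ Mon Dec  7 11:58:47 2015 CET

==== OUTBOUND NEIGHBORS ====

DC=mydomain,DC=lan
\tDefault-First-Site-Name\\SDC via RPC
\t\tDSA object GUID: 0a989f75-b8b8-4ae4-a6d3-b1a66fa1f895
\t\tLast attempt @ Mon Dec  7 11:58:47 2015 CET was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Mon Dec  7 11:58:47 2015 CET
"""

SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====\s*$")
PARTNER_RE = re.compile(r"^\s+(\S+) via (\S+)\s*$")
GUID_RE = re.compile(r"^\s+DSA object GUID: (\S+)")
ATTEMPT_RE = re.compile(
    r"^\s+Last attempt @ (.+?) (was successful|failed, result (\d+) \((\w+)\))\s*$")
FAIL_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.")
SUCCESS_RE = re.compile(r"^\s+Last success @ (.+?)\s*$")


def parse_ts(text):
    """'Mon Dec  7 11:58:50 2015 CET' -> naive datetime; 'NTTIME(0)' (never) -> None."""
    text = text.strip()
    if text.startswith("NTTIME("):
        return None
    parts = text.split()
    if len(parts) == 6:          # drop the trailing zone name; %Z does not parse 'CET'
        parts = parts[:5]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_showrepl(text):
    """Return one dict per neighbour entry (direction, partition, partner, ...)."""
    neighbors, section, partition, cur = [], None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue                                  # header block before the sections
        if not line[0].isspace():
            partition = line.strip()                  # an unindented line names the NC
            continue
        m = PARTNER_RE.match(line)
        if m:
            cur = {"direction": section, "partition": partition, "partner": m.group(1),
                   "transport": m.group(2), "guid": None, "last_attempt": None,
                   "attempt_ok": None, "result": 0, "result_name": None,
                   "failures": 0, "last_success": None}
            neighbors.append(cur)
            continue
        if cur is None:
            continue
        m = GUID_RE.match(line)
        if m:
            cur["guid"] = m.group(1)
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            cur["last_attempt"] = parse_ts(m.group(1))
            cur["attempt_ok"] = m.group(2) == "was successful"
            if not cur["attempt_ok"]:
                cur["result"], cur["result_name"] = int(m.group(3)), m.group(4)
            continue
        m = FAIL_RE.match(line)
        if m:
            cur["failures"] = int(m.group(1))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            cur["last_success"] = parse_ts(m.group(1))
    return neighbors


def find_broken_links(neighbors, now=None, max_age=timedelta(hours=1)):
    """One human-readable line per neighbour that is failing or stale (assumed 1h threshold)."""
    now = now or datetime.now()
    problems = []
    for n in neighbors:
        reasons = []
        if n["failures"] > 0:
            reasons.append(f"{n['failures']} consecutive failures, last result "
                           f"{n['result']} ({n['result_name']})")
        if n["last_success"] is None:
            reasons.append("never replicated successfully")
        elif now - n["last_success"] > max_age:
            reasons.append(f"last success {now - n['last_success']} ago")
        if reasons:
            problems.append(f"{n['direction']} {n['partition']} <-> {n['partner']} "
                            f"via {n['transport']}: " + "; ".join(reasons))
    return problems


if __name__ == "__main__":
    # On a real DC replace SAMPLE_SHOWREPL with the output of:
    #   samba-tool drs showrepl
    for p in find_broken_links(parse_showrepl(SAMPLE_SHOWREPL)):
        print(p)
```

Run it against the live output of samba-tool drs showrepl on each DC and compare the inbound entries across DCs: the asymmetry David sees (showrepl clean on SDC, 6922 failures on PDC) shows up as a problem line only on the PDC, which is the DC whose inbound link from SDC needs attention.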