Turned out at least part of the problem was due to the missing sysvol
replication. Apparently I missed that this is important when using GPO's
:-)
However, when I now do a samba-tool ldapcmp I see there is still a
difference in the DOMAIN section although it is shown as 'SUCCESS'. Why
would that be?
root@dc2:~# samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator --filter=msDS-NcType,serverState,subrefs
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
added interface ens160 ip=192.168.2.6 bcast=192.168.7.255 netmask=255.255.248.0
added interface ens160 ip=192.168.2.6 bcast=192.168.7.255 netmask=255.255.248.0
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [OFFICE\administrator]:
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection
added interface ens160 ip=192.168.2.6 bcast=192.168.7.255 netmask=255.255.248.0
added interface ens160 ip=192.168.2.6 bcast=192.168.7.255 netmask=255.255.248.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: credentials were delegated
GSSAPI Connection will have no cryptographic protection
* Comparing [DOMAIN] context...
* DN lists have different size: 400 != 399
CN=NICO-PC-VM,OU=OPS,OU=DomainComputers,DC=win,DC=office
CN=NICO-VM,CN=Computers,DC=win,DC=office
CN=NICO-VM,OU=OPS,OU=DomainComputers,DC=win,DC=office
* Objects to be compared: 398
* Result for [DOMAIN]: SUCCESS
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1615
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1550
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 56
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 18
* Result for [DNSFOREST]: SUCCESS
On Thu, Jan 14, 2016 at 4:46 PM, Nico De Ranter <nico.deranter at esaturnus.com> wrote:
>
> Hi,
>
> I am running a Windows Domain based on 2 Samba AD servers. The setup is
> running mostly fine but I have the impression that the 2 DC's are not
> syncing their information. For instance:
> - I added a Windows pc to the domain last week, when I started 'Active
> directory users and computers' today on a windows pc I could not see that
> pc, after rebooting one of the DC's the pc suddenly appeared
> - I configured a group policy (using RSAT on a Windows pc). When I force
> a group policy update on another windows pc after more than 1 hour,
> gpupdate complains it can't access some files. Again rebooting one of the
> DC's fixed this.
>
> I tried running:
>
> samba-tool ldapcmp ldap://dc1 ldap://dc2 -Uadministrator --filter=msDS-NcType,serverState,subrefs
>
> But it doesn't show any issues (but I did that after the reboot).
>
> Is there any way to force an update between 2 samba dc's?
>
> Nico
>
>
> --
> Nico De Ranter
>
> Operations Engineer
>
> T. +32 16 40 12 82
>
> M. +32 497 91 53 78
>
>
> <http://www.esaturnus.com>
>
> eSATURNUS
> Romeinse straat 12
> 3001 Leuven – Belgium
>
> T. +32 16 40 12 82
> F. +32 16 40 84 77
> www.esaturnus.com
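
Added example, not part of the original message and not Samba's own code: a small Python parser for the summary portion of the ldapcmp output shown above, which flags any context where a DN list size difference or DN lines were printed, even when the result line says SUCCESS. The sample text is copied from that output and shortened; the function names, the `listed_dns` field and the "needs review" rule are assumptions made for this example.

```python
import re

# Sample input: summary lines copied from the ldapcmp output above (shortened).
SAMPLE = """\
* Comparing [DOMAIN] context...
* DN lists have different size: 400 != 399
CN=NICO-PC-VM,OU=OPS,OU=DomainComputers,DC=win,DC=office
CN=NICO-VM,CN=Computers,DC=win,DC=office
CN=NICO-VM,OU=OPS,OU=DomainComputers,DC=win,DC=office
* Objects to be compared: 398
* Result for [DOMAIN]: SUCCESS
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1615
* Result for [CONFIGURATION]: SUCCESS
"""

CONTEXT = re.compile(r"^\* Comparing \[(\w+)\] context")
SIZES = re.compile(r"^\* DN lists have different size: (\d+) != (\d+)")
RESULT = re.compile(r"^\* Result for \[(\w+)\]: (\w+)")
DN_LINE = re.compile(r"^(CN|OU|DC)=", re.IGNORECASE)

def parse_ldapcmp(text):
    """Return {context: {"result", "sizes", "listed_dns"}} from ldapcmp output."""
    report, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := CONTEXT.match(line):
            cur = report.setdefault(
                m.group(1), {"result": None, "sizes": None, "listed_dns": []})
        elif cur is None:
            continue  # debug chatter printed before the first context
        elif m := SIZES.match(line):
            cur["sizes"] = (int(m.group(1)), int(m.group(2)))
        elif m := RESULT.match(line):
            cur["result"] = m.group(2)
        elif DN_LINE.match(line):
            cur["listed_dns"].append(line)  # DNs printed inside this context
    return report

def needs_review(report):
    """Contexts without SUCCESS, or with a DN list difference reported."""
    return sorted(c for c, r in report.items()
                  if r["result"] != "SUCCESS" or r["sizes"] or r["listed_dns"])

if __name__ == "__main__":
    rep = parse_ldapcmp(SAMPLE)
    for ctx in needs_review(rep):
        print(ctx, rep[ctx]["result"], rep[ctx]["sizes"], rep[ctx]["listed_dns"])
```
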