No replication this morning but FSMO was rebooted yesterday. Only joined DC were rebooted.

After verifying all A records related to new DC were created, I forced creation of replication related DNS entries as described there:
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller

I forced replication (drs replicate) from a replicated DC to all 10 new DC and also forced replication in the other way. All drs replicate commands worked well.

Back to newly joined DC I launched samba_dnsupdate, on 10 DC this command failed on 9 DC with message: "update failed: NOTAUTH". I rebooted all joined DC and samba_dnsupdate worked well on them.

This gave time to Samba to replicate things around and now all things go well.

Joining new DC is still a bit tricky in my opinion. Hoping this would work better with 4.4.x

Cheers,

mathias

2016-01-27 19:33 GMT+01:00 mathias dufresne <infractory at gmail.com>:

> Hai Louis,
>
> I should be able to answer you tomorrow: I pushed installation of 10 DC
> before leaving work and this process would not be able to use workaround
> described earlier because of SSH not yet open between the two sites. I
> expect all other needed ports to be open, so I expect only the replication
> workaround to be failed this night.
> So tomorrow I should arrive at work with 10 DC joined to my AD and just
> rebooted.
> FSMO would not have been rebooted at that moment. If no replication took
> place in the night I'll try to reboot FSMO then to reboot all DC one by one.
>
> Greetings,
>
> mathias
>
> 2016-01-20 16:39 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
>
>> Hai mathias,
>>
>> You're welcome, always happy to help out and nice to hear you got it working.
>>
>> I must ask..
>> Did you reboot the servers after you added the second server to the DNS?
>> And especially in order, DC_with_FSMO, wait until it's up again, then DC2.
>> This often fixes the replication problem and as far as I know, this only
>> happened just after the install of an extra DC.
>>
>>
>> Greetz,
>>
>> Louis
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

Errata: No replication this morning but FSMO was *not* rebooted yesterday. Only joined DC were rebooted.

2016-01-28 10:11 GMT+01:00 mathias dufresne <infractory at gmail.com>:

> No replication this morning but FSMO was rebooted yesterday. Only joined
> DC were rebooted.
>
> After verifying all A records related to new DC were created, I forced
> creation of replication related DNS entries as described there:
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller
>
> I forced replication (drs replicate) from a replicated DC to all 10 new DC
> and also forced replication in the other way. All drs replicate commands
> worked well.
>
> Back to newly joined DC I launched samba_dnsupdate, on 10 DC this command
> failed on 9 DC with message: "update failed: NOTAUTH". I rebooted all joined
> DC and samba_dnsupdate worked well on them.
>
> This gave time to Samba to replicate things around and now all things go
> well.
>
> Joining new DC is still a bit tricky in my opinion. Hoping this would work
> better with 4.4.x
>
> Cheers,
>
> mathias
>
>
> 2016-01-27 19:33 GMT+01:00 mathias dufresne <infractory at gmail.com>:
>
>> Hai Louis,
>>
>> I should be able to answer you tomorrow: I pushed installation of 10 DC
>> before leaving work and this process would not be able to use workaround
>> described earlier because of SSH not yet open between the two sites. I
>> expect all other needed ports to be open, so I expect only the replication
>> workaround to be failed this night.
>> So tomorrow I should arrive at work with 10 DC joined to my AD and just
>> rebooted.
>> FSMO would not have been rebooted at that moment. If no replication took
>> place in the night I'll try to reboot FSMO then to reboot all DC one by one.
>>
>> Greetings,
>>
>> mathias
>>
>> 2016-01-20 16:39 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
>>
>>> Hai mathias,
>>>
>>> You're welcome, always happy to help out and nice to hear you got it
>>> working.
>>>
>>> I must ask..
>>> Did you reboot the servers after you added the second server to the DNS?
>>> And especially in order, DC_with_FSMO, wait until it's up again, then DC2.
>>> This often fixes the replication problem and as far as I know, this only
>>> happened just after the install of an extra DC.
>>>
>>>
>>> Greetz,
>>>
>>> Louis

On 28/01/16 09:11, mathias dufresne wrote:

> No replication this morning but FSMO was rebooted yesterday. Only joined DC
> were rebooted.
>
> After verifying all A records related to new DC were created, I forced
> creation of replication related DNS entries as described there:
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller
>
> I forced replication (drs replicate) from a replicated DC to all 10 new DC
> and also forced replication in the other way. All drs replicate commands
> worked well.
>
> Back to newly joined DC I launched samba_dnsupdate, on 10 DC this command
> failed on 9 DC with message: "update failed: NOTAUTH". I rebooted all joined
> DC and samba_dnsupdate worked well on them.
>
> This gave time to Samba to replicate things around and now all things go
> well.
>
> Joining new DC is still a bit tricky in my opinion. Hoping this would work
> better with 4.4.x
>
> Cheers,
>
> mathias
>

When you provision a domain, all the DNS records are created during the provision, but when you join a DC to a domain they aren't. You need to restart Samba on the newly joined DC; once Samba is restarted, samba_dnsupdate will be run. This reads the file 'dns_update_list' and then adds (if needed) the records it finds in the file. If you do not restart Samba, the DNS records do not get added and your problems start.

Rowland

In fact after joining a DC I start samba-ad service. Here samba_dnsupdate should be run a first time. If you say the right process is to start samba once, then restart it, I would say this process seems to me a bit strange.

Then once the installation script is finished it reboots the newly joined DC, starting samba again and running samba_dnsupdate again. And DNS entries are created locally as expected.

There are also the missing DNS entries related to replication as described in the following link:
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller

If you forget them, even if you restart samba, or the whole computer, problems exist: as replication can't work without them, the fact samba_dnsupdate created DNS entries locally can't be reflected on the whole AD.

We can create locally (on newly joined DC) these missing entries for objectGUID CNAME but if we don't perform that creation also on already replicated DC, replicated servers won't receive these newly created CNAME because they are created on newly joined DC which does not replicate to others.

Please note I worked around all these traps, my DC are installed by a script which delivers working DC (meaning synchronized with others, no missing DNS entry too).

To achieve that I force creation of:
1° A record for newly joined DC on local database + on FSMO owner (as this one replicates to already deployed DC), using SSH + samba-tool dns add...
2° missing objectGUID CNAME on newly joined DC and on FSMO owner, using SSH.

Finally with these four actions I'm able to run replication.

Now to speak about yesterday's issue, where the 10 DC installed this night did not replicate: the reason was these DC are not yet allowed to run SSH commands to the 10 other DC (those already installed, already replicating). So no SSH means no workaround and this morning newly joined DC were not replicated even if they were all rebooted (all still means all newly joined DC).

FSMO was not rebooted because I don't see the point rebooting a working server when it's not needed.

And launching the failed SSH commands this morning solved all replication issues I spotted.

Cheers,

mathias

2016-01-28 11:05 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 28/01/16 09:11, mathias dufresne wrote:
>
>> No replication this morning but FSMO was rebooted yesterday. Only joined
>> DC were rebooted.
>>
>> After verifying all A records related to new DC were created, I forced
>> creation of replication related DNS entries as described there:
>>
>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller
>>
>> I forced replication (drs replicate) from a replicated DC to all 10 new DC
>> and also forced replication in the other way. All drs replicate commands
>> worked well.
>>
>> Back to newly joined DC I launched samba_dnsupdate, on 10 DC this command
>> failed on 9 DC with message: "update failed: NOTAUTH". I rebooted all
>> joined DC and samba_dnsupdate worked well on them.
>>
>> This gave time to Samba to replicate things around and now all things go
>> well.
>>
>> Joining new DC is still a bit tricky in my opinion. Hoping this would work
>> better with 4.4.x
>>
>> Cheers,
>>
>> mathias
>>
>
> When you provision a domain, all the DNS records are created during the
> provision, but when you join a DC to a domain they aren't. You need to
> restart Samba on the newly joined DC; once Samba is restarted,
> samba_dnsupdate will be run. This reads the file 'dns_update_list' and then
> adds (if needed) the records it finds in the file. If you do not restart
> Samba, the DNS records do not get added and your problems start.
>
> Rowland
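
The workaround described in mathias's last message (the A record and the objectGUID CNAME, each created on both the newly joined DC and the FSMO owner, then replication forced in both directions), as an added dry-run example that is not part of the thread. All hostnames, the IP address, the GUID and the snapshot of existing records are constructed, the `has_record` stub stands in for a real per-server lookup, and credential options are omitted.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run planner for the join workaround.
# Hostnames, IP and objectGUID below are constructed sample values.

# Constructed snapshot of the records each server already holds, one per line:
# "<server> <record name> <type>". On a real system, replace has_record with a
# lookup against each server (for instance samba-tool dns query).
SNAPSHOT='dc11.samdom.example.com dc11.samdom.example.com A
dc11.samdom.example.com 11111111-2222-3333-4444-555555555555._msdcs.samdom.example.com CNAME
dc1.samdom.example.com dc11.samdom.example.com A'

has_record() {  # has_record <server> <name> <type>
    printf '%s\n' "$SNAPSHOT" | grep -qxF -- "$1 $2 $3"
}

# plan_fixes <new_dc_fqdn> <ip> <objectGUID> <dns_domain> <fsmo_fqdn>
# Prints one "samba-tool dns add" command per record missing on either server.
# A record that exists only on the new DC never reaches the other DCs, because
# the new DC is not replicating yet; hence the check against both servers.
plan_fixes() {
    new=$1 ip=$2 guid=$3 domain=$4 fsmo=$5
    short=${new%%.*}
    for server in "$new" "$fsmo"; do
        has_record "$server" "$new" A ||
            echo "samba-tool dns add $server $domain $short A $ip"
        has_record "$server" "$guid._msdcs.$domain" CNAME ||
            echo "samba-tool dns add $server _msdcs.$domain $guid CNAME $new"
    done
    return 0
}

# plan_replication <new_dc> <fsmo> <naming context>
# Arguments to drs replicate are <destination DC> <source DC> <NC>.
plan_replication() {
    echo "samba-tool drs replicate $1 $2 $3"
    echo "samba-tool drs replicate $2 $1 $3"
}

plan_fixes dc11.samdom.example.com 10.0.0.11 \
    11111111-2222-3333-4444-555555555555 samdom.example.com \
    dc1.samdom.example.com
plan_replication dc11.samdom.example.com dc1.samdom.example.com \
    DC=samdom,DC=example,DC=com
```

With the constructed snapshot, the only fix printed is the CNAME on the FSMO owner: the record already exists on the new DC but cannot propagate from there.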