Jonathan Hunter
2016-Sep-10 15:28 UTC
[Samba] drs showrepl - Failed to bind to UUID - Undetermined error
Thanks Andrew.

No - it was my fault for including an easily-solved side query in the same email as the main query.. :) I haven't solved the original issue, which is that 'samba-tool drs showrepl' runs on two of my DCs but not on the third.

I don't know if anything else also doesn't work, e.g. some aspect of replication I haven't observed yet - but the only problem I can actually see is that 'samba-tool drs showrepl' doesn't run on this one DC.

You ask a good question in terms of removing the DC that died. I think I probably did not do this step correctly. I had two DCs die within a short time of each other (disk issues) and I built new machines and simply joined them to the domain 'over the top', using the same name and IP address as previously. I now realise that this might not have been the best idea, as they would now have new UUIDs and I have done nothing much to remove the old UUIDs, apart from removing them from DNS/LDAP where I found them. Perhaps I should have explicitly removed the DCs, before re-adding them? I may well not have removed them fully myself.

Is there an easy place in AD where these UUIDs are stored - I'm happy to go through and remove stale entries myself using ADSIEdit or similar? Or would you recommend I temporarily remove each DC in turn using the demote tool, then re-add? (Would the demote tool remove *all* UUIDs from the DCs, or only the first one?)

Is there some form of AD-checker tool, perhaps (either MS or Samba) that would check all the various LDAP entries, DNS entries (_msdcs, _sites, _tcp, _kerberos etc.) and point out what I have wrong? :-)

At the moment I guess there might be multiple UUIDs somewhere in the directory for this one DC, which might be why 'samba-tool drs showrepl' chokes. There may well be multiple UUIDs for my other server that died, too, but perhaps the first one that is returned from LDAP for that other server is the current one, which is why 'samba-tool drs showrepl' works on that?

Many thanks,

Jonathan

On 9 September 2016 at 21:01, Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2016-09-09 at 15:24 +0100, Jonathan Hunter via samba wrote:
> > Hi Guys,
> >
> > I have now updated to 4.5.0 - thank you to all the team for your
> > efforts on this :)
> >
> > I was excited to read in the release notes that there were many
> > replication improvements, and I have run
> > 'samba-tool dbcheck --cross-ncs --fix' on all my DCs; there were
> > many, many replPropertyMetaData and other errors which have now been
> > found and fixed - thanks!
> >
> > However, I think something still isn't right in my domain; this is
> > probably not the fault of 4.5.0 but rather an inconsistency caused
> > when one of my DCs died and was rebuilt - however I'm now not sure
> > where to look (presumably with ADSIEdit / ldbsearch) to check which
> > object I need to remove / update.
>
> It looks like others have solved your issue, but just checking on the
> broader issue of removing servers. Is the UUID for the removed server,
> and if so how did you remove the DC that died?
>
> We now have 'samba-tool domain demote --remove-other-dead-server' that
> will do a more comprehensive job cleaning out the old DC.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett                      http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT         http://catalyst.net.nz/services/samba

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Andrew Bartlett
2016-Sep-10 19:43 UTC
[Samba] drs showrepl - Failed to bind to UUID - Undetermined error
On Sat, 2016-09-10 at 16:28 +0100, Jonathan Hunter via samba wrote:
> Thanks Andrew.
>
> No - it was my fault for including an easily-solved side query in the
> same email as the main query.. :) I haven't solved the original issue,
> which is that 'samba-tool drs showrepl' runs on two of my DCs but not
> on the third.
>
> I don't know if anything else also doesn't work, e.g. some aspect of
> replication I haven't observed yet - but the only problem I can
> actually see is that 'samba-tool drs showrepl' doesn't run on this one
> DC.
>
> You ask a good question in terms of removing the DC that died. I think
> I probably did not do this step correctly. I had two DCs die within a
> short time of each other (disk issues) and I built new machines and
> simply joined them to the domain 'over the top', using the same name
> and IP address as previously. I now realise that this might not have
> been the best idea, as they would now have new UUIDs and I have done
> nothing much to remove the old UUIDs, apart from removing them from
> DNS/LDAP where I found them. Perhaps I should have explicitly removed
> the DCs, before re-adding them? I may well not have removed them fully
> myself.
>
> Is there an easy place in AD where these UUIDs are stored - I'm happy
> to go through and remove stale entries myself using ADSIEdit or
> similar? Or would you recommend I temporarily remove each DC in turn
> using the demote tool, then re-add? (Would the demote tool remove
> *all* UUIDs from the DCs, or only the first one?)
>
> Is there some form of AD-checker tool, perhaps (either MS or Samba)
> that would check all the various LDAP entries, DNS entries (_msdcs,
> _sites, _tcp, _kerberos etc.) and point out what I have wrong? :-)
>
> At the moment I guess there might be multiple UUIDs somewhere in the
> directory for this one DC, which might be why 'samba-tool drs
> showrepl' chokes. There may well be multiple UUIDs for my other server
> that died, too, but perhaps the first one that is returned from LDAP
> for that other server is the current one, which is why 'samba-tool drs
> showrepl' works on that?

If you re-joined over the top, then it would have cleaned up most of what it needed to. It probably left some junk in DNS, but that is mostly harmless.

Where the UUID may be is in the repsFrom and repsTo, but this should be cleaned up by the new KCC.

There isn't currently a 'is this all correct' tool beyond dbcheck.

For the failure to connect, it is trying to connect to the local server to perform the query, have you confirmed DNS is set resolving for the name given and that the server is running, and listening? Wireshark may help, as might turning up the log level on the command eg -d10 and the server.

Andrew Bartlett
--
Andrew Bartlett                      http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT         http://catalyst.net.nz/services/samba
Jonathan Hunter
2016-Sep-10 22:27 UTC
[Samba] drs showrepl - Failed to bind to UUID - Undetermined error
Thank you Andrew, you pointed me in exactly the right direction, and I now have 'samba-tool drs showrepl' working fine on this DC. I unfortunately now don't know if this worked before I upgraded to 4.5, or not - but it does work again now.

I am once again ashamed to say that there was a config error on this machine; I can only assume that when I was rebuilding it after the disk problems, I rebuilt it in a rush. The /etc/hosts file contained the wrong IP for the local machine (in fact, it had the IP of another DC where I had perhaps copied the format of the file from!).

I have no idea why this hadn't caused any more issues than just this - DNS was still correct so perhaps enough programs consulted DNS before /etc/hosts. I'm kind of impressed that samba seemed to otherwise run just fine on this machine!

Sorry for the false alarm; I think that with the KCC changes in 4.5, I decided now would be a good time to check 'samba-tool drs showrepl' and that finally highlighted the typo I made a couple of months back when I rebuilt the DC..

Thanks all :-)

J

On 10 September 2016 at 20:43, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sat, 2016-09-10 at 16:28 +0100, Jonathan Hunter via samba wrote:
> > Thanks Andrew.
> >
> > No - it was my fault for including an easily-solved side query in
> > the same email as the main query.. :) I haven't solved the original
> > issue, which is that 'samba-tool drs showrepl' runs on two of my DCs
> > but not on the third.
> >
> > I don't know if anything else also doesn't work, e.g. some aspect of
> > replication I haven't observed yet - but the only problem I can
> > actually see is that 'samba-tool drs showrepl' doesn't run on this
> > one DC.
> >
> > You ask a good question in terms of removing the DC that died. I
> > think I probably did not do this step correctly. I had two DCs die
> > within a short time of each other (disk issues) and I built new
> > machines and simply joined them to the domain 'over the top', using
> > the same name and IP address as previously. I now realise that this
> > might not have been the best idea, as they would now have new UUIDs
> > and I have done nothing much to remove the old UUIDs, apart from
> > removing them from DNS/LDAP where I found them. Perhaps I should
> > have explicitly removed the DCs, before re-adding them? I may well
> > not have removed them fully myself.
> >
> > Is there an easy place in AD where these UUIDs are stored - I'm
> > happy to go through and remove stale entries myself using ADSIEdit
> > or similar? Or would you recommend I temporarily remove each DC in
> > turn using the demote tool, then re-add? (Would the demote tool
> > remove *all* UUIDs from the DCs, or only the first one?)
> >
> > Is there some form of AD-checker tool, perhaps (either MS or Samba)
> > that would check all the various LDAP entries, DNS entries (_msdcs,
> > _sites, _tcp, _kerberos etc.) and point out what I have wrong? :-)
> >
> > At the moment I guess there might be multiple UUIDs somewhere in the
> > directory for this one DC, which might be why 'samba-tool drs
> > showrepl' chokes. There may well be multiple UUIDs for my other
> > server that died, too, but perhaps the first one that is returned
> > from LDAP for that other server is the current one, which is why
> > 'samba-tool drs showrepl' works on that?
>
> If you re-joined over the top, then it would have cleaned up most of
> what it needed to. It probably left some junk in DNS, but that is
> mostly harmless.
>
> Where the UUID may be is in the repsFrom and repsTo, but this should be
> cleaned up by the new KCC.
>
> There isn't currently a 'is this all correct' tool beyond dbcheck.
>
> For the failure to connect, it is trying to connect to the local server
> to perform the query, have you confirmed DNS is set resolving for the
> name given and that the server is running, and listening? Wireshark
> may help, as might turning up the log level on the command eg -d10 and
> the server.
>
> Andrew Bartlett
> --
> Andrew Bartlett                      http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT         http://catalyst.net.nz/services/samba

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
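
The check that resolved this thread, as an added example that is not part of the original messages: compare what a hosts file says for the DC's own name with the address DNS returns for it. The function names, the host names and the 192.0.2.x addresses are constructed for illustration, and the comparison assumes a single IPv4 address per DC.

```shell
#!/bin/sh
# Added example (not from the thread): flag /etc/hosts entries for a DC's own
# name that disagree with the address DNS returns for that name.

# Print every address a hosts-format file maps NAME to (canonical name or
# alias, case-insensitive, trailing comments ignored).
hosts_addrs_for() {
    awk -v n="$1" '
        BEGIN { n = tolower(n) }
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == n) { print $1; break }
        }' "$2"
}

# check_hosts_entry NAME HOSTS_FILE DNS_IP
# One verdict line per matching entry; returns 1 if any entry disagrees with DNS.
check_hosts_entry() {
    rc=0 found=0
    for addr in $(hosts_addrs_for "$1" "$2"); do
        found=1
        if [ "$addr" = "$3" ]; then
            echo "OK       $1 -> $addr"
        else
            echo "MISMATCH $1 -> $addr (DNS answers $3)"
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || echo "NO ENTRY $1"
    return "$rc"
}

# Constructed sample: a hosts file copied from another DC without fixing the IP.
demo() {
    f=$(mktemp)
    printf '%s\n' '127.0.0.1 localhost' \
        '192.0.2.11 dc3.example.test dc3  # address belongs to dc1' > "$f"
    check_hosts_entry dc3.example.test "$f" 192.0.2.13
    status=$?
    rm -f "$f"
    return "$status"
}

# On a real DC (assumes dig is installed and the name has an A record):
#   check_hosts_entry "$(hostname -f)" /etc/hosts "$(dig +short "$(hostname -f)" | head -n1)"
```

Calling `demo` prints a MISMATCH line for the constructed entry and returns 1.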