Hi,

Let me just check this and revert back.

-- 
Thanks & Regards,

Anantha Raghava

DISCLAIMER: This e-mail communication and any attachments may be privileged and confidential to eXza Technology Consulting & Services, and are intended only for the use of the recipients named above. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. Do not print this e-mail unless required. Save Paper & trees.

On Thursday 04 May 2017 05:52 PM, lingpanda101 wrote:
> On 5/4/2017 3:37 AM, Anantha Raghava wrote:
>> Hello James,
>>
>> Thanks for your quick response.
>>
>> Find attached the smb.conf file from DC1 and DC2. Also attached is a screen shot of the event viewer from the workstation.
>>
>> At the moment, we have brought down DC3 and DC4 in the other location and observed that DC2 is unable to replicate, that is, to get information from DC1 or send information to DC1. It appears replication is working in the background, but it is taking a long time. When we try to use the samba-tool drs command, it throws errors.
>>
>> Also, randomly, users are not allowed to change their password. It throws an error like "either your password does not meet complexity, length or history requirement". "Workstation relationship with Domain is not trusted" is another error message that occasionally shows up.
>>
>> Another observation is that even though the PDC emulator and all FSMO roles are with DC1, users are logged into DC2. When any change is made to user credentials, the above error is thrown. Output of the FSMO role display from DC1 is attached for your information.
>>
>> In our group policy, we have disabled complexity requirements; length is set to 7 characters.
>>
>> There is no clear pattern to its behaviour, making it difficult to analyse the issue and fix it.
>>
>> We look forward to your assistance in figuring out what is happening and fixing it.
>>
>> 7000 people from nearly 700 locations use these domain controllers. This is turning out to be a very critical issue.
>>
>> -- 
>> Thanks & Regards,
>>
>> Anantha Raghava
>> eXzaTech Consulting And Services Pvt. Ltd.
>>
>> On Thursday 04 May 2017 01:27 AM, lingpanda101 via samba wrote:
>>> On 5/3/2017 2:00 PM, Anantha Raghava via samba wrote:
>>>> Hello,
>>>>
>>>> I have implemented Samba as an Active Directory Domain Controller, version 4.6.3, on CentOS 7.3, el-514. We have 4 domain controllers named DC1, DC2, DC3 and DC4. DC1 & 2 are in one location and DC3 & 4 are in a different location. DNS is SAMBA_INTERNAL. All 4 servers are properly synchronizing and even GPO updates are working properly with the rsync process.
>>>>
>>>> However, of late we have been noticing that on some Windows XP with Service Pack 3 and Windows 7 with Service Pack 1 machines, after joining the domain, when a user logs in for the first time the DC forces the user to change their password, as per policy. When the user changes the password, the PC reports "cannot reach domain" or "your relationship with DC is not trusted", and it happens randomly for some users. We are unable to figure out what's happening.
>>>>
>>>> Can someone guide us in figuring out and fixing this issue?
>>>>
>>>> Thanks in advance.
>>>
>>> Can you provide your smb.conf from one of your DCs? Are you able to look through the event viewer on the workstation exhibiting the issue and see anything relevant?
>>
> Real quick, before I get around to looking at your attachments: I will advise you that password complexity requirements are handled by samba-tool and not GPOs. Issue the following command on your DCs to view them. They are also changed here as well.
>
> 'samba-tool domain passwordsettings show'
>
> -- 
> James
On 5/4/2017 8:33 AM, Anantha Raghava wrote:
> Hi,
>
> Let me just check this and revert back.
>
> [...]

All DCs' smb.conf should include

'idmap_ldb:use rfc2307 = yes'

if you provisioned the first one with it. See https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

It also looks as if you are not using separate sites. Are all these users and computers in the same location? If not, you should look at setting up sites and services. See https://wiki.samba.org/index.php/Active_Directory_Sites

It also appears the issue is with Windows XP clients only? Address the first two issues above and report back.

-- 
James
Thanks James. I will revert back.

-- 
Thanks & Regards,

Anantha Raghava

On Thursday 04 May 2017 06:15 PM, lingpanda101 wrote:
> On 5/4/2017 8:33 AM, Anantha Raghava wrote:
>> Hi,
>>
>> Let me just check this and revert back.
>>
>> [...]
>
> All DCs' smb.conf should include
>
> 'idmap_ldb:use rfc2307 = yes'
>
> if you provisioned the first one with it. See
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
> It also looks as if you are not using separate sites. Are all these users and computers in the same location? If not, you should look at setting up sites and services. See
> https://wiki.samba.org/index.php/Active_Directory_Sites
>
> It also appears the issue is with Windows XP clients only? Address the first two issues above and report back.
>
> -- 
> James
Hello James,

To your question "It also appears the issue is with Windows XP clients only?" the answer is no. It happens even on Windows 7 workstations. We never tried to check this on Windows 8, 8.1 or Windows 10 workstations. However, we will check the suggestions you have given and revert back.

-- 
Thanks & Regards,

Anantha Raghava

On Thursday 04 May 2017 06:15 PM, lingpanda101 wrote:
> On 5/4/2017 8:33 AM, Anantha Raghava wrote:
>> Hi,
>>
>> Let me just check this and revert back.
>>
>> [...]
>
> All DCs' smb.conf should include
>
> 'idmap_ldb:use rfc2307 = yes'
>
> if you provisioned the first one with it. See
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
> It also looks as if you are not using separate sites. Are all these users and computers in the same location? If not, you should look at setting up sites and services. See
> https://wiki.samba.org/index.php/Active_Directory_Sites
>
> It also appears the issue is with Windows XP clients only? Address the first two issues above and report back.
>
> -- 
> James
Hello James,

Even after setting the rfc2307 option in smb.conf, the replication error continues and the password change error continues. The error thrown while forcing replication is shown below.

-------------------------------------------------------------------
Even after setting RFC2307, DC2 is not getting synced from DC1. A connection time-out error comes up.

#samba-tool drs replicate DC2.KTKBANKLTD.COM DC1.KTKBANKLTD.COM DC=ForestDnsZones,DC=KTKBANKLTD,DC=COM
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:172.20.107.31[1024,seal,target_hostname=DC2.KTKBANKLTD.COM,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=172.20.107.31] NT_STATUS_IO_TIMEOUT
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to DC2.KTKBANKLTD.COM failed - drsException: DRS connection to DC2.KTKBANKLTD.COM failed: (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
----------------------------------------------------------------------

Also, as you had suggested, we have run the command 'samba-tool domain passwordsettings show'.

----------------------------------------------------------------------
Before modification:

Password informations for domain 'DC=ktkbankltd,DC=com'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
----------------------------------------------------------------------------------
Password information for the domain after modification using samba-tool:

Password informations for domain 'DC=ktkbankltd,DC=com'
Password complexity: off
Store plaintext passwords: off
Password history length: 3
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 60
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
---------------------------------------------------------------------------------

When we reset the password policy using samba-tool, after about 10 minutes the policy comes to DC2 from DC1 and users are allowed to change their password. We have now disabled the GPO for password settings. I feel that, probably due to this replication issue, the DB is becoming inconsistent and errors are being thrown. Also, DNS errors appear to exist on the domain controllers. We are using the INTERNAL DNS, which is adding to the problem.

We request you to help us in solving this issue.

-- 
Thanks & Regards,

Anantha Raghava

On Thursday 04 May 2017 06:15 PM, lingpanda101 wrote:
> [...]
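James's two checks (every DC's smb.conf carrying 'idmap_ldb:use rfc2307 = yes', and the policy as reported by 'samba-tool domain passwordsettings show') and the before/after output above, where DC2 takes around ten minutes to catch up with DC1, can be turned into one consistency check run over the collected outputs. The following is an added example, not code from this thread or from Samba: the smb.conf fragments and the DC names are constructed, the policy values are the ones pasted above, and on a real deployment the two texts per DC would be the actual file contents and command output gathered from each controller.

```python
"""Cross-DC check of the rfc2307 smb.conf option and of the domain password policy.
Added example (not Samba's code). Sample inputs below are constructed so it runs offline."""
import re

# Constructed smb.conf for DC1: the option sits in [global], as the Samba wiki spells it.
SMB_CONF_DC1 = """\
[global]
    realm = KTKBANKLTD.COM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
"""
# Constructed smb.conf for DC2: a DC joined without the option, the case James warns about.
SMB_CONF_DC2 = """\
[global]
    realm = KTKBANKLTD.COM
    server role = active directory domain controller
"""
# Policy values from the thread after the samba-tool change (what DC1 reports) ...
PWSET_DC1 = """\
Password informations for domain 'DC=ktkbankltd,DC=com'
Password complexity: off
Store plaintext passwords: off
Password history length: 3
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 60
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""
# ... and the 'before' values, standing in for a DC2 that has not yet replicated the change.
PWSET_DC2 = """\
Password informations for domain 'DC=ktkbankltd,DC=com'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

SETTING_LINE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ()]*?)\s*:\s*(?P<val>\S+)\s*$")

def parse_password_settings(text):
    """'samba-tool domain passwordsettings show' output -> dict; on/off become bools,
    counts become ints, the 'Password informations ...' header line is skipped."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_LINE.match(line.strip())
        if not m:
            continue
        val = m.group("val")
        if val in ("on", "off"):
            settings[m.group("key")] = val == "on"
        elif val.isdigit():
            settings[m.group("key")] = int(val)
        else:
            settings[m.group("key")] = val
    return settings

def has_rfc2307(smb_conf):
    """True if [global] sets idmap_ldb:use rfc2307 to yes. Comment lines and other sections
    are ignored; the key is compared with case and internal whitespace dropped, so the
    mis-spelling 'use rfc 2307' is matched as well."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, val = line.partition("=")
        if sep and section == "global" and re.sub(r"\s+", "", key).lower() == "idmap_ldb:userfc2307":
            return val.strip().lower() in ("yes", "true", "1")
    return False

def diff_settings(reference, other):
    """Keys whose values differ, mapped to (reference value, other value)."""
    return {k: (reference.get(k), other.get(k))
            for k in sorted(set(reference) | set(other)) if reference.get(k) != other.get(k)}

def check_dcs(dcs, reference_dc):
    """dcs: {dc name: (smb.conf text, passwordsettings output)}. Every DC's policy is
    compared against the reference (the DC holding the PDC emulator role); returns findings."""
    findings = []
    ref_policy = parse_password_settings(dcs[reference_dc][1])
    for name, (conf, pwset) in dcs.items():
        if not has_rfc2307(conf):
            findings.append(f"{name}: [global] lacks 'idmap_ldb:use rfc2307 = yes'")
        if name == reference_dc:
            continue
        for key, (ref_val, val) in diff_settings(ref_policy, parse_password_settings(pwset)).items():
            findings.append(f"{name}: '{key}' is {val!r} but {reference_dc} has {ref_val!r}")
    return findings

if __name__ == "__main__":
    for finding in check_dcs({"DC1": (SMB_CONF_DC1, PWSET_DC1), "DC2": (SMB_CONF_DC2, PWSET_DC2)}, "DC1"):
        print(finding)
```

Run against the sample data it reports that DC2 lacks the rfc2307 option and lists the four policy attributes on which DC2 still disagrees with DC1; on a live domain, findings of the second kind that persist well beyond the replication interval are the signal that replication, not the policy itself, is what needs fixing, which is the conclusion the thread is converging on.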