Hi Denis
Please find below the logs
SERVER-2
root at iumsvrpdc:/home/administrator# tail -f -n 30 /var/log/samba/log.samba
[2018/01/10 12:47:04.162613, 3]
../source4/rpc_server/drsuapi/getncchanges.c:2822(dcesrv_drsuapi_DsGetNCChanges)
UpdateRefs on getncchanges for 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
[2018/01/10 12:47:04.162667, 4]
../source4/rpc_server/drsuapi/updaterefs.c:209(drsuapi_UpdateRefs)
DsReplicaUpdateRefs for host '8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe._
msdcs.iumnet.edu.na' with GUID 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe options
0x00000007
nc=<GUID=a218c4ba-d0cc-4e23-98db-375ab5e77a7d>;DC=ForestDnsZones,DC=iumnet,DC=edu,DC=na
[2018/01/10 12:47:04.163180, 2]
../source4/rpc_server/drsuapi/getncchanges.c:3006(dcesrv_drsuapi_DsGetNCChanges)
DsGetNCChanges with uSNChanged >= 141477 flags 0x00000064 on
<GUID=a218c4ba-d0cc-4e23-98db-375ab5e77a7d>;DC=ForestDnsZones,DC=iumnet,DC=edu,DC=na
gave 0 objects (done 0/0) 0 links (done 0/0 (as
S-1-5-21-3657809387-4003246294-368203321-126331))
[2018/01/10 12:47:05.348143, 4]
../source4/rpc_server/drsuapi/updaterefs.c:209(drsuapi_UpdateRefs)
DsReplicaUpdateRefs for host '8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe._
msdcs.iumnet.edu.na' with GUID 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe options
0x0000001c
nc=<GUID=a218c4ba-d0cc-4e23-98db-375ab5e77a7d>;DC=ForestDnsZones,DC=iumnet,DC=edu,DC=na
[2018/01/10 12:47:05.890340, 4]
../source4/dsdb/repl/drepl_partitions.c:580(dreplsrv_refresh_partition)
dreplsrv_refresh_partition(DC=DomainDnsZones,DC=iumnet,DC=edu,DC=na)
[2018/01/10 12:47:05.891465, 4]
../source4/dsdb/repl/drepl_partitions.c:355(dreplsrv_out_connection_attach)
dreplsrv_out_connection_attach(8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe._
msdcs.iumnet.edu.na): attach
[2018/01/10 12:47:05.891509, 4]
../source4/dsdb/repl/drepl_partitions.c:355(dreplsrv_out_connection_attach)
dreplsrv_out_connection_attach(8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe._
msdcs.iumnet.edu.na): attach
[2018/01/10 12:47:05.891533, 4]
../source4/dsdb/repl/drepl_partitions.c:580(dreplsrv_refresh_partition)
dreplsrv_refresh_partition(DC=ForestDnsZones,DC=iumnet,DC=edu,DC=na)
[2018/01/10 12:47:05.892336, 4]
../source4/dsdb/repl/drepl_partitions.c:355(dreplsrv_out_connection_attach)
dreplsrv_out_connection_attach(8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe._
msdcs.iumnet.edu.na): attach
[2018/01/10 12:47:05.892394, 4]
../source4/dsdb/repl/drepl_partitions.c:355(dreplsrv_out_connection_attach)
dreplsrv_out_connection_attach(8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe._
msdcs.iumnet.edu.na): attach
[2018/01/10 12:47:05.892421, 4]
../source4/dsdb/repl/drepl_partitions.c:580(dreplsrv_refresh_partition)
dreplsrv_refresh_partition(CN=Configuration,DC=iumnet,DC=edu,DC=na)
[2018/01/10 12:47:05.893148, 4]
../source4/dsdb/repl/drepl_partitions.c:355(dreplsrv_out_connection_attach)
dreplsrv_out_connection_attach(8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe._
msdcs.iumnet.edu.na): attach
[2018/01/10 12:47:05.893200, 4]
../source4/dsdb/repl/drepl_partitions.c:355(dreplsrv_out_connection_attach)
dreplsrv_out_connection_attach(8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe._
msdcs.iumnet.edu.na): attach
[2018/01/10 12:47:05.893226, 4]
../source4/dsdb/repl/drepl_partitions.c:580(dreplsrv_refresh_partition)
dreplsrv_refresh_partition(DC=iumnet,DC=edu,DC=na)
[2018/01/10 12:47:05.894114, 4]
../source4/dsdb/repl/drepl_partitions.c:355(dreplsrv_out_connection_attach)
dreplsrv_out_connection_attach(8bf63977-f3b
SERVER-1
root at iumdcdp01:/home/administrator# tail -f -n 20 /var/log/samba/log.samba
[2018/01/10 12:41:12.566796, 0]
../source4/rpc_server/drsuapi/getncchanges.c:2030(dcesrv_drsuapi_DsGetNCChanges)
../source4/rpc_server/drsuapi/getncchanges.c:2030: DsGetNCChanges 2nd
replication on DN CN=IUM,CN=Computers,DC=iumnet,DC=edu,DC=na newer
highwatermark (last_dn (null))
[2018/01/10 12:41:36.413129, 0]
../source4/rpc_server/drsuapi/getncchanges.c:2016(dcesrv_drsuapi_DsGetNCChanges)
../source4/rpc_server/drsuapi/getncchanges.c:2016: DsGetNCChanges 2nd
replication on different DN DC=DomainDnsZones,DC=iumnet,DC=edu,DC=na
CN=IUM,CN=Computers,DC=iumnet,DC=edu,DC=na (last_dn (null))
[2018/01/10 12:42:06.066673, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:42:07.289589, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:42:08.595456, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:42:08.797241, 0]
../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects:
WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2018/01/10 12:42:09.713939, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:42:30.207177, 0]
../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects:
WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2018/01/10 12:44:14.272380, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:44:15.379533, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:44:17.460031, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:44:18.311985, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:46:05.789027, 0]
../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects:
WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2018/01/10 12:47:10.411699, 0]
../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects:
WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2018/01/10 12:52:06.024310, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:52:06.944848, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:52:08.150044, 0]
../source4/dsdb/repl/drepl_out_helpers.c:942(dreplsrv_op_pull_source_apply_changes_trigger)
Failed to commit objects:
WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
[2018/01/10 12:52:16.933561, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database.
[2018/01/10 12:52:17.948372, 0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major Unspecified
GSS failure. Minor code may provide more information, Minor Server not found in
Kerberos database
When I run samba-tool dbcheck --cross-ncs --fix --yes on SERVER-2
Checking 5893 objects
WARNING: no target object found for GUID component for DN value fromServer
in object
CN=7ba6644a-80b0-4e4a-b31c-37f0f1686c5a,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
- <GUID=4c9a5b63-a53a-4476-8bfa-3f5200ba9837>;CN=NTDS
Settings,CN=IUMDCDP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=iumnet,DC=edu,DC=na
WARNING: target DN is deleted for fromServer in object
CN=7ba6644a-80b0-4e4a-b31c-37f0f1686c5a,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
- <GUID=4c9a5b63-a53a-4476-8bfa-3f5200ba9837>;CN=NTDS
Settings,CN=IUMDCDP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=iumnet,DC=edu,DC=na
Target GUID points at deleted DN
'<GUID=4c9a5b63-a53a-4476-8bfa-3f5200ba9837>;CN=NTDS
Settings,CN=IUMDCDP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=iumnet,DC=edu,DC=na'
Remove stale DN link? [YES]
ERROR: Failed to remove deleted DN attribute fromServer : (65,
"objectclass_attrs: at least one mandatory attribute ('fromServer')
on
entry
'CN=7ba6644a-80b0-4e4a-b31c-37f0f1686c5a,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na'
wasn't specified!")
File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line
366, in
do_modify
self.samdb.modify(m, controls=controls, validate=validate)
The Kpasswd command works. Please assist to fix the drs replication issue.
Thanks n Regards
Harsh
*Harsh Kukreja *Systems Administrator
*International University of Namibia *Tel: 061-4336000 - E-mail: h.kukreja
@ium.edu.na - Web:
*http://www.ium.edu.na <http://www.ium.edu.na/>*Private Bag
14005,Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA
On Tue, Jan 9, 2018 at 4:23 PM, Denis Cardon <dcardon at tranquil.it>
wrote:
> Hi Harsh,
>
> Thanks for your response without your crystal ball.
>>
>> I have increased the log level =9 dns:0 on both the servers. It
>> replicates successfully by manually running the command
>> samba-tool drs replicate SERVER2 SERVER1 dc=iumnet,dc=edu,dc=na
>> --full-sync
>>
>
> --full-sync copy the whole partition and may hide problems. If there is a
> corrupted entry in it, I guess it may copy it along too.
>
> I've seen different execution/integrity check path for synchronization
in
> the past. For example when you join a new DC, I have seen initial join
> replication happily replicating a corrupted entry. However if on the same
> domain I would join the DC with --critical-objects-only, it will join but
> won't be able to replicate the partitions afterward.
>
> In your log file, you should look for the following lines and post the
> 10-20 lines before those to see which entry has problem:
>
> Failed to commit objects:
> WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>
> but it is still failing when I check from the samba-tool drs showrepl
>>
>> Also I run samba-tool dbcheck --cross-ncs --fix on both the servers
>> which didn't fix it. Please let me know how to check the
replication Logs.
>>
>
> did you have any warning/error message out of dbcheck --cross-ncs? I have
> seen quite a few issues with group membership after upgrade to 4.7 from
4.6.
>
> I will upgrade to the latest 4.7.4 to see if it fixes the problem.
>>
>> On some of the Win7 clients after the password reset when the user
>> changes their password on the logon screen it keeps on saying "
Your
>> Password has expired and must be Changed" even after the password
is
>> changed. What can be the reason behind this issue.
>>
>
> can you try to change it with kpasswd on the DC to see if you have the
> same behavior?
>
> Denis
>
>
>> Regards
>>
>> Harsh
>>
>> *Harsh Kukreja *Systems Administrator
>>
>> **International University of Namibia* *Tel: 061-4336000 -
>> E-mail: h.kukreja at ium.edu.na
>> <mailto:h.kukreja at ium.edu.na> - Web: _http://www.ium.edu.na
>> <http://www.ium.edu.na/>
>> _Private Bag 14005,Bachbrech. 21-31 Hercules Street, Dorado Park,
>> Windhoek, NAMIBIA
>>
>> ____
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Tue, Jan 9, 2018 at 1:22 PM, Denis Cardon <dcardon at tranquil.it
>> <mailto:dcardon at tranquil.it>> wrote:
>>
>> Hi Harsh,
>>
>> I am running Server-1 Samba4 AD 4.6.10 with an additional
>> Server-2 Samba4
>> AD 4.7.2 The Inbound replication on the Server-1 is failing
with
>> the error
>> below:
>>
>> DC=iumnet,DC=edu,DC=na
>> Default-First-Site-Name\Server-2 via RPC
>> DSA object GUID:
>> 27182378-a9c7-451e-bb95-7b2172a5f311
>> Last attempt @ Tue Jan 9 12:55:59 2018 WAST
>> failed, result
>> 58 (WERR_BAD_NET_RESP)
>> 15333 consecutive failure(s).
>> Last success @ Wed Nov 22 13:48:30 2017 WAST
>>
>> Please help to fix it.
>>
>>
>> sorry, my crystal ball is on maintenance. We'll need some more
>> information. Increase your log level by adding the following line
to
>> smb.conf:
>> log level = 9 dns:0
>>
>> It's going to be very verbose. You'll usually get the entry
having
>> replication issue at the end of the replication log.
>>
>> By the way, you'll should upgrade to 4.7.4, there has been
quite a
>> few bug fixes since 4.7.2.
>>
>> Have you run a samba-tool dbcheck --cross-ncs on your 4.7.2 server?
>>
>> Cheers,
>>
>> Denis
>>
>> --
>> Denis Cardon
>> Tranquil IT Systems
>> Les Espaces Jules Verne, bâtiment A
>> 12 avenue Jules Verne
>> 44230 Saint Sébastien sur Loire
>> tel : +33 (0) 2.40.97.57.55
<tel:%2B33%20%280%29%202.40.97.57.55>
>> http://www.tranquil-it-systems.fr
<http://www.tranquil-it-systems.fr>
>>
>>
>>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
>