Hai Stefan,

> ;-)
>
> 3000 errors ... I mean ... what?

No.. Not error, out of sync objects.

> ~30 users: small

Ok that's small, a DC should be rebooted within 1-2 min and 1-2 min really max for AD sync.

> maybe I risk a DC1 reboot after 6pm
> Not much time tmrw, so I am hesitating. Otherwise I'd like to have it
> solved (again/for a while).

If you are talking about "risking" a reboot, then you're really not sure about the setup, correct?

This is the part you need to work on, really.. Make more stable setups, and know your reboot time.
Because if I want to reboot a server here, I reboot it. DCs, members.. All, except one, my mail server.
Yes, even when everybody is working. ( between 60-100 users )
I'm that confident, it's good and nothing happens after a reboot.

> > Tested on Debian 9 servers.
> >
> > Improvements, suggestions, well it's on github..
> > Or pm me.
>
> Will read and test, thanks!

I think it will help you but not for the current problem.
For that you need to reboot your DCs first.

PS. You might want to set on DC2 the resolv.conf nameserver IP1_of DC1 as first.
Then reboot, after reboot, check the sync, if it's ok, change the resolving back on DC2.

Greetz,

Louis

On 13.03.19 at 16:53, L.P.H. van Belle wrote:
> Hai Stefan,
>
>> ;-)
>>
>> 3000 errors ... I mean ... what?
> No.. Not error, out of sync objects.
>
>> ~30 users: small
> Ok that's small, a DC should be rebooted within 1-2 min and 1-2 min really max for AD sync.
>
>> maybe I risk a DC1 reboot after 6pm
>> Not much time tmrw, so I am hesitating. Otherwise I'd like to have it
>> solved (again/for a while).
>
> If you are talking about "risking" a reboot, then you're really not sure about the setup, correct?
>
> This is the part you need to work on, really.. Make more stable setups, and know your reboot time.
> Because if I want to reboot a server here, I reboot it. DCs, members.. All, except one, my mail server.
> Yes, even when everybody is working. ( between 60-100 users )
> I'm that confident, it's good and nothing happens after a reboot.

Well, normally I *am* confident with my servers.

But when out of the blue, without me touching anything, such an important "backend" starts "new behavior" ... this makes me nervous.

Trying to fix it since 11am sounds and feels like "working on it" to me.

(frustrated)

I basically run 2 samba-based ADS-envs for customers and you ml-guys have seen and discussed these configs for years now (every few months something comes up).

I ask, try my best to follow the suggestions, do updates etc .. then things work. Until the next issue, then I post, and magically another line or parameter is missing ...

pls understand my frustration now and then.

And also understand my appreciation for all the help on my way.

On 13.03.19 at 17:13, Stefan G. Weichinger via samba wrote:
> On 13.03.19 at 16:53, L.P.H. van Belle wrote:
>> Ok that's small, a DC should be rebooted within 1-2 min and 1-2 min really max for AD sync.

one more observation:

manually running this works:

root@pre01svdeb03:~# samba-tool drs replicate dc PRE01SVDEB03 dc=blabla,dc=at --full-sync

but the one user I created (and need) via Windows RSAT is only visible via wbinfo on one DC:

root@pre01svdeb03:~# wbinfo -u | grep elser
root@pre01svdeb03:~#

root@pre01svdeb02:~# wbinfo -u | grep elser
BUERO\elser

This was the original issue: I created the user and they couldn't login (because the other DC didn't know it yet?)

No problem removing and readding it, but for sure I'd like to get the "more confident solution". ;-)

Hi Stefan,

> Well, normally I *am* confident with my servers.
>

Yes, I know, that shows also on your list messages.

> But when out of the blue, without me touching anything, such an
> important "backend" starts "new behavior" ... this makes me nervous.
>
> Trying to fix it since 11am sounds and feels like "working on
> it" to me.
>
> (frustrated)

Yeah, totally understand that.
I would say, after the replication error is fixed, you should do a good comparison of your DCs.

> I basically run 2 samba-based ADS-envs for customers and you ml-guys
> have seen and discussed these configs for years now (every few months
> something comes up).
>
> I ask, try my best to follow the suggestions, do updates etc .. then
> things work. Until the next issue, then I post, and magically another
> line or parameter is missing ...

And that's why I don't think samba is the problem here.

> pls understand my frustration now and then.

We do, and you're totally allowed to. We all have this. Sometimes..

> And also understand my appreciation for all the help on my way.
>

Ahh, thank you, warm words are always good to hear.

Greetz,

Louis

On 14.03.19 at 09:07, L.P.H. van Belle via samba wrote:
> Ahh, thank you, warm words are always good to hear.

And at least as good is to find the solution to a nagging problem.

Thanks to Louis *again*, he helped me to debug this via private mail ...

The reason seems to have been some wrong/old DNS-record, there was an A-record "DC" and a CNAME etc

short: DC1 had an old and a newer name, and A/CNAME/PTR didn't all really fit.

I still don't understand and know why this worked since classic upgrade ... very likely it didn't matter that much until I added that 2nd DC etc - For now I am happy with 0 error replication.

Minor issue: connecting via RSAT fails for the AD-users Snapin. Maybe some DNS-entry still missing, I will recheck asap.

New user gets synced OK, though.

Thanks @Louis and @Rowland.

Stefan
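
Added example (not part of the thread and not code from the Samba project): an offline check for the kind of A/CNAME/PTR mismatch named as the root cause in the last message. The host names, addresses and the `canonical`/`check_dc` helpers are constructed for illustration; the real records from the thread are not shown on this page.

```python
# Constructed sample zone data (assumption, not the records from the thread):
# one DC that carries an old and a newer name, plus a clean second DC.
A = {
    "dc.example.lan": "192.0.2.10",    # old name still has an A record
    "dc1.example.lan": "192.0.2.10",   # newer name of the same DC
    "dc2.example.lan": "192.0.2.11",
}
CNAME = {"pre-dc1.example.lan": "dc.example.lan"}  # alias to the old name
PTR = {"192.0.2.10": "dc1.example.lan", "192.0.2.11": "dc2.example.lan"}


def canonical(name, cname):
    """Follow CNAME records to the final name; stop if the chain loops."""
    seen = set()
    while name in cname and name not in seen:
        seen.add(name)
        name = cname[name]
    return name


def check_dc(host, a=A, cname=CNAME, ptr=PTR):
    """Return findings where forward and reverse records for host disagree."""
    findings = []
    canon = canonical(host, cname)
    if canon != host:
        findings.append(f"{host} is a CNAME for {canon}")
    ip = a.get(canon)
    if ip is None:
        findings.append(f"{canon} has no A record")
        return findings
    back = ptr.get(ip)
    if back is None:
        findings.append(f"{ip} has no PTR record")
    elif back != canon:
        findings.append(f"PTR for {ip} is {back}, expected {canon}")
    # Several A records on one address are how an old and a new name coexist.
    shared = sorted(n for n, addr in a.items() if addr == ip and n != canon)
    if shared:
        findings.append(f"{ip} also has A records: {', '.join(shared)}")
    return findings


if __name__ == "__main__":
    for dc in ("pre-dc1.example.lan", "dc1.example.lan", "dc2.example.lan"):
        print(dc, check_dc(dc) or "consistent")
```

An empty list means the name, its address and the reverse record agree; each DC name that replication partners use should come back empty before the replication state is compared again.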