On 13.03.19 at 17:13, Stefan G. Weichinger via samba wrote:
> On 13.03.19 at 16:53, L.P.H. van Belle wrote:
>> Ok that's small, a dc should be rebooted within 1-2 min and 1-2 min really max for AD sync.

one more observation:

manually running this works:

root@pre01svdeb03:~# samba-tool drs replicate dc PRE01SVDEB03 dc=blabla,dc=at --full-sync

but the one user I created (and need) via Windows RSAT, is only visible via wbinfo on one DC:

root@pre01svdeb03:~# wbinfo -u | grep elser
root@pre01svdeb03:~#

root@pre01svdeb02:~# wbinfo -u | grep elser
BUERO\elser

This was the original issue: I created the user and they couldn't log in (because the other DC didn't know it yet?)

No problem removing and re-adding it, but for sure I'd like to get the "more confident solution".

;-)

On Wed, 13 Mar 2019 18:36:22 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 13.03.19 at 17:13, Stefan G. Weichinger via samba wrote:
> > On 13.03.19 at 16:53, L.P.H. van Belle wrote:
> >> Ok that's small, a dc should be rebooted within 1-2 min and 1-2 min
> >> really max for AD sync.
>
> one more observation:
>
> manually running this works:
>
> root@pre01svdeb03:~# samba-tool drs replicate dc PRE01SVDEB03 dc=blabla,dc=at --full-sync
>
> but the one user I created (and need) via Windows RSAT, is only
> visible via wbinfo on one DC:
>
> root@pre01svdeb03:~# wbinfo -u | grep elser
> root@pre01svdeb03:~#
>
> root@pre01svdeb02:~# wbinfo -u | grep elser
> BUERO\elser
>
> This was the original issue: I created the user and they couldn't
> log in (because the other DC didn't know it yet?)
>
> No problem removing and re-adding it, but for sure I'd like to get the
> "more confident solution".
>
> ;-)
>

Try running 'samba-tool ldapcmp ldap://dc1 ldap://dc2'

It should result in something like this:

* Comparing [DOMAIN] context...
* Objects to be compared: 421
* Result for [DOMAIN]: SUCCESS
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1618
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1568
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 288
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 28
* Result for [DNSFOREST]: SUCCESS

Rowland

On 13.03.19 at 18:50, Rowland Penny via samba wrote:
> Try running 'samba-tool ldapcmp ldap://dc1 ldap://dc2'

thanks!

I get differences, too many to post here, but I assume mostly related to the drift between the 2 dcs now? (lastLogonTimestamp seems obvious to me)

What might solve the initial problem *maybe*

* Comparing [DNSFOREST] context...
* Objects to be compared: 19

Comparing:
'DC=@,DC=_msdcs.mytld.at,CN=MicrosoftDNS,DC=ForestDnsZones,DC=mytld,DC=at' [ldap://dc]
'DC=@,DC=_msdcs.mytld.at,CN=MicrosoftDNS,DC=ForestDnsZones,DC=mytld,DC=at' [ldap://pre01svdeb03]
    Difference in attribute values:
        dnsRecord =>
['\x14\x00\x02\x00\x05\xf0\x00\x00n\x00\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x00\x00\x00\x00\x12\x03\x02dc\nmytld\x02at\x00', '\x1e\x00\x02\x00\x05\xf0\x00\x00n\x00\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x03\x0cpre01svdeb03\nmytld\x02at\x00', 'D\x00\x06\x00\x05\xf0\x00\x00\xdd\xa0\t\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x9c\xef7\x00\x00\t\xa0\xdd\x00\x00\x03\x84\x00\x00\x02X\x00\x01Q\x80\x00\x00\x0e\x10\x12\x03\x02dc\nmytld\x02at\x00\x1a\x03\nhostmaster\nmytld\x02at\x00']
['\x14\x00\x02\x00\x05\xf0\x00\x00n\x00\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x00\x00\x00\x00\x12\x03\x02dc\nmytld\x02at\x00', '\x1e\x00\x02\x00\x05\xf0\x00\x00n\x00\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x03\x0cpre01svdeb03\nmytld\x02at\x00', 'D\x00\x06\x00\x05\xf0\x00\x00!\x96\t\x00\x00\x00\x0e\x10\x00\x00\x00\x00l\xef7\x00\x00\t\x96!\x00\x00\x03\x84\x00\x00\x02X\x00\x01Q\x80\x00\x00\x0e\x10\x12\x03\x02dc\nmytld\x02at\x00\x1a\x03\nhostmaster\nmytld\x02at\x00']
    FAILED

As far as I interpret, the 2 DCs/DNSes have different records for "dc.mytld.at", right?

Could correcting this lead to proper replication again?
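
Added example, not part of the thread: a small decoder for the dnsRecord values in the ldapcmp output above, so the FAILED comparison can be read field by field instead of as raw bytes. It assumes the dnsRecord layout from Microsoft's MS-DNSP specification (24-byte header, then type-specific data); the names `parse_dns_record` and `diff_records` are made up here, and the hostname bytes are kept raw because the labels as posted do not match their length bytes.

```python
import struct
from datetime import datetime, timedelta

# dnsRecord values copied from the ldapcmp output in the thread above.
NS_DC = b'\x14\x00\x02\x00\x05\xf0\x00\x00n\x00\x00\x00\x00\x00\x03\x84\x00\x00\x00\x00\x00\x00\x00\x00\x12\x03\x02dc\nmytld\x02at\x00'
SOA_FIRST = b'D\x00\x06\x00\x05\xf0\x00\x00\xdd\xa0\t\x00\x00\x00\x0e\x10\x00\x00\x00\x00\x9c\xef7\x00\x00\t\xa0\xdd\x00\x00\x03\x84\x00\x00\x02X\x00\x01Q\x80\x00\x00\x0e\x10\x12\x03\x02dc\nmytld\x02at\x00\x1a\x03\nhostmaster\nmytld\x02at\x00'
SOA_SECOND = b'D\x00\x06\x00\x05\xf0\x00\x00!\x96\t\x00\x00\x00\x0e\x10\x00\x00\x00\x00l\xef7\x00\x00\t\x96!\x00\x00\x03\x84\x00\x00\x02X\x00\x01Q\x80\x00\x00\x0e\x10\x12\x03\x02dc\nmytld\x02at\x00\x1a\x03\nhostmaster\nmytld\x02at\x00'

FIELDS = ("data_length", "type", "version", "rank", "flags", "serial",
          "ttl", "reserved", "timestamp")
SOA_FIELDS = ("soa_serial", "refresh", "retry", "expire", "minimum_ttl")
DNS_TYPE_SOA = 6


def parse_dns_record(blob):
    """Decode the dnsRecord header and, for SOA records, the five counters."""
    if len(blob) < 24:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    head = struct.unpack_from("<HHBBHI", blob, 0)    # little-endian fields
    (ttl,) = struct.unpack_from(">I", blob, 12)      # TTL is big-endian
    reserved, stamp = struct.unpack_from("<II", blob, 16)
    rec = dict(zip(FIELDS, head + (ttl, reserved, stamp)))
    # TimeStamp counts hours since 1601-01-01 UTC; 0 marks a static record.
    rec["timestamp"] = (datetime(1601, 1, 1) + timedelta(hours=stamp)
                        if stamp else None)
    offset = 24
    if rec["type"] == DNS_TYPE_SOA:
        if len(blob) < 44:
            raise ValueError("SOA record data is truncated")
        rec.update(zip(SOA_FIELDS, struct.unpack_from(">5I", blob, 24)))
        offset = 44
    rec["rest"] = blob[offset:]                      # name fields, left raw
    return rec


def diff_records(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    ra, rb = parse_dns_record(a), parse_dns_record(b)
    return {k: (ra[k], rb[k]) for k in ra if ra[k] != rb[k]}


if __name__ == "__main__":
    for field, values in diff_records(SOA_FIRST, SOA_SECOND).items():
        print(field, values)
```

For the two SOA values in the output, `diff_records` reports only `serial`, `timestamp` and `soa_serial` as differing (631005 on one side, 628257 on the other); the two type-2 (NS) values in each list are byte-identical.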