On 11/10/19 at 16:59, Luca Olivetti via samba wrote:
> On 11/10/19 at 16:12, Rowland penny via samba wrote:
>> Try running this on a DC:
>>
>> samba-tool ldapcmp ldap://DC1 ldap://DC2 --filter='whenChanged,dc,DC,cn,CN,ou,OU'
>>
>> Replace 'DC1' and 'DC2' with your actual DC short hostnames
>>
>> It should tell you the differences.
>
> The list is too long to post here.

It's here: https://pastebin.com/UFEPvgjX

> There are 3 differences in versionNumber for the [DOMAIN] context, one
> for pwdLastSet in the same domain.
>
> The big issue is the [DNSDOMAIN] context:
>
> * DN lists have different size: 753 != 865
>
> and then a big list, I suppose of the records that are in one dc and not
> in the other.
> Of the remaining objects one is different.
>
> The question is, why are there so many differences and how do I fix it?
>
> Bye

-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
On 11/10/2019 16:02, Luca Olivetti via samba wrote:
> On 11/10/19 at 16:59, Luca Olivetti via samba wrote:
>> On 11/10/19 at 16:12, Rowland penny via samba wrote:
>>> Try running this on a DC:
>>>
>>> samba-tool ldapcmp ldap://DC1 ldap://DC2 --filter='whenChanged,dc,DC,cn,CN,ou,OU'
>>>
>>> Replace 'DC1' and 'DC2' with your actual DC short hostnames
>>>
>>> It should tell you the differences.
>>
>> The list is too long to post here.
>
> it's here:
>
> https://pastebin.com/UFEPvgjX

Your main problem appears to be that you have a lot of duplicate objects in the DNSDOMAIN context, these are the records with '0ACNF' in them.

Have you stopped your Windows clients from updating their own records?

As you are using dhcp, I would delete all those records (they will get recreated if required), then run on the DC with the PDC Emulator FSMO role:

samba-tool drs replicate <destinationDC> <sourceDC>

Rowland
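Added example (not from the thread or from Samba itself): a small triage script for the '0ACNF' objects Rowland describes. When two DCs each create an object with the same DN and replication later merges them, the directory renames one copy to `<rdn>\0ACNF:<objectGUID>` (the `\0A` is an escaped line feed). The script takes the DN lines `samba-tool ldapcmp` prints for the DomainDnsZones partition, separates conflict copies from the surviving record and groups them per hostname, so an admin can review exactly which records are duplicated before deleting anything. The hostnames in the sample are constructed; the zone DN is the one from the thread.

```python
"""Group '\\0ACNF:' conflict objects from samba-tool ldapcmp output by DNS name."""
import re
from collections import defaultdict

# A conflict DN looks like: DC=<name>\0ACNF:<objectGUID>,<zone DN>
CNF_RE = re.compile(
    r"^(?P<rdn>DC=[^,\\]+)\\0ACNF:(?P<guid>[0-9a-fA-F-]{36}),(?P<parent>.*)$"
)

# Constructed sample input: DN lines of the kind ldapcmp lists for the
# DomainDnsZones partition (hostnames made up, zone DN from the thread).
ZONE = "DC=samba.wetron.es,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=wetron,DC=es"
SAMPLE_DNS = [
    f"DC=ws01,{ZONE}",
    f"DC=ws01\\0ACNF:2f0c8d1a-3b4e-4c5d-9e6f-7a8b9c0d1e2f,{ZONE}",
    f"DC=ws02,{ZONE}",
    f"DC=ws03\\0ACNF:11111111-2222-3333-4444-555555555555,{ZONE}",
    f"DC=ws03,{ZONE}",
    f"DC=ws03\\0ACNF:66666666-7777-8888-9999-000000000000,{ZONE}",
]


def parse_dn(dn):
    """Return (hostname, zone_dn, guid) for a dnsNode DN; guid is None if not a conflict copy."""
    m = CNF_RE.match(dn)
    if m:
        return m.group("rdn")[3:], m.group("parent"), m.group("guid")
    rdn, _, parent = dn.partition(",")
    return rdn[3:], parent, None


def find_conflicts(dns):
    """Map (hostname, zone) -> [(dn, guid), ...] for names that have at least one CNF copy."""
    groups = defaultdict(list)
    for dn in dns:
        name, zone, guid = parse_dn(dn.strip())
        groups[(name, zone)].append((dn.strip(), guid))
    return {k: v for k, v in groups.items() if any(guid for _, guid in v)}


def conflict_dns(dns):
    """Just the conflict copies, sorted, for review (the surviving record is left out)."""
    return sorted(dn for group in find_conflicts(dns).values() for dn, guid in group if guid)


if __name__ == "__main__":
    for (name, zone), entries in sorted(find_conflicts(SAMPLE_DNS).items()):
        print(f"{name} in {zone}: {len(entries)} objects, "
              f"{sum(1 for _, g in entries if g)} conflict copies")
    for dn in conflict_dns(SAMPLE_DNS):
        print("  review:", dn)
```

On a real DC the DN list would come from the ldapcmp output (or an LDAP search of the DomainDnsZones partition) instead of `SAMPLE_DNS`.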
On 11/10/19 at 17:29, Rowland penny via samba wrote:
> On 11/10/2019 16:02, Luca Olivetti via samba wrote:
>> On 11/10/19 at 16:59, Luca Olivetti via samba wrote:
>>> On 11/10/19 at 16:12, Rowland penny via samba wrote:
>>>> Try running this on a DC:
>>>>
>>>> samba-tool ldapcmp ldap://DC1 ldap://DC2 --filter='whenChanged,dc,DC,cn,CN,ou,OU'
>>>>
>>>> Replace 'DC1' and 'DC2' with your actual DC short hostnames
>>>>
>>>> It should tell you the differences.
>>>
>>> The list is too long to post here.
>>
>> it's here:
>>
>> https://pastebin.com/UFEPvgjX
>
> Your main problem appears to be that you have a lot of duplicate objects
> in the DNSDOMAIN context, these are the records with '0ACNF' in them.
>
> Have you stopped your Windows clients from updating their own records?
>
> As you are using dhcp, I would delete all those records (they will get
> recreated if required), then run on the DC with the PDC Emulator FSMO role:
>
> samba-tool drs replicate <destinationDC> <sourceDC>

I'll try this on Monday, but I don't understand why this happened. After all, I never directly modified the database (I just did that now to delete the records that stopped the replication); I only used published interfaces (either rsat, policy editor, windows dns or samba-tool).

And should I worry about the differences in versionNumber, pwdLastSet, dnsRecord?

Bye

-- 
Luca Olivetti
On 11/10/19 at 17:29, Rowland penny via samba wrote:
>> it's here:
>>
>> https://pastebin.com/UFEPvgjX
>
> Your main problem appears to be that you have a lot of duplicate objects
> in the DNSDOMAIN context, these are the records with '0ACNF' in them.

I think I know what happened: a while ago we had a problem with our virtualization infrastructure that led to a partial failure of dc2 and a catastrophic failure of dc1 (not to mention failures in every other server). I could recover dc2 pretty quickly, but I had to recover dc1 from backups.

That's *not* the problem though: while I was recovering dc1, dns resolution was unbearably slow on every server, because I had dc1 as the first nameserver and dc2 as the second. To avoid that happening again in the future, I installed dnsmasq (since it caches results and it's quicker to detect that a nameserver is down) on every server, including the dhcp server.

Now, the script on the dhcp server that updates the dns record checks if the record exists using "host", but now it gets its result from dnsmasq, hence probably causing those duplicates. I amended the script to check directly on dc1, let's see if it fixes the issue (an issue that shouldn't happen anyway: I'm using the published interfaces to update the records, so that shouldn't stop the replication).

Bye

-- 
Luca Olivetti
On 11/10/19 at 17:29, Rowland penny via samba wrote:
> As you are using dhcp, I would delete all those records (they will get
> recreated if required), then run on the DC with the PDC Emulator FSMO role:
>
> samba-tool drs replicate <destinationDC> <sourceDC>

FWIW, after doing that (with the <NC> DC=DomainDnsZones,DC=samba,DC=wetron,DC=es, otherwise samba-tool would complain) the differences in dnsdomain persist.

Bye

-- 
Luca Olivetti