> Good, the _msdcs domain is the forest domain

So is it normal that DC4 is not in that?

> but are there records for all three DCs in:
>
> DC=your.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=your,DC=domain,DC=com

I tried to find this path in the LDAP Browser and ADSI Edit but I did not manage to find it.
In the Windows DNS Manager connected to DC1 I found _ldap SRV records for dc1 and dc2 in DNS\dc1\Forward Lookup Zones\my.domain.com\domaindnszones\_sites\mysite\_tcp. There are no records for dc4 there.

> What version(s) of Samba is this ?

Samba Version 4.6.7-Ubuntu on all three domain controllers.

Thanks!
Rowland penny
2019-Dec-12 09:49 UTC
[Samba] Replication not working for remote Domain Controller
On 12/12/2019 08:09, shacky wrote:
> > Good, the _msdcs domain is the forest domain
>
> So is it normal that DC4 is not in that?
>
> > but are there records for all three DCs in:
> >
> > DC=your.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=your,DC=domain,DC=com
>
> I tried to find this path in the LDAP Browser and ADSI Edit but I did
> not manage to find it.
> In the Windows DNS Manager connected to DC1 I found _ldap SRV records
> for dc1 and dc2 in DNS\dc1\Forward Lookup Zones\my.domain.com\domaindnszones\_sites\mysite\_tcp.
> There are no records for dc4 there.
>
> > What version(s) of Samba is this ?
>
> Samba Version 4.6.7-Ubuntu on all three domain controllers.
>
> Thanks!

OK, log into a working DC and run this:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub '(objectclass=dnsnode)' | grep dn:

Notes: it should all be on one line and you will have to alter it to match your DNS domain. It may also output a large amount, so you might have to redirect the output to a file with something like ' > /tmp/dn.txt'. You may also have to install ldb-tools.

In the output, there should be lines like these:

dn: DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_msdcs,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_ldaps._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_ldap._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_ldap._tcp.ForestDnsZones,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_kpasswd._udp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_kerberos._udp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=DomainDnsZones,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_ldap._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_kerberos._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_kpasswd._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=ForestDnsZones,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_ldap._tcp.DomainDnsZones,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_kerberos._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

There should also be a line like this for every DC:

dn: DC=DC4,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

Where did your domain come from ? Was it provisioned as a Samba domain and if so, what Samba version was it ? Or was it originally a Windows domain and again, if it was, what was the original Windows version.

Rowland
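The check Rowland describes above, made repeatable as an added example. This is not code from the thread or from Samba; it parses the LDIF that the ldbsearch command prints (run against the DomainDnsZones naming context, which is why --cross-ncs is needed) and reports which of the 18 zone-level nodes in his list and which per-DC nodes are absent. The sample LDIF is constructed inline for the domain samdom.example.com with DC4 deliberately missing; the function names, the assumption that the DC short names are supplied by the caller (in practice from the dNSHostName of the server objects under CN=Sites,CN=Configuration), and the site name Default-First-Site-Name are all the example's own choices.

```python
"""Offline check of the dnsNode entries in a Samba AD DomainDnsZones partition.

Parses the LDIF printed on a DC by (one line; --cross-ncs because DomainDnsZones
is a separate naming context from the domain partition):

  ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb \
    -b 'DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' \
    -s sub '(objectclass=dnsnode)'

and reports which zone-level (SRV) nodes and which per-DC nodes are missing.
The sample LDIF at the bottom is constructed for this example, not captured
from a real domain.
"""
import re
from typing import Dict, List, Set

# Leaf RDN of a dnsNode dn: "dn: DC=_ldap._tcp,DC=samdom.example.com,..." -> "_ldap._tcp"
LEAF_RE = re.compile(r"^dn:\s*DC=([^,]+),", re.IGNORECASE)


def expected_nodes(site: str = "Default-First-Site-Name") -> Set[str]:
    """The 18 zone-level nodes a healthy domain zone carries (the list given in the thread)."""
    s = f"{site}._sites"
    return {
        "@", "DomainDnsZones", "ForestDnsZones", "_msdcs",
        "_ldap._tcp", "_ldaps._tcp", "_gc._tcp",
        "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp", "_kpasswd._udp",
        "_ldap._tcp.DomainDnsZones", "_ldap._tcp.ForestDnsZones",
        f"_gc._tcp.{s}", f"_ldap._tcp.{s}", f"_kerberos._tcp.{s}",
        f"_ldap._tcp.{s}.DomainDnsZones", f"_ldap._tcp.{s}.ForestDnsZones",
    }


def parse_dnsnode_names(ldif_text: str) -> Set[str]:
    """Return the leaf DC= name of every dn in ldbsearch's LDIF output.

    LDIF folds long values: a continuation line starts with one space, so the
    lines are unfolded before matching. '#' comment lines are skipped.
    """
    unfolded: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    names: Set[str] = set()
    for line in unfolded:
        m = LEAF_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def check_domain_zone(ldif_text: str, dc_hostnames: List[str],
                      site: str = "Default-First-Site-Name") -> Dict[str, List[str]]:
    """Compare what the zone holds with what the domain and every DC need.

    dc_hostnames are the DCs' short host names (assumed to be supplied by the
    caller; a real run would read them from each server object's dNSHostName).
    Empty ldif_text, the symptom in this thread, reports everything missing.
    """
    present = parse_dnsnode_names(ldif_text)
    lower = {n.lower() for n in present}
    return {
        "present": sorted(present),
        "missing_srv": sorted(n for n in expected_nodes(site) if n.lower() not in lower),
        "missing_dcs": sorted(h for h in dc_hostnames if h.lower() not in lower),
    }


# ---- constructed sample input (assumed domain samdom.example.com) ----
SAMPLE_ZONE_DN = ("DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,"
                  "DC=samdom,DC=example,DC=com")


def _fold(line: str, width: int = 78) -> List[str]:
    """Wrap a long LDIF line the way LDIF writers do: continuations start with a space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def build_sample_ldif(names: List[str]) -> str:
    """Build LDIF in the shape ldbsearch prints; each name becomes one dnsNode record."""
    lines: List[str] = []
    for i, n in enumerate(names, 1):
        lines.append(f"# record {i}")
        lines += _fold(f"dn: DC={n},{SAMPLE_ZONE_DN}")
        lines += ["objectClass: dnsNode", f"name: {n}", ""]
    lines.append(f"# returned {len(names)} records")
    return "\n".join(lines)


# DC4 is deliberately absent, mirroring the situation in the thread.
SAMPLE_LDIF = build_sample_ldif(sorted(expected_nodes()) + ["DC1", "DC2"])

if __name__ == "__main__":
    report = check_domain_zone(SAMPLE_LDIF, ["DC1", "DC2", "DC4"])
    print("missing zone-level nodes:", report["missing_srv"] or "none")
    print("DCs without a dnsNode   :", report["missing_dcs"] or "none")
```

On a real DC, feed it the full ldbsearch output (without the trailing grep) and the DC names from the Configuration partition; a completely empty result, as the original poster later reports, is flagged as every node missing rather than as a clean zone.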
Rowland penny
2019-Dec-17 16:48 UTC
[Samba] Replication not working for remote Domain Controller
On 17/12/2019 16:28, shacky wrote:
> Hi, sorry for the late reply!
>
> > ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub '(objectclass=dnsnode)' | grep dn:
>
> I receive an empty output:
>
> ================================== 8< =========================================
> root@dc1:/ (17:23:33)# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'DC=my.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=com' -s sub '(objectclass=dnsnode)' | grep dn
> root@dc1:/ (17:23:36)#
> ================================== 8< =========================================
> root@dc2:/# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'DC=my.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=com' -s sub '(objectclass=dnsnode)' | grep dn
> root@dc2:/#
> ================================== 8< =========================================
> root@dc4:/# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'DC=my.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=com' -s sub '(objectclass=dnsnode)' | grep dn
> root@dc4:/#
> ================================== 8< =========================================
>
> > Was it provisioned as a Samba domain and if so, what Samba version
> > was it ? Or was it originally a Windows domain and again, if it was, what
> > was the original Windows version.
>
> It was provisioned many years ago on a Windows Server 2003.

This means that you are not running a domain integrated DNS server, or to put it another way, you are missing huge chunks of AD.

> One year ago I migrated it to Samba 4 using two Zentyal virtual
> machines as domain controllers and some weeks ago I added a third
> domain controller on the remote site (I then wish to add a fourth one
> on the remote site to have a failover there).

In the last year this has come up a few times, try reading this:

https://support.microsoft.com/en-gb/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application

It looks like we need a tool to correct AD :-(

Rowland
On Tue, 17 Dec 2019 at 17:49, Rowland penny via samba <samba at lists.samba.org> wrote:
> In the last year this has come up a few times, try reading this:
>
> https://support.microsoft.com/en-gb/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application
>
> It looks like we need a tool to correct AD :-(

Thanks! I will read that article.

Do you think that this could be the same reason why sometimes I'm having clients that are losing their trust connection with the domain controller (so users cannot log in anymore) and I need to rejoin them to the domain?

Also, showrepl on DC4 is returning the following error:

================================= 8< =============================================
=== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 15ff6132-37b4-458a-ac13-a2fe2fedb7bc
    Enabled        : TRUE
    Server DNS name : dc2.my.domain.com
    Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=mydomain,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

Connection --
    Connection name: 365283e3-885d-4610-8929-91e3372530da
    Enabled        : TRUE
    Server DNS name : dc1.my.domain.com
    Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=mydomain,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

Connection --
ERROR(<type 'exceptions.IndexError'>): uncaught exception - list index out of range
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 180, in run
    c_server_dns = c_server_res[0]["dnsHostName"][0]
================================= 8< =========================================

Do you think I will be able to repair the Active Directory with the document from the provided link, or do you think it would be better to provision a new Active Directory from scratch with a different domain?

Thank you very much for your help!

Bye