Hello,

after demote and rejoin my dc2 I have problems with replication.
First of all, some SRV records on dc1 are missing; on dc2 they exist.

root@dc2:~# dig srv _ldap._tcp.ForestDnsZones.samdom.example.com @dc2.samdom.example.com.

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> srv _ldap._tcp.ForestDnsZones.samdom.example.com @dc2.samdom.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24006
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 02673acd16cc5898631a26895f5b2dc871b581bdeff30034 (good)
;; QUESTION SECTION:
;_ldap._tcp.ForestDnsZones.samdom.example.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 dc1.samdom.example.com.
_ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 dc2.samdom.example.com.

;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc1.samdom.example.com.
samdom.example.com. 900 IN NS dc2.samdom.example.com.

root@dc2:~# dig srv _ldap._tcp.ForestDnsZones.samdom.example.com @dc1.samdom.example.com.

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> srv _ldap._tcp.ForestDnsZones.samdom.example.com @dc1.samdom.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27953
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ac11efdc0079349e6f510d165f5b2d77d220607c8b2be893 (good)
;; QUESTION SECTION:
;_ldap._tcp.ForestDnsZones.samdom.example.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 dc1.samdom.example.com.

;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc2.samdom.example.com.
samdom.example.com. 900 IN NS dc1.samdom.example.com.

In the journal I also get relocation errors.

task[dcesrv][520]: [2020/09/11 09:48:40.728120, 0] ../source4/rpc_server/drsuapi/updaterefs.c:374(dcesrv_drsuapi_DsReplicaUpdateRefs)
Sep 11 09:48:40 dc1 samba[520]: task[dcesrv][520]: ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-1732978637-3172972945-805327809-1180 with GUID 6397e622-4305-4a6e-ba1b-8adbbbd5eace

or

Sep 11 09:50:22 dc1 samba[528]: task[dreplsrv][528]: [2020/09/11 09:50:22.081293, 0] ../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
Sep 11 09:50:22 dc1 samba[528]: task[dreplsrv][528]: Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.1.135[49152,seal,krb5,target_hostname=1d4c0c04-1fa8-4873-9987-212af8558bfb._msdcs.samdom.example.com,target_principal=GC/dc2.samdom.example.com/samdom.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.133] NT_STATUS_UNSUCCESSFUL

Is there a way to fix it without reinstalling the whole domain forest?

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of basti via samba
> Sent: Friday 11 September 2020 10:01
> To: samba at lists.samba.org
> Subject: [Samba] Problems with sysrepl
>
> Hello,
>
> after demote and rejoin my dc2 I have problems with replication.
> First of all, some SRV records on dc1 are missing; on dc2 they exist.

Ok, wait, recap.
- you have/had 2 DCs
- you removed DC2 and re-added it.

Did you remove the "dead" DC2? Completely (AD and DNS), and verified it?
Did you move FSMO roles to DC1?

This:
> Refusing DsReplicaUpdateRefs for sid S-1-5-21-1732978637-3172972945-805327809-1180
> with GUID 6397e622-4305-4a6e-ba1b-8adbbbd5eace

I think you missed clearing/cleaning the sites.
Look at this, and verify the sites on DC1.
https://www.rebeladmin.com/2015/02/how-to-setup-active-directory-sites-subnets-site-links/

If you are 100% sure all info is correct in DC2, you can force a push of the AD to the other server.
But I suggest checking the sites first.

Last, after all is correct, don't forget to sync the idmap.tdb file between the DCs.

Greetz,

Louis

On 11/09/2020 09:00, basti via samba wrote:
> Hello,
>
> after demote and rejoin my dc2 I have problems with replication.
> First of all, some SRV records on dc1 are missing; on dc2 they exist.

Start by ensuring that the nameserver in /etc/resolv.conf on dc2 points to its own IP address, then reboot.

Rowland

DC2 needs the DC1 IP first in the DNS, yes, BUT the sites GUID needs to be corrected first.

Then, reboot, things should sync.
Then, correct IP in resolv.conf.

If this goes wrong, you end up with 2 zones on both servers that are out of sync.
I had this once.. And yes, it's always fixable.

In the worst case, down DC2 again.
Seize FSMO roles to DC1.
Clean AD and DNS (and don't forget to clean sites).
All needs to be checked before a re-join.

The order in this fix attempt is most important.
Don't rush it, take the time to clean the AD and DNS.

Not needed to re-install DC2, it's basically.

Cleanup /var/lib/samba (and subfolders.)
Cleanup /var/cache/samba (and subfolders.)
Resolv.conf to DC1 IP first, join, reboot.
Resolv.conf to DC2 IP first
Down samba DC2,
copy Idmap DC1 to DC2
Start samba DC2

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Friday 11 September 2020 10:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problems with sysrepl
>
> On 11/09/2020 09:00, basti via samba wrote:
> > Hello,
> >
> > after demote and rejoin my dc2 I have problems with replication.
> > First of all, some SRV records on dc1 are missing; on dc2 they exist.
>
> Start by ensuring that the nameserver in /etc/resolv.conf on dc2 points to its own IP address, then reboot.
>
> Rowland

I have tried "list", without success.

I think all is clean fine.
After rejoin the sync connection in (Default-First-Site-Name) from dc2 to dc1 is missing and I still get this error:

Sep 11 11:04:14 dc1 samba[528]: task[dreplsrv][528]: [2020/09/11 11:04:14.336276, 0] ../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
Sep 11 11:04:14 dc1 samba[528]: task[dreplsrv][528]: Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:193.137.1.135[49152,seal,krb5,target_hostname=d5faff53-a2ef-4449-86ad-e5a55acffa3a._msdcs.samdom.example.com,target_principal=GC/dc2.samdom.example.com/samdom.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.133] NT_STATUS_UNSUCCESSFUL

On 11.09.20 10:28, L.P.H. van Belle via samba wrote:
> DC2 needs the DC1 IP first in the DNS, yes, BUT the sites GUID needs to be corrected first.
>
> Then, reboot, things should sync.
> Then, correct IP in resolv.conf.
>
> If this goes wrong, you end up with 2 zones on both servers that are out of sync.
> I had this once.. And yes, it's always fixable.
>
> In the worst case, down DC2 again.
> Seize FSMO roles to DC1.
> Clean AD and DNS (and don't forget to clean sites).
> All needs to be checked before a re-join.
>
> The order in this fix attempt is most important.
> Don't rush it, take the time to clean the AD and DNS.
>
> Not needed to re-install DC2, it's basically.
>
> Cleanup /var/lib/samba (and subfolders.)
> Cleanup /var/cache/samba (and subfolders.)
> Resolv.conf to DC1 IP first, join, reboot.
> Resolv.conf to DC2 IP first
> Down samba DC2,
> copy Idmap DC1 to DC2
> Start samba DC2
>
> Greetz,
>
> Louis

The not existing connection I have created manually, but it does not solve the problem.

root@dc2:~# samba-tool drs replicate DC1 DC2 dc=samdom,dc=example,dc=com --full-sync
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 568, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 88, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

> I think all is clean fine.

You "think"..?? .. You must verify this!
Assumption is the mother of all fuckups, an old boss of mine always said.. And he is right.

Run: samba-tool fsmo show
And verify both servers.
https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#The_objectGUID_CNAME_Record

And go through:
https://wiki.samba.org/index.php/Active_Directory_Sites#Setting_up_a_new_Site

Sorry, but I'm pretty sure your problem is in this area.. And you can only fix it by verifying it all.

It's not 1 problem you're having. It's 2 or 3 at the same time.. One problem is the cause of the other problems.

Like this part (your latest mail):

samba-tool drs replicate DC1 DC2 dc=samdom,dc=example,dc=com --full-sync
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (31, 'WERR_GEN_FAILURE')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 568, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 88, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Will never work if you don't check and fix the objectGUID.

Mail before that one:
host -t CNAME d5faff53-a2ef-4449-86ad-e5a55acffa3a._msdcs.samdom.example.com

I hope it's more clear now where to look first.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of basti via samba
> Sent: Friday 11 September 2020 11:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problems with sysrepl
>
> I have tried "list", without success.
>
> I think all is clean fine.
> After rejoin the sync connection in (Default-First-Site-Name) from dc2 to dc1 is missing and I still get this error:
>
> Sep 11 11:04:14 dc1 samba[528]: task[dreplsrv][528]: [2020/09/11 11:04:14.336276, 0] ../source4/librpc/rpc/dcerpc_util.c:737(dcerpc_pipe_auth_recv)
> Sep 11 11:04:14 dc1 samba[528]: task[dreplsrv][528]: Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:193.137.1.135[49152,seal,krb5,target_hostname=d5faff53-a2ef-4449-86ad-e5a55acffa3a._msdcs.samdom.example.com,target_principal=GC/dc2.samdom.example.com/samdom.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.133] NT_STATUS_UNSUCCESSFUL
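
Added example, not part of any message in this thread: a shell check for the symptom in the first post, where dc1 and dc2 return different SRV sets for the same name. The function names are made up for this example, and the sample answers are constructed from the dig output quoted in the thread.

```shell
#!/bin/sh
# Added example: detect SRV drift between two DCs for one DNS name.
# Function names are illustrative; sample data is constructed from the
# dig answers quoted in the thread (dc2 lists both DCs, dc1 only itself).

SAMPLE_DC2='_ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 dc1.samdom.example.com.
_ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 dc2.samdom.example.com.'
SAMPLE_DC1=';_ldap._tcp.ForestDnsZones.samdom.example.com. IN SRV
_ldap._tcp.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 dc1.samdom.example.com.'

# Read dig output on stdin, print the sorted unique SRV targets.
# Answer format: name TTL IN SRV priority weight port target
srv_targets() {
    awk '$3 == "IN" && $4 == "SRV" && NF == 8 { print tolower($8) }' | sort -u
}

# Print entries of list $1 that are absent from list $2 (newline-separated).
missing_from() {
    printf '%s\n' "$1" | while IFS= read -r t; do
        [ -n "$t" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$t" || printf '%s\n' "$t"
    done
}

# compare_srv LABEL_A OUTPUT_A LABEL_B OUTPUT_B
# Prints "<label> lacks <target>" per missing record; returns 1 on drift.
compare_srv() {
    a=$(printf '%s\n' "$2" | srv_targets)
    b=$(printf '%s\n' "$4" | srv_targets)
    drift=0
    for t in $(missing_from "$a" "$b"); do echo "$3 lacks $t"; drift=1; done
    for t in $(missing_from "$b" "$a"); do echo "$1 lacks $t"; drift=1; done
    return "$drift"
}

if [ "$#" -eq 3 ]; then
    # Live mode: NAME SERVER_A SERVER_B, queried with dig as in the thread.
    out_a=$(dig +noall +answer srv "$1" "@$2")
    out_b=$(dig +noall +answer srv "$1" "@$3")
    compare_srv "$2" "$out_a" "$3" "$out_b" || echo "SRV sets differ"
else
    # Offline demo on the constructed samples.
    compare_srv dc2 "$SAMPLE_DC2" dc1 "$SAMPLE_DC1" || echo "SRV sets differ"
fi
```

With no arguments it runs on the embedded samples; with a record name and two server names it queries both DCs and lists which one lacks which target.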