Hi all!
I have an AD domain with two DC's, DC3 (samba 4.20.4 from backports in a VM
running debian 12) and DC2 (samba 4.18.9 in a VM running slackware 15.0) who
holds the FSMO roles and I tried to replace DC2 with another host named DC2
(samba 4.20.5 from backports in a VM running debian 12).
What I did was (in this order):
* Shutdown both DC's
* Snapshot both DC's disks
* Brought back up both DC's
* Verified that idmap.ldb on (old) DC2 and DC3 where in sync
* Transfered the roles from DC2 (old) to DC3
* Demoted DC2 and shutdown the slackware 15.0 VM
* Brought up the debian VM holding the (new) DC2
* Joined (new) DC2 to the domain as a DC
* Copied idmap.ldb from DC3 to (new) DC2
* rsync'ed sysvol from DC3 to (new) DC2
* run net cache flush on (new) DC2
* start samba-ad-dc service on (new) DC2
* run samba-tool ntacl sysvol-reset on (new) DC2
While sysvol-reset was running i was doing some checks and found entries on DC3
stating
Oct 15 07:31:25 dc3 samba[610]: [2024/10/15 07:31:25.243401, 0]
source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
Oct 15 07:31:25 dc3 samba[610]: Failed to bind to uuid
e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:192.168.1.3[49153,seal,krb5,target_hostname=25d3f929-0284-4f3f-a609-a869bb9b9722._msdcs.ad.samdom.com,target_principal=GC/dc2.ad.samdom.com/ad.samdom.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.1.2]
NT_STATUS_UNSUCCESSFUL
I saw on a windows workstation that in the "Active directory sites and
services" RSAT applet there wasn't a connection in the NTDS connections
of DC3 so I manually created one to DC2
On (new) DC2 I verified the replication and the output of the samba-tool drs
showrepl command was as follows
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
DSA invocationId: d7b7eea4-67e7-4dba-a338-acd99ac30dc9
==== INBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC3 via RPC
DSA object GUID: d2347f3c-1b9e-4ad5-a936-52c8cb1c0fc3
Last attempt @ Tue Oct 15 07:35:41 2024 -03 was successful
0 consecutive failure(s).
Last success @ Tue Oct 15 07:35:41 2024 -03
DC=DomainDnsZones,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC3 via RPC
DSA object GUID: d2347f3c-1b9e-4ad5-a936-52c8cb1c0fc3
Last attempt @ Tue Oct 15 07:35:41 2024 -03 was successful
0 consecutive failure(s).
Last success @ Tue Oct 15 07:35:41 2024 -03
CN=Schema,CN=Configuration,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC3 via RPC
DSA object GUID: d2347f3c-1b9e-4ad5-a936-52c8cb1c0fc3
Last attempt @ Tue Oct 15 07:35:42 2024 -03 was successful
0 consecutive failure(s).
Last success @ Tue Oct 15 07:35:42 2024 -03
CN=Configuration,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC3 via RPC
DSA object GUID: d2347f3c-1b9e-4ad5-a936-52c8cb1c0fc3
Last attempt @ Tue Oct 15 07:35:42 2024 -03 was successful
0 consecutive failure(s).
Last success @ Tue Oct 15 07:35:42 2024 -03
DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC3 via RPC
DSA object GUID: d2347f3c-1b9e-4ad5-a936-52c8cb1c0fc3
Last attempt @ Tue Oct 15 07:35:42 2024 -03 was successful
0 consecutive failure(s).
Last success @ Tue Oct 15 07:35:42 2024 -03
==== OUTBOUND NEIGHBORS ===
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: 0ec9a878-eeff-4b55-8015-5529b4013326
Enabled : TRUE
Server DNS name : dc3.ad.samdom.com
Server DN name : CN=NTDS
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: DC3
Enabled : TRUE
Server DNS name : dc3.ad.samdom.com
Server DN name : CN=NTDS
Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
TransportType: RPC
options: 0x00000000
Warning: No NC replicated for Connection!
The output of samba-tool drs showrepl on DC3 looked like this
Default-First-Site-Name\DC3
DSA Options: 0x00000001
DSA object GUID: d2347f3c-1b9e-4ad5-a936-52c8cb1c0fc3
DSA invocationId: 9e1fd29b-8f65-4f75-af93-00b358b046d2
==== INBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
Last attempt @ Tue Oct 15 07:36:24 2024 -03 failed, result 31
(WERR_GEN_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
Last attempt @ Tue Oct 15 07:36:24 2024 -03 failed, result 31
(WERR_GEN_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
Last attempt @ Tue Oct 15 07:36:24 2024 -03 failed, result 31
(WERR_GEN_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
Last attempt @ Tue Oct 15 07:36:25 2024 -03 failed, result 31
(WERR_GEN_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)
DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
Last attempt @ Tue Oct 15 07:36:25 2024 -03 failed, result 31
(WERR_GEN_FAILURE)
3 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ===
DC=ForestDnsZones,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
Last attempt @ Tue Oct 15 07:39:18 2024 -03 failed, result 31
(WERR_GEN_FAILURE)
44 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
Last attempt @ Tue Oct 15 07:39:18 2024 -03 failed, result 31
(WERR_GEN_FAILURE)
44 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
Last attempt @ Tue Oct 15 07:39:18 2024 -03 failed, result 31
(WERR_GEN_FAILURE)
44 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
Last attempt @ Tue Oct 15 07:39:18 2024 -03 failed, result 31
(WERR_GEN_FAILURE)
44 consecutive failure(s).
Last success @ NTTIME(0)
DC=ad,DC=samdom,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 25d3f929-0284-4f3f-a609-a869bb9b9722
Last attempt @ Tue Oct 15 07:39:19 2024 -03 failed, result 31
(WERR_GEN_FAILURE)
44 consecutive failure(s).
Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ===
Connection --
Connection name: 2aea5c8f-b9b5-45da-bf46-e3d775554bd1
Enabled : TRUE
Server DNS name : dc2.ad.samdom.com
Server DN name : CN=NTDS
Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=samdom,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
By the time I got to this point my window of opportunity to perform this change
of DC's was closing so I reverted to the snapshots taken before anything and
everything is working OK but next week I'm going to be attempting to change
this DC again and I was wondering if someone could see what might have gone
wrong because I certainly can't.
Thanks in advance!
Best regards,
Dave.
