To get an overview of the current DRS replication status, you can use this command on every UCS Samba 4 DC that is joined to the domain:
samba-tool drs showrepl
Sitename\Servername
DSA Options: 0x00000001
DSA object GUID: ffad9f19-0e90-457b-b733-469e4b2280a1
DSA invocationId: 908dbb52-12a6-47a2-ae03-1a71014cc4f4

==== INBOUND NEIGHBORS ====

DC=domain,DC=base
    Sitename\Servername via RPC
        DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
        Last attempt @ Tue Jun 18 03:30:23 2013 MDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jun 18 03:30:23 2013 MDT

CN=Schema,CN=Configuration,DC=domain,DC=base
    Sitename\Servername via RPC
        DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
        Last attempt @ Tue Jun 18 03:30:31 2013 MDT failed, result 2 (WERR_BADFILE)
        14 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=domain,DC=base
    Sitename\Servername via RPC
        DSA object GUID: 397575b4-23c7-4ceb-8114-166a1d7a1bfe
        Last attempt @ Tue Jun 18 03:30:34 2013 MDT failed, result 2 (WERR_BADFILE)
        14 consecutive failure(s).
        Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: facd713f-869d-4672-ad9b-b694e7c53cd8
    Enabled        : TRUE
    Server DNS name : Servername
    Server DN name  : CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=domain,DC=base
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
The output shows four sections. The header shows the GUID of the local directory service agent (DSA), which can be thought of as an ID for the local DC. The second section shows inbound connections: the local domain controller replicates directory objects from the inbound neighbors, and each directory partition (naming context) is replicated separately. The section "outbound neighbors" lists remote domain controllers that are replicating objects from the local domain controller. In this case, the output shows the situation directly after the join of the local domain controller: it has replicated from the neighbor DC it joined to, but no other DC has replicated any objects from the local DC yet. The last section, "KCC connection objects", shows a summary of the connections to neighbor DCs.
The output will always show "Warning: No NC replicated for Connection!" as the last line. This warning is expected and completely harmless.
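When several DCs have to be checked regularly, it helps to parse the showrepl output instead of reading it by hand. The following parser is an added example (not part of the original article or of samba-tool) that extracts the per-partition inbound status and flags partitions with a failed last attempt or a failure streak, such as the WERR_BADFILE entries in the listing above; it assumes the tab-indented layout shown there, and the embedded sample output is constructed from this page's values.

```python
import re

# Constructed sample modelled on the `samba-tool drs showrepl` listing on this page.
SAMPLE_SHOWREPL = """\
Sitename\\Servername
==== INBOUND NEIGHBORS ====
DC=domain,DC=base
\tSitename\\Servername via RPC
\t\tLast attempt @ Tue Jun 18 03:30:23 2013 MDT was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Tue Jun 18 03:30:23 2013 MDT
CN=Schema,CN=Configuration,DC=domain,DC=base
\tSitename\\Servername via RPC
\t\tLast attempt @ Tue Jun 18 03:30:31 2013 MDT failed, result 2 (WERR_BADFILE)
\t\t14 consecutive failure(s).
\t\tLast success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
"""

def parse_showrepl(text):
    """Return one record per inbound neighbour: partition, partner, failure count, last error."""
    records, section, partition, current = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"==== (.+?) ====$", line)
        if header:
            section = header.group(1)
        elif not line or section != "INBOUND NEIGHBORS":
            continue  # only the inbound section carries per-partition status
        elif not raw[0].isspace():  # unindented line: the naming context (partition) DN
            partition = line
        elif line.endswith(" via RPC"):  # indented line naming the replication partner
            current = {"partition": partition, "partner": line[:-len(" via RPC")],
                       "failures": 0, "error": None}
            records.append(current)
        elif current is not None:
            fails = re.match(r"(\d+) consecutive failure", line)
            err = re.search(r"failed, result \d+ \((\w+)\)", line)
            if fails:
                current["failures"] = int(fails.group(1))
            if err:
                current["error"] = err.group(1)
    return records

def failing_partitions(text):
    """Partitions worth investigating: a failed last attempt or a non-zero failure streak."""
    return [(r["partition"], r["partner"], r["failures"], r["error"])
            for r in parse_showrepl(text) if r["failures"] or r["error"]]
```

On a real DC, feed it the output of `samba-tool drs showrepl` (for example via subprocess) and alert when failing_partitions returns anything.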
The command samba-tool drs kcc can be used to manually trigger the Samba 4 "Knowledge Consistency Checker" (KCC) to update its current knowledge about connections to neighbor DCs. The command can also conveniently be used to trigger the KCC on a remote host by adding -UAdministrator <fqdn>.
This can be useful in case DC objects are absent from the output of samba-tool drs showrepl or are showing consecutive failures.
It is always recommended to also have a look at /var/log/samba/log.samba for further hints when facing DRS replication issues.
You can trigger the DRS replication manually with the help of this command. Most likely you will get specific hints and error messages directly when it is used during an in-depth analysis of DRS replication issues.
An example would be:
samba-tool drs replicate destinationhost sourcehost dc=domain,dc=base
We have an example in this article.
For a given user, computer, or built-in account, the attribute msDS-KeyVersionNumber specifies the Kerberos version number of the current key for that account.
Therefore it can be used to compare the replication status of systems:
root@master:~# univention-s4search cn=master msDS-KeyVersionNumber
root@backup:~# univention-s4search cn=master msDS-KeyVersionNumber
The values have to be equal; otherwise the replication seems to be broken. If a system shows a different value than the master, it has to be rejoined, or you first try to replicate just the server account (see again the article referenced above).
root@master:~# univention-s4search cn=master msDS-KeyVersionNumber
dn: CN=MASTER,OU=Domain Controllers,DC=test,DC=domain
msDS-KeyVersionNumber: 7

root@backup:~# univention-s4search cn=master msDS-KeyVersionNumber
dn: CN=MASTER,OU=Domain Controllers,DC=test,DC=domain
msDS-KeyVersionNumber: 1
Here the system backup is obviously out of sync and a rejoin should be considered.
samba-tool dbcheck checks the Samba 4 database. Samba does not save its data in just one database but splits it up into five partitions. To check all partitions and not just the basic one, you need to add the parameter --cross-ncs:
samba-tool dbcheck --cross-ncs
To fix the issues that come up you can use --fix; add --yes if you do not want to be asked for approval for each error or warning:
samba-tool dbcheck --cross-ncs --fix --yes
For a complete overview of the relevant DNS records, you can check the output of the following script:
Please also have a look at dns-probleme-in-alteren-samba-ad-domanen, dns-problems-in-samba4, and when-renaming-a-computer-the-old-dns-entry-remains-in-dns.
Here are some related articles for troubleshooting:
remove-a-file-from-sysvol, sysvol-sync-placing-triggerfile-with-ssh-failed, how-gpos-and-sysvol-are-working-together-in-ucs-school, reduce-the-sysvol-replication-complexity, samba-tool-ntacl-sysvolcheck, samba-tool-ntacl-sysvolcheck-shows-nt-status-object-name-not-found/, rsync-to-local-sysvol-exited-with-23
The best way to completely remove a DC object is the following sequence of steps; for more detail see How-To: Remove a Server.
samba-tool dbcheck --fix (see LDB Tools)
samba-tool domain demote --remove-other-dead-server=<hostname>
- Check for remaining references in the LDB and remove them if necessary. You can use the objectGUID of the DC object for these searches to find objects with remaining references, for example:
ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs | grep -A10 f5031d0e-86a7-4b60-ad6b-1ff8108a3e2a
It should be sufficient to use
If this does not succeed, there could be old references in the LDB. You can use the steps described under "LDB Tools" or use the following:
The next commands have to be executed on the DC which has to be rejoined:
mv /var/lib/samba/private /var/tmp/samba_backup
In case this does not work either, the DC account can be removed first by logging into the UCS domain controller running the S4 Connector (usually the DC Master) and executing the steps described in the section “Removal of Domain Controllers” (see above). After that, the join process can be started again using the three steps above (samba4 stop, move directory, univention-join).
In some cases a deeper inspection of the Samba database backend (sam.ldb) is required.
Searching within the LDB:
ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs [-b <dn> ] [<ldap-filter>]
ldbdel can be used to remove objects. This could be needed e.g. if removed computer objects left reference objects underneath cn=configuration,$ldap_base:
ldbdel -H /var/lib/samba/private/sam.ldb <dn>
The other way to determine such inconsistent references (and automatically fix them) is the usage of samba-tool dbcheck.
samba-tool dbcheck [--cross-ncs --fix --yes]
You can use the following command to have a look at the current FSMO roles:
samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan
SchemaMasterRole owner: CN=NTDS Settings,CN=Servername,CN=Servers,CN=Sitename,CN=Sites,CN=Configuration,DC=sec,DC=lan