Main domain controller is made with samba 4.3.4 on CentOS 7 (name=samba). Just made a new second domain controller on WinSrv2008R2Sp1 (name=dc).
Sysvol replication was made using the following article & the Sysvol folder is correctly copied with robocopy every 5 minutes (although the service File Replication cannot start with 1053 error, & all dependencies are started & looking ok): https://wiki.samba.org/index.php/Robocopy_based_SysVol_replication_workaround
The problem is with the automatic replication which is supposed to happen every 15 minutes: it doesn't work (e.g. I create a user on samba & on dc it doesn't appear after 15 minutes, etc.).
Replication works manually on both sides (& e.g. the newly created user does appear):
on samba:
[root@samba]# samba-tool drs replicate dc samba dc=xxxxx,dc=com --full-sync
Replicate from samba to dc was successful.
on dc:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>repadmin /replicate dc samba dc=xxxxx,dc=com
Sync from samba to dc completed successfully.
Roles:
NetDOM /query FSMO
Schema master               samba.xxxxx.com
Domain naming master        samba.xxxxx.com
PDC                         samba.xxxxx.com
RID pool manager            samba.xxxxx.com
Infrastructure master       samba.xxxxx.com
The command completed successfully.
How do I make the normal automatic 15 minutes AD replication work without creating jobs in scheduler & etc.? I plan to make the Windows DC=dc the main one & the CentOS=samba a secondary, so I want everything to work as normally as possible :)
Here's the dcdiag from dc (WinSrv2008R2SP1):
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC
Starting test: Connectivity
......................... DC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC
Starting test: Advertising
Warning: DC is not advertising as a time server.
......................... DC failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... DC failed test FrsEvent
Starting test: DFSREvent
......................... DC passed test DFSREvent
Starting test: SysVolCheck
......................... DC passed test SysVolCheck
Starting test: KccEvent
......................... DC passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC passed test MachineAccount
Starting test: NCSecDesc
......................... DC passed test NCSecDesc
Starting test: NetLogons
......................... DC passed test NetLogons
Starting test: ObjectsReplicated
......................... DC passed test ObjectsReplicated
Starting test: Replications
......................... DC passed test Replications
Starting test: RidManager
......................... DC passed test RidManager
Starting test: Services
......................... DC passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0xC0001B61
Time Generated: 04/25/2017 13:34:13
Event String: A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
An error event occurred. EventID: 0xC0001B61
Time Generated: 04/25/2017 13:34:24
Event String: A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
An error event occurred. EventID: 0xC0001B61
Time Generated: 04/25/2017 13:37:59
Event String: A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
An error event occurred. EventID: 0x0000165B
Time Generated: 04/25/2017 13:38:16
Event String: The session setup from computer 'XXNODE-16-PC' failed because the security database does not contain a trust account 'XXNODE-16-PC$' referenced by the specified computer.
An error event occurred. EventID: 0xC0001B61
Time Generated: 04/25/2017 13:41:07
Event String: A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
An error event occurred. EventID: 0xC0001B61
Time Generated: 04/25/2017 13:41:18
Event String: A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
An error event occurred. EventID: 0xC0001B61
Time Generated: 04/25/2017 13:41:37
Event String: A timeout was reached (30000 milliseconds) while waiting for the File Replication service to connect.
An error event occurred. EventID: 0x000016AD
Time Generated: 04/25/2017 13:43:03
Event String: The session setup from the computer XXNODE-16-PC failed to authenticate. The following error occurred:
......................... DC failed test SystemLog
Starting test: VerifyReferences
Some objects relating to the DC DC have problems:
[1] Problem: Missing Expected Value
Base Object: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxx,DC=com
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[1] Problem: Missing Expected Value
Base Object: CN=DC,OU=Domain Controllers,DC=xxxxx,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... DC failed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
The application directory partition DC=ForestDnsZones,DC=xxxxx,DC=com is missing a security descriptor reference domain. The administrator should set the msDS-SD-Reference-Domain
attribute on the cross reference object CN=5cb6f429-dfba-45e5-914f-82a6b2a10fb4,CN=Partitions,CN=Configuration,DC=xxxxx,DC=com to the DN of a domain.
......................... ForestDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
The application directory partition DC=DomainDnsZones,DC=xxxxx,DC=com is missing a security descriptor reference domain. The administrator should set the msDS-SD-Reference-Domain
attribute on the cross reference object CN=fb322730-c969-4fa2-8ba8-cff0ac78969d,CN=Partitions,CN=Configuration,DC=xxxxx,DC=com to the DN of a domain.
......................... DomainDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : xxxxx
Starting test: CheckSDRefDom
......................... xxxxx passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... xxxxx passed test CrossRefValidation
Running enterprise tests on : xxxxx.com
Starting test: LocatorCheck
......................... xxxxx.com passed test LocatorCheck
Starting test: Intersite
......................... xxxxx.com passed test Intersite
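
Added example, not part of the original post: a small Python triage for dcdiag output of the shape shown above. It lists which tests failed per scope and decodes the logged event identifiers to the decimal event IDs shown in Event Viewer. The sample text is constructed from a few lines of the listing, and the names `summarize` and `failed_tests` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample shaped like the dcdiag listing in the post (not a full copy).
SAMPLE = """\
Starting test: Advertising
Warning: DC is not advertising as a time server.
......................... DC failed test Advertising
Starting test: Replications
......................... DC passed test Replications
Starting test: SystemLog
An error event occurred. EventID: 0xC0001B61
Time Generated: 04/25/2017 13:34:13
An error event occurred. EventID: 0xC0001B61
An error event occurred. EventID: 0x0000165B
Time Generated: 04/25/2017 13:38:16
......................... DC failed test SystemLog
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
"""

RESULT = re.compile(r"^\.{3,}\s+(\S+) (passed|failed) test (\S+)$")
EVENT = re.compile(r"EventID:\s*0x([0-9A-Fa-f]{8})")

def summarize(text):
    """Return (results, events).
    results: {(scope, test): 'passed' | 'failed'} in the order reported.
    events:  {test: Counter of decimal event IDs logged inside that test}."""
    results, events, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting test:"):
            current = line.split(":", 1)[1].strip()
        elif (m := RESULT.match(line)):
            results[(m.group(1), m.group(3))] = m.group(2)
            current = None
        elif current and (m := EVENT.search(line)):
            # dcdiag prints the full 32-bit event identifier; the low 16 bits
            # are the event ID shown in Event Viewer (0xC0001B61 -> 7009).
            code = int(m.group(1), 16) & 0xFFFF
            events.setdefault(current, Counter())[code] += 1
    return results, events

def failed_tests(results):
    """List (scope, test) pairs that dcdiag reported as failed."""
    return [key for key, verdict in results.items() if verdict == "failed"]
```

On the constructed sample the Replications test is reported as passed while Advertising, SystemLog and the ForestDnsZones CheckSDRefDom test are reported as failed.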