On Fri, 27 Feb 2015, mete bilgin wrote:
2015-02-27 12:23 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

On Fri, 27 Feb 2015, mete bilgin wrote:

[0000] 85 A6 68 FD 0D BF 20 B8                            ..h... .
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4e2a90
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4e2a90
s4_tevent: Destroying timer event 0x7fed9c0487b0 "tevent_req_timedout"
s4_tevent: Destroying timer event 0x7fed9c044ed0 "dcerpc_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fed9c4e2760
s4_tevent: Run immediate event "tevent_req_trigger": 0x7fed9c4e2760
    netr_LogonControl2Ex: struct netr_LogonControl2Ex
       out: struct netr_LogonControl2Ex
           query                    : *
               query                    : union
               info2                    : *
                   info2: struct netr_NETLOGON_INFO_2
                       flags                    : 0x00000080 (128)
                              0: NETLOGON_REPLICATION_NEEDED
                              0: NETLOGON_REPLICATION_IN_PROGRESS
                              0: NETLOGON_FULL_SYNC_REPLICATION
                              0: NETLOGON_REDO_NEEDED
                              0: NETLOGON_HAS_IP
                              0: NETLOGON_HAS_TIMESERV
                              0: NETLOGON_DNS_UPDATE_FAILURE
                              1: NETLOGON_VERIFY_STATUS_RETURNED
                       pdc_connection_status    : WERR_NO_LOGON_SERVERS
                       trusted_dc_name          : *
                           trusted_dc_name          : ''
                       tc_connection_status     : WERR_NO_LOGON_SERVERS
           result                   : WERR_OK

Here is the result -- AD DC was unable to reach IPA DC. Check your
firewall and DNS records.

For DNS, make sure you can resolve SRV record _ldap._tcp.IPADOMAIN.COM
from AD DC console.

For firewall, see

/ Alexander Bokovoy


I think it gets the entry for the replication server. That's the problem. I remove the
replica on the DNS server.
Yes, you can temporarily remove the entry for a replica from the SRV

Alternative would be to run ipa-adtrust-install on that replica too.


Server:  UnKnown
Address:  ::1

Non-authoritative answer:
_ldap._tcp.bilyoner.com SRV service location:
         priority       = 0
         weight         = 100
         port           = 389
         svr hostname   = ipa02.ipadomain.com
_ldap._tcp.bilyoner.com SRV service location:
         priority       = 0
         weight         = 100
         port           = 389
         svr hostname   = ipa01.domain.com

ipa02.ipadomain.com      internet address =
ipa01.ipadomain.com      internet address =

/ Alexander Bokovoy
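
The SRV check discussed in this thread, as an added example that is not part of the original messages: it parses the text printed by `nslookup -type=SRV _ldap._tcp.<domain>` on the AD DC and flags every SRV target that came back without an address or that is not a trust-capable IPA server. The host names, addresses and the `trust_ready` set (hosts where the administrator has run ipa-adtrust-install) are assumptions.

```python
import re

# Constructed sample in the layout Windows nslookup prints for an SRV query;
# the host names and the address are made up for this example.
SAMPLE = """\
_ldap._tcp.ipa.example SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipa02.ipa.example
_ldap._tcp.ipa.example SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ipa01.ipa.example

ipa01.ipa.example      internet address = 192.0.2.11
"""

def parse_srv(text):
    """Return (srv_records, addresses) parsed from nslookup SRV output."""
    records, addresses, current = [], {}, None
    for line in text.splitlines():
        if re.match(r"^\S+\s+SRV service location:", line):
            current = {}
            records.append(current)
            continue
        m = re.match(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)", line)
        if m and current is not None:
            key, val = m.groups()
            current[key] = val.lower().rstrip(".") if key == "svr hostname" else int(val)
            continue
        # An address line with an empty value does not match and is treated as missing.
        m = re.match(r"^(\S+)\s+internet address\s*=\s*(\S+)", line)
        if m:
            addresses.setdefault(m.group(1).lower().rstrip("."), []).append(m.group(2))
    return records, addresses

def audit(text, trust_ready):
    """Flag SRV targets an AD DC could pick that cannot serve the trust.

    trust_ready is an assumption supplied by the administrator: the lowercase
    names of IPA servers on which ipa-adtrust-install has been run.
    """
    findings = []
    records, addresses = parse_srv(text)
    for rec in records:
        host = rec.get("svr hostname")
        if host not in addresses:
            findings.append((host, "no address record returned"))
        if host not in trust_ready:
            findings.append((host, "ipa-adtrust-install not run here"))
    return findings
```
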

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project