Hi Martin,
- No firewall
- Version 4.1.17-Debian
- role transfer: The requested FSMO operation failed. The current FSMO
holder could not be contacted.
- replication error is: 8452, The naming context is in the process of being
removed or is not replicated from the specified server
root@sandbox:~# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bgroup,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bgroup,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bgroup,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bgroup,DC=local
SchemaMasterRole owner: CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bgroup,DC=local
root@sandbox:~# samba-tool drs showrepl
Default-First-Site-Name\SANDBOX
DSA Options: 0x00000000
DSA object GUID: c020e470-aa0e-4e80-aa20-a0b6a5244b10
DSA invocationId: 2c50db5f-7cc1-498d-9fbf-d1ee228ffcb7
==== INBOUND NEIGHBORS ====
DC=bgroup,DC=local
Default-First-Site-Name\AD via RPC
DSA object GUID: 34cf4523-ea8b-472a-8328-f7879350885e
Last attempt @ Fri Mar 20 14:17:34 2015 CET was successful
0 consecutive failure(s).
Last success @ Fri Mar 20 14:17:34 2015 CET
DC=bgroup,DC=local
Default-First-Site-Name\BDC via RPC
DSA object GUID: 681d15df-1059-4916-87c8-66b6bdf7b849
Last attempt @ Fri Mar 20 14:30:39 2015 CET failed, result 121 (WERR_SEM_TIMEOUT)
13 consecutive failure(s).
Last success @ Fri Mar 20 14:04:11 2015 CET
DC=bgroup,DC=local
Default-First-Site-Name\WEB1 via RPC
DSA object GUID: cb9e5d7b-0767-431d-8a9e-5117587e6aec
Last attempt @ Fri Mar 20 14:18:34 2015 CET failed, result 2 (WERR_BADFILE)
213 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\AD via RPC
DSA object GUID: 34cf4523-ea8b-472a-8328-f7879350885e
Last attempt @ Fri Mar 20 14:18:35 2015 CET was successful
0 consecutive failure(s).
Last success @ Fri Mar 20 14:18:35 2015 CET
CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\BDC via RPC
DSA object GUID: 681d15df-1059-4916-87c8-66b6bdf7b849
Last attempt @ Fri Mar 20 14:28:39 2015 CET failed, result 121 (WERR_SEM_TIMEOUT)
3 consecutive failure(s).
Last success @ Fri Mar 20 14:00:37 2015 CET
CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\QDC via RPC
DSA object GUID: 223858ab-f682-4210-8ee1-060195de93c4
Last attempt @ Fri Mar 20 14:19:35 2015 CET failed, result 2 (WERR_BADFILE)
215 consecutive failure(s).
Last success @ NTTIME(0)
CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\WEB1 via RPC
DSA object GUID: cb9e5d7b-0767-431d-8a9e-5117587e6aec
Last attempt @ Fri Mar 20 14:19:36 2015 CET failed, result 2 (WERR_BADFILE)
213 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=bgroup,DC=local
Default-First-Site-Name\AD via RPC
DSA object GUID: 34cf4523-ea8b-472a-8328-f7879350885e
Last attempt @ Fri Mar 20 14:15:32 2015 CET was successful
0 consecutive failure(s).
Last success @ Fri Mar 20 14:15:32 2015 CET
DC=DomainDnsZones,DC=bgroup,DC=local
Default-First-Site-Name\WEB1 via RPC
DSA object GUID: cb9e5d7b-0767-431d-8a9e-5117587e6aec
Last attempt @ Fri Mar 20 14:15:32 2015 CET failed, result 2 (WERR_BADFILE)
213 consecutive failure(s).
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=bgroup,DC=local
Default-First-Site-Name\BDC via RPC
DSA object GUID: 681d15df-1059-4916-87c8-66b6bdf7b849
Last attempt @ Fri Mar 20 14:31:39 2015 CET failed, result 121 (WERR_SEM_TIMEOUT)
6 consecutive failure(s).
Last success @ Fri Mar 20 14:03:24 2015 CET
CN=Schema,CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\AD via RPC
DSA object GUID: 34cf4523-ea8b-472a-8328-f7879350885e
Last attempt @ Fri Mar 20 14:19:36 2015 CET was successful
0 consecutive failure(s).
Last success @ Fri Mar 20 14:19:36 2015 CET
CN=Schema,CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\BDC via RPC
DSA object GUID: 681d15df-1059-4916-87c8-66b6bdf7b849
Last attempt @ Fri Mar 20 14:20:36 2015 CET failed, result 121 (WERR_SEM_TIMEOUT)
2 consecutive failure(s).
Last success @ Fri Mar 20 14:00:38 2015 CET
CN=Schema,CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\QDC via RPC
DSA object GUID: 223858ab-f682-4210-8ee1-060195de93c4
Last attempt @ Fri Mar 20 14:20:36 2015 CET failed, result 2 (WERR_BADFILE)
215 consecutive failure(s).
Last success @ NTTIME(0)
CN=Schema,CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\WEB1 via RPC
DSA object GUID: cb9e5d7b-0767-431d-8a9e-5117587e6aec
Last attempt @ Fri Mar 20 14:20:37 2015 CET failed, result 2 (WERR_BADFILE)
213 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=bgroup,DC=local
Default-First-Site-Name\AD via RPC
DSA object GUID: 34cf4523-ea8b-472a-8328-f7879350885e
Last attempt @ Fri Mar 20 14:16:33 2015 CET was successful
0 consecutive failure(s).
Last success @ Fri Mar 20 14:16:33 2015 CET
DC=ForestDnsZones,DC=bgroup,DC=local
Default-First-Site-Name\WEB1 via RPC
DSA object GUID: cb9e5d7b-0767-431d-8a9e-5117587e6aec
Last attempt @ Fri Mar 20 14:16:33 2015 CET failed, result 2 (WERR_BADFILE)
213 consecutive failure(s).
Last success @ NTTIME(0)
DC=ForestDnsZones,DC=bgroup,DC=local
Default-First-Site-Name\BDC via RPC
DSA object GUID: 681d15df-1059-4916-87c8-66b6bdf7b849
Last attempt @ Fri Mar 20 14:32:39 2015 CET failed, result 121 (WERR_SEM_TIMEOUT)
5 consecutive failure(s).
Last success @ Fri Mar 20 14:03:18 2015 CET
==== OUTBOUND NEIGHBORS ====
DC=bgroup,DC=local
Default-First-Site-Name\BDC via RPC
DSA object GUID: 681d15df-1059-4916-87c8-66b6bdf7b849
Last attempt @ Fri Mar 20 14:15:31 2015 CET failed, result 121 (WERR_SEM_TIMEOUT)
14 consecutive failure(s).
Last success @ Fri Mar 20 14:00:39 2015 CET
CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\BDC via RPC
DSA object GUID: 681d15df-1059-4916-87c8-66b6bdf7b849
Last attempt @ Fri Mar 20 13:40:40 2015 CET was successful
0 consecutive failure(s).
Last success @ Fri Mar 20 13:40:40 2015 CET
CN=Schema,CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\BDC via RPC
DSA object GUID: 681d15df-1059-4916-87c8-66b6bdf7b849
Last attempt @ Fri Mar 20 13:13:05 2015 CET was successful
0 consecutive failure(s).
Last success @ Fri Mar 20 13:13:05 2015 CET
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 1b378285-869b-4426-b382-eb1c7f88398d
Enabled : TRUE
Server DNS name :
Server DN name : CN=NTDS Settings,CN=QDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bgroup,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: 94fe4865-1083-4dfe-954c-8333a11f5a12
Enabled : TRUE
Server DNS name : web1.bgroup.local
Server DN name : CN=NTDS Settings,CN=WEB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bgroup,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: a2ef32de-8072-48fb-93dc-e2fb8df637ec
Enabled : TRUE
Server DNS name : AD.bgroup.local
Server DN name : CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bgroup,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
Connection name: cae9657b-8b9d-435e-b6a2-55ad6527893e
Enabled : TRUE
Server DNS name : BDC.bgroup.local
Server DN name : CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bgroup,DC=local
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
2015-03-20 14:15 GMT+01:00 Martin Simovic <[email protected]>:
> Hi Daniel,
>
> The following information would help:
>
> - Is your samba4 server on the same subnet as your windows AD controller? Is
> there any firewall in between the two?
> - What is your exact samba version?
> - I assume you are using "samba-tool fsmo seize" to transfer the role back
> to Windows AD? Do you get any errors?
> - What is the output of "samba-tool fsmo show"?
> - What symptoms do you experience to judge that replication is not working?
> - What is the output of "samba-tool drs showrepl"?
>
> Best Regards
> Martin.
>
>
>
> On 20 Mar 2015, at 13:57, Dániel L. <[email protected]> wrote:
>
> Hi Martin,
>
> I've transferred the schema master role to samba4, and managed to extend
> the schema with openchange provision,
> but I can't retransfer the master to the original windows ad,
> and the replication won't work.
> Any suggestions?
>
> Thanks again,
> Daniel
>
> 2015-03-17 19:33 GMT+01:00 Martin Simovic <[email protected]>:
>
>> Hi Daniel,
>>
>> I understand the exchange schema provisioning can be done two ways:
>>
>> 1. Running openchange_provision on Linux DC
>> 2. Running exchange setup on Windows DC
>>
>> Whichever one you choose, the result should be the same. You can use only
>> one approach though, not both at the same time.
>>
>> I think you misread Julian’s post from openchange mailing list. The issue
>> was, that the user was trying to run openchange_provision on read-only
>> domain controller (RODC) which is not possible. Furthermore, it is
>> explained that samba4 DC must be master to be able to extend the schema OR
>> schema must be extended on another (master) domain controller. This in your
>> case would be your Windows DC.
>>
>> I would like to add a third option: transfer the master role to Linux DC,
>> extend the schema (openchange_provision) and then cease the role back to
>> Windows DC. The result should be the same.
>> I have used the third (myself invented) approach since it was easier for
>> me to run schema extension from Linux DC, using linux command line tools
>> rather than learning how this is done from Windows environment.
>>
>> Needless to say, I backed up my AD before and after every step taken.
>> That should answer your (legitimate) worries, broken AD is the worst
>> nightmare I admit!
>>
>> Best Regards
>> Martin.
>>
>>
>> On 17 Mar 2015, at 18:44, Dániel L. <[email protected]> wrote:
>>
>> Hello Martin,
>>
>> Thank You for the answer.
>> I'm afraid, the openchange provision tool will mess up the AD structure.
>> All our system relies on it.
>> As suggested in the following openchange mailing, the openchange
>> provisioning of active directory should be avoided, and
>> the schema extension should be made by the exchange setup on the windows
>> side:
>> http://mailman.openchange.org/pipermail/devel/2013-February/005554.html
>>
>>
>> https://technet.microsoft.com/en-us/library/bb125224%28v=exchg.150%29.aspx#Step1
>>
>> What's your opinion on this?
>>
>> Thanks again,
>> Daniel
>>
>> 2015-03-17 16:25 GMT+01:00 Martin Simovic <[email protected]>:
>>
>>> Hi,
>>>
>>> I don’t know about any existing howto related to this scenario, yet I
>>> think I can help since at our site we’re running exactly the same setup.
>>> To be able to extend AD schema on Linux DC it needs to be promoted to
>>> schema master. You can use standard AD management tools GUI or command line
>>> from Linux DC - samba-tool fsmo does the job.
>>>
>>> After you extended the AD schema you can cease the role back to Windows
>>> AD controller. Just a note, you better be running at least Samba 4.1 series
>>> on Linux DC, older versions (4.0.X) were having problems with fsmo
>>> transfers. Still, it’s always a good idea to backup your AD before applying
>>> any changes to it.
>>>
>>> Hope this helps,
>>>
>>> Best Regards
>>> Martin Simovic
>>>
>>>
>>>
>>>
>>> > On 17 Mar 2015, at 11:50, Dániel L. <[email protected]>
>>> wrote:
>>> >
>>> > Dear Sogo Users,
>>> >
>>> >
>>> > We have an existing Active Directory server, which we use for central
>>> authentication.
>>> > I'd like to implement Openchange & Sogo with native Outlook support.
>>> >
>>> > So I've installed Samba4 and joined it to the Active Directory as a DC.
>>> > Unfortunately, the "openchange_provision --standalone" command won't
>>> work, because the samba4 DC is not master.
>>> > Is it safe to promote samba4 to master DC and promote back to Active
>>> directory,
>>> > or is there a solution to extend active directory's schema with
>>> exchange schema (without installing exchange itself)?
>>> >
>>> >
>>> > Is there any working HowTo on this out there?
>>> > Any help is appreciated,
>>> >
>>> > Thank You in advance,
>>> > Daniel
>>>
>>>
>>
>>
>
>
--
[email protected]
https://inverse.ca/sogo/lists
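
An added example, not part of the thread: a small Python parser for the `samba-tool drs showrepl` layout quoted at the top of this message, listing every replication link with consecutive failures and whether it has ever succeeded. The sample text is constructed (abridged from the output above) and `failing_neighbors` is a hypothetical helper name.

```python
import re

# Constructed sample: abridged lines in the `samba-tool drs showrepl` layout quoted above.
SAMPLE = r"""==== INBOUND NEIGHBORS ====
DC=bgroup,DC=local
Default-First-Site-Name\AD via RPC
Last attempt @ Fri Mar 20 14:17:34 2015 CET was successful
0 consecutive failure(s).
DC=bgroup,DC=local
Default-First-Site-Name\BDC via RPC
Last attempt @ Fri Mar 20 14:30:39 2015 CET failed, result 121
(WERR_SEM_TIMEOUT)
13 consecutive failure(s).
Last success @ Fri Mar 20 14:04:11 2015 CET
CN=Configuration,DC=bgroup,DC=local
Default-First-Site-Name\WEB1 via RPC
Last attempt @ Fri Mar 20 14:19:36 2015 CET failed, result 2
(WERR_BADFILE)
213 consecutive failure(s).
Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
DC=bgroup,DC=local
Default-First-Site-Name\BDC via RPC
Last attempt @ Fri Mar 20 14:15:31 2015 CET failed, result 121 (WERR_SEM_TIMEOUT)
14 consecutive failure(s).
Last success @ Fri Mar 20 14:00:39 2015 CET
"""

def failing_neighbors(text):
    """Return one dict per replication link that reports consecutive failures."""
    links, section, nc, cur = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"==== (\w+) NEIGHBORS ====", line):
            section = m.group(1).lower()        # "inbound" or "outbound"
        elif line.startswith("===="):
            section = None                      # other sections (KCC) are skipped
        elif section and re.match(r"(DC|CN)=", line):
            nc = line                           # naming context header
        elif section and (m := re.match(r"[^\\]+\\(\S+) via ", line)):
            cur = {"dir": section, "nc": nc, "dsa": m.group(1), "werr": None, "never": False}
            links.append(cur)
        elif section and cur:
            if m := re.search(r"\((WERR_\w+)\)", line):
                cur["werr"] = m.group(1)        # same line or a wrapped continuation
            elif m := re.match(r"(\d+) consecutive failure", line):
                cur["failures"] = int(m.group(1))
            elif line.startswith("Last success @"):
                cur["never"] = line.endswith("NTTIME(0)")  # link has never replicated
    return [link for link in links if link.get("failures", 0) > 0]
```

Feeding it the real command output groups the failures by partner, which separates a partner that stopped answering recently from one that has never replicated at all (`never` is true).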