Verifying the Directory Replication Statuses

From SambaWiki

Introduction

Directory replication is important in an Active Directory (AD) forest with multiple domain controllers (DC) for fail-over and load balancing.

For replication agreements that the Knowledge Consistency Checkers (KCC) create automatically, the following containers are replicated by default:

  • DC=Forest_Root_Domain
  • CN=Configuration,DC=Forest_Root_Domain
  • CN=Schema,CN=Configuration,DC=Forest_Root_Domain
  • DC=ForestDnsZones,DC=Forest_Root_Domain
  • DC=DomainDnsZones,DC=Forest_Root_Domain

Note that if you join a new DC, it can take up to 15 minutes until the KCCs create the connection objects and inbound and outbound replication starts for all containers.



Displaying the Replication Statuses on a Samba DC

The samba-tool drs showrepl command displays the inbound and outbound replication agreements with the other DCs in the AD forest. The output is reported from the viewpoint of the Samba DC on which you run the command.

# samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
DSA invocationId: 7bdb135c-6868-4dd9-9460-33dea4b6b87b

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ Sat May 13 02:52:36 2017 CEST was successful
               0 consecutive failure(s).
               Last success @ Sat May 13 02:52:36 2017 CEST

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ Sat May 13 02:52:36 2017 CEST was successful
               0 consecutive failure(s).
               Last success @ Sat May 13 02:52:36 2017 CEST

CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ Sat May 13 02:52:36 2017 CEST was successful
               0 consecutive failure(s).
               Last success @ Sat May 13 02:52:36 2017 CEST

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ Sat May 13 02:52:36 2017 CEST was successful
               0 consecutive failure(s).
               Last success @ Sat May 13 02:52:36 2017 CEST

DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ Sat May 13 02:52:36 2017 CEST was successful
               0 consecutive failure(s).
               Last success @ Sat May 13 02:52:36 2017 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

CN=Configuration,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com
       Default-First-Site-Name\DC1 via RPC
               DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
               Last attempt @ NTTIME(0) was successful
               0 consecutive failure(s).
               Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
       Connection name: fb03f58b-1654-4a02-8e11-f0ea120b60cc
       Enabled        : TRUE
       Server DNS name : DC1.samdom.example.com
       Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
               TransportType: RPC
               options: 0x00000001
Warning: No NC replicated for Connection!

For further details about the "No NC replicated for Connection!" warning, see FAQ: What does Warning: No NC replicated for Connection! Means.



Displaying the Replication Statuses on a Windows DC

Inbound Replication

To display the inbound replication on a Windows DC:

  • Open a command prompt.
  • Use the repadmin utility to display the inbound connection statuses:
> repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\Windows-DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: aa33af1b-61fe-4f6f-985a-ecbad14d89f4
DSA invocationID: abf82cbc-eebe-4cca-8968-fcc8d0b20d97

==== INBOUND NEIGHBORS ======================================

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\Samba-DC via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ 2017-05-13 00:31:16 was successful.

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\Samba-DC via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ 2017-05-13 00:31:16 was successful.

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\Samba-DC via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ 2017-05-13 00:31:16 was successful.

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\Samba-DC via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ 2017-05-13 00:31:16 was successful.

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\Samba-DC via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ 2017-05-13 00:31:16 was successful.


Outbound Replication

Windows does not support displaying outbound replication connection statuses. To work around the problem, you can display the statuses of the inbound connections on the Samba DCs that the Windows DC replicates to:

  • Log in to a Samba DC.
  • Search the AD for all replication partners of the Windows DC. For example, to display the replication partners of the DC named Windows-DC:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(fromServer=*CN=Windows-DC*)' --cross-ncs dn
# record 1
dn: CN=aa774afb-cb5a-49ce-8f74-be348c471348,CN=NTDS Settings,CN=Samba-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals
In the previous example, one replication partner is returned (host name: Samba-DC). The host name of the replication partner is part of the returned distinguished name (DN).
Verify that each directory container to replicate is listed for the Windows DC in the INBOUND NEIGHBORS section on the Samba DC and the statuses are successful.
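
The verification in the last step, and the reading of the INBOUND NEIGHBORS section shown earlier for the Samba DC, as an added Python example that is not part of this wiki page or of Samba: it parses captured showrepl output and reports every default container for which the given partner is missing or failing. The function names, the abridged sample text and its "failed" line are constructed for illustration.

```python
import re

PREFIXES = ("", "CN=Configuration,", "CN=Schema,CN=Configuration,",
            "DC=ForestDnsZones,", "DC=DomainDnsZones,")  # default containers

def parse_inbound(text):
    """Map (naming context, source DC) -> [last attempt ok, consecutive failures]."""
    m = re.search(r"=+ INBOUND NEIGHBORS =+\n(.*?)(?=\n=+ [A-Z ]+ =+|\Z)", text, re.S)
    found, key = {}, None
    for line in (m.group(1).splitlines() if m else []):
        s = line.strip()
        if s and not line[0].isspace():          # unindented line: container DN
            nc = s.lower()
        elif s.endswith(" via RPC"):             # "Site\DC via RPC"
            key = (nc, s[:-8].split("\\")[-1].lower())
            found[key] = [False, 0]
        elif s.startswith("Last attempt @"):
            found[key][0] = "was successful" in s
        elif (f := re.match(r"(\d+) consecutive failure", s)):
            found[key][1] = int(f.group(1))
    return found

def check_partner(text, root_dn, partner):
    """Return one problem string per default container not replicating from partner."""
    inbound, problems = parse_inbound(text), []
    for prefix in PREFIXES:
        nc = prefix + root_dn
        state = inbound.get((nc.lower(), partner.lower()))
        if state is None:
            problems.append(f"{nc}: no inbound neighbor {partner}")
        elif not state[0] or state[1]:
            problems.append(f"{nc}: failing, {state[1]} consecutive failure(s)")
    return problems

# Constructed, abridged sample in showrepl's layout; the "failed" line is invented.
SAMPLE = """==== INBOUND NEIGHBORS ====
DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\Windows-DC via RPC
\t\tLast attempt @ Sat May 13 02:52:36 2017 CEST was successful
\t\t0 consecutive failure(s).

CN=Configuration,DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\Windows-DC via RPC
\t\tLast attempt @ Sat May 13 02:52:36 2017 CEST failed
\t\t3 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
"""

if __name__ == "__main__":
    print(check_partner(SAMPLE, "DC=samdom,DC=example,DC=com", "Windows-DC"))
```

On a DC, pass the captured output of samba-tool drs showrepl as the first argument instead of SAMPLE; an empty result means all five default containers replicate from the partner without failures.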