Verifying the Directory Replication Statuses
Introduction
Directory replication is important in an Active Directory (AD) forest with multiple domain controllers (DC) for fail-over and load balancing.
To optimize replication latency and cost, the knowledge consistency checker (KCC) on Samba and Windows DCs does not create a fully meshed replication topology between all DCs. For further details, see The Samba KCC.
For replication agreements the KCCs auto-create, the following containers are replicated by default:
DC=Forest_Root_Domain
CN=Configuration,DC=Forest_Root_Domain
CN=Schema,CN=Configuration,DC=Forest_Root_Domain
DC=ForestDnsZones,DC=Forest_Root_Domain
DC=DomainDnsZones,DC=Forest_Root_Domain
Note that if you join a new DC, it can take up to 15 minutes until the KCCs create the connection objects and inbound and outbound replication starts for all containers.
Displaying the Replication Statuses on a Samba DC
The samba-tool drs showrepl command displays the inbound and outbound replication agreements with other DCs in the AD forest. The output is reported from the viewpoint of the Samba DC on which you run the command.
# samba-tool drs showrepl
Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: c14a774f-9732-4ec2-b9fa-2156c95c4e48
DSA invocationId: 7bdb135c-6868-4dd9-9460-33dea4b6b87b

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Sat May 13 02:52:36 2017 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat May 13 02:52:36 2017 CEST

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Sat May 13 02:52:36 2017 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat May 13 02:52:36 2017 CEST

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Sat May 13 02:52:36 2017 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat May 13 02:52:36 2017 CEST

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Sat May 13 02:52:36 2017 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat May 13 02:52:36 2017 CEST

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ Sat May 13 02:52:36 2017 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat May 13 02:52:36 2017 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: fb03f58b-1654-4a02-8e11-f0ea120b60cc
    Enabled : TRUE
    Server DNS name : DC1.samdom.example.com
    Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
For further details about the No NC replicated for Connection! warning, see FAQ: What does Warning: No NC replicated for Connection! Means.
Displaying the Replication Statuses on a Windows DC
Inbound Replication
To display the inbound replication on a Windows DC:
- Open a command prompt.
- Use the repadmin utility to display the inbound connection statuses:
> repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\Windows-DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: aa33af1b-61fe-4f6f-985a-ecbad14d89f4
DSA invocationID: abf82cbc-eebe-4cca-8968-fcc8d0b20d97

==== INBOUND NEIGHBORS ======================================

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\Samba-DC via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ 2017-05-13 00:31:16 was successful.

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\Samba-DC via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ 2017-05-13 00:31:16 was successful.

CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\Samba-DC via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ 2017-05-13 00:31:16 was successful.

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\Samba-DC via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ 2017-05-13 00:31:16 was successful.

DC=ForestDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\Samba-DC via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f
        Last attempt @ 2017-05-13 00:31:16 was successful.
Outbound Replication
Windows does not support displaying outbound replication connection statuses. To work around the problem, you can display the statuses of the inbound connections on Samba DCs the Windows DC replicates to:
- Log in to a Samba DC.
- Search the AD for all replication partners of the Windows DC. For example, to display the replication partners of the DC named Windows-DC:
# ldbsearch -H /usr/local/samba/private/sam.ldb '(fromServer=*CN=Windows-DC*)' --cross-ncs dn
# record 1
dn: CN=aa774afb-cb5a-49ce-8f74-be348c471348,CN=NTDS Settings,CN=Samba-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals
- In the previous example, one replication partner is returned (host name: Samba-DC). The host name of the replication partner is part of the returned distinguished name (DN).
- Log on to every Samba DC retrieved in the previous step and use samba-tool to display the directory replication status. See Displaying the Replication Statuses on a Samba DC.
- Verify that each directory container to replicate is listed for the Windows DC in the INBOUND NEIGHBORS section on the Samba DC and the statuses are successful.
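The last verification step can be scripted. The following is an added example, not part of the original page or of Samba: it parses the text layout of samba-tool drs showrepl shown above and reports which of the five default containers are missing or failing for a given inbound partner. The function names, the sample text and the wording of the failure line are assumptions; the parser relies only on the "was successful" and "consecutive failure(s)" strings that appear in the output above.

```python
import re

ROOT = "DC=samdom,DC=example,DC=com"
# The five containers the page lists as replicated by default.
EXPECTED = [ROOT, "CN=Configuration," + ROOT, "CN=Schema,CN=Configuration," + ROOT,
            "DC=ForestDnsZones," + ROOT, "DC=DomainDnsZones," + ROOT]

def _entry(nc, dc, result, failures):  # one neighbour entry for the sample below
    return (f"{nc}\n\tDefault-First-Site-Name\\{dc} via RPC\n"
            f"\t\tLast attempt @ Sat May 13 02:52:36 2017 CEST {result}\n"
            f"\t\t{failures} consecutive failure(s).\n\n")

# Constructed sample, not captured output: ForestDnsZones is failing and
# DomainDnsZones appears only under OUTBOUND NEIGHBORS, which must not count.
SAMPLE = ("==== INBOUND NEIGHBORS ====\n\n"
          + "".join(_entry(nc, "Windows-DC", "was successful", 0) for nc in EXPECTED[:3])
          + _entry(EXPECTED[3], "Windows-DC", "failed, result 58 (WERR_BAD_NET_RESP)", 3)
          + "==== OUTBOUND NEIGHBORS ====\n\n"
          + _entry(EXPECTED[4], "Windows-DC", "was successful", 0))

def inbound_status(text, partner):
    """Map naming context -> [ok, failures] for inbound links from `partner`."""
    status, section, nc, match = {}, None, None, False
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"==== (.+?) ====", line):
            section = m.group(1)
        elif section != "INBOUND NEIGHBORS":
            continue
        elif re.match(r"(DC|CN)=", line):        # a naming-context DN starts an entry
            nc, match = line.lower(), False
        elif line.endswith(" via RPC"):          # "Site\Host via RPC"
            host = line[:-len(" via RPC")].rsplit("\\", 1)[-1]
            match = host.lower() == partner.lower()
            if match:
                status[nc] = [False, None]
        elif match and line.startswith("Last attempt @"):
            status[nc][0] = "was successful" in line
        elif match and (m := re.match(r"(\d+) consecutive failure", line)):
            status[nc][1] = int(m.group(1))
    return status

def verify(text, partner, expected=EXPECTED):
    """Return [(nc, problem)] for expected containers that are missing or failing."""
    seen, problems = inbound_status(text, partner), []
    for nc in expected:
        ok, failures = seen.get(nc.lower(), (None, None))
        if not ok or failures:
            problems.append((nc, "missing" if ok is None else "failing"))
    return problems
```

To check a live DC, pass the captured output of samba-tool drs showrepl as text and the host name of the Windows DC as partner; an empty list means every expected container is listed and successful.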