Difference between revisions of "Samba-tool ldapcmp"

(Refresh ldapcmp page. It's meanwhile integrated in samba-tool)
m (Filter non-synced attributes)
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
samba-tool provides a subcommand for testing LDAP replication between Domain Controllers - regarless if they are running Samba or Windows or mixed.
+
samba-tool provides a subcommand for testing LDAP replication between Domain Controllers - regardless if they are running Samba or Windows or mixed.
 
 
 
 
 
 
 
 
  
 
= Restrictions =
 
= Restrictions =
Line 13: Line 9:
 
* It compares values of attributes of objects returned only by wild-card search so no hidden attributes are processed.
 
* It compares values of attributes of objects returned only by wild-card search so no hidden attributes are processed.
  
* There are certain amount of attributes being ignored explicitly in the script source that have always different values on corresponding objects in two separate DCs.
+
* Certain attributes are explicitly ignored, these are non replicating attributes and they always have different values on the corresponding objects in separate DCs.
 
 
 
 
 
 
 
 
  
 
= How to use? =
 
= How to use? =
Line 32: Line 24:
 
  # samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
 
  # samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
 
  # samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest
 
  # samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest
 +
 +
= Filter non-synced attributes =
 +
 +
* Some attribute are [https://lists.samba.org/archive/samba/2012-September/169136.html known to be different between dc], you can filter them out with the "--filter" switch
 +
 +
* Example without any filter on a perfectly working replication:
 +
 +
'''# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain'''
 +
  Password for [SAMDOM\administrator]:
 +
 +
* Comparing [DOMAIN] context...
 +
 +
* Objects to be compared: 308
 +
 +
Comparing:
 +
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC1]
 +
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC2]
 +
    Attributes found only in ldap://DC1:
 +
        serverState
 +
    FAILED
 +
 +
Comparing:
 +
'DC=samdom,DC=example,DC=com' [ldap://DC1]
 +
'DC=samdom,DC=example,DC=com' [ldap://DC2]
 +
    Attributes found only in ldap://DC1:
 +
        serverState
 +
        msDS-NcType
 +
    FAILED
 +
 +
* Result for [DOMAIN]: FAILURE
 +
 +
SUMMARY
 +
---------
 +
 +
Attributes found only in ldap://DC1:
 +
 +
    msDS-NcType
 +
    serverState
 +
ERROR: Compare failed: -1
 +
 +
* And with the filter:
 +
 +
'''# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain --filter=msDS-NcType,serverState'''
 +
Password for [SAMDOM\administrator]:
 +
 +
* Comparing [DOMAIN] context...
 +
 +
* Objects to be compared: 308
 +
 +
* Result for [DOMAIN]: SUCCESS
 +
 +
* An other attribute is not synced in the "CONFIGURATION" context: '''subrefs''', so the correct check with the filter for the whole setup is:
 +
 +
'''# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator --filter=msDS-NcType,serverState,subrefs'''

Latest revision as of 21:12, 29 July 2015

Introduction

samba-tool provides a subcommand for testing LDAP replication between Domain Controllers - regardless if they are running Samba or Windows or mixed.

Restrictions

  • The comparisation works via LDAP. So the LDAP server must be up and accessible at port 389.
  • It compares values of attributes of objects returned only by wild-card search so no hidden attributes are processed.
  • Certain attributes are explicitly ignored, these are non replicating attributes and they always have different values on the corresponding objects in separate DCs.

How to use?

  • Compare the entire directory on Domain Controller DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
  • Compare single AD partitions on Domain Controller DC1 and DC2:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator configuration
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator schema
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest

Filter non-synced attributes

  • Example without any filter on a perfectly working replication:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
 Password for [SAMDOM\administrator]:

* Comparing [DOMAIN] context...

* Objects to be compared: 308

Comparing:
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC1]
'CN=Builtin,DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
    FAILED

Comparing:
'DC=samdom,DC=example,DC=com' [ldap://DC1]
'DC=samdom,DC=example,DC=com' [ldap://DC2]
    Attributes found only in ldap://DC1:
        serverState
        msDS-NcType
    FAILED

* Result for [DOMAIN]: FAILURE

SUMMARY
---------

Attributes found only in ldap://DC1:

    msDS-NcType
    serverState
ERROR: Compare failed: -1
  • And with the filter:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain --filter=msDS-NcType,serverState
Password for [SAMDOM\administrator]:

* Comparing [DOMAIN] context...

* Objects to be compared: 308

* Result for [DOMAIN]: SUCCESS
  • An other attribute is not synced in the "CONFIGURATION" context: subrefs, so the correct check with the filter for the whole setup is:
# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator --filter=msDS-NcType,serverState,subrefs