Author Topic: Broken Sysvol Replication as Additional Domain Controller in Windows Environment

The Knew Guy
Disclaimer: There are many questions in this post, but the bolded ones are the main ones I need help with.

Synopsis:
In my workplace, I have implemented a Zentyal server as an additional domain controller.  Following Zentyal-Samba 3.5.4, joining my domain FINALLY works.  However, that being said, I am still having problems with my environment that seem to only be fixed by turning the Zentyal box off.

My only interest at this point is to use Zentyal as a Samba based file server.  I'm running ACLs unmanaged in the /etc/zentyal/samba.conf file and it's working well for me.  A day or two after installing and joining successfully to the domain, however, DC replication issues begin to surface.  This wouldn't be a problem, except Zentyal seems to INSIST on being a global catalog (logon) server, which is not something I want.  Especially if it cannot successfully replicate itself to Windows based domain controllers.  My two Win2k3 boxes both have errors on inbound replication from the Zentyal server.  Error 8442 specifically on the DC=domain,DC=tld and on the CN=Configuration,DC=domain,DC=tld containers.  I also get errors about schema mismatch.

What happens after this replication failure issue surfaces is that I start getting logon failures and computer trust issues across my network.  People who ARE logged on suddenly cannot access shares on the W2k3 boxes, other users get messages about "Trust account" not found for the workstation they are on.  The computer account exists, but seems to have failed to replicate to Zentyal for whatever reason, even though the replication shows as successful.

Questions:
Eventually, I may run nothing but Zentyal servers once my 2k3 boxes are out of support, but until then, what can I do to make Zentyal not answer logon requests?  Or is there a magic cron job I can create to manually fix the sysvol replication and make the logons work?

Other Thoughts:
On a side note, why would Zentyal even talk about or recommend the possibility of Zentyal as an additional domain controller if Samba 4 does not yet support replication of the sysvol share, and why not disable being a logon server or a global catalog server until the replication issue is fixed upstream by the Samba folks?  Why not incorporate options into the web interface to allow the user to check/uncheck "Make Zentyal a Global Catalog server" under AD join or LDAP options?

Or maybe I'm not fully understanding the problem?  Because on the web interface, I can see group policy objects and links.  Is it reading those locally, or from another domain controller?  Why does computer/user authentication fail when computers bind to the Zentyal DC on startup?  Is this also because of the failed replication or schema mismatch?

edmund085
Having the same problem with the replication. My windows server 2008 R2 Datacenter is also giving the same error. 

Code:
Replication of application directory partition DC=domain,DC=tld from source (some numbers with letters) (zentyal server) has been aborted. Replication requires consistent schema but last attempt to synchronize the schema had failed. It is crucial that schema replication functions properly. See previous errors for more diagnostics. If this issue persists, please contact Microsoft Product Support Services for assistance. Error 8418: The replication operation failed because of a schema mismatch between the servers involved.
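The Windows event above is the destination's view of a failed inbound pull; the Samba side reports the same failure through `samba-tool drs showrepl`, where each inbound partition carries a "Last attempt @ ... failed, result 8418 (...)" line. What follows is an added example, not code from this thread or from Zentyal: a small POSIX shell script that reads `showrepl` output and lists every inbound partition whose last attempt failed, so the failing partitions can be spotted from cron or a monitoring probe instead of by reading the whole dump. The embedded sample output is constructed for the test; it follows the line layout samba-tool prints, but compare it with your own output before relying on the parser. DC names, site name and GUIDs in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Zentyal: parse the output of
# `samba-tool drs showrepl` (run on the Samba DC; `repadmin /showrepl` is the
# Windows-side equivalent) and list inbound partitions whose last replication
# attempt failed, e.g. with result 8418 (schema mismatch).
set -eu

# Reads showrepl output on stdin and prints one line per failing inbound
# neighbour: "<partition DN> <source DSA> <result code and name>".
failing_inbound() {
    awk '
        /^==== INBOUND NEIGHBORS ====/  { section = "in";  next }
        /^==== OUTBOUND NEIGHBORS ====/ { section = "out"; next }
        section != "in"                 { next }
        /^(DC|CN)=/                     { part = $0; next }   # partition header
        / via RPC/                      { src = $1; next }    # "Site\DC via RPC"
        /Last attempt @/ && /failed, result/ {
            res = $0
            sub(/.*failed, result /, "", res)
            print part, src, res
        }
    '
}

# Exit 0 when no inbound partition is failing, 1 otherwise.
# Real use:  samba-tool drs showrepl | sh check_repl.sh check
replication_ok() {
    n=$(failing_inbound | grep -c '' || true)
    [ "$n" -eq 0 ]
}

# Constructed sample in the showrepl layout (names and GUIDs are made up):
# the Configuration partition replicates, the Schema partition fails with
# 8418, and an outbound failure is present to show that it is ignored.
SAMPLE_SHOWREPL=$(cat <<'EOF'
Default-First-Site-Name\ZENTYAL
DSA Options: 0x00000001
DSA object GUID: 00000000-0000-0000-0000-000000000001
DSA invocationId: 00000000-0000-0000-0000-000000000002

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=domain,DC=tld
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ Thu Aug 14 09:00:02 2014 UTC was successful
        0 consecutive failure(s).
        Last success @ Thu Aug 14 09:00:02 2014 UTC

CN=Schema,CN=Configuration,DC=domain,DC=tld
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ Thu Aug 14 09:00:02 2014 UTC failed, result 8418 (WERR_DS_DRA_SCHEMA_MISMATCH)
        12 consecutive failure(s).
        Last success @ Tue Aug 12 10:15:31 2014 UTC

==== OUTBOUND NEIGHBORS ====

DC=domain,DC=tld
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ Thu Aug 14 09:00:02 2014 UTC failed, result 8418 (WERR_DS_DRA_SCHEMA_MISMATCH)
        3 consecutive failure(s).
        Last success @ Tue Aug 12 10:15:31 2014 UTC
EOF
)

case "${1:-}" in
    check)  replication_ok ;;                                   # pipe showrepl in
    demo)   printf '%s\n' "$SAMPLE_SHOWREPL" | failing_inbound ;;
    *)      : ;;                                                # functions only
esac
```

Run with `demo` to see the parser pick out only the Schema partition; in production pipe real `showrepl` output into `check` and alert on a non-zero exit. A failing Schema partition is the one to chase first, since the Configuration and domain partitions cannot replicate until the schema agrees.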

kernevil
Is your server a 2003 or 2003 R2? The sysvol is synced by Zentyal using a script which pulls the sysvol content from the server you join every 15 min.

The Knew Guy
Quote from: kernevil
Is your server a 2003 or 2003 R2? The sysvol is synced by Zentyal using a script which pulls the sysvol content from the server you join every 15 min.

Yes, this I can believe, but the problem is the inbound replication from zentyal to the w2k3 servers.  Since it does not work, it causes problems when users are authenticated against the zentyal box.  So what happens is this.

  • Zentyal joins domain, and all machines replicate happily
  • Shortly after joining, inbound replication from Zentyal to Windows Server fails, schema mismatch
  • Zentyal responds to Active Directory logon requests from computer and user accounts
  • Since zentyal isn't replicating inbound, user or computer accounts that authenticate against it are "untrusted" when trying to access shares or other resources on the w2k3 servers

In my eyes, the only thing that makes sense is either that Zentyal only be promoted as an RODC - something that Samba 4 does not yet support - or that Zentyal NOT be allowed to participate in domain updates or answer logon requests, unless it is the only domain controller, or unless the entire environment is Samba (in which case we can use rsync as described here → https://wiki.samba.org/index.php/SysVol_Replication).
« Last Edit: August 14, 2014, 04:20:18 pm by The Knew Guy »
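kernevil's 15-minute pull and the rsync approach from the Samba wiki linked above are the same idea: one-way mirroring of SYSVOL from the DC that owns the GPOs, with no real replication. The script below is an added example, not Zentyal's sync script and not the wiki's, showing what such a cron job looks like together with the check a practitioner wants afterwards: a digest comparison of both trees so a stale or missing Policies/{GUID} folder is reported rather than silently served. Assumptions, all hypothetical: the Windows DC's SYSVOL share is already mounted read-only at /mnt/dc1-sysvol (for example with mount.cifs and a low-privilege domain account), the local copy lives at Samba's default /var/lib/samba/sysvol (Zentyal's path may differ), and rsync and samba-tool are installed.

```shell
#!/bin/sh
# Added example, not Zentyal's own sync script: mirror SYSVOL from the Windows
# DC you joined into the local Samba DC, then verify the copy. Intended for a
# cron entry every 15 minutes until real SYSVOL replication is available.
# Assumptions (hypothetical, adjust to your site): the Windows DC's SYSVOL
# share is mounted read-only at /mnt/dc1-sysvol, and the local copy lives at
# /var/lib/samba/sysvol (Samba's default; Zentyal's path may differ).
set -eu

SRC="${SYSVOL_SRC:-/mnt/dc1-sysvol}"
DST="${SYSVOL_DST:-/var/lib/samba/sysvol}"

# Print "relative-path crc" for every regular file under $1, sorted, so two
# trees can be compared line by line.
tree_digest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$f" "$(cksum < "$f" | cut -d' ' -f1)"
      done )
}

# Return 0 when $1 and $2 hold the same files with the same content,
# 1 otherwise, printing the differing entries (a GPO that is missing or
# stale on the Samba side shows up here).
sysvol_drift() {
    ta=$(mktemp); tb=$(mktemp)
    tree_digest "$1" > "$ta"
    tree_digest "$2" > "$tb"
    if cmp -s "$ta" "$tb"; then
        rm -f "$ta" "$tb"; return 0
    fi
    diff "$ta" "$tb" || true
    rm -f "$ta" "$tb"; return 1
}

# One pull: mirror the share (--delete removes GPOs deleted on the Windows
# side; --no-perms/--no-owner/--no-group ignore the CIFS mount's fake mode
# bits), restore the NT ACLs Samba expects on sysvol, then verify the copy.
pull_sysvol() {
    rsync -a --delete --no-perms --no-owner --no-group "$SRC/" "$DST/"
    samba-tool ntacl sysvolreset
    if sysvol_drift "$SRC" "$DST"; then
        echo "sysvol in sync with $SRC"
    else
        echo "sysvol still differs from $SRC" >&2
        return 1
    fi
}

case "${1:-}" in
    pull)   pull_sysvol ;;
    check)  sysvol_drift "$SRC" "$DST" ;;
    *)      : ;;    # no action given: only define the functions
esac
```

A cron line such as `*/15 * * * * root /usr/local/sbin/sysvol-pull.sh pull` (assumed path) gives the same cadence kernevil describes. Two caveats: the mirror is strictly one-way, so GPOs must only ever be edited on the Windows DC, and `sysvolreset` installs Samba's default sysvol ACLs rather than the per-GPO ACLs set on the Windows side. Neither step touches directory replication, so the 8418/8442 failures and the logon problems discussed above are not fixed by it; it only keeps the policy files that clients bound to Zentyal will fetch consistent with the Windows DCs.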