Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: The Knew Guy on August 14, 2014, 01:33:23 am

Title: Broken Sysvol Replication as Additional Domain Controller in Windows Environment
Post by: The Knew Guy on August 14, 2014, 01:33:23 am
disclaimer: There are many questions in this post, but the bolded ones are the main ones I need help with.

Synopsis:
In my workplace, I have implemented a Zentyal server as an additional domain controller.  Following Zentyal-Samba 3.5.4, joining my domain FINALLY works.  However, that being said, I am still having problems with my environment that seem to only be fixed by turning the Zentyal box off.

My only interest at this point is to use Zentyal as a Samba based file server.  I'm running ACLs unmanaged in the /etc/zentyal/samba.conf file and it's working well for me.  A day or two after installing and joining successfully to the domain, however, DC replication issues begin to surface.  This wouldn't be a problem, except Zentyal seems to INSIST on being a global catalog (logon) server, which is not something I want.  Especially if it cannot successfully replicate itself to Windows based domain controllers.  My two Win2k3 boxes both have errors on inbound replication from the Zentyal server.  Error 8442 specifically on the DC=domain,DC=tld and on the CN=Configuration,DC=domain,DC=tld containers.  I also get errors about schema mismatch.

What happens after this replication failure issue surfaces is I start getting logon failures and computer trust issues across my network.  People who ARE logged in suddenly cannot access shares on the W2k3 boxes, other users get messages about "Trust account" not found for the workstation they are on.  The computer account exists, but seems to have failed to replicate to Zentyal for whatever reason, even though the replication shows as successful.

Questions:
Eventually, I may run nothing but Zentyal servers once my 2k3 boxes are out of support, but until then, what can I do to make Zentyal not answer logon requests? Or is there a magic cron job I can create to manually fix the sysvol replication and make the logons work?

Other Thoughts:
On a side note, why would Zentyal even talk about or recommend the possibility of Zentyal as an additional domain controller if Samba 4 does not yet support replication of the sysvol share, and why not disable being a logon server or a global catalog server until the replication issue is fixed upstream by the Samba folks?  Why not incorporate options into the web interface to allow the user to check/uncheck "Make Zentyal a Global Catalog server" under AD join or LDAP options?

Or maybe I'm not fully understanding the problem?  Because on the web interface, I can see group policy objects and links.  Is it reading those locally, or from another domain controller?  Why does computer/user authentication fail when computers bind to the Zentyal DC on startup?  Is this also because of the failed replication or schema mismatch?
Title: Re: Broken Sysvol Replication as Additional Domain Controller in Windows Environment
Post by: edmund085 on August 14, 2014, 05:53:59 am
Having the same problem with the replication. My windows server 2008 R2 Datacenter is also giving the same error. 

Code:
Replication of application directory partition DC=domain,DC=tld from source (some numbers with letters) (zentyal server) has been aborted. Replication requires consistent schema but last attempt to synchronize the schema had failed. It is crucial that schema replication functions properly. See previous errors for more diagnostics. If this issue persists, please contact Microsoft Product Support Services for assistance. Error 8418: The replication operation failed because of a schema mismatch between the servers involved.
Title: Re: Broken Sysvol Replication as Additional Domain Controller in Windows Environment
Post by: kernevil on August 14, 2014, 09:04:12 am
Is your server a 2003 or 2003 R2? The sysvol is synced by Zentyal using a script which pulls the sysvol content from the server you join every 15 min.
Title: Re: Broken Sysvol Replication as Additional Domain Controller in Windows Environment
Post by: The Knew Guy on August 14, 2014, 04:12:37 pm
Is your server a 2003 or 2003 R2? The sysvol is synced by Zentyal using a script which pulls the sysvol content from the server you join every 15 min.

Yes, this I can believe, but the problem is the inbound replication from Zentyal to the W2k3 servers.  Since it does not work, it causes problems when users are authenticated against the Zentyal box.  So what happens is this.


In my eyes, the only thing that makes sense is either that Zentyal only be promoted as a RODC - something that Samba 4 does not yet support; or that Zentyal NOT be allowed to participate in domain updates or answer logon requests, unless it is the only domain controller, or unless the entire environment is Samba (in which case we can use rsync as described here: https://wiki.samba.org/index.php/SysVol_Replication).
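The mechanism kernevil describes (a scheduled one-way pull of the joined Windows DC's sysvol into the Samba box) and the rsync approach on the Samba wiki page linked above both boil down to a file mirror plus an ACL reset. The script below is an added example written for this thread; it is not Zentyal's own sysvol script and not the wiki's. It assumes, which the thread does not state, that the Windows DC's SysVol share is already mounted read-only on the Samba side (path SYSVOL_SRC), that the local sysvol is at Samba's default path, and that samba-tool is installed. It only moves files: it does nothing for the directory replication errors (8418/8442) the thread is about, which come from AD DRS, not from sysvol content.

```shell
#!/bin/sh
# Added example (not Zentyal's or Samba's code): one-way SysVol pull for a Samba DC
# that joined a Windows domain, meant to run from cron every 15 minutes.
# ASSUMED: the Windows DC's SysVol share is mounted read-only at SYSVOL_SRC
# (e.g. mount.cifs with a credentials file); SYSVOL_DST is the local Samba sysvol.
set -eu

SYSVOL_SRC="${SYSVOL_SRC:-/mnt/dc1-sysvol}"          # assumed mount point of \\dc1\SYSVOL
SYSVOL_DST="${SYSVOL_DST:-/var/lib/samba/sysvol}"    # Samba's default sysvol location
LOCKDIR="${LOCKDIR:-/run/sysvol-pull.lock}"          # mkdir-based lock, works in plain sh

# pull_sysvol SRC DST: mirror SRC into DST. Returns 2 when SRC is absent, so an
# unmounted share never turns into an emptied sysvol on the Samba side.
pull_sysvol() {
  src="$1"; dst="$2"
  [ -d "$src" ] || { echo "sysvol source $src is missing, not touching $dst" >&2; return 2; }
  mkdir -p "$dst"
  if command -v rsync >/dev/null 2>&1; then
    # -rlt keeps content, symlinks and mtimes; --delete prunes GPOs removed on the
    # Windows side. Ownership and ACLs are deliberately NOT copied from CIFS.
    rsync -rlt --delete "$src"/ "$dst"/
  else
    # Fallback when rsync is not installed: additive copy, stale GPOs are not pruned.
    cp -R "$src"/. "$dst"/
  fi
}

# reset_sysvol_acls: re-stamp the NT ACLs Samba expects on sysvol. Required after
# any out-of-band copy, otherwise Windows clients get access denied reading GPOs.
reset_sysvol_acls() {
  if command -v samba-tool >/dev/null 2>&1; then
    samba-tool ntacl sysvolreset
  else
    echo "samba-tool not found; skipping ACL reset" >&2
  fi
}

# sysvol_sync SRC DST: cron entry point; refuses to overlap a still-running pull.
sysvol_sync() {
  mkdir "$LOCKDIR" 2>/dev/null || { echo "previous pull still running" >&2; return 1; }
  if pull_sysvol "$1" "$2"; then
    rc=0
    reset_sysvol_acls || rc=$?
  else
    rc=$?
  fi
  rmdir "$LOCKDIR"
  return "$rc"
}

# Assumed cron line:  */15 * * * * root /usr/local/sbin/sysvol-pull.sh run
# Running the file with "run" does the pull; sourcing it only defines the functions.
if [ "${1:-}" = "run" ]; then
  sysvol_sync "$SYSVOL_SRC" "$SYSVOL_DST"
fi
```

The pull is strictly one-way, which matches what the thread needs while Windows DCs still own the domain: GPO edits made on the Windows side land on the Samba box, and nothing is ever pushed back. The missing-source check is the part worth keeping even if the rest is rewritten; a cron job that mirrors an unmounted share with --delete wipes the local sysvol.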