Directory and Authentication / Replication Failing due to Schema Mismatch
« on: October 03, 2019, 08:50:38 pm »
Hi All,
I had a prior replication issue I was unable to resolve: https://forum.zentyal.org/index.php/topic,33655.0.html
I ended up demoting that instance of Zentyal and installing a fresh version. Things worked well for a few weeks but now I have encountered a new issue.
I joined a server in a Branch Office to AD, and it looks like the Zentyal server handled the request. If I connect to that DC and check, I see the computer object. But it does not seem to be replicating to other DCs.
Event viewer now complains about a schema mismatch.
Quote
Replication of application directory partition DC=gardien,DC=com from source 40502013-4ca6-435c-b40b-cf265a649a10 (zenserver.domain.com) has been aborted. Replication requires consistent schema but last attempt to synchronize the schema had failed. It is crucial that schema replication functions properly. See previous errors for more diagnostics. If this issue persists, please contact Microsoft Product Support Services for assistance. Error 8418: The replication operation failed because of a schema mismatch between the servers involved..
If I force replication from Windows servers to Windows servers all is fine. If I force replication from a Windows Server To the Zen server all is fine. If I try to replicate FROM the Zen server I get the issue above.
I'm not having much luck tracking this one down. Any help appreciated.
Thanks!
----Update
I tried running
Code:
samba-tool drs replicate --full-sync
to force the Zentyal DC to start a fresh replication, but the issue persists.
Directory and Authentication / Re: Lingering Object errors reported on Zentyal member Domain Controller
« on: August 15, 2019, 05:22:09 pm »
Hi!
Thanks again for the advice.
I have run the manual replication a few times now.
Unfortunately the error still shows up from the Windows DC:
Quote
Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database. Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".
Source domain controller:
4e851e84-f1a2-4f88-a252-ce2fc2dc40f5._msdcs.company.com <--- this is the Zentyal DC
Object:
DC=122\0ADEL:e6508b9b-c06f-420f-b2a0-87ebff728ee5,CN=Deleted Objects,DC=ForestDnsZones,DC=company,DC=com
Object GUID:
e6508b9b-c06f-420f-b2a0-87ebff728ee5 This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database. This replication attempt has been blocked.
Meanwhile samba-tool drs showrepl shows no errors:
Quote
root@torvmdcz01:~# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:torvmdcz01.company.com[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name torvmdcz01.company.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name torvmdcz01.company.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name torvmdcz01.company.com<0x20>
CA-TOR-SITE\TORVMDCZ01
DSA Options: 0x00000001
DSA object GUID: 4e851e84-f1a2-4f88-a252-ce2fc2dc40f5
DSA invocationId: 7c54fa1e-166c-4354-87d9-5ab7c04a5d30
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=company,DC=com
CA-TOR-SITE\TORVMDC01 via RPC
DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
Last attempt @ Thu Aug 15 11:07:18 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:07:18 2019 EDT
DC=company,DC=com
CA-TOR-SITE\TORVMDC01 via RPC
DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
Last attempt @ Thu Aug 15 11:09:06 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:09:06 2019 EDT
DC=company,DC=com
G-SITE\GARSGVMDC01 via RPC
DSA object GUID: 982d5579-19f2-4388-b86a-4262de974456
Last attempt @ Thu Aug 15 11:09:25 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:09:25 2019 EDT
DC=company,DC=com
TW-SG-SITE\GARTYNVMDC01 via RPC
DSA object GUID: 35f096bf-779d-4e86-a78d-94df0bee08e3
Last attempt @ Thu Aug 15 11:09:04 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:09:04 2019 EDT
CN=Schema,CN=Configuration,DC=company,DC=com
CA-TOR-SITE\TORVMDC01 via RPC
DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
Last attempt @ Thu Aug 15 11:07:22 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:07:22 2019 EDT
DC=DomainDnsZones,DC=company,DC=com
CA-TOR-SITE\TORVMDC01 via RPC
DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
Last attempt @ Thu Aug 15 11:07:20 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:07:20 2019 EDT
DC=DomainDnsZones,DC=company,DC=com
TW-SG-SITE\GARTYNVMDC01 via RPC
DSA object GUID: 35f096bf-779d-4e86-a78d-94df0bee08e3
Last attempt @ Thu Aug 15 11:08:04 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:08:04 2019 EDT
CN=Configuration,DC=company,DC=com
CA-TOR-SITE\TORVMDC01 via RPC
DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
Last attempt @ Thu Aug 15 11:07:22 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:07:22 2019 EDT
==== OUTBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=company,DC=com
CA-TOR-SITE\TORVMDC01 via RPC
DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
Last attempt @ Thu Aug 15 11:06:20 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:06:20 2019 EDT
DC=company,DC=com
CA-TOR-SITE\TORVMDC01 via RPC
DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
Last attempt @ Thu Aug 15 11:05:04 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:05:04 2019 EDT
CN=Schema,CN=Configuration,DC=company,DC=com
CA-TOR-SITE\TORVMDC01 via RPC
DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
Last attempt @ Tue Aug 13 15:32:07 2019 EDT was successful
0 consecutive failure(s).
Last success @ Tue Aug 13 15:32:07 2019 EDT
DC=DomainDnsZones,DC=company,DC=com
CA-TOR-SITE\TORVMDC01 via RPC
DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
Last attempt @ Thu Aug 15 11:08:06 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:08:06 2019 EDT
CN=Configuration,DC=company,DC=com
CA-TOR-SITE\TORVMDC01 via RPC
DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
Last attempt @ Thu Aug 15 11:02:54 2019 EDT was successful
0 consecutive failure(s).
Last success @ Thu Aug 15 11:02:54 2019 EDT
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 7d472401-ab78-4c4c-9ae5-4056aafb87c3
Enabled : TRUE
Server DNS name : TORVMDC01.company.com
Server DN name : CN=NTDS Settings,CN=TORVMDC01,CN=Servers,CN=CA-TOR-SITE,CN=Sites,CN=Configuration,DC=company,DC=com
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
To me it seems as though MS AD is checking for consistency inside the Deleted Items folder but Samba AD is disregarding that folder.
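A defender-side check prompted by the output above, as an added example that is not part of the original post or of Samba's tooling: it parses showrepl-style text and flags partitions with consecutive failures, a last success older than a threshold, or a KCC "No NC replicated" warning. The sample is constructed from the post's output (trimmed, with one failing neighbour added); in the post's own output the outbound Schema partition last succeeded two days before the others, which is the kind of lag this surfaces.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the samba-tool drs showrepl output quoted in the post.
# The failing outbound neighbour (3 failures, result 8418) is constructed for illustration.
SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=company,DC=com
    CA-TOR-SITE\\TORVMDC01 via RPC
        DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
        Last attempt @ Thu Aug 15 11:09:06 2019 EDT was successful
        0 consecutive failure(s).
        Last success @ Thu Aug 15 11:09:06 2019 EDT
==== OUTBOUND NEIGHBORS ====
CN=Schema,CN=Configuration,DC=company,DC=com
    CA-TOR-SITE\\TORVMDC01 via RPC
        DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
        Last attempt @ Tue Aug 13 15:32:07 2019 EDT was successful
        0 consecutive failure(s).
        Last success @ Tue Aug 13 15:32:07 2019 EDT
DC=company,DC=com
    CA-TOR-SITE\\TORVMDC01 via RPC
        DSA object GUID: 0ca674bc-46aa-4647-9658-b76d75b5dc42
        Last attempt @ Thu Aug 15 11:05:04 2019 EDT failed, result 8418 (WERR_DS_DRA_SCHEMA_MISMATCH)
        3 consecutive failure(s).
        Last success @ Wed Aug 14 09:00:00 2019 EDT
==== KCC CONNECTION OBJECTS ====
Connection --
    Connection name: 7d472401-ab78-4c4c-9ae5-4056aafb87c3
Warning: No NC replicated for Connection!
"""
TIME_FMT = "%a %b %d %H:%M:%S %Y"             # "Thu Aug 15 11:09:06 2019" (TZ abbreviation dropped)
REFERENCE_NOW = datetime(2019, 8, 15, 11, 10)  # constructed "now" matching the sample's timestamps

def parse_showrepl(text):
    """Return one dict per neighbour: direction, partition, partner, failures, last_success."""
    neighbours, direction, partition, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = re.match(r"==== (INBOUND|OUTBOUND) NEIGHBORS ====", line)
        if hdr:
            direction = hdr.group(1)
            continue
        if line.startswith("===="):                  # KCC section: no more neighbours follow
            direction = None
        if direction is None:
            continue
        if line.endswith(" via RPC"):                # a replication partner for the current partition
            cur = {"direction": direction, "partition": partition,
                   "partner": line[:-len(" via RPC")], "failures": 0, "last_success": None}
            neighbours.append(cur)
        elif line.startswith(("DC=", "CN=")):        # naming context header
            partition = line
        elif re.match(r"\d+ consecutive failure", line):
            cur["failures"] = int(line.split()[0])
        elif line.startswith("Last success @ "):
            stamp = line[len("Last success @ "):].rsplit(" ", 1)[0]
            cur["last_success"] = datetime.strptime(stamp, TIME_FMT)
    return neighbours

def replication_findings(text, now, max_age=timedelta(hours=24)):
    """Neighbours with failures or a stale/absent last success, plus KCC warnings, as strings."""
    findings = []
    for n in parse_showrepl(text):
        age = (now - n["last_success"]) if n["last_success"] else None
        if n["failures"] or age is None or age > max_age:
            findings.append(f"{n['direction']} {n['partition']} partner {n['partner']}: "
                            f"{n['failures']} failure(s), last success {n['last_success']}")
    findings += [l.strip() for l in text.splitlines() if "No NC replicated" in l]
    return findings

if __name__ == "__main__":
    for f in replication_findings(SAMPLE, REFERENCE_NOW):
        print(f)
```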
Directory and Authentication / Re: Lingering Object errors reported on Zentyal member Domain Controller
« on: August 14, 2019, 04:08:03 pm »
I wanted to follow up with this and hope it gets bumped, but I tried to delete the lingering objects with ldbdel and hit another roadblock.
I ran:
ldbdel --show-deleted -H /var/lib/samba/private/sam.ldb "DC=devicename\0ADEL:419bf462-9b46-49e9-8f5b-e2f4a0dbcd68,CN=Deleted Objects,DC=DomainDnsZones,DC=gardien,DC=com"
with the result:
delete of 'DC=devicename\0ADEL:419bf462-9b46-49e9-8f5b-e2f4a0dbcd68,CN=Deleted Objects,DC=DomainDnsZones,DC=gardien,DC=com ' failed - (Unwilling to perform) Refusing to delete tombstone object DC=devicename\0ADEL:419bf462-9b46-49e9-8f5b-e2f4a0dbcd68,CN=Deleted Objects,DC=DomainDnsZones,DC=gardien,DC=com. This check is to prevent corruption of the replicated state.
I could not get past this point. I tried adding a -f flag to force things but that didn't work.
I still have no way to remove these lingering objects unfortunately.
Directory and Authentication / Re: Lingering Object errors reported on Zentyal member Domain Controller
« on: June 26, 2019, 11:05:07 pm »
Thank you for the advice I will give this a shot. Is there any chance you could point me in the right direction with using this tool specific to Zentyal and my issue? I've never edited LDAP entries in Linux directly before and reading this guide it looks like I have a lot to learn.
Directory and Authentication / Lingering Object errors reported on Zentyal member Domain Controller
« on: June 26, 2019, 09:23:54 pm »
Hi All,
We have a Zentyal 6 Server acting as an additional DC in our Windows AD domain.
Recently Windows has started to report an error that some objects contained within the Zen DC are now Lingering Objects. So far my attempts to remove these objects have been thwarted at every pass.
"Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database. Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as "lingering objects".
I was initially able to connect to the Zentyal server using ADSIedit and remove the objects. However, that has just moved the objects to a Deleted Items container, except no matter how hard I try I cannot find that container on the Zen server using ldp.exe or ADSIEdit.
I have tried the command "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>", but cannot seem to make it work.
Any other advice for how I might remove the lingering object shown below?
"Source domain controller:
4e851e84-f1a2-4f88-a252-ce2fc2dc40f5._msdcs.domain.com <--- this is the GUID for the Zentyal DC
Object:
DC=SGADMIN\0ACNF:7fd5fd14-2a31-4335-94f4-be8f5c1c667e\0ADEL:7fd5fd14-2a31-4335-94f4-be8f5c1c667e,CN=Deleted Objects,DC=DomainDnsZones,DC=domain,DC=com
Object GUID:
7fd5fd14-2a31-4335-94f4-be8f5c1c667e This event is being logged because the source DC contains a lingering object which does not exist on the local DCs Active Directory Domain Services database. This replication attempt has been blocked.
The best solution to this problem is to identify and remove all lingering objects in the forest."
Thank you