samba-users May 2010 archive

Re: [Samba] Problems with W2K8R2 <-> S4 replication

From: Michael Wood <esiotrot_at_nospam>
Date: Tue May 25 2010 - 06:48:34 GMT
To: "Dmitry A. Khromov" <>

On 23 May 2010 19:32, Dmitry A. Khromov <> wrote:
> Michael Wood <> wrote:
>>I am not sure if this is the problem, but make sure the time is
>>correct on both machines. I got what I think were similar errors when
>>my VM decided to get 2 hours out of sync with reality.
> Time is synchronized via NTP and kinit works fine, however, I've done
> ntpdate with dc0 for sure:
> dc1 samba # ntpdate
> 23 May 20:37:21 ntpdate[28533]: adjust time server offset
> -0.016606 sec
> Also I've noticed that after successful initial (first run after net
> vampire) DNS records update I get the following in my samba.log:
> --------------------------------------
> dc1 samba # cat var/samba.log | grep -A 2 -B 1 TSIG
> [Sun May 23 14:02:18 2010 MSD, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify
> failure
> [Sun May 23 14:02:18 2010 MSD, 0
> ../../lib/util/util_runcmd.c:288:samba_runcmd_io_handler()]
> /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
> ----------[output truncated]----------

These are because your dynamic DNS updates are not correctly
configured. I am not sure exactly how to configure this correctly. I
thought I had it working and then found later that it actually wasn't.
 I suspect you will need to read the bind9 documentation and you might
have to turn up named's debug level.

> Also, I've tried to rejoin Samba (by deleting /usr/local/samba entirely,
> invoking "metadata cleanup" in ntdsutil, deleting computer object in AD U&C
> and cleaning up DNS entries), result is slightly different - the log still
> floods with errors (more than 6 hours already). And yes, at least part of
> replication is working - I may modify users/computers objects in AD U&C and
> the changes will be synchronized in tens of seconds. However - I still want
> to try Samba as the only DC in domain (and need to transfer roles before
> demoting dc0).

-- Michael Wood <>