
DNS error on BDC

Published: October 20, 2018 - 08:01
by Eric
Hello,

I'm getting numerous errors on a BDC3:

UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 447da004-332f-42e7-90f9-7703dfe80125._msdcs.lyceeader.eu DC=DomainDnsZones,DC=lyceeader,DC=eu
[2018/10/20 07:54:09.599058, 0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)

I have a correct ADBDC1 with the fsmo role on the second BDC2, which also correctly points to ADBDC1. BDC3 (the one with the problems) also correctly points to ADBDC1.


This error occurs every few seconds. I don't understand the reason for it, and my internet searches haven't yielded anything that points me toward a convincing solution. Do you have any ideas?
Thank you in advance,
sincerely,
Eric

Re: DNS error on BDC

Published: October 25, 2018 - 09:59
by dcardon
Hello Eric,
Eric wrote: Oct 20, 2018 - 08:01 I have many errors on a BDC3.
As a reminder, it's best to avoid AD server names like PDC and BDC. In Active Directory, all RWDCs (i.e., DCs that are not RODCs) are considered equal; there are no Primary DCs or Backup DCs. With FSMO roles, some DCs are indeed more equal than others (to paraphrase George Orwell), but the PDC/BDC distinction doesn't exist as it does in NT4.

With the concept of RODC, Microsoft has recreated an equivalent of the BDC concept.

Eric wrote: Oct 20, 2018 - 08:01 UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 447da004-332f-42e7-90f9-7703dfe80125._msdcs.lyceeader.eu DC=DomainDnsZones,DC=lyceeader,DC=eu
[2018/10/20 07:54:09.599058, 0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)

I have a correct ADBDC1 with the fsmo role on the second BDC2. The fsmo role correctly points to ADBDC1, and BDC3 (the one that has problems) also points to ADBDC1.

This error occurs every second; I don't understand the reason, and internet searches haven't yielded anything that points me toward a viable solution. Do you have any ideas?
FSMO roles are very rarely the source of a problem. If only the DomainDnsZones partition is causing an issue, the best solution is to demote it and rejoin it. To demote it, simply stop Samba, clean the /var/lib/samba directory (you will need to recreate the empty /var/lib/samba/private directory afterward), and then run `samba-tool domain demote --remove-other-dead-server=BDC3` on ADBDC1.

Sincerely,

Denis

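As an added illustration (not part of Denis's reply and not Samba's own documentation), here is the procedure from the reply above written out as a shell script that makes explicit which host each step runs on: the wipe and the rejoin happen on the broken DC, the `--remove-other-dead-server` demote runs on the healthy one. The hostnames ADBDC1 and BDC3 and the realm lyceeader.eu come from the thread; the `administrator` account, the `samba-ad-dc` service name, the `SAMBA_INTERNAL` DNS backend, the `/etc/samba/smb.conf` path, driving the DCs over ssh as root, and moving `/var/lib/samba` aside instead of deleting it are assumptions made here. With `DRY_RUN=1` it only prints the plan.

```shell
#!/bin/sh
# Added example, not code from the forum post. Demote-and-rejoin of a Samba
# AD DC, split by host and driven over ssh from an admin workstation.
# Assumptions (adjust to your site): root ssh to both DCs, service name
# samba-ad-dc, DNS backend SAMBA_INTERNAL, smb.conf in /etc/samba.
# DRY_RUN=1 prints every command with the host it would run on.

GOOD_DC=${GOOD_DC:-ADBDC1}          # healthy DC, source of the replica
DEAD_DC=${DEAD_DC:-BDC3}            # DC to wipe, remove from AD and rejoin
REALM=${REALM:-lyceeader.eu}
ADMIN=${ADMIN:-administrator}
SAMBA_SVC=${SAMBA_SVC:-samba-ad-dc} # plain "samba" on some distributions
DRY_RUN=${DRY_RUN:-0}

# run_on HOST CMD...: run CMD on HOST via ssh, or print "[HOST] CMD" if DRY_RUN=1.
run_on() {
    host=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf '[%s] %s\n' "$host" "$*"
    else
        ssh "root@$host" "$*"
    fi
}

# 1. Pre-flight on the healthy DC: confirm the DC about to be removed holds
#    no FSMO role (otherwise seize them first) and record replication state.
preflight() {
    run_on "$GOOD_DC" samba-tool fsmo show
    run_on "$GOOD_DC" samba-tool drs showrepl
}

# 2. On the broken DC: stop Samba, move its database directory aside (kept
#    for later inspection rather than rm -rf), recreate the empty private/
#    directory, and get the old smb.conf out of the way (the join writes one).
wipe_dead_dc() {
    run_on "$DEAD_DC" systemctl stop "$SAMBA_SVC"
    run_on "$DEAD_DC" mv /var/lib/samba "/var/lib/samba.old-$(date +%Y%m%d)"
    run_on "$DEAD_DC" mkdir -p /var/lib/samba/private
    run_on "$DEAD_DC" mv /etc/samba/smb.conf /etc/samba/smb.conf.old
}

# 3. On the healthy DC: remove the dead DC's objects (server, NTDS Settings,
#    DNS records) from the directory. This command runs on the survivor.
remove_dead_dc() {
    run_on "$GOOD_DC" samba-tool domain demote "--remove-other-dead-server=$DEAD_DC"
}

# 4. On the wiped DC: join again as a DC, replicating from GOOD_DC, then
#    copy SysVol by hand (Samba has no SysVol replication) and reset its ACLs.
rejoin_dc() {
    run_on "$DEAD_DC" samba-tool domain join "$REALM" DC -U "$ADMIN" \
        "--server=$GOOD_DC" --dns-backend=SAMBA_INTERNAL
    run_on "$DEAD_DC" systemctl start "$SAMBA_SVC"
    run_on "$GOOD_DC" rsync -XAavz --delete-after /var/lib/samba/sysvol/ \
        "root@$DEAD_DC:/var/lib/samba/sysvol/"
    run_on "$DEAD_DC" samba-tool ntacl sysvolreset
}

# 5. Verify from both sides: every partition, DomainDnsZones included, must
#    show successful inbound/outbound replication, and dbcheck must be clean.
verify() {
    run_on "$GOOD_DC" samba-tool drs showrepl
    run_on "$DEAD_DC" samba-tool drs showrepl
    run_on "$DEAD_DC" samba-tool dbcheck --cross-ncs
}

# The whole procedure in order.
all_steps() {
    preflight
    wipe_dead_dc
    remove_dead_dc
    rejoin_dc
    verify
}

# Only act when invoked as "script run"; sourcing the file just defines functions.
if [ "${1:-}" = run ]; then
    all_steps
fi
```

Two points the script makes visible that the reply leaves implicit: the `--remove-other-dead-server` demote is issued on the surviving DC against the name of the dead one, never on the dead DC itself; and because wiping `/var/lib/samba` also discards SysVol, group policy data has to be copied back from a healthy DC after the join, since Samba does not replicate it.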
Re: DNS error on BDC

Published: November 14, 2018 - 06:24
by Eric
Hello,
Thank you so much for your help.

dcardon wrote: Oct 25, 2018 - 09:59
Hello Eric,

Eric wrote: Oct 20, 2018 - 08:01 I have many errors on a BDC3.

As a reminder, it is best to avoid AD server names like PDC and BDC. Indeed, in Active Directory, all RWDCs (i.e., DCs that are not RODCs) are all equal; there is no Primary DC and Backup DC. With FSMO roles, there are indeed DCs that are more equal than others (to paraphrase G. Orwell), but there is no PDC/BDC distinction like in NT4.

With the concept of RODC, Microsoft has recreated an equivalent of the BDC concept.

Eric wrote: Oct 20, 2018 - 08:01 UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 447da004-332f-42e7-90f9-7703dfe80125._msdcs.lyceeader.eu DC=DomainDnsZones,DC=lyceeader,DC=eu
[2018/10/20 07:54:09.599058, 0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)

I have a correct ADBDC1 with the fsmo role on the second BDC2. The fsmo role correctly points to ADBDC1, and BDC3 (the one with the problems) does indeed point to ADBDC1.

This error occurs every second; I don't understand the reason, and internet searches haven't yielded anything that points me toward a viable solution. Do you have any ideas?

FSMO roles are very rarely the source of a problem. If only the DomainDnsZones partition is causing the issue, the best solution is to demote it and rejoin it. To demote it, simply stop Samba, clean the /var/lib/samba directory (you'll need to recreate the empty /var/lib/samba/private directory afterward), then run `samba-tool domain demote --remove-other-dead-server=BDC3` on ADBDC1.


Could you clarify the last part?
For the demote, you just stop Samba and clean the /var/lib/samba directory (recreating the empty /var/lib/samba/private directory afterward). Is this done on BDC3? Then I rejoin it to the domain by pointing it at ADBDC1.
I didn't quite grasp the difference.



Excuse me for using BDC names; it's easier for everyone in the department.

Regards,
Eric.

Re: DNS error on BDC

Published: November 14, 2018 - 22:35
by vcardon
Hello Eric,

Give us a call at the office, +33240975755. I'm afraid you won't get the help you're looking for on your issue, and I suspect you're a relatively large organization that therefore deserves support through dedicated channels.

My hunch is that you're dealing with leftover issues from an upgrade from a 10+ year old Samba3-NT4 to Samba-AD without any cleanup, which is understandable since such a cleanup is difficult to document reliably.

Indeed, Samba3-NT4, like Windows NT, was very permissive, and these technologies allowed for both good and bad creative work. Samba-AD, which replicates the behavior of MSAD, allows much less creativity; it's more rigid, and its operation is thus more secure. Overall, this is a positive thing, and this rigidity benefits everyone. This history can therefore cause undesirable side effects if you have old, non-compliant objects that you're carrying over to Active Directory after an upgrade.

With Microsoft Active Directory, the creativity once permitted with NT4 was progressively curtailed with MSAD2000, then 2003, 2008, and so on. Here, between an old Samba3-NT4, admittedly kept up-to-date but still in NT4 mode, and Samba-AD, you've made a huge generational leap; it requires much more rigor to ensure it works well right away. At TIS, we have this experience.

Sincerely,

Vincent C