[cifs-protocol] 114082011718474 When creating a subdomain, who fills in hasPartialReplicaNCs?

Sreekanth Nadendla srenaden at microsoft.com
Thu Sep 4 10:05:08 MDT 2014

Apologies, the answer provided below is for your question on how to trigger replication from Samba DC. Incident # 114082011718474. Corrected in the subject.

Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Sreekanth Nadendla 
Sent: Thursday, September 4, 2014 12:01 PM
To: Andrew Bartlett
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: RE: 114082011718524 NTLM username / password routing on member servers and on an AD DC

Hello Andrew,                        
Domain Controller maintains the state of hasPartialReplicaNCs, msDS-HasInstantiatedNCs. When there are changes to be replicated, it can happen in the following two ways.

1) Scheduled Replication.
2) Event-Driven Replication.

From MS-ADTS   
When an originating or replicated update occurs in the NC replica on the server, the server notifies each destination DC that has an entry in repsTo. The server notifies the destination DC by calling method IDL_DRSReplicaSync. The destination DC contacts the server and requests it to provide updates—this is event-driven replication as described in section

For a description of what needs to happen to replicate changes from Samba DC side, please review MS-ADTS  "Scheduled and Event-Driven Replication".  Note the reference to MS-DRSR which provides protocol details on how to perform replication between domain controllers.

Some Helpful Resources

Replicas subtypes are defined in:
[MS-ADTS] NC, NC Replica

Some general use cases are described in:
[MS-ADOD] 2.7.5 Directory Replication

Let me know if you have further questions.

Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, August 19, 2014 11:12 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: When creating a subdomain, who fills in hasPartialReplicaNCs?

I've got Samba to the point where Samba can be a subdomain to a windows AD domain, something we have been working on for a number of years.

As context, we did some work on this at a number of previous plugfest events, and this work has been mostly to re-animate this effort, and to make it useful to end users, by having it also work for NTLM authentication.  

I've got to the point where Samba and windows both seem to think they are in a trusted domain situation, and Samba can authenticate with an account from the Windows parent domain using both NTLM and Kerberos.

Next, I need to replicate the Samba domain
(sub.ad.ruth.wgtn.cat-it.co.nz) to the AD domain (ad.ruth.wgtn.cat-it.co.nz), and vice-verca, because the both DCs should be a GC.  How do I instigate that?  

"MS-ATDS DC and Partial Replica NCs Replicas" describes the end state, and it seems Windows (perhaps after a time) replicates in the Samba state, but what causes the initial replication and the update of hasPartialReplicaNCs and msDS-HasInstantiatedNCs?

I note that this was partially answered in 112062456011515 here:

However, I'm still a little unclear on what I should be doing to trigger this on the Samba side of things.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list