[cifs-protocol] 117060115827644 Question about DRS client behaviour with linked attributes

Sreekanth Nadendla srenaden at microsoft.com
Thu Jun 8 21:35:57 UTC 2017


Hello Tim, below is the summary of the answer for your questions about Linked Value Replication. I have created separate incidents to investigate your questions from yesterday’s e-mail below. I will start a separate thread for that.

1) Does the client always replicate the partitions in parallel? i.e. it can't replicate them in series because it can't commit an entire partition until it has received portions of another partition.

-- This is an implementation detail. You could come up with your own scheme of replicating partitions and managing references until complete details are obtained. Multiple transactions may be necessary before you have all the changes. The protocol doesn't place any requirements as to how this can be achieved.

2) When the DRS_GET_TGT flag is set in the ReplicateNCRequestMsg, Windows does not resolve a target object that is in another partition.  What happens when the client encounters a linked attribute with an unknown target object? ProcessLinkValue() in the MS-DRSR seems to imply the client will ignore it (if it's already tried with GET_TGT). So how does the client ensure that it receives the linked attribute eventually?

--- Correct, Windows does not resolve a target object that is in another partition. It is up to an implementation to tolerate this and “remember” the reference. The protocol does not require anything in particular about when or even if the referred-to object is ever replicated. Nothing in the protocol requires a DC to actually have an instance of an object in order to have a value of an attribute on some object that refers to that object.

Additional References: https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

From: Sreekanth Nadendla
Sent: Thursday, June 8, 2017 5:30 PM
To: "Sreekanth Nadendla" <srenaden at microsoft.com>
Cc: "cifs-protocol at lists.samba.org" <cifs-protocol at lists.samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:117060115827644] Re: 117060115827644 Question about DRS client behaviour with linked attributes


Hi Sreekanth,

Thanks for the link. I'd already seen that article (or one very similar), but it does provide a lot of useful information about replication.

The Docs issues I mentioned in the conference call are as follows:

1). A fortnight ago, I raised a minor issue with MS-DRSR 4.1.10.6.14 ProcessLinkValue(). i.e. https://msdn.microsoft.com/en-us/library/dd207759.aspx

In the following block of code that checks the link target, it looks like it's missing a null check for targetObject.

targetObject = GetDSNameFromAttrVal(replValinf.attrTyp, replValInf.pAval)
if ((IsRecycleBinEnabled() and targetObject!isRecycled) or
    (not IsRecycleBinEnabled() and targetObject!isDeleted)) then
    if (DRS_GET_TGT in ulMoreFlags) then
        /* nothing to do */
        return 0
    else
        return ERROR_DS_DRA_RECYCLED_TARGET
endif

Presumably it should also return ERROR_DS_DRA_RECYCLED_TARGET if targetObject is null, as this is what triggers the use of the DRS_GET_TGT flag.

2). Related to this, the error code used here isn't documented, i.e. it isn't listed on https://msdn.microsoft.com/en-us/library/cc231199.aspx

I think it should be something like:

ERROR_DS_DRA_RECYCLED_TARGET            0x000021BF

Thanks for your help.

Tim

On 08/06/17 09:56, Sreekanth Nadendla wrote:

Hello Tim, below is the article I mentioned and it provides some useful details about Linked value replication scenarios.

https://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications



-----Original Message-----
From: Sreekanth Nadendla
Sent: Thursday, June 1, 2017 5:03 PM
To: 'Tim Beale' <timbeale at catalyst.net.nz>
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: 117060115827644 Question about DRS client behaviour with linked attributes



Hello Tim, I will be assisting you with this issue.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications



-----Original Message-----
From: Tim Beale [mailto:timbeale at catalyst.net.nz]
Sent: Wednesday, May 31, 2017 8:18 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Question about DRS client behaviour with linked attributes



Hi,



We're trying to add DRS GET_TGT support to Samba and have a question about the behaviour of linked attributes. We noticed that you can sometimes get linked attributes that span a partition.



For example you can have an object in the Configuration partition with a linked attribute to an object in the Domain partition:

dn: CN=RWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM
serverReference: CN=RWDC,OU=Domain Controllers,DC=SAMDOM,DC=EXAMPLE,DC=COM



And you can also have an object in the Domain partition with a linked attribute to an object in the Configuration partition:

dn: CN=RWDC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=SAMDOM,DC=EXAMPLE,DC=COM
serverReference: CN=NTDS Settings,CN=RWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM



From what I could see from testing, when the DRS_GET_TGT flag is set in the ReplicateNCRequestMsg, Windows does not resolve a target object that is in another partition.



This results in a cyclical dependency between the partitions being replicated, e.g. you can't commit all the linked attributes in the Domain partition until all the objects in the Configuration partition have been received, but you can't commit all the linked attributes in the Configuration partition until all the objects in the Domain partition have been received. This problem could be resolved if you manage to replicate the target object before the link is replicated.



My question is: how does the Windows replication behaviour resolve this problem?

- Does this mean the client always has to replicate the partitions in parallel? i.e. it can't replicate them in series because it can't commit an entire partition until it has received portions of another partition.

- What happens when the client encounters a linked attribute with an unknown target object? ProcessLinkValue() in the MS-DRSR seems to imply the client will ignore it (if it's already tried with GET_TGT). So how does the client ensure that it receives the linked attribute eventually?



Thanks for your help.



Tim
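
The cyclical dependency described in the original question, and the "remember the reference" approach from the reply, as an added example that is not part of the thread and is not Samba or Windows code. It is a toy Python model built on the two serverReference links quoted above; the class, the strict flag and the SOURCE table are hypothetical, and it models replicating partitions in series only, not GET_TGT or the DRSUAPI wire format.

```python
# Added illustration: a toy model, not Samba or Windows code. All names are hypothetical.
CONFIG_NC = "CN=Configuration,DC=SAMDOM,DC=EXAMPLE,DC=COM"
DOMAIN_NC = "DC=SAMDOM,DC=EXAMPLE,DC=COM"
SERVER = "CN=RWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites," + CONFIG_NC
NTDS = "CN=NTDS Settings," + SERVER
COMPUTER = "CN=RWDC,OU=Domain Controllers," + DOMAIN_NC
DFSR = ("CN=RWDC,CN=Topology,CN=Domain System Volume,"
        "CN=DFSR-GlobalSettings,CN=System," + DOMAIN_NC)

# Constructed source-DC contents: partition -> (objects, link values).
SOURCE = {
    CONFIG_NC: ({SERVER, NTDS}, [(SERVER, "serverReference", COMPUTER)]),
    DOMAIN_NC: ({COMPUTER, DFSR}, [(DFSR, "serverReference", NTDS)]),
}


class ReplicaClient:
    def __init__(self, strict):
        self.strict = strict   # True: refuse a partition that links to an unknown target
        self.objects = set()   # DNs committed locally
        self.links = set()     # link values committed locally
        self.pending = []      # remembered link values still waiting for their target

    def apply_partition(self, nc):
        objects, links = SOURCE[nc]
        known = self.objects | objects
        if self.strict and any(tgt not in known for _, _, tgt in links):
            return False       # whole partition rejected; nothing is committed
        self.objects = known
        self.pending.extend(links)
        # Commit every remembered link whose target now exists; keep the rest.
        ready = [lv for lv in self.pending if lv[2] in self.objects]
        self.links.update(ready)
        self.pending = [lv for lv in self.pending if lv[2] not in self.objects]
        return True


def replicate(order, strict):
    """Replicate partitions in series; return (committed links, pending, rejected NCs)."""
    client = ReplicaClient(strict)
    rejected = [nc for nc in order if not client.apply_partition(nc)]
    return len(client.links), len(client.pending), rejected
```

With strict=True neither partition can be committed in either order, which is the deadlock in the question; with strict=False both links are committed once the second partition arrives, whichever partition goes first.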


