[Samba] sites and services and automatic creation of replication connections in NTDS Settings

Zerwes, Klaus zerwes at rosalux.de
Fri Oct 31 08:00:27 MDT 2014


I want to test a multi-site setup w/ replication to a central DC only.

In a test scenario I have set up a central samba4 DC (sernet-samba 4.1.12-9).

For provisioning I have used the --site=central, so no Default-First-Site-Name has been created on provisioning, just 'central'.

In AD Site & Services I have unchecked the "Bridge all site links" in "Inter-Site Transports > IP"

I have created several Subnets and the corresponding sites.
Routing between siteX and siteN is disabled, only the central site is reachable.

In the next step I have deleted the DEFAULTIPSITELINK and created several Inter-Site Transports Site Links:
central-site1, central-site2, ... only containing central DC location and siteX with the default cost of 100.

For the join command I use the appropriate --site=siteX for each DC. After the join the new DC appears in the right siteX -> Server location in RSAT "AD Site & Services".
But after the join of Site1DC and Site2DC for both a replication link to the OtherSiteDC is automatically created in addition to the expected CentralDC replication link in NTDS Settings.
And this unwanted replication link shows up in showrepl (as expected w/ error WERR_CONNECTION_REFUSED as there is no direct connection between the sites)

Deleting the unwanted replication link in RSAT "AD Site & Services" has no effect, it will automatically re-appear later (named <automatically generated> again).
On all DCs running 'samba-tool drs kcc' issues no errors but has no effect on recreating the 

How do I get the expected behavior of creating replication links only for DCs located in one site or connected with a site-link?
If there is no way of doing the right kcc topology automatically, I do not mind performing some manual steps to achieve the desired replication topology.

site1 ⇄ central ⇄ site2

and not:
site1 ⇄ site2
  ⇅           ⇅
central  ⇄ /

Adding the next DC in site3 raises the number of wrong replication links:
site1DC: site2DC + site3DC
site2DC: site1DC + site3DC
site3DC: site1DC + site2DC
and so on.

The test has the goal to examine the replication using one headquarters (aka central) and 20 branch sites.
As nearly all setups are automated (preseed and puppet), it would just cost some time but less work to test everything with different options.

Thanks for all hints in advance ... maybe I just have a knot in my head and someone will be so kind to loosen it for me ...
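An added example, not part of the original post: a small POSIX shell audit that reads the output of 'samba-tool drs showrepl' on a branch DC and reports every inbound replication partner whose site is not in an allowed list, so the unwanted site1 <-> site2 links described above are detected mechanically after each 'samba-tool drs kcc' run. The showrepl sample, the DC names (SITE1DC, CENTRALDC, SITE2DC) and the GUIDs are constructed placeholders.

```shell
#!/bin/sh
# Audit inbound replication partners reported by 'samba-tool drs showrepl'
# and flag any partner whose site is not in an allowed list, e.g. a site2 DC
# showing up on Site1DC when only 'central' should replicate with it.

# Constructed, abbreviated showrepl output for Site1DC; GUIDs are placeholders.
SAMPLE_SHOWREPL='site1\SITE1DC
DSA Options: 0x00000001
DSA object GUID: 00000000-0000-0000-0000-000000000001

==== INBOUND NEIGHBORS ====

DC=example,DC=com
    central\CENTRALDC via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ Fri Oct 31 12:00:00 2014 MDT was successful
        0 consecutive failure(s).
    site2\SITE2DC via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ Fri Oct 31 12:00:00 2014 MDT failed, result 1225 (WERR_CONNECTION_REFUSED)
        5 consecutive failure(s).

==== OUTBOUND NEIGHBORS ===='

# Print one "site\DC" per inbound neighbour found in showrepl text read from stdin.
inbound_partners() {
    awk '
        /^==== INBOUND NEIGHBORS ====/ { in_section = 1; next }
        /^==== /                       { in_section = 0 }
        in_section && / via RPC$/      { sub(/^[[:space:]]+/, ""); sub(/ via RPC$/, ""); print }
    '
}

# Usage: unexpected_partners "site ..." < showrepl_output
# Prints every inbound partner located outside the allowed sites; returns 1 if any.
unexpected_partners() {
    allowed="$1"
    found=0
    for partner in $(inbound_partners); do
        site=$(printf '%s\n' "$partner" | cut -d '\' -f1)
        case " $allowed " in
            *" $site "*) ;;
            *) echo "unexpected inbound partner: $partner"; found=1 ;;
        esac
    done
    return $found
}

# Run against the constructed sample (on a real DC: samba-tool drs showrepl | unexpected_partners central).
printf '%s\n' "$SAMPLE_SHOWREPL" | unexpected_partners "central" \
    || echo "replication topology does not match the expected site1 -> central only layout"
```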
