[Samba] updates of repsFrom/repsTo attributes (was : Re: replPropertyMetaData & KCC issues after updating to Samba 4.5.0)

Wed Sep 28 16:41:46 UTC 2016

On 9/28/2016 1:25 AM, garming at catalyst.net.nz wrote:
>>
>> Wasn't aware of this. Thank you for the info. If I was to delete the
>> incorrect respsFrom/repsTo attributes, wouldn't the KCC just
>> regenerate them over time once the KCC check and ISTG check kicked in?
>
> As long as the topology doesn't change or DCs which are not 
> bridgeheads do not go offline, there should be basically zero 
> additional reps over time. How often they build up over time is an 
> open question (when DCs do go offline), I can't test every setup and 
> I'm sure there are edge cases. However if there are these additional 
> links for when you have spuriously unreliable DCs, they work just as 
> well as a fallback.
>
> The interSiteTopologyFailover attribute seems to be on the 
> NTDS-Site-Settings class. By default it probably isn't defined, but 
> the internal default value in both Samba and Windows is 2 hours.
>
> The ITSG is not the same as the bridgehead server. The ITSG is a 
> single DC in the site which coordinates all the DCs and picks 
> bridgehead servers in the site to talk to other sites (at some DC 
> bridgehead arbitrarily chosen on the other end). The reason I ask who 
> the ITSG was is because if the ITSG is dead, it is reasonable to 
> expect that there is no current coordinator who is site-aware, and so 
> no fallback has occurred yet.

This is what seems to be stumbling me, however I think I understand a 
bit better. Samba isn't defining a bridgehead server(which I do not 
want). I was under the impression the owner of the ISTG was in fact a 
bridgehead server. Reading this link 
https://support.microsoft.com/en-us/kb/224815 tells me 'The domain 
controller holding this role may not necessarily also be a bridgehead 
server'.  To verify I queried for the CN 'Bridgehead-Server-List-BL' 
which is also not set. Is this hard coded in Samba and I'm unable to see 
it or is this not the correct attribute to confirm?

The link also references how a DC alerts other DC's that a ISTG has gone 
down in a site. This is the critical component I was worried about. Is 
this feature currently implemented in Samba? On a Microsoft DC you can 
alert how often you want to check for the ISTG in a registry setting. Do 
you have plans to add this as a option for the smb.conf?

I will also point out Samba did correctly set the ISTG for my sites to 
DC1. The first DC I joined to that site. After deleting the NTDS 
connections, I see that my second DC in a site was chosen as the ISTG. 
This tells me some sort of check may be happening to switch the ISTG?

Based on all this it appears the new KCC does in fact work correctly 
with a few minor issues relating to the replications To and From. Thanks 
for the hard work.

>
> Cheers,
>
> Garming

-- 
-James