[Samba] updates of repsFrom/repsTo attributes (was : Re: replPropertyMetaData & KCC issues after updating to Samba 4.5.0)

lingpanda101 at gmail.com lingpanda101 at gmail.com
Wed Sep 28 19:45:46 UTC 2016

On 9/28/2016 12:41 PM, lingpanda101--- via samba wrote:
> On 9/28/2016 1:25 AM, garming at catalyst.net.nz wrote:
>>> Wasn't aware of this. Thank you for the info. If I was to delete the
>>> incorrect repsFrom/repsTo attributes, wouldn't the KCC just
>>> regenerate them over time once the KCC check and ISTG check kicked in?
>> As long as the topology doesn't change or DCs which are not 
>> bridgeheads do not go offline, there should be basically zero 
>> additional reps over time. How often they build up over time is an 
>> open question (when DCs do go offline), I can't test every setup and 
>> I'm sure there are edge cases. However if there are these additional 
>> links for when you have spuriously unreliable DCs, they work just as 
>> well as a fallback.
>> The interSiteTopologyFailover attribute seems to be on the 
>> NTDS-Site-Settings class. By default it probably isn't defined, but 
>> the internal default value in both Samba and Windows is 2 hours.
>> The ISTG is not the same as the bridgehead server. The ISTG is a 
>> single DC in the site which coordinates all the DCs and picks 
>> bridgehead servers in the site to talk to other sites (at some DC 
>> bridgehead arbitrarily chosen on the other end). The reason I ask who 
>> the ISTG was is because if the ISTG is dead, it is reasonable to 
>> expect that there is no current coordinator who is site-aware, and so 
>> no fallback has occurred yet.
> This is what seems to be stumbling me, however I think I understand a 
> bit better. Samba isn't defining a bridgehead server (which I do not 
> want). I was under the impression the owner of the ISTG was in fact a 
> bridgehead server. Reading this link 
> https://support.microsoft.com/en-us/kb/224815 tells me 'The domain 
> controller holding this role may not necessarily also be a bridgehead 
> server'.  To verify I queried for the CN 'Bridgehead-Server-List-BL' 
> which is also not set. Is this hard coded in Samba and I'm unable to 
> see it or is this not the correct attribute to confirm?
> The link also references how a DC alerts other DCs that an ISTG has 
> gone down in a site. This is the critical component I was worried 
> about. Is this feature currently implemented in Samba? On a Microsoft 
> DC you can alert how often you want to check for the ISTG in a 
> registry setting. Do you have plans to add this as an option for the 
> smb.conf?
> I will also point out Samba did correctly set the ISTG for my sites to 
> DC1. The first DC I joined to that site. After deleting the NTDS 
> connections, I see that my second DC in a site was chosen as the ISTG. 
> This tells me some sort of check may be happening to switch the ISTG?
> Based on all this it appears the new KCC does in fact work correctly 
> with a few minor issues relating to the replications To and From. 
> Thanks for the hard work.
>> Cheers,
>> Garming

I was mistaken on another point. I ran 'samba_kcc --debug' and saw 
mention of bridgehead server. Reading additional documentation I see a 
difference between a 'bridgehead server' and a 'preferred bridgehead 
server'. It's the preferred bridgehead server I do not want defined. This 
is all starting to become clearer.

