[Samba] updates of repsFrom/repsTo attributes (was : Re: replPropertyMetaData & KCC issues after updating to Samba 4.5.0)
lingpanda101 at gmail.com
lingpanda101 at gmail.com
Wed Sep 28 19:45:46 UTC 2016
On 9/28/2016 12:41 PM, lingpanda101--- via samba wrote:
> On 9/28/2016 1:25 AM, garming at catalyst.net.nz wrote:
>>> Wasn't aware of this. Thank you for the info. If I was to delete the
>>> incorrect respsFrom/repsTo attributes, wouldn't the KCC just
>>> regenerate them over time once the KCC check and ISTG check kicked in?
>> As long as the topology doesn't change or DCs which are not
>> bridgeheads do not go offline, there should be basically zero
>> additional reps over time. How often they build up over time is an
>> open question (when DCs do go offline), I can't test every setup and
>> I'm sure there are edge cases. However if there are these additional
>> links for when you have spuriously unreliable DCs, they work just as
>> well as a fallback.
>> The interSiteTopologyFailover attribute seems to be on the
>> NTDS-Site-Settings class. By default it probably isn't defined, but
>> the internal default value in both Samba and Windows is 2 hours.
>> The ITSG is not the same as the bridgehead server. The ITSG is a
>> single DC in the site which coordinates all the DCs and picks
>> bridgehead servers in the site to talk to other sites (at some DC
>> bridgehead arbitrarily chosen on the other end). The reason I ask who
>> the ITSG was is because if the ITSG is dead, it is reasonable to
>> expect that there is no current coordinator who is site-aware, and so
>> no fallback has occurred yet.
> This is what seems to be stumbling me, however I think I understand a
> bit better. Samba isn't defining a bridgehead server(which I do not
> want). I was under the impression the owner of the ISTG was in fact a
> bridgehead server. Reading this link
> https://support.microsoft.com/en-us/kb/224815 tells me 'The domain
> controller holding this role may not necessarily also be a bridgehead
> server'. To verify I queried for the CN 'Bridgehead-Server-List-BL'
> which is also not set. Is this hard coded in Samba and I'm unable to
> see it or is this not the correct attribute to confirm?
> The link also references how a DC alerts other DC's that a ISTG has
> gone down in a site. This is the critical component I was worried
> about. Is this feature currently implemented in Samba? On a Microsoft
> DC you can alert how often you want to check for the ISTG in a
> registry setting. Do you have plans to add this as a option for the
> I will also point out Samba did correctly set the ISTG for my sites to
> DC1. The first DC I joined to that site. After deleting the NTDS
> connections, I see that my second DC in a site was chosen as the ISTG.
> This tells me some sort of check may be happening to switch the ISTG?
> Based on all this it appears the new KCC does in fact work correctly
> with a few minor issues relating to the replications To and From.
> Thanks for the hard work.
I was mistaken on another point. I ran 'samba_kcc --debug' and saw
mention of bridgehead server. Reading additional documentation I see a
difference between a 'bridgehead server' and a 'preferred bridgehead
server'. It's the preferred bridgehead sever I do not want defined. This
is all starting to become clearer.
More information about the samba