[Samba] Dcs Replication

Thu May 17 20:07:30 UTC 2018

Hi!

This moment only "kccsrv:samba_kcc=No" , I have manually removed links

But error is very strange :-|

May 17 16:54:44 dc2 samba[10421]: [2018/05/17 16:54:44.543336,  0] 
../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
May 17 16:54:44 dc2 samba[10421]:   UpdateRefs failed with 
WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 
24079507-bf7b-4c96-b107-cd22d7680011._msdcs.XXXXXX 
DC=DomainDnsZones,DC=XXX,DC=XXX,DC=XXX,DC=XXX

But 24079507-bf7b-4c96-b107-cd22d7680011._msdcs.XXXXXXX is DC2....

Regards;

On 17-05-2018 17:02, lingpanda101 wrote:
> On 5/17/2018 3:58 PM, Carlos wrote:
>>
>> Hi!
>>
>> In "NTDS settings" created new connection for:
>>
>> DC2 ->DC3
>>
>> DC3 -> DC2
>>
>> All OK,
>>
>> I tested with option
>>
>> kccsrv:samba_kcc=No
>>
>> is ok too.
>>
>> But in my DC2, a received one erro:
>>
>> May 17 16:54:44 dc2 samba[10421]: [2018/05/17 16:54:44.543336,  0] 
>> ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
>> May 17 16:54:44 dc2 samba[10421]:   UpdateRefs failed with 
>> WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 
>> 24079507-bf7b-4c96-b107-cd22d7680011._msdcs.XXXXXX 
>> DC=DomainDnsZones,DC=XXX,DC=XXX,DC=XXX,DC=XXX
>>
>> But 24079507-bf7b-4c96-b107-cd22d7680011._msdcs.XXXXXXX is DC2....
>>
>> Any ideia ?
>>
>> Regards;
>>
>> On 17-05-2018 13:55, Carlos wrote:
>>> Hi!
>>>
>>> In Option "Inter-Site Transports", i have only  one the name 
>>> "DEFAULTIPSITELINK" , in properties
>>>
>>> Sites in this link:
>>>
>>> Matriz
>>> Filial
>>>
>>> Matriz -> site with DC1 and DC2
>>> Filail ->  site With DC3
>>>
>>> Regards;
>>>
>>>
>>> On 17-05-2018 13:12, lingpanda101 wrote:
>>>> On 5/17/2018 12:07 PM, Carlos wrote:
>>>>> Hi!
>>>>>
>>>>> Thanks for answer.
>>>>>
>>>>> But, i allowed all ports in my firewall...
>>>>>
>>>>> I tested, shutdown  my DC1
>>>>>
>>>>> DC2 dont comunication with DC3
>>>>>
>>>>> I create user in DC2, dont replication with DC3...
>>>>> I waited more in 20 minutes
>>>>>
>>>>> Why ??
>>>>>
>>>>> Regards;
>>>>>
>>>>>
>>>>> On 17-05-2018 12:01, lingpanda101 wrote:
>>>>>> On 5/17/2018 10:30 AM, Carlos via samba wrote:
>>>>>>> Hi!
>>>>>>>
>>>>>>> I have 2 DC, now add one more DC, but all dcs dont view between 
>>>>>>> they.
>>>>>>>
>>>>>>> New DC is "DC2"
>>>>>>>
>>>>>>> DC1 - vlan10 -> OK to DC3(Connectad by openvpn)
>>>>>>>
>>>>>>> DC1 -> vlan10 -> OK to DC2(vlan50)
>>>>>>>
>>>>>>> DC2-> vlan50 -> OK to DC1(vlan10)
>>>>>>>
>>>>>>> DC2-> Openvpn -> Dont "see" DC3
>>>>>>>
>>>>>>> DC3 -> Openvpn -> OK to DC1(vlan10)
>>>>>>>
>>>>>>> DC3 -> Openvpn -> Dont "view" DC2(vlan50)
>>>>>>>
>>>>>>> All version Dcs Samba 4.7.7
>>>>>>> Firewall is allow  between they.
>>>>>>>
>>>>>>> -----
>>>>>>>
>>>>>>> DC1
>>>>>>>
>>>>>>> samba-tool drs showrepl
>>>>>>>
>>>>>>> I see only DC2 and DC3 is OK
>>>>>>> Is correct.
>>>>>>>
>>>>>>> DC2
>>>>>>>
>>>>>>> samba-tool drs showrepl
>>>>>>>
>>>>>>> I see only DC1
>>>>>>>
>>>>>>> DC3
>>>>>>>
>>>>>>> samba-tool drs showrepl
>>>>>>>
>>>>>>> I see only DC1
>>>>>>> ------------------------
>>>>>>>
>>>>>>> Any Ideia ?
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>>
>>>>>> Carlos,
>>>>>>
>>>>>>     This is normal if your firewall is working correctly. The KCC 
>>>>>> checks and creates replication links to optimize latency and cost 
>>>>>> where needed. You can override this and create a full mesh 
>>>>>> topology with the following in your smb.conf under 'Global'.
>>>>>>
>>>>>> kccsrv:samba_kcc=No
>>>>>>
>>>>>> I advise not doing this but instead ensure sites and services are 
>>>>>> setup correctly for your IP Inter-Site-Transports. You can define 
>>>>>> cost and interval for the links here.
>>>>>>
>>>>>>
>>>>>> -James
>>>>>>
>>>>>>
>>>>>
>>>> Did you verify you have the Inter-Site Transports configured 
>>>> properly in Active Directory Sites and Services snap in?
>>>>
>>>> -James
>>>>
>>>
>>
> Carlos,
>
>     You are doing a lot of things that go against best practice. Do 
> not manually create the links. let the KCC handle that function.
>
> -- 
> --
> James