[Samba] Samba4 multiple DCs replication

Julien TEHERY julien.tehery at openevents.fr
Wed Nov 21 15:45:31 UTC 2018


On 19/11/2018 at 15:00, Julien TEHERY via samba wrote:
> On 19/11/2018 at 12:33, Julien TEHERY via samba wrote:
>> On 19/11/2018 at 11:14, Marco Gaiarin via samba wrote:
>>> Mandi! Julien TEHERY via samba
>>>    In chel di` si favelave...
>>>
>>>> Is there a good practice when adding new remote DCs in terms of 
>>>> replication
>>>> topology?
>>> I think you have to define a topology of the domain, using ADSS:
>>>
>>>     https://blogs.technet.microsoft.com/canitpro/2015/03/03/step-by-step-setting-up-active-directory-sites-subnets-site-links/ 
>>>
>>>
>>> defining links and weight.
>>>
>> Right, I already had this kind of setup.
>> I created 3 remote sites and subnets assigned to those sites.
>> Remote DC's have been joined with the " --site" option.
>>
>> I even tried to setup Site Links, but it doesn't help.
>>
>> Here is my topology
>>
>> Main Site:
>> DC1
>> DC2 => well replicated from DC1
>> DC3 => well replicated from DC1
>>
>> Remote_Site_1
>> DC4 => tries to replicate from DC2, but fails with 
>> WERR_FILE_NOT_FOUND error
>> (even manually with samba-tool drs replicate DC4 DC1 DC=mydomain,DC=lan)
>>
>> Remote_Site_2
>> DC5 => well replicated from DC1
>>
>> Remote_Site_3
>> DC6 => well replicated from DC1, but sometimes fails trying to 
>> replicate from DC3...
>>
>>
>>
>> I tried demoting DC4 several times and rejoined it, without success.
>> Each time it fails with this machine (I checked network and dns 
>> settings, nothing's wrong)
>>
>>
>> So from what I see "drs showrepl" shows me that sometimes a remote DC 
>> tries to replicate from DC1, sometimes not, and I would like to control it.
>>
>>
>>
> Even tried in ADUC to remove/re-create NTDS settings or remove 
> automatically generated ones, without success.
> I don't know what's going wrong with DC4, but it's the only DC I 
> cannot sync manually from DC1.
> I purged every single drop of samba on it and reinstalled it from 
> scratch, and it still does the same for it (even with 
> --remove-other-dead-server demotion and dbcheck on DC1).
> I guess I'm gonna try to install another machine as I don't know what 
> to do here

Another thing I noticed about replication:
Actually, if I change a user password from DC1 with "samba-tool user 
myuser", the password is successfully changed and replicated to the other 
DCs (local and remote sites).
But if I change it from DC5 or DC6, the password is not replicated although 
"drs showrepl" seems fine on DC5 (but no outbound neighbors).

Here is the output of it:

[root@dc5 ~]# samba-tool drs showrepl
REMOTESITE2\DC5
DSA Options: 0x00000001
DSA object GUID: 988d3cea-bcb8-4e71-be1f-faddb0408d62
DSA invocationId: 2a23d6a7-d797-4348-b948-3fdc7069f50d

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=mydomain,DC=lan
         MAINSITE\DC1 via RPC
                 DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
                 Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
                 0 consecutive failure(s).
                 Last success @ Wed Nov 21 16:34:15 2018 CET

CN=Configuration,DC=mydomain,DC=lan
         MAINSITE\DC1 via RPC
                 DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
                 Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
                 0 consecutive failure(s).
                 Last success @ Wed Nov 21 16:34:15 2018 CET

DC=ForestDnsZones,DC=mydomain,DC=lan
         MAINSITE\DC1 via RPC
                 DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
                 Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
                 0 consecutive failure(s).
                 Last success @ Wed Nov 21 16:34:15 2018 CET

CN=Schema,CN=Configuration,DC=mydomain,DC=lan
         MAINSITE\DC1 via RPC
                 DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
                 Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
                 0 consecutive failure(s).
                 Last success @ Wed Nov 21 16:34:15 2018 CET

DC=mydomain,DC=lan
         MAINSITE\DC1 via RPC
                 DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
                 Last attempt @ Wed Nov 21 16:34:29 2018 CET was successful
                 0 consecutive failure(s).
                 Last success @ Wed Nov 21 16:34:29 2018 CET

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====


Is it simply that an outbound connection must be set up? If yes, how do I do it?
I tried to make it work through the ADUC console without success.
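As an added example (not code from this thread or from the Samba project), here is a small parser for the `samba-tool drs showrepl` report shown above. It turns every inbound and outbound neighbour into a record and reports what a replication health check would want to know: links whose last attempt failed or that carry consecutive failures, and a DC that lists inbound neighbours but no outbound ones, which is exactly the DC5 condition above. The DC5 sample is the report quoted in the mail, abridged to two partitions; the DC4 sample is constructed with placeholder GUIDs to mirror the WERR_FILE_NOT_FOUND symptom described earlier in the thread, and the format of a failed-attempt line (`failed, result N (WERR_...)`) is assumed from samba-tool's showrepl output rather than taken from the page.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Neighbor:
    partition: str      # naming context, e.g. DC=mydomain,DC=lan
    source: str         # SITE\DC at the other end of the link
    ok: bool = True     # last attempt "was successful"
    failures: int = 0   # "N consecutive failure(s)."
    error: str = ""     # WERR_* name when the last attempt failed

@dataclass
class ReplReport:
    dsa: str = ""       # SITE\DC the report was taken on
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    kcc_connections: list = field(default_factory=list)

SECTION_RE = re.compile(r"^==== (\w+(?: \w+)*) ====$")
NEIGHBOR_RE = re.compile(r"^\s+(\S+\\\S+) via \S+$")
ATTEMPT_RE = re.compile(r"Last attempt @ .* (was successful|failed, result \d+ \((\w+)\))")
FAILURES_RE = re.compile(r"(\d+) consecutive failure\(s\)")

def parse_showrepl(text):
    """Indentation carries the structure: partition DN unindented, neighbour one level in, details deeper."""
    report, section, partition, cur = ReplReport(), None, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            section, partition, cur = m.group(1), None, None
        elif section is None:
            # header block: the SITE\DC line has a backslash and no "key: value" colon
            if not report.dsa and "\\" in line and ":" not in line:
                report.dsa = line
        elif section == "KCC CONNECTION OBJECTS":
            report.kcc_connections.append(line.strip())
        elif not line[0].isspace():
            partition, cur = line, None
        elif (m := NEIGHBOR_RE.match(line)) and partition:
            cur = Neighbor(partition, m.group(1))
            (report.inbound if section == "INBOUND NEIGHBORS" else report.outbound).append(cur)
        elif cur is not None:
            if m := ATTEMPT_RE.search(line):
                cur.ok = m.group(1) == "was successful"
                cur.error = m.group(2) or ""
            elif m := FAILURES_RE.search(line):
                cur.failures = int(m.group(1))
    return report

def find_problems(report):
    # Findings a monitoring check would raise; an empty list means all clear.
    problems = []
    for n in report.inbound + report.outbound:
        if n.failures or not n.ok:
            why = f", last error {n.error}" if n.error else ""
            problems.append(f"{n.partition}: link with {n.source} failing "
                            f"({n.failures} consecutive failure(s){why})")
    if report.inbound and not report.outbound:
        problems.append(f"{report.dsa}: no outbound neighbors, so no partner is "
                        "registered to pull changes that originate on this DC")
    return problems

# DC5 report quoted in the thread, abridged to two of its five partitions.
DC5_SHOWREPL = r"""REMOTESITE2\DC5
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=mydomain,DC=lan
         MAINSITE\DC1 via RPC
                 Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
                 0 consecutive failure(s).

DC=mydomain,DC=lan
         MAINSITE\DC1 via RPC
                 Last attempt @ Wed Nov 21 16:34:29 2018 CET was successful
                 0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
"""

# Constructed report mirroring the DC4 symptom from the thread (failed-line format assumed).
DC4_SHOWREPL = r"""REMOTESITE1\DC4

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=lan
         MAINSITE\DC2 via RPC
                 Last attempt @ Wed Nov 21 16:40:02 2018 CET failed, result 2 (WERR_FILE_NOT_FOUND)
                 3 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
"""
```

Run `find_problems(parse_showrepl(open("showrepl.txt").read()))` on each DC's captured output to compare them side by side: for DC5 the only finding is the empty outbound list, while a DC4-style report additionally surfaces the failing partner and its WERR_* code, which is the first thing to check before demoting and rejoining a DC.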

