[Samba] Samba4 multiple DCs replication

Julien TEHERY julien.tehery at openevents.fr
Wed Nov 21 16:33:28 UTC 2018


Regards,
Doe Corp
Julien Téhéry
Systems & Network Engineer | OPENevents
15 avenue de l'Europe
86170 Neuville de Poitou
phone : +33 5 49 62 26 03 <tel:+33549622603>
mail : julien.tehery at openevents.fr <mailto:julien.tehery at openevents.fr>
hotline : ticket at openevents.fr <mailto:ticket at openevents.fr> | +33 5 49 62 26 07 <tel:+33549622607>
commercial : commercial at openevents.fr <mailto:commercial at openevents.fr>

On 21/11/2018 at 16:45, Julien TEHERY via samba wrote:
> On 19/11/2018 at 15:00, Julien TEHERY via samba wrote:
>> On 19/11/2018 at 12:33, Julien TEHERY via samba wrote:
>>> On 19/11/2018 at 11:14, Marco Gaiarin via samba wrote:
>>>> Mandi! Julien TEHERY via samba
>>>>    In chel di` si favelave...
>>>>
>>>>> Is there a good practice when adding new remote DCs in terms of
>>>>> replication topology?
>>>> I think you have to define a topology of the domain, using ADSS:
>>>>
>>>>     https://blogs.technet.microsoft.com/canitpro/2015/03/03/step-by-step-setting-up-active-directory-sites-subnets-site-links/ 
>>>>
>>>>
>>>> defining links and weight.
>>>>
>>> Right, I already had this kind of setup.
>>> I created 3 remote sites and subnets assigned to those sites.
>>> Remote DC's have been joined with the " --site" option.
>>>
>>> I even tried to setup Site Links, but it doesn't help.
>>>
>>> Here is my topology
>>>
>>> Main Site:
>>> DC1
>>> DC2 => well replicated from DC1
>>> DC3 => well replicated from DC1
>>>
>>> Remote_Site_1
>>> DC4 => tries to replicate from DC2, but fails with 
>>> WERR_FILE_NOT_FOUND error
>>> (even manually with samba-tool drs replicate DC4 DC1 
>>> DC=mydomain,DC=lan)
>>>
>>> Remote_Site_2
>>> DC5 => well replicated from DC1
>>>
>>> Remote_Site_3
>>> DC6 => well replicated from DC1, but sometimes fails trying to 
>>> replicate from DC3...
>>>
>>>
>>>
>>> I tried demoting DC4 several times and rejoined it, without success.
>>> Each time it fails with this machine (I checked network and DNS
>>> settings, nothing's wrong)
>>>
>>>
>>> So from what I see "drs showrepl" shows me that sometimes a remote
>>> DC tries to DC1, sometimes not, and I would like to control it.
>>>
>>>
>>>
>> Even tried in ADUC to remove and re-create NTDS settings or remove
>> automatically generated ones, without success.
>> I don't know what's going wrong with DC4, but it's the only DC I
>> cannot sync manually from DC1.
>> I purged every single drop of samba on it and reinstalled it from
>> scratch, and it still does the same for it (even with
>> --remove-other-dead-server demotion and dbcheck on DC1).
>> I guess I'm gonna try to install another machine as I don't know what
>> to do here
>
> Another thing I noticed about replication:
> Actually, if I change a user password from DC1 with "samba-tool user
> myuser", password is successfully changed and replicated to the other
> DCs. (local and remote sites)
> But if I change it from DC5 or DC6, password is not replicated
> although "drs showrepl" seems fine on DC5 (but no outbound neighbors)
>
> Here is the output of it:
>
> [root at dc5 ~]# samba-tool drs showrepl
> REMOTESITE2\DC5
> DSA Options: 0x00000001
> DSA object GUID: 988d3cea-bcb8-4e71-be1f-faddb0408d62
> DSA invocationId: 2a23d6a7-d797-4348-b948-3fdc7069f50d
>
> ==== INBOUND NEIGHBORS ====
>
> DC=DomainDnsZones,DC=mydomain,DC=lan
>         MAINSITE\DC1 via RPC
>                 DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
>                 Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 21 16:34:15 2018 CET
>
> CN=Configuration,DC=mydomain,DC=lan
>         MAINSITE\DC1 via RPC
>                 DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
>                 Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 21 16:34:15 2018 CET
>
> DC=ForestDnsZones,DC=mydomain,DC=lan
>         MAINSITE\DC1 via RPC
>                 DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
>                 Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 21 16:34:15 2018 CET
>
> CN=Schema,CN=Configuration,DC=mydomain,DC=lan
>         MAINSITE\DC1 via RPC
>                 DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
>                 Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 21 16:34:15 2018 CET
>
> DC=mydomain,DC=lan
>         MAINSITE\DC1 via RPC
>                 DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
>                 Last attempt @ Wed Nov 21 16:34:29 2018 CET was successful
>                 0 consecutive failure(s).
>                 Last success @ Wed Nov 21 16:34:29 2018 CET
>
> ==== OUTBOUND NEIGHBORS ====
>
> ==== KCC CONNECTION OBJECTS ====
>
>
> Is it simply that outbound connection must be set up? If yes how to do
> it?
> I tried to make it work through ADUC console without success

Another thing, I see that only DC1 has OUTBOUND NEIGHBORS (all failed
with a WERR_FILE_NOT_FOUND error).
All the other DCs have only INBOUND NEIGHBORS and no OUTBOUND NEIGHBORS.
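
An added example, not part of the original thread and not Samba's own code: a Python parser for the text layout of `samba-tool drs showrepl` quoted above. It reports the two conditions the messages discuss, neighbors with consecutive failures and an empty OUTBOUND NEIGHBORS section. The function names and the sample input are constructed for illustration.

```python
import re

SECTION = re.compile(r"^==== (.+) ====$")
NEIGHBOR = re.compile(r"^(\S+)\\(\S+) via RPC$")        # e.g. MAINSITE\DC1 via RPC
FAILURES = re.compile(r"^(\d+) consecutive failure\(s\)\.$")

def parse_showrepl(text):
    """Map each '==== SECTION ====' heading to its list of neighbor entries."""
    sections, section, nc, entry = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION.match(line):
            section, nc, entry = m.group(1), None, None
            sections[section] = []
        elif section is None or not line:
            continue                      # DSA header lines and blank lines
        elif m := NEIGHBOR.match(line):
            entry = {"nc": nc, "site": m.group(1), "dc": m.group(2), "failures": 0}
            sections[section].append(entry)
        elif (m := FAILURES.match(line)) and entry is not None:
            entry["failures"] = int(m.group(1))
        elif line.startswith(("DC=", "CN=")):
            nc = line                     # naming context heading
    return sections

def findings(text):
    """List failing replication links and note an empty outbound section."""
    sections, out = parse_showrepl(text), []
    for name, entries in sections.items():
        for e in entries:
            if e["failures"]:
                out.append(f"{name}: {e['nc']} from {e['site']}\\{e['dc']}: "
                           f"{e['failures']} consecutive failure(s)")
    if not sections.get("OUTBOUND NEIGHBORS"):
        out.append("OUTBOUND NEIGHBORS: none listed")
    return out

# Constructed sample in the layout of the showrepl output quoted above;
# the failing DC2 link and its failure count are invented for the example.
SAMPLE = r"""
REMOTESITE2\DC5
==== INBOUND NEIGHBORS ====
CN=Configuration,DC=mydomain,DC=lan
        MAINSITE\DC1 via RPC
                0 consecutive failure(s).
DC=mydomain,DC=lan
        MAINSITE\DC2 via RPC
                3 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
"""
```

Feeding it the captured output of `samba-tool drs showrepl` from each DC gives a per-DC list that can be compared across the sites.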

