[Samba] Question about domain controller replication limit

Andrew Bartlett abartlet at samba.org
Tue Oct 9 23:54:48 UTC 2018


On Tue, 2018-10-09 at 11:24 +0100, Rowland Penny via samba wrote:
> On Tue, 9 Oct 2018 11:53:35 +0200
> Fabio Fantoni via samba <samba at lists.samba.org> wrote:
> 
> > Hi, I tried a fast search about the domain controller replication limit
> > without finding an answer.
> > 
> > Can someone tell me if there is a time limit for correct
> > synchronization of a domain controller that has been turned off for a
> > long time (like some days)? If yes, what is the time limit and what is
> > best to do when I need to power on a domain controller that has passed
> > that time?
> > 
> > Can there be issues with a domain controller restored from backup, or
> > will it simply be resynchronized? Can there be differences with a Windows
> > domain controller (and are there differences if it is the PDC or not)?
> 
> What PDC? Are you running an NT4-style DC as well?
> No, I thought not; it is just your first DC, and just because it is your
> first DC doesn't mean it holds any FSMO roles.
> 
> Will the person who decided that calling the first DC a 'PDC' was a
> good idea, please identify themselves, I could then explain to them why
> calling it a 'PDC' is a stupid idea ;-)
> 
> > (where a restore is more probable for other issues not related to the
> > domain itself)
> > 
> > I know there were important DRS changes in Samba 4.5; if the answer
> > is different based on the Samba version, the answer can be about
> > Samba >= 4.5.
> > 
> > Thanks for any reply and sorry for my bad English.
> 
> An AD DC really needs to be on 24/7, but it can probably handle being
> off for a short while; replication should fix any changes. Being off
> for a number of days is a different thing: what if numerous changes
> have been done on other DCs? These may clog up your network whilst
> they are replicated. There is always the possibility that the
> replication could go the wrong way and new entries could be removed on
> the other DCs; this is unlikely, but possible.
> 
> If you plan on turning off a DC for a long time, you should also plan
> to demote it before you turn it off.

Specifically, a 'long time' is the tombstone lifetime, which can be
configured but is 180 days by default.  It will catch up within that
time.

Restoring from backups should only be done with Samba 4.9 and the
backup and restore tools we added there.  Don't restore a DC to an
earlier snapshot or backup by any other means.

In general, follow Rowland's advice and keep DCs online; it is just
simpler, and for your core network service, simple is good.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
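A small check that follows from Andrew's point about the tombstone lifetime: for each inbound replication partner, compare the time of the last successful replication with the tombstone lifetime and flag partners that have been out of sync for longer than that (the ones a simple power-on will no longer fix cleanly). This is an added example, not code from the thread or from Samba. The input is a constructed sample that approximates the inbound-neighbour section of `samba-tool drs showrepl` output (hostnames, GUIDs and dates are made up); the exact line format is an assumption, and the 180-day default is taken as given, with the real value read from the tombstoneLifetime attribute in the configuration partition if it has been changed.

```python
"""Flag replication partners that have been out of sync for longer than the
tombstone lifetime (180 days by default in AD and Samba).

Added example, not Samba's own code. The input format is an assumed
approximation of the inbound-neighbour section of `samba-tool drs showrepl`.
"""
import re
from datetime import datetime, timedelta, timezone

# AD/Samba default. The configured value lives in the tombstoneLifetime
# attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,
# <forest DN>; pass the real value in if it has been changed.
DEFAULT_TOMBSTONE_LIFETIME_DAYS = 180

# Constructed sample input (hostnames, GUIDs and dates are made up).
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: 11111111-2222-3333-4444-555555555555
        Last attempt @ Tue Oct  9 10:00:00 2018 UTC was successful
        0 consecutive failure(s).
        Last success @ Tue Oct  9 10:00:00 2018 UTC

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\\DC3 via RPC
        DSA object GUID: 66666666-7777-8888-9999-000000000000
        Last attempt @ Tue Oct  9 10:00:00 2018 UTC failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        4100 consecutive failure(s).
        Last success @ Sun Mar 11 08:15:00 2018 UTC

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\\DC4 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ Tue Oct  9 10:00:00 2018 UTC failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        12 consecutive failure(s).
        Last success @ NTTIME(0)
"""

PARTNER_RE = re.compile(r"^\s*(\S+) via (\S+)\s*$")
SUCCESS_RE = re.compile(r"^\s*Last success @ (.+?)\s*$")
STAMP_FORMAT = "%a %b %d %H:%M:%S %Y UTC"  # assumed timestamp layout


def parse_showrepl(text):
    """Return {partner: last successful replication (UTC datetime) or None}.

    "NTTIME(0)" (a zero timestamp) is treated as "never replicated".
    """
    partners = {}
    current = None
    for line in text.splitlines():
        m = PARTNER_RE.match(line)
        if m:
            current = m.group(1)
            partners.setdefault(current, None)
            continue
        m = SUCCESS_RE.match(line)
        if m and current is not None:
            stamp = m.group(1)
            if stamp == "NTTIME(0)":
                partners[current] = None
            else:
                parsed = datetime.strptime(stamp, STAMP_FORMAT)
                partners[current] = parsed.replace(tzinfo=timezone.utc)
    return partners


def assess(partners, now, tombstone_days=DEFAULT_TOMBSTONE_LIFETIME_DAYS):
    """Classify each partner as ('ok', days), ('stale', days) or ('never', None).

    'stale' means the last successful replication is older than the tombstone
    lifetime, so the partner can no longer simply catch up.
    """
    limit = timedelta(days=tombstone_days)
    report = {}
    for dc, last in sorted(partners.items()):
        if last is None:
            report[dc] = ("never", None)
        else:
            age = now - last
            report[dc] = ("stale" if age > limit else "ok", age.days)
    return report


def check_showrepl(text, now_iso, tombstone_days=DEFAULT_TOMBSTONE_LIFETIME_DAYS):
    """Convenience wrapper: parse showrepl-style text and assess it at now_iso."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return assess(parse_showrepl(text), now, tombstone_days)


if __name__ == "__main__":
    # Evaluate the constructed sample at the date of this thread.
    for dc, (state, days) in check_showrepl(SAMPLE_SHOWREPL, "2018-10-09T23:54:48+00:00").items():
        print(f"{dc}: {state}" + (f" ({days} days since last success)" if days is not None else ""))
```

On a live DC the text would come from `samba-tool drs showrepl` and the lifetime from the tombstoneLifetime attribute; a partner reported as stale or never-synced is the one to demote and rejoin rather than leave running.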
