[Samba] maximum ad domain controller unavailability time

Denis CARDON dcardon at tranquil.it
Tue Apr 14 09:39:37 UTC 2020

Hi Alex,

> A DC is never "removed" automatically from AD, but, at least from the 
> Windows perspective, the longest period would be the tombstone lifetime. 
> After this has passed, the DC would have objects "lingering", as the 
> deletion of an object could have already occurred at other DCs and then 
> the marker of the deletion itself removed, which of course means there 
> is no way to communicate the deletion after this final point. 

Good explanation!

> I believe Windows automatically blocks replication and disables the netlogon 
> service when it detects such a situation. I'm not sure what samba would do.

From my experience, Samba-AD replication would continue until it comes 
to an incoherence (e.g. trying to replicate an attribute change on an 
entry that has been deleted and expunged), and then replication would 
fail until consistency is fixed. When replication fails that way it does 
not block the netlogon process on Samba: it still opens sessions, and it 
may have local updates.

> Alex
> On 14/04/2020 09:37, Zhuchenko Valery via samba wrote:
>> Hi, all.
>> What is the greatest period an AD DC (non-FSMO) can be unavailable, for
>> example, because its network segment is unavailable for a long time (3, 4 
>> weeks)?
>> Will the controller be removed from AD automatically?
>> And what should be done after this network segment becomes available?
>> I have read about the tombstoneLifeTime attribute of Directory Service
>> (Configuration, Services, Windows NT), whose default value is 180 days.
>> But what about replication?
>> Thank you for your explanation.
>> Best regards,
>> Valery
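To turn the tombstone-lifetime point above into a check an operator can run, here is an added example (not code from this thread or from Samba). It assumes the operator supplies the tombstoneLifetime value read from the Configuration partition and the "last success" time of each replication partner (e.g. as reported by `samba-tool drs showrepl`); the partner data below is constructed, and the 180-day default is the one quoted in the thread.

```python
from datetime import datetime, timezone

# Default tombstoneLifetime (days) as quoted in the thread. Assumption: the
# real value is read by the operator from CN=Directory Service,CN=Windows NT,
# CN=Services,CN=Configuration,... and passed in; this script does no LDAP.
DEFAULT_TOMBSTONE_LIFETIME_DAYS = 180


def classify_partner(last_success, now, tombstone_days=DEFAULT_TOMBSTONE_LIFETIME_DAYS,
                     warn_fraction=0.5):
    """Return (days since last successful replication, status).

    LINGERING_RISK: the partner has been out of sync for at least the
      tombstone lifetime, so deletions may already have been expunged on
      other DCs and can no longer be replicated to it (the situation Alex
      describes above).
    WARNING: past warn_fraction of the lifetime; fix connectivity now.
    OK: within normal bounds.
    """
    age = max(0, (now - last_success).days)  # clamp clock skew to 0 days
    if age >= tombstone_days:
        return age, "LINGERING_RISK"
    if age >= tombstone_days * warn_fraction:
        return age, "WARNING"
    return age, "OK"


def replication_report(partners, now, tombstone_days=DEFAULT_TOMBSTONE_LIFETIME_DAYS):
    """Map each partner DC name to its (age_days, status) tuple."""
    return {name: classify_partner(ts, now, tombstone_days)
            for name, ts in partners.items()}


# Constructed sample: "last success" times for three partner DCs, as an
# operator would copy them from the showrepl output on 2020-04-14.
SAMPLE_NOW = datetime(2020, 4, 14, 9, 39, tzinfo=timezone.utc)
SAMPLE_PARTNERS = {
    "dc1.example.lan": datetime(2020, 4, 13, 22, 0, tzinfo=timezone.utc),
    "dc2.example.lan": datetime(2019, 12, 1, 8, 0, tzinfo=timezone.utc),
    "dc3.example.lan": datetime(2019, 9, 1, 8, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, (age, status) in replication_report(SAMPLE_PARTNERS, SAMPLE_NOW).items():
        print(f"{name:20} last success {age:4d} days ago  {status}")
```

A partner flagged LINGERING_RISK should not simply be reconnected and left to replicate; the thread's point is that replication will proceed until it hits the first inconsistency and then fail until the lingering objects are dealt with.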
