[Samba] Replication between Samba DCs (on different sites)?

Michael Tokarev mjt at tls.msk.ru
Mon Nov 14 18:59:22 UTC 2022


14.11.2022 21:10, Kris Lou via samba wrote:
>> Well, I guessed this much. The question is how?

> Using RSAT,  I have the Sites specified in Sites -> Inter-Site Transports -> IP.
> 
> Then, under each Site, I have the DC enabled as "a preferred bridgehead
> server for the following transports: IP."
> 
> You might also need to specify an "InterSite Topology Generator" in each
> Site under Sites -> NTDS Site Settings.
> 
> But replication links should be visible under Sites -> Servers -> <DC>
> ->NTDS Settings.

That's interesting.  Actually I found _some_ of that (not NTDS though)
after you mentioned "site links".  And it started to replicate stuff.
But not all of it... and it is now in an interesting situation.

So, I've 2 sites (MoscowOffice and PereslavlOffice, MO and PO for short).
There was a single DC, AI, in MO.  I've added another DC, svdcp, in PO.
This is where I asked about the inter-site replication and thought about
giving another DC in MO a try, so I created svdcm, in MO.

Now, there are 3 DCs.  And while svdcp and svdcm are replicating between
each other (or seem to be, anyway), ai, the "primary" DC, is not,
anymore.

On AI, I see:

==== INBOUND NEIGHBORS ====

DC=tls,DC=msk,DC=ru
	Moscow-Office\SVDCM via RPC
		DSA object GUID: 9224007a-37f3-463b-8d1a-539ea506898a
		Last attempt @ Mon Nov 14 21:45:49 2022 MSK failed, result 2 (WERR_FILE_NOT_FOUND)
		15 consecutive failure(s).
		Last success @ NTTIME(0)

(for all 5 groups - DC=DomainDnsZones,DC=tls,DC=msk,DC=ru, etc,
CN=Configuration,DC=tls,DC=msk,DC=ru).

Which file it can't find?  This is inbound, so it must be initiated by
SVDCM, but SVDCM shows:

==== INBOUND NEIGHBORS ====

DC=tls,DC=msk,DC=ru
	Moscow-Office\AI via RPC
		DSA object GUID: 91a56cbe-38b3-493c-b132-d1042d0aa021
		Last attempt @ Mon Nov 14 21:50:34 2022 MSK failed, result 1326 (WERR_LOGON_FAILURE)
		1 consecutive failure(s).
		Last success @ Mon Nov 14 21:35:20 2022 MSK

So it looks like AI can't log in to SVDCM?  And it shows the same
WERR_LOGON_FAILURE for all of them, also for the SVDCP connections!

And there's no OUTBOUND connections in either of the 3.


I tried to remove the temp/test DC I created (SVDCM), but I can't.

`samba-tool computer delete` refuses to remove it, saying it is a DC
and access is denied.

So I tried to demote it, but it fails:

# samba-tool domain demote -U mjt-adm
Using svdcp.tls.msk.ru as partner server for the demotion
Password for [TLS\mjt-adm]:
Deactivating inbound replication
Asking partner server svdcp.tls.msk.ru to synchronize from us
Error while replicating out last local changes from 'CN=Schema,CN=Configuration,DC=tls,DC=msk,DC=ru' for demotion, re-enabling inbound replication
ERROR(<class 'samba.WERRORError'>): Error while sending a DsReplicaSync for partition 'CN=Schema,CN=Configuration,DC=tls,DC=msk,DC=ru' - (2, 'WERR_FILE_NOT_FOUND')
   File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 860, in run
     drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)


I tried strace'ing it, but I don't see which file it can't find.

I'm afraid this is getting quite weird... it doesn't really work and can't
be restored into a sane state?

Can a DC be force-deleted from another DC?
What if the machine is physically dead?

Help? :)

Thank you!

/mjt
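With five partitions per DC, the failure pattern in these showrepl excerpts is easy to miss by eye. As an added example (not from the post, and not Samba's own code), here is a small parser for the INBOUND NEIGHBORS section of `samba-tool drs showrepl` output that flags links which have never succeeded (NTTIME(0)) or are failing with a logon error; the sample report is constructed from the two excerpts above, and the failure threshold is an arbitrary choice.

```python
import re

# Constructed input: the two INBOUND NEIGHBORS excerpts from the post, joined into one report.
SAMPLE = (
    "==== INBOUND NEIGHBORS ====\n"
    "DC=tls,DC=msk,DC=ru\n"
    "\tMoscow-Office\\SVDCM via RPC\n"
    "\t\tDSA object GUID: 9224007a-37f3-463b-8d1a-539ea506898a\n"
    "\t\tLast attempt @ Mon Nov 14 21:45:49 2022 MSK failed, result 2 (WERR_FILE_NOT_FOUND)\n"
    "\t\t15 consecutive failure(s).\n"
    "\t\tLast success @ NTTIME(0)\n"
    "CN=Configuration,DC=tls,DC=msk,DC=ru\n"
    "\tMoscow-Office\\AI via RPC\n"
    "\t\tLast attempt @ Mon Nov 14 21:50:34 2022 MSK failed, result 1326 (WERR_LOGON_FAILURE)\n"
    "\t\t1 consecutive failure(s).\n"
    "\t\tLast success @ Mon Nov 14 21:35:20 2022 MSK\n"
    "==== OUTBOUND NEIGHBORS ====\n"
)

def parse_inbound(text: str) -> list[dict]:
    """Parse the INBOUND NEIGHBORS section of `samba-tool drs showrepl` output."""
    links, in_inbound, partition, cur = [], False, "", None
    for raw in filter(str.strip, text.splitlines()):   # skip blank lines
        line = raw.strip()
        if line.startswith("===="):                    # section header
            in_inbound = "INBOUND" in line
        elif not in_inbound:
            continue
        elif not raw.startswith("\t"):                 # partition DN at column 0
            partition = line
        elif not raw.startswith("\t\t"):               # "<site>\<DC> via <transport>"
            cur = {"partition": partition, "source": line.split(" via ")[0],
                   "error": "", "failures": 0, "ever_succeeded": True}
            links.append(cur)
        elif m := re.search(r"failed, result \d+ \((\w+)\)", line):
            cur["error"] = m.group(1)                  # symbolic WERR_* name
        elif m := re.match(r"(\d+) consecutive failure", line):
            cur["failures"] = int(m.group(1))
        elif line.startswith("Last success @"):
            cur["ever_succeeded"] = "NTTIME(0)" not in line   # NTTIME(0) == never
    return links

def broken_links(links: list[dict], max_failures: int = 3) -> list[tuple]:
    # Links needing attention: never synced, repeatedly failing, or logon rejected.
    out = []
    for n in links:
        if not n["ever_succeeded"] and n["failures"]:
            out.append((n["partition"], n["source"], f"never replicated ({n['error']})"))
        elif n["failures"] >= max_failures or n["error"] == "WERR_LOGON_FAILURE":
            out.append((n["partition"], n["source"], f"{n['failures']} failure(s): {n['error']}"))
    return out
```

Feeding it the full output of `samba-tool drs showrepl` from each DC gives one line per bad link, which makes it quick to see whether a problem is confined to one partner or, as in the post, affects every partition.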
