On 19/11/2018 at 12:33, Julien TEHERY via samba wrote:
> On 19/11/2018 at 11:14, Marco Gaiarin via samba wrote:
>> Hello! Julien TEHERY via samba
>> On that day you were saying...
>>
>>> Is there a good practice when adding new remote DCs in terms of
>>> replication topology?
>> I think you have to define a topology of the domain, using ADSS:
>>
>> https://blogs.technet.microsoft.com/canitpro/2015/03/03/step-by-step-setting-up-active-directory-sites-subnets-site-links/
>>
>> defining links and weight.
>>
> Right, I already had this kind of setup.
> I created 3 remote sites and subnets assigned to those sites.
> Remote DCs have been joined with the "--site" option.
>
> I even tried to set up Site Links, but it doesn't help.
>
> Here is my topology
>
> Main Site:
> DC1
> DC2 => well replicated from DC1
> DC3 => well replicated from DC1
>
> Remote_Site_1
> DC4 => tries to replicate from DC2, but fails with WERR_FILE_NOT_FOUND error
> (even manually with samba-tool drs replicate DC4 DC1 DC=mydomain,DC=lan)
>
> Remote_Site_2
> DC5 => well replicated from DC1
>
> Remote_Site_3
> DC6 => well replicated from DC1, but sometimes fails trying to
> replicate from DC3...
>
> I tried demoting DC4 several times and rejoined it, without success.
> Each time it fails with this machine (I checked network and DNS
> settings, nothing's wrong)
>
> So from what I see "drs showrepl" shows me that sometimes a remote DC
> tries to DC1, sometimes not, and I would like to control it.
>

Even tried in ADUC to remove and re-create NTDS settings or remove automatically generated ones, without success.
I don't know what's going wrong with DC4, but it's the only DC I cannot sync manually from DC1.
I purged every single drop of Samba on it and reinstalled it from scratch, and it still does the same (even with --remove-other-dead-server demotion and dbcheck on DC1).
I guess I'm gonna try to install another machine as I don't know what to do here.
On 19/11/2018 at 15:00, Julien TEHERY via samba wrote:
> [...]
> I guess I'm gonna try to install another machine as I don't know what
> to do here

Another thing I noticed about replication:
Actually, if I change a user password from DC1 with "samba-tool user myuser", the password is successfully changed and replicated to the other DCs (local and remote sites).
But if I change it from DC5 or DC6, the password is not replicated although "drs showrepl" seems fine on DC5 (but no outbound neighbors).

Here is the output of it:

[root@dc5 ~]# samba-tool drs showrepl
REMOTESITE2\DC5
DSA Options: 0x00000001
DSA object GUID: 988d3cea-bcb8-4e71-be1f-faddb0408d62
DSA invocationId: 2a23d6a7-d797-4348-b948-3fdc7069f50d

==== INBOUND NEIGHBORS ===

DC=DomainDnsZones,DC=mydomain,DC=lan
	MAINSITE\DC1 via RPC
		DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
		Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
		0 consecutive failure(s).
		Last success @ Wed Nov 21 16:34:15 2018 CET

CN=Configuration,DC=mydomain,DC=lan
	MAINSITE\DC1 via RPC
		DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
		Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
		0 consecutive failure(s).
		Last success @ Wed Nov 21 16:34:15 2018 CET

DC=ForestDnsZones,DC=mydomain,DC=lan
	MAINSITE\DC1 via RPC
		DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
		Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
		0 consecutive failure(s).
		Last success @ Wed Nov 21 16:34:15 2018 CET

CN=Schema,CN=Configuration,DC=mydomain,DC=lan
	MAINSITE\DC1 via RPC
		DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
		Last attempt @ Wed Nov 21 16:34:15 2018 CET was successful
		0 consecutive failure(s).
		Last success @ Wed Nov 21 16:34:15 2018 CET

DC=mydomain,DC=lan
	MAINSITE\DC1 via RPC
		DSA object GUID: d000aecf-6767-45b0-b69b-7ce4a4716507
		Last attempt @ Wed Nov 21 16:34:29 2018 CET was successful
		0 consecutive failure(s).
		Last success @ Wed Nov 21 16:34:29 2018 CET

==== OUTBOUND NEIGHBORS ===

==== KCC CONNECTION OBJECTS ===

Is it simply that outbound connection must be set up? If yes, how to do it?
I tried to make it work through the ADUC console without success
Regards,
Julien Téhéry
Systems & Network Engineer | OPENevents

On 21/11/2018 at 16:45, Julien TEHERY via samba wrote:
> [...]
> Is it simply that outbound connection must be set up? If yes, how to do it?
> I tried to make it work through the ADUC console without success

Another thing, I see that only DC1 has OUTBOUND NEIGHBORS (all failed with a WERR_FILE_NOT_FOUND error).
All the other DCs have only INBOUND NEIGHBORS and no OUTBOUND NEIGHBORS.
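The two symptoms raised in this thread (an empty OUTBOUND NEIGHBORS section, and partners failing with WERR_FILE_NOT_FOUND) can be checked mechanically from the same "samba-tool drs showrepl" text. The following is an added example, not code from the thread or from Samba itself: it parses showrepl output in the layout quoted above and reports those findings. The sample text is constructed; the DC2 entry and its failure are made up to exercise the failure path.

```python
import re
# Constructed sample in the layout samba-tool drs showrepl prints (layout
# taken from the thread; the DC2 entry and its failure are made up here).
SAMPLE = """\
REMOTESITE2\\DC5
==== INBOUND NEIGHBORS ====

DC=mydomain,DC=lan
\tMAINSITE\\DC1 via RPC
\t\tLast attempt @ Wed Nov 21 16:34:29 2018 CET was successful
\t\t0 consecutive failure(s).
CN=Configuration,DC=mydomain,DC=lan
\tMAINSITE\\DC2 via RPC
\t\tLast attempt @ Wed Nov 21 16:34:29 2018 CET failed, result 2 (WERR_FILE_NOT_FOUND)
\t\t7 consecutive failure(s).
==== OUTBOUND NEIGHBORS ====
==== KCC CONNECTION OBJECTS ====
"""
SECTION = re.compile(r"^==== (.+?) ===+\s*$")  # tolerates the '===' seen on the page
FAILED = re.compile(r"failed, result \d+ \((\w+)\)")
FAILCOUNT = re.compile(r"(\d+) consecutive failure\(s\)")

def parse_showrepl(text):
    """Return {section: [neighbour dicts]} for the INBOUND/OUTBOUND sections."""
    sections, current, entry = {}, None, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            current, entry = m.group(1), None
            sections[current] = []
        elif current is None or not current.endswith("NEIGHBORS") or not line.strip():
            continue
        elif not line.startswith("\t"):  # an unindented naming-context DN opens an entry
            entry = {"partition": line.strip(), "source": None, "error": None, "failures": 0}
            sections[current].append(entry)
        elif " via " in line:
            entry["source"] = line.strip().split(" via ")[0]
        elif m := FAILED.search(line):
            entry["error"] = m.group(1)
        elif m := FAILCOUNT.search(line):
            entry["failures"] = int(m.group(1))
    return sections

def audit_showrepl(text):
    """Findings a replication monitor would alert on for one DC's output."""
    s, findings = parse_showrepl(text), []
    if not s.get("OUTBOUND NEIGHBORS"):
        findings.append("no outbound neighbours listed")
    findings += ["%s from %s: %s, %d consecutive failure(s)" % (n["partition"], n["source"], n["error"], n["failures"])
                 for n in s.get("INBOUND NEIGHBORS", []) if n["error"] or n["failures"]]
    return findings
```

Running audit_showrepl over the real output of each DC in turn gives a per-DC list that is empty when replication is healthy, which is the check the thread is doing by eye.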