samba - Dec 2014 - sites and subnets

We had a samba 4.1.9 AD DC running since July. We have 3 campuses and
brought up a secondary AD  at another campus. This setup seemed to be
running as expected. We could see our primary AD DC authenticating requests
fine. We could see the secondary AD authenticating requests as well at our
second campus.

Then we started experiencing bandwidth issues between our campuses. Our
metro-etherlink should have delivered 5 mbps but dropped to have very
sporadic performance. As we worked with our telecom provider to stabilize
this, we thought we might also improve things by using the AD sites and
services tool to define where our subnets were and hopefully control which
DC handled auth requests.

About this same time we notice that DNS queries were timing out. We pointed
all DNS requests to our firewall. We forward requests for our AD domain to
our primary AD DC. This helped a lot. However we then identified our AD DC
as the problem for dns requests. It would time out frequently.

Over a couple of weeks we notices performance degrading rapidly on our AD
DC. We found samba would consume 99% cpu -- and start to grow in memory
consumption.

The big question is could the sites and services tool have triggered some
bug in samba ? So much time has elapse I don't see that it is possible to
go back and trouble shoot that way we should.

I'm just wondering if there are any known issues with sites and services --
or possible issues that could have arisen because of this tool .


-- 
David Bear
mobile: (602) 903-6476

Hello David,

     Currently use Sites and Services across 4 sites. We do not 
experience the issues you are describing. Running Samba 4.1.13. I do 
know the option to turn off 'Bridge All Site Links' does not work. Using
internal DNS with Google or Open DNS to forward queries.

On 12/29/2014 6:26 PM, David Bear wrote:
> We had a samba 4.1.9 AD DC running since July. We have 3 campuses and
> brought up a secondary AD  at another campus. This setup seemed to be
> running as expected. We could see our primary AD DC authenticating requests
> fine. We could see the secondary AD authenticating requests as well at our
> second campus.
>
> Then we started experiencing bandwidth issues between our campuses. Our
> metro-etherlink should have delivered 5 mbps but dropped to have very
> sporadic performance. As we worked with our telecom provider to stabilize
> this, we thought we might also improve things by using the AD sites and
> services tool to define where our subnets were and hopefully control which
> DC handled auth requests.
>
> About this same time we notice that DNS queries were timing out. We pointed
> all DNS requests to our firewall. We forward requests for our AD domain to
> our primary AD DC. This helped a lot. However we then identified our AD DC
> as the problem for dns requests. It would time out frequently.
>
> Over a couple of weeks we notices performance degrading rapidly on our AD
> DC. We found samba would consume 99% cpu -- and start to grow in memory
> consumption.
>
> The big question is could the sites and services tool have triggered some
> bug in samba ? So much time has elapse I don't see that it is possible
to
> go back and trouble shoot that way we should.
>
> I'm just wondering if there are any known issues with sites and
services --
> or possible issues that could have arisen because of this tool .
>
>
-- 
-James

Hello David,

Am 30.12.2014 um 00:26 schrieb David Bear:
> The big question is could the sites and services tool have triggered some
> bug in samba ? So much time has elapse I don't see that it is possible
to
> go back and trouble shoot that way we should.
> 
> I'm just wondering if there are any known issues with sites and
services --
> or possible issues that could have arisen because of this tool .
I can't confirm any problems. I introduced a second site at work around
4.1.12 and haven't seen any problems yet. Can you update all DCs to the
latest version?

Here's the documentation, that works here:
https://wiki.samba.org/index.php/Active_Directory_Sites


Regards,
Marc

On 12/30/2014 10:55 AM, Marc Muehlfeld wrote:
> Hello David,
>
> Am 30.12.2014 um 00:26 schrieb David Bear:
>> The big question is could the sites and services tool have triggered
some
>> bug in samba ? So much time has elapse I don't see that it is
possible to
>> go back and trouble shoot that way we should.
>>
>> I'm just wondering if there are any known issues with sites and
services --
>> or possible issues that could have arisen because of this tool .
> I can't confirm any problems. I introduced a second site at work around
> 4.1.12 and haven't seen any problems yet. Can you update all DCs to the
> latest version?
>
> Here's the documentation, that works here:
> https://wiki.samba.org/index.php/Active_Directory_Sites
Okay -- thanks for this pointer.

One more question -- using sites and services, if you rename 
'default-first-site' to something else, are the results bad?

I think we did rename it to our our location name -- which generated an 
error AFTER trying to join another machine to the AD. After renaming it 
back to default-first-site, we were able to join machines normally.

I'm not sure what happens deep down with these
commands.
>
>
> Regards,
> Marc

-- 
David Bear
602-903-6476