--------------------------------------------
On Mon, 3/6/17, lingpanda101 via samba <samba at lists.samba.org> wrote:

Subject: Re: [Samba] DC site replication issue ?
To: samba at lists.samba.org
Date: Monday, March 6, 2017, 9:20 AM

On 3/6/2017 9:56 AM, Mircea Husz via samba wrote:
> All,
>
> I'm migrating a samba3 domain to a new samba4 AD version 4.5.5. Did a fair amount of testing on isolated vlans including two sites and replication between two domain controllers.
>
> I'm now rolling out DCs intended to become production shortly. One is in Chicago, the other in NY, and each is configured in its own timezone with NTP synching up.
>
> I am looking at a potential replication issue and want to know if the message from 'samba-tool drs showrepl' is indicative of trouble.
>
> The 'Inbound neighbors' list looks correct on both CH and NY DCs. The 'Outbound neighbors' list on both DCs shows 'Last attempt @ NTTIME(0) was successful'. I listed the full output at the bottom of this post.
>
> The logs don't have overt error messages, although I admit I don't understand everything that gets logged. I looked at levels 3, 5, and 10.
>
> I tested replication by adding a DNS entry, adding an account, then deleting the test account, and all that gets replicated to the other DC. So it seems to work fine.
>
> Also I used the ldapcmp tool, which came back with the only difference being the uppercase vs lowercase bug between cn and CN, dc and DC as per this report:
> https://bugzilla.samba.org/show_bug.cgi?id=12399
>
> Forcing replication returns with success: 'Replicate from CH1-AD-V01 to NY4-AD-V01 was successful.'
>
> So my questions are:
> 1 - Do others with DCs in multiple sites get an actual time entry in the Outbound neighbors list instead of '@ NTTIME(0)' ?
>
> 2 - Is replication used in production with three or more sites and timezones and is it reliable ? I'd like to know if going to production with such a setup is generally recommended based on real-life deployments.
>
> Thank you for all input.
>
> The output from 'samba-tool drs showrepl':
>
> CH1\CH1-AD-V01
> DSA Options: 0x00000001
> DSA object GUID: ae57ed96-5b4a-4d86-befd-027711adfe26
> DSA invocationId: cf59ac10-c027-4a45-8df5-218c88433fdd
>
> ==== INBOUND NEIGHBORS ===
>
> DC=ForestDnsZones,DC=ad,DC=corp,DC=com
> NY4\NY4-AD-V01 via RPC
> DSA object GUID: b7aea0b6-f0fa-477c-a44d-96a8b005450d
> Last attempt @ Fri Mar 3 11:23:46 2017 CST was successful
> 0 consecutive failure(s).
> Last success @ Fri Mar 3 11:23:46 2017 CST
>
> DC=DomainDnsZones,DC=ad,DC=corp,DC=com
> NY4\NY4-AD-V01 via RPC
> DSA object GUID: b7aea0b6-f0fa-477c-a44d-96a8b005450d
> Last attempt @ Fri Mar 3 11:23:46 2017 CST was successful
> 0 consecutive failure(s).
> Last success @ Fri Mar 3 11:23:46 2017 CST
>
> DC=ad,DC=corp,DC=com
> NY4\NY4-AD-V01 via RPC
> DSA object GUID: b7aea0b6-f0fa-477c-a44d-96a8b005450d
> Last attempt @ Fri Mar 3 11:23:46 2017 CST was successful
> 0 consecutive failure(s).
> Last success @ Fri Mar 3 11:23:46 2017 CST
>
> CN=Schema,CN=Configuration,DC=ad,DC=corp,DC=com
> NY4\NY4-AD-V01 via RPC
> DSA object GUID: b7aea0b6-f0fa-477c-a44d-96a8b005450d
> Last attempt @ Fri Mar 3 11:23:47 2017 CST was successful
> 0 consecutive failure(s).
> Last success @ Fri Mar 3 11:23:47 2017 CST
>
> CN=Configuration,DC=ad,DC=corp,DC=com
> NY4\NY4-AD-V01 via RPC
> DSA object GUID: b7aea0b6-f0fa-477c-a44d-96a8b005450d
> Last attempt @ Fri Mar 3 11:23:47 2017 CST was successful
> 0 consecutive failure(s).
> Last success @ Fri Mar 3 11:23:47 2017 CST
>
> ==== OUTBOUND NEIGHBORS ===
>
> DC=ForestDnsZones,DC=ad,DC=corp,DC=com
> NY4\NY4-AD-V01 via RPC
> DSA object GUID: b7aea0b6-f0fa-477c-a44d-96a8b005450d
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
> DC=DomainDnsZones,DC=ad,DC=corp,DC=com
> NY4\NY4-AD-V01 via RPC
> DSA object GUID: b7aea0b6-f0fa-477c-a44d-96a8b005450d
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
> DC=ad,DC=corp,DC=com
> NY4\NY4-AD-V01 via RPC
> DSA object GUID: b7aea0b6-f0fa-477c-a44d-96a8b005450d
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
> CN=Schema,CN=Configuration,DC=ad,DC=corp,DC=com
> NY4\NY4-AD-V01 via RPC
> DSA object GUID: b7aea0b6-f0fa-477c-a44d-96a8b005450d
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
> CN=Configuration,DC=ad,DC=corp,DC=com
> NY4\NY4-AD-V01 via RPC
> DSA object GUID: b7aea0b6-f0fa-477c-a44d-96a8b005450d
> Last attempt @ NTTIME(0) was successful
> 0 consecutive failure(s).
> Last success @ NTTIME(0)
>
> === KCC CONNECTION OBJECTS ===
>
> Connection --
> Connection name: 2ab1b199-31a6-48d9-a87e-4aa10e8a2594
> Enabled : TRUE
> Server DNS name : ny4-ad-v01.ad.corp.com
> Server DN name : CN=NTDS Settings,CN=NY4-AD-V01,CN=Servers,CN=NY4,CN=Sites,CN=Configuration,DC=ad,DC=corp,DC=com
> TransportType: RPC
> options: 0x00000001
> Warning: No NC replicated for Connection!
>
> Thanks,
> -Mike
>

I can only answer number 1. I have the same behavior with no reporting of the time stamp on Outbound Neighbors.

--
- James

Aside from the lack of timestamp, how long has replication worked in your setup ?

Thanks,
-Mike

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

On 3/6/2017 12:53 PM, Mircea Husz wrote:
> Aside from the lack of timestamp, how long has replication worked in your setup ?
>
> Thanks,
> -Mike

I have been using Samba since 2012 version 4.0 as a DC. Replication has never been an issue aside from my own misunderstanding of how Samba operates. My replication partners are contained within a MAN and not a WAN. My network consists of 6 DCs across 3 sites. I can't comment on time zone concerns however. The only issue I see if any is Sysvol replication. Make sure not to forget this step.

https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

--
- James

On Mon, 2017-03-06 at 15:48 -0500, lingpanda101 via samba wrote:
> I have been using Samba since 2012 version 4.0 as a DC. Replication has
> never been an issue aside from my own misunderstanding of how Samba
> operates. My replication partners are contained within a MAN and not a
> WAN. My network consists of 6 DCs across 3 sites. I can't comment on
> time zone concerns however. The only issue I see if any is Sysvol
> replication. Make sure not to forget this step.
>
> https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
>
> --
> - James

If it works for 6 DCs such that you've never had an issue, that's great to know. I hope that your experience is typical. It also means that the lack of timestamp I observe is not necessarily due to the timezone difference.

I'm still wondering if anyone is seeing timestamps in the outbound neighbors list.

-Mike
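
A small health check over the 'samba-tool drs showrepl' text format quoted in this thread, added here as an example (it is not part of any poster's message and not Samba project code). It reports neighbors with failed attempts separately from neighbors that only lack a timestamp (NTTIME(0)); the sample input is constructed from the output above, and the wording of the failing line is an assumption.

```python
import re

# Constructed sample in the format quoted in the thread. The failing entry
# is added for illustration; its "failed, ..." wording is an assumption.
SAMPLE = r"""
==== INBOUND NEIGHBORS ===
DC=ad,DC=corp,DC=com
NY4\NY4-AD-V01 via RPC
Last attempt @ Fri Mar 3 11:23:46 2017 CST was successful
0 consecutive failure(s).

CN=Configuration,DC=ad,DC=corp,DC=com
NY4\NY4-AD-V01 via RPC
Last attempt @ Fri Mar 3 11:23:47 2017 CST failed, result 1 (constructed)
3 consecutive failure(s).

==== OUTBOUND NEIGHBORS ===
DC=ad,DC=corp,DC=com
NY4\NY4-AD-V01 via RPC
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
=== KCC CONNECTION OBJECTS ===
"""

SECTION = re.compile(r"^=+\s*(INBOUND|OUTBOUND) NEIGHBORS\s*=+$")
ATTEMPT = re.compile(r"^Last attempt @ (.+?) (was successful|failed.*)$")
FAILS = re.compile(r"^(\d+) consecutive failure\(s\)\.?$")
NC = re.compile(r"^(?:DC|CN)=\S+$")  # a naming context on a line of its own

def parse_showrepl(text):
    # One dict per (direction, naming context) neighbor entry.
    entries, direction, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION.match(line)):
            direction, cur = m.group(1).lower(), None
        elif line.startswith("="):          # any other section, e.g. KCC
            direction, cur = None, None
        elif direction and NC.match(line):
            cur = {"direction": direction, "nc": line, "partner": None,
                   "when": None, "ok": None, "failures": 0}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.endswith(" via RPC"):
            cur["partner"] = line[:-len(" via RPC")]
        elif (m := ATTEMPT.match(line)):
            cur["when"], cur["ok"] = m.group(1), m.group(2) == "was successful"
        elif (m := FAILS.match(line)):
            cur["failures"] = int(m.group(1))
    return entries

def classify(e):
    if e["ok"] is None:                     # no "Last attempt" line was seen
        return "UNKNOWN"
    if not e["ok"] or e["failures"] > 0:
        return "FAILING"
    return "NO_TIMESTAMP" if e["when"] == "NTTIME(0)" else "OK"

def summarize(text):
    return [(e["direction"], e["nc"], classify(e)) for e in parse_showrepl(text)]
```
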