Hi!

In Option "Inter-Site Transports", I have only one, with the name
"DEFAULTIPSITELINK", in properties

Sites in this link:

Matriz
Filial

Matriz -> site with DC1 and DC2
Filial -> site with DC3

Regards;

On 17-05-2018 13:12, lingpanda101 wrote:
> On 5/17/2018 12:07 PM, Carlos wrote:
>> Hi!
>>
>> Thanks for the answer.
>>
>> But, I allowed all ports in my firewall...
>>
>> I tested, shutdown my DC1
>>
>> DC2 doesn't communicate with DC3
>>
>> I created a user in DC2, it doesn't replicate to DC3...
>> I waited more than 20 minutes
>>
>> Why ??
>>
>> Regards;
>>
>> On 17-05-2018 12:01, lingpanda101 wrote:
>>> On 5/17/2018 10:30 AM, Carlos via samba wrote:
>>>> Hi!
>>>>
>>>> I have 2 DCs, now added one more DC, but all DCs don't see each other.
>>>>
>>>> New DC is "DC2"
>>>>
>>>> DC1 - vlan10 -> OK to DC3 (connected by openvpn)
>>>>
>>>> DC1 -> vlan10 -> OK to DC2 (vlan50)
>>>>
>>>> DC2 -> vlan50 -> OK to DC1 (vlan10)
>>>>
>>>> DC2 -> Openvpn -> Doesn't "see" DC3
>>>>
>>>> DC3 -> Openvpn -> OK to DC1 (vlan10)
>>>>
>>>> DC3 -> Openvpn -> Doesn't "view" DC2 (vlan50)
>>>>
>>>> All DCs are version Samba 4.7.7
>>>> Firewall is allowed between them.
>>>>
>>>> -----
>>>>
>>>> DC1
>>>>
>>>> samba-tool drs showrepl
>>>>
>>>> I see only DC2 and DC3 is OK
>>>> Is correct.
>>>>
>>>> DC2
>>>>
>>>> samba-tool drs showrepl
>>>>
>>>> I see only DC1
>>>>
>>>> DC3
>>>>
>>>> samba-tool drs showrepl
>>>>
>>>> I see only DC1
>>>> ------------------------
>>>>
>>>> Any idea?
>>>>
>>>> Regards
>>>>
>>> Carlos,
>>>
>>> This is normal if your firewall is working correctly. The KCC
>>> checks and creates replication links to optimize latency and cost
>>> where needed. You can override this and create a full mesh topology
>>> with the following in your smb.conf under 'Global'.
>>>
>>> kccsrv:samba_kcc=No
>>>
>>> I advise not doing this but instead ensure sites and services are
>>> set up correctly for your IP Inter-Site-Transports. You can define
>>> cost and interval for the links here.
>>>
>>> -James
>
> Did you verify you have the Inter-Site Transports configured properly
> in Active Directory Sites and Services snap-in?
>
> -James

Hi!

In "NTDS settings" I created new connections for:

DC2 -> DC3

DC3 -> DC2

All OK,

I tested with option

kccsrv:samba_kcc=No

is ok too.

But in my DC2, I received one error:

May 17 16:54:44 dc2 samba[10421]: [2018/05/17 16:54:44.543336, 0] ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
May 17 16:54:44 dc2 samba[10421]: UpdateRefs failed with WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for 24079507-bf7b-4c96-b107-cd22d7680011._msdcs.XXXXXX DC=DomainDnsZones,DC=XXX,DC=XXX,DC=XXX,DC=XXX

But 24079507-bf7b-4c96-b107-cd22d7680011._msdcs.XXXXXXX is DC2....

Any idea?

Regards;

On 17-05-2018 13:55, Carlos wrote:
> Hi!
>
> In Option "Inter-Site Transports", I have only one, with the name
> "DEFAULTIPSITELINK", in properties
>
> Sites in this link:
>
> Matriz
> Filial
>
> Matriz -> site with DC1 and DC2
> Filial -> site with DC3
>
> Regards;

On 5/17/2018 3:58 PM, Carlos wrote:
> Hi!
>
> In "NTDS settings" I created new connections for:
>
> DC2 -> DC3
>
> DC3 -> DC2
>
> All OK,
>
> I tested with option
>
> kccsrv:samba_kcc=No
>
> is ok too.
>
> But in my DC2, I received one error:
>
> May 17 16:54:44 dc2 samba[10421]: [2018/05/17 16:54:44.543336, 0]
> ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
> May 17 16:54:44 dc2 samba[10421]: UpdateRefs failed with
> WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
> 24079507-bf7b-4c96-b107-cd22d7680011._msdcs.XXXXXX
> DC=DomainDnsZones,DC=XXX,DC=XXX,DC=XXX,DC=XXX
>
> But 24079507-bf7b-4c96-b107-cd22d7680011._msdcs.XXXXXXX is DC2....
>
> Any idea?
>
> Regards;

Carlos,

You are doing a lot of things that go against best practice. Do not manually create the links. Let the KCC handle that function.

--
James

On Thu, 17 May 2018 16:58:13 -0300 Carlos via samba <samba at lists.samba.org> wrote:
> Hi!
>
> In "NTDS settings" I created new connections for:
>
> DC2 -> DC3
>
> DC3 -> DC2
>
> All OK,
>
> I tested with option
>
> kccsrv:samba_kcc=No
>
> is ok too.
>
> But in my DC2, I received one error:
>
> May 17 16:54:44 dc2 samba[10421]: [2018/05/17 16:54:44.543336, 0]
> ../source4/dsdb/repl/drepl_out_helpers.c:1087(dreplsrv_update_refs_done)
> May 17 16:54:44 dc2 samba[10421]: UpdateRefs failed with
> WERR_DS_DRA_ACCESS_DENIED/NT code 0xc0002105 for
> 24079507-bf7b-4c96-b107-cd22d7680011._msdcs.XXXXXX
> DC=DomainDnsZones,DC=XXX,DC=XXX,DC=XXX,DC=XXX
>
> But 24079507-bf7b-4c96-b107-cd22d7680011._msdcs.XXXXXXX is DC2....
>
> Any idea?
>

You are using SITES, every DC shouldn't replicate to every DC. You should have replication between DCs in each site and between sites. This is how it is supposed to work, you have just changed it back to how Samba AD used to work, before somebody made it work correctly.

Rowland
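
Added example, not part of the thread and not Samba's KCC code: a simplified Python model of the site-aware topology the replies describe, compared with the partners each DC reported in `samba-tool drs showrepl`. The site layout comes from the thread; the function names and the choice of the first DC listed in each site as bridgehead are assumptions made for the illustration.

```python
# Simplified model of a site-aware replication topology (illustration only,
# not Samba's KCC implementation). Site layout is taken from the thread;
# using the first DC listed in a site as its bridgehead is an assumption.

SITES = {"Matriz": ["DC1", "DC2"], "Filial": ["DC3"]}
SITE_LINKS = [("Matriz", "Filial")]  # the single DEFAULTIPSITELINK

def expected_partners(sites, site_links):
    """Return {dc: partners}: a ring inside each site plus bridgehead links."""
    partners = {dc: set() for dcs in sites.values() for dc in dcs}
    for dcs in sites.values():
        n = len(dcs)
        # A ring needs n edges for n > 2, one edge for 2 DCs, none for 1 DC.
        for i in range(n if n > 2 else n - 1):
            a, b = dcs[i], dcs[(i + 1) % n]
            partners[a].add(b)
            partners[b].add(a)
    for s1, s2 in site_links:
        a, b = sites[s1][0], sites[s2][0]  # assumed bridgeheads
        partners[a].add(b)
        partners[b].add(a)
    return partners

def full_mesh(sites):
    """Return {dc: partners} when every DC replicates with every other DC."""
    all_dcs = [dc for dcs in sites.values() for dc in dcs]
    return {dc: set(all_dcs) - {dc} for dc in all_dcs}

def compare(observed, expected):
    """Return {dc: (missing, extra)} for DCs whose partner set differs."""
    diff = {}
    for dc, exp in expected.items():
        obs = observed.get(dc, set())
        if obs != exp:
            diff[dc] = (exp - obs, obs - exp)
    return diff

# Partners each DC listed in showrepl, as described in the first message.
OBSERVED = {"DC1": {"DC2", "DC3"}, "DC2": {"DC1"}, "DC3": {"DC1"}}

if __name__ == "__main__":
    site_aware = expected_partners(SITES, SITE_LINKS)
    print("site-aware diff:", compare(OBSERVED, site_aware))
    print("full-mesh diff: ", compare(OBSERVED, full_mesh(SITES)))
```

Under this model the reported partners match the site-aware topology exactly, and only the full-mesh comparison flags DC2 and DC3 as missing each other.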