Fabio Fantoni
2018-Oct-09 09:53 UTC
[Samba] Question about domain controller replication limit
Hi, I tried a quick search about domain controller replication limits without finding an answer.

Can someone tell me if there is a time limit for correct synchronization of a domain controller that has been turned off for a long time (like some days)? If yes, what should the time limit be, and what is best to do when you need to power on a domain controller that has passed that time?

Can there be issues with a domain controller restored from backup, or will it simply be resynchronized? Can it be different with a Windows domain controller (and is it different if it is the PDC or not)? (where a restore is more probable for other issues not related to the domain itself)

I know there were important DRS changes in Samba 4.5; if the answers are different based on Samba version, the answer can be about samba>=4.5.

Thanks for any reply and sorry for my bad English.
Rowland Penny
2018-Oct-09 10:24 UTC
[Samba] Question about domain controller replication limit
On Tue, 9 Oct 2018 11:53:35 +0200
Fabio Fantoni via samba <samba at lists.samba.org> wrote:

> Hi, I tried a fast search about domain controller replication limit
> without find without finding an answer.
>
> Can someone tell me if there are time limit of correct
> synchronization of domain controller turned off for a long time (like
> some days)? If yes what should be the time limit and what is better
> do when need to poweron domain controller that has passed that time?
>
> Can there be issue with one domain controller restored from backup or
> it will be simply resynchronized? Can there be different with windows
> domain controller (and there are different if it is the pdc or not)?

What PDC ? are you running an NT4-style DC as well ?
No I thought not, it is just your first DC and just because it is your
first DC doesn't mean it holds any FSMO roles.

Will the person who decided that calling the first DC a 'PDC' was a
good idea, please identify themselves, I could then explain to them why
calling it a 'PDC' is a stupid idea ;-)

> (where is more probable restore for other issue not related to domain
> itself)
>
> I know there was important drs changes in samba 4.5, if the answer
> are different based on samba version the answer can be about
> samba>=4.5
>
> Thanks for any reply and sorry for my bad english.

An AD DC really needs to be on 24/7, but it can probably handle being
off for a short while, replication should fix any changes. Being off
for a number of days is a different thing, what if numerous changes
have been done on other DCs, these may clog up your network whilst
they are replicated. There is always the possibility that the
replication could go the wrong way and new entries could be removed on
the other DCs, this is unlikely, but possible.

If you plan on turning off a DC for a long time, you should also plan
to demote it before you turn it off.

Rowland
Andrew Bartlett
2018-Oct-09 23:54 UTC
[Samba] Question about domain controller replication limit
On Tue, 2018-10-09 at 11:24 +0100, Rowland Penny via samba wrote:

> On Tue, 9 Oct 2018 11:53:35 +0200
> Fabio Fantoni via samba <samba at lists.samba.org> wrote:
>
> > Hi, I tried a fast search about domain controller replication limit
> > without find without finding an answer.
> >
> > Can someone tell me if there are time limit of correct
> > synchronization of domain controller turned off for a long time (like
> > some days)? If yes what should be the time limit and what is better
> > do when need to poweron domain controller that has passed that time?
> >
> > Can there be issue with one domain controller restored from backup or
> > it will be simply resynchronized? Can there be different with windows
> > domain controller (and there are different if it is the pdc or not)?
>
> What PDC ? are you running an NT4-style DC as well ?
> No I thought not, it is just your first DC and just because it is your
> first DC doesn't mean it holds any FSMO roles.
>
> Will the person who decided that calling the first DC a 'PDC' was a
> good idea, please identify themselves, I could then explain to them why
> calling it a 'PDC' is a stupid idea ;-)
>
> > (where is more probable restore for other issue not related to domain
> > itself)
> >
> > I know there was important drs changes in samba 4.5, if the answer
> > are different based on samba version the answer can be about
> > samba>=4.5
> >
> > Thanks for any reply and sorry for my bad english.
>
> An AD DC really needs to be on 24/7, but it can probably handle being
> off for a short while, replication should fix any changes. Being off
> for a number of days is a different thing, what if numerous changes
> have been done on other DCs, these may clog up your network whilst
> they are replicated. There is always the possibility that the
> replication could go the wrong way and new entries could be removed on
> the other DCs, this is unlikely, but possible.
>
> If you plan on turning off a DC for a long time, you should also plan
> to demote it before you turn it off.

Specifically, a 'long time' is the tombstone lifetime, which can be
configured but is 180 days by default. It will catch up within that
time.

Restoring from backups should only be done with Samba 4.9 and the
backup and restore tools we added there. Don't restore a DC to an
earlier snapshot or backup by any other means.

In general, follow Rowland's advice and keep DCs online, it is just
simpler and for your core network service, simple is good.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
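The tombstone-lifetime limit discussed in this thread can be checked from a running DC. The following is an added example, not part of the original messages and not Samba project code: it reads text in the layout printed by `samba-tool drs showrepl` and reports inbound partners whose last successful replication is older than the tombstone lifetime. The sample text, host names and the function names `parse_time` and `stale_partners` are assumptions made for this example; the 180-day default is the figure given above.

```python
import re
from datetime import datetime

# Constructed sample in the layout printed by `samba-tool drs showrepl`;
# site, host names and dates are invented for this example.
SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tLast attempt @ Tue Oct  9 09:00:01 2018 UTC was successful
\t\tLast success @ Tue Oct  9 09:00:01 2018 UTC
\tDefault-First-Site-Name\\DC3 via RPC
\t\tLast success @ Mon Mar  5 02:10:44 2018 UTC
\tDefault-First-Site-Name\\DC4 via RPC
\t\tLast success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tLast success @ NTTIME(0)
"""

PARTNER = re.compile(r"^\s+\S+\\(\S+) via RPC")
SUCCESS = re.compile(r"Last success @ (.+)$")

def parse_time(text):
    """Parse 'Tue Oct  9 09:00:01 2018 UTC'; None if never or unparseable."""
    try:
        # Skip weekday and timezone name; day-level precision is enough here.
        stamp = " ".join(text.split()[1:5])
        return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    except ValueError:
        return None

def stale_partners(showrepl, now, tombstone_days=180):
    """Map partner -> days since last inbound success (None = never),
    keeping only partners older than the tombstone lifetime."""
    worst, partner, inbound = {}, None, False
    for line in showrepl.splitlines():
        if line.startswith("===="):
            inbound = "INBOUND" in line  # outbound entries are not pull status
        elif inbound and (m := PARTNER.match(line)):
            partner = m.group(1)
        elif inbound and partner and (m := SUCCESS.search(line)):
            ts = parse_time(m.group(1))
            age = None if ts is None else (now - ts).days
            prev = worst.get(partner, -1)
            # A partner is listed once per naming context: keep the oldest.
            if prev is not None and (age is None or age > prev):
                worst[partner] = age
    return {p: a for p, a in worst.items() if a is None or a > tombstone_days}
```

If the domain's tombstone lifetime was changed from the default, pass the configured value as `tombstone_days`.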