Zhuchenko Valery
2020-Apr-14 08:37 UTC
[Samba] maximum ad domain controller unavialability time
Hi, all. What is greatest period for AD DC (non FSMO) can be unavailable, for example, because network segment is unavailable for long time (3, 4 weeks)? Is the controller will be removed from AD automatically? And what to do after this network segment will become available? I have read about tombstoneLifeTime attribute of Directory Service (Configuration, Services, Windows NT), which default value is 180 days. But what is about replication? Thank you for your explanation. Best regards, Valery
L.P.H. van Belle
2020-Apr-14 09:00 UTC
[Samba] maximum ad domain controller unavialability time
Why would you have a server (DC) that long powered off, it for sure will give delays and less response of the network. But you could turn it off as long as you want, once it powers up it will sync the AD again. So no, the controller is not removed from you domain. You need todo that manualy. I suggest you read: https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC And not, dont forget if pc's/servers that have there DNS pointed to that server. If so, adjust that also. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Zhuchenko Valery via samba > Verzonden: dinsdag 14 april 2020 10:38 > Aan: samba at lists.samba.org > Onderwerp: [Samba] maximum ad domain controller unavialability time > > Hi, all. > > What is greatest period for AD DC (non FSMO) can be unavailable, for > example, because network segment is unavailable for long time > (3, 4 weeks)? > Is the controller will be removed from AD automatically? > And what to do after this network segment will become available? > > I have read about tombstoneLifeTime attribute of Directory Service > (Configuration, Services, Windows NT), which default value is > 180 days. > But what is about replication? > > Thank you for your explanation. > > Best regards, > Valery > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Alex MacCuish
2020-Apr-14 09:02 UTC
[Samba] maximum ad domain controller unavialability time
HI Valery A DC is never "removed" automatically from AD, but, at least from the Windows perspective, the longest period would be the tombstone lifetime. After this has passed, the DC would have objects "lingering", as the deletion of an object could have already occurred at other DCs and then the marker of the deletion itself removed, which of course means there is no way to communicate the deletion after this final point. I believe Windows automatically blocks replication and disables the netlogon service when it detects such a situation. I'm not sure what samba would do. Alex On 14/04/2020 09:37, Zhuchenko Valery via samba wrote:> Hi, all. > > What is greatest period for AD DC (non FSMO) can be unavailable, for > example, because network segment is unavailable for long time (3, 4 weeks)? > Is the controller will be removed from AD automatically? > And what to do after this network segment will become available? > > I have read about tombstoneLifeTime attribute of Directory Service > (Configuration, Services, Windows NT), which default value is 180 days. > But what is about replication? > > Thank you for your explanation. > > Best regards, > Valery >
Rowland penny
2020-Apr-14 09:25 UTC
[Samba] maximum ad domain controller unavialability time
On 14/04/2020 10:00, L.P.H. van Belle via samba wrote:> Why would you have a server (DC) that long powered off, it for sure will give delays and less response of the network. > But you could turn it off as long as you want, once it powers up it will sync the AD again. >Replication is a two way thing, so I wouldn't recommend turning one off for any length of time. If you turned off a DC for a period of time and, during this time, users, groups and computers were removed from AD, then when you turn the DC back on again, you may find them coming back again ;-) If you are going to turn off a DC for any length of time, I would demote it first. Rowland
Denis CARDON
2020-Apr-14 09:39 UTC
[Samba] maximum ad domain controller unavialability time
Hi Alex,> A DC is never "removed" automatically from AD, but, at least from the > Windows perspective, the longest period would be the tombstone lifetime. > After this has passed, the DC would have objects "lingering", as the > deletion of an object could have already occurred at other DCs and then > the marker of the deletion itself removed, which of course means there > is no way to communicate the deletion after this final point.Good explanation! >I believe> Windows automatically blocks replication and disables the netlogon > service when it detects such a situation. I'm not sure what samba would do.From my experience, Samba-AD replication would continue until it comes to an incoherence (eg. trying to replicate an attribute change on an entry that has been deleted and expunged), and then replication would fail until consistency if fixed. When replication fails that way it does not block netlogon process on Samba and it still open session, and it may have local updates. Cheers, Denis> > Alex > > On 14/04/2020 09:37, Zhuchenko Valery via samba wrote: >> Hi, all. >> >> What is greatest period for AD DC (non FSMO) can be unavailable, for >> example, because network segment is unavailable for long time (3, 4 >> weeks)? >> Is the controller will be removed from AD automatically? >> And what to do after this network segment will become available? >> >> I have read about tombstoneLifeTime attribute of Directory Service >> (Configuration, Services, Windows NT), which default value is 180 days. >> But what is about replication? >> >> Thank you for your explanation. >> >> Best regards, >> Valery >> >
Zhuchenko Valery
2020-Apr-14 13:20 UTC
[Samba] maximum ad domain controller unavialability time
I speak about working controller, not about powered off, but network segment doesn't available to other controllers, for pdc emulator, and controller is available for workstations at this network segment. 14.04.2020 13:00, L.P.H. van Belle via samba ?????:> Why would you have a server (DC) that long powered off, it for sure will give delays and less response of the network. > But you could turn it off as long as you want, once it powers up it will sync the AD again. > > So no, the controller is not removed from you domain. You need todo that manualy. > I suggest you read: > https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC > > And not, dont forget if pc's/servers that have there DNS pointed to that server. > If so, adjust that also. > > > Greetz, > > Louis > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> Zhuchenko Valery via samba >> Verzonden: dinsdag 14 april 2020 10:38 >> Aan: samba at lists.samba.org >> Onderwerp: [Samba] maximum ad domain controller unavialability time >> >> Hi, all. >> >> What is greatest period for AD DC (non FSMO) can be unavailable, for >> example, because network segment is unavailable for long time >> (3, 4 weeks)? >> Is the controller will be removed from AD automatically? >> And what to do after this network segment will become available? >> >> I have read about tombstoneLifeTime attribute of Directory Service >> (Configuration, Services, Windows NT), which default value is >> 180 days. >> But what is about replication? >> >> Thank you for your explanation. >> >> Best regards, >> Valery >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >