mj
2021-Dec-07 09:22 UTC
[Samba] occasional interSiteTopologyGenerator differences between DCs
Hi,

I am doing regular automated runs of samba-tool ldapcmp, to make sure that all our DCs serve the same data. They run samba 4.13.14 on buster.

Since a couple of weeks, we are getting intermittent failures on the interSiteTopologyGenerator. These differences appear and also disappear 'automatically' again. They usually stay for a couple of hours, sometimes less.

They look like this:

> * Comparing [DOMAIN] context...
> * Objects to be compared: 2002
> * Result for [DOMAIN]: SUCCESS
>
> * Comparing [CONFIGURATION] context...
> * Objects to be compared: 1737
> Comparing:
> 'CN=NTDS SITE SETTINGS,CN=DEFAULT-FIRST-SITE-NAME,CN=SITES,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=COM' [ldap://sambadc4.samba.domain.com]
> 'CN=NTDS SITE SETTINGS,CN=DEFAULT-FIRST-SITE-NAME,CN=SITES,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=COM' [ldap://sambadc3.samba.domain.com]
> Difference in attribute values:
> interSiteTopologyGenerator =>
> [b'CN=NTDS Settings,CN=WINDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com']
> [b'CN=NTDS Settings,CN=SAMBADC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com']
>
> FAILED
>
> * Result for [CONFIGURATION]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes with different values:
>
> interSiteTopologyGenerator
>
> * Comparing [SCHEMA] context...
> * Objects to be compared: 1739
> * Result for [SCHEMA]: SUCCESS
>
> * Comparing [DNSDOMAIN] context...
> * Objects to be compared: 305
> * Result for [DNSDOMAIN]: SUCCESS
>
> * Comparing [DNSFOREST] context...
> * Objects to be compared: 21
> * Result for [DNSFOREST]: SUCCESS

I'm not too worried, since everything works, and the situation always proves to be only temporary. We would not even have noticed this occasional discrepancy, if we were not running the regular ldapcmp through cron.

But can anyone explain why this is happening, and perhaps how we could prevent this?

Best,
MJ
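As an added example (not code from the thread or from Samba), here is a small triage step for a cron-driven ldapcmp run like the one above: it parses the output shape shown in the post, separates a tolerated interSiteTopologyGenerator difference from other drift, and only reports the tolerated one when it has persisted across several runs. The sample text is constructed from the post's output; the tolerated-attribute set and the three-run threshold are assumptions.

```python
# Added example, not from the thread. SAMPLE is constructed from the post's output;
# TOLERATED and the three-run threshold in persists() are assumptions.
import re
from collections import namedtuple

SAMPLE = """\
* Comparing [CONFIGURATION] context...
Comparing:
'CN=NTDS SITE SETTINGS,CN=DEFAULT-FIRST-SITE-NAME,CN=SITES,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=COM' [ldap://sambadc4.samba.domain.com]
'CN=NTDS SITE SETTINGS,CN=DEFAULT-FIRST-SITE-NAME,CN=SITES,CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=COM' [ldap://sambadc3.samba.domain.com]
Difference in attribute values:
interSiteTopologyGenerator =>
[b'CN=NTDS Settings,CN=WINDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com']
[b'CN=NTDS Settings,CN=SAMBADC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com']
FAILED
"""
Diff = namedtuple("Diff", "context dn attribute values")  # values: one per DC
CONTEXT_RE = re.compile(r"^\* Comparing \[(\w+)\] context")
DN_RE = re.compile(r"^'(.+)' \[ldap://[^\]]+\]$")
ATTR_RE = re.compile(r"^(\w+) =>$")
VALUE_RE = re.compile(r"^\[b?'(.*)'\]$")

def parse_ldapcmp(text):
    """Line-oriented state machine: track naming context, compared DN and value list."""
    diffs, context, dn, collecting = [], None, None, False
    for line in text.splitlines():
        line = line.strip()
        if m := CONTEXT_RE.match(line):
            context = m.group(1)
        elif m := DN_RE.match(line):
            dn = m.group(1)        # both DCs print the same DN; keep the last one
        elif m := ATTR_RE.match(line):
            diffs.append(Diff(context, dn, m.group(1), []))
            collecting = True
        elif collecting and (m := VALUE_RE.match(line)):
            diffs[-1].values.append(m.group(1))
        elif line == "FAILED":     # ldapcmp closes one object's diff list
            collecting = False
    return diffs

TOLERATED = {"interSiteTopologyGenerator"}  # the KCC may legitimately move this
def triage(diffs, tolerated=TOLERATED):
    """Split into differences that need a human now and ones to watch over time."""
    return ([d for d in diffs if d.attribute not in tolerated],
            [d for d in diffs if d.attribute in tolerated])

def persists(history, diff, runs=3):
    """history: one set of (dn, attribute) keys per past run; True if seen in each of the last `runs`."""
    recent = history[-runs:]
    return len(recent) == runs and all((diff.dn, diff.attribute) in r for r in recent)
```

A cron wrapper would append each run's `{(d.dn, d.attribute) for d in diffs}` to a state file and alert on `hard` immediately but on `watch` only once `persists()` is true.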
L.P.H. van Belle
2021-Dec-07 13:16 UTC
[Samba] occasional interSiteTopologyGenerator differences between DCs
Hai Mourik-Jan,

You changed FSMO roles?

The English explanation I saw:

The intersite topology generator is an Active Directory process that defines the replication between sites on a network. A single domain controller in each site is automatically designated to be the intersite topology generator. Because this action is performed by the intersite topology generator, you are not required to take any action to determine the replication topology and bridgehead server roles.

The domain controller that holds the intersite topology generator role performs two functions:

- It automatically selects one or more domain controllers to become bridgehead servers. This way, if a bridgehead server becomes unavailable, it automatically selects another bridgehead server, if possible.
- It runs the KCC to determine the replication topology and resultant connection objects that the bridgehead servers can use to communicate with bridgehead servers of other sites.

Only why does it change server? I suspect the following, but I'm not sure.

Let's say DC1 is the intersite topology generator, and you're going to update your servers. At some point, DC1 is not reachable, so automatically it changes to another server. That could explain it, but again, I'm not sure on this one.

Below some steps you can look into how things are set now. I suggest, read everything first before changing anything, since this should be done automatically.

-----------------------------------------------
To create a preferred bridgehead server, perform the following steps:

1. Open Active Directory Sites and Services, expand Sites, expand the site that contains the server that you want to configure, expand Servers, and then in the console tree, right-click the domain controller that you want to make a preferred bridgehead server, and then click Properties.
2. Choose the inter-site transport or transports to designate the computer a preferred bridgehead server, click Add, and then click OK.

-----------------------------------------------
Procedure for forcing the KCC to run

To refresh replication topology, first determine whether you want to refresh the replication topology between sites or the replication topology within a site.

- To regenerate it between sites, run the KCC on the domain controller that holds the intersite topology generator role.
- To regenerate it within a site, run the KCC on any domain controller that is not the intersite topology generator.

To determine the domain controller that holds the role of the intersite topology generator in the site, perform the following steps:

1. In Active Directory Sites and Services, expand Sites, and then select the site.
2. In the details pane, right-click NTDS Site Settings, and then click Properties. The site and server that holds the intersite topology generator role appears on the properties page under Inter-Site Topology Generator.

To force the KCC to run, perform the following steps:

1. In Active Directory Sites and Services, in the console tree, expand Sites, expand the site that contains the server on which you want to run the KCC, expand Servers, and then select the server object for the domain controller that you want to run the KCC on.
2. In the details pane, right-click NTDS Settings, click All Tasks, and then click Check Replication Topology.

-----------------------------------------------
Procedure

To force replication over a connection, perform the following steps:

1. In Active Directory Sites and Services, expand the domain controller for the site that contains the connection that you use to replicate directory information.
2. In the console tree, click NTDS Settings.
3. In the details pane, right-click the connection that you use to replicate directory information, and then click Replicate Now.

I hope above helps a bit.
Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Tuesday 7 December 2021 10:22
> To: samba at lists.samba.org
> Subject: [Samba] occasional interSiteTopologyGenerator differences between DCs
Douglas Bagnall
2021-Dec-10 04:37 UTC
[Samba] occasional interSiteTopologyGenerator differences between DCs
On 7/12/21 10:22 pm, mj via samba wrote:
> Hi,
>
> I am doing regular automated runs of samba-tool ldapcmp, to make sure
> that all our DCs serve the same data. They run samba 4.13.14 on buster.
>
> Since a couple of weeks, we are getting intermittent failures on the
> interSiteTopologyGenerator. These differences appear and also disappear
> 'automatically' again. They usually stay for a couple of hours,
> sometimes less.

This might be caused by changes for bug 14876, which is part of CVE-2020-25722, neither of which has a description that is helpful in this case:

https://bugzilla.samba.org/show_bug.cgi?id=14876
https://www.samba.org/samba/security/CVE-2020-25722.html

Essentially, the AD database is a bit more careful about checking all the values it might return, giving it more chances to [noticeably] fail if things go wrong. I haven't properly looked at the code paths, but it looks like we would see different behaviour now if there were somehow duplicate entries for fsmo roles (or perhaps other discrepancies).

>> interSiteTopologyGenerator => [b'CN=NTDS
>> Settings,CN=WINDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com']

Assuming this is a Windows DC, are you able to find out what it thinks is the ISTG?

Douglas