Kris Lou
2022-Nov-14 17:45 UTC
[Samba] Replication between Samba DCs (on different sites)?
> > I'm trying to create another VM, with a 3rd DC, to see if having a
> > DC in the same site will help...
>
> So, I created a second DC on the same Site as our first DC. And
> it instantly enabled and activated replication, samba-tool drs showrepl
> shows active connections between the two DCs, and changes made on one
> of the DCs becomes immediately visible on the other.
>
> But the replication between two DCs in different sites does not seem to
> be enabled. What is the way to enable it?

Are AD Sites configured? If so, I believe that individual links also need to be specified between the sites.
Michael Tokarev
2022-Nov-14 17:50 UTC
[Samba] Replication between Samba DCs (on different sites)?
14.11.2022 20:45, Kris Lou via samba wrote:
>>> I'm trying to create another VM, with a 3rd DC, to see if having a
>>> DC in the same site will help...
>>
>> So, I created a second DC on the same Site as our first DC. And
>> it instantly enabled and activated replication, samba-tool drs showrepl
>> shows active connections between the two DCs, and changes made on one
>> of the DCs becomes immediately visible on the other.
>>
>> But the replication between two DCs in different sites does not seem to
>> be enabled. What is the way to enable it?
>
> Are AD Sites configured?

Yes, there are 2 sites, as described in my first email. Machines are correctly finding their home sites and choose the nearby logon server based on the local IP addresses.

> If so, I believe that individual links also need
> to be specified between the sites.

Well, I guessed this much. The question is how?

Thank you!

/mjt
Michael Tokarev
2022-Nov-14 20:21 UTC
[Samba] Replication between Samba DCs (on different sites)?
14.11.2022 20:45, Kris Lou via samba wrote:
>>> I'm trying to create another VM, with a 3rd DC, to see if having a
>>> DC in the same site will help...
>>
>> So, I created a second DC on the same Site as our first DC. And
>> it instantly enabled and activated replication, samba-tool drs showrepl
>> shows active connections between the two DCs, and changes made on one
>> of the DCs becomes immediately visible on the other.
>>
>> But the replication between two DCs in different sites does not seem to
>> be enabled. What is the way to enable it?
>
> Are AD Sites configured? If so, I believe that individual links also need
> to be specified between the sites.

Ok. It looks like the transport works, or appears to. But the replication doesn't.

On one side/site, it shows:

SVDCP# samba-tool drs showrepl
Pereslavl-Office\SVDCP
DSA Options: 0x00000001
DSA object GUID: 59c9c7d7-d099-4191-a322-7f03403988a4
DSA invocationId: 843ecc66-03a4-43dd-816e-b9d242b4a3d9

==== INBOUND NEIGHBORS ===

DC=tls,DC=msk,DC=ru
    Moscow-Office\AI via RPC
        DSA object GUID: 91a56cbe-38b3-493c-b132-d1042d0aa021
        Last attempt @ Mon Nov 14 23:07:31 2022 MSK was successful
        0 consecutive failure(s).
        Last success @ Mon Nov 14 23:07:31 2022 MSK
...

==== OUTBOUND NEIGHBORS ===

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: AI
    Enabled : TRUE
    Server DNS name : ai.tls.msk.ru
    Server DN name : CN=NTDS Settings,CN=AI,CN=Servers,CN=Moscow-Office,CN=Sites,CN=Configuration,DC=tls,DC=msk,DC=ru
        TransportType: RPC
        options: 0x00000000
Warning: No NC replicated for Connection!
Connection --
    Connection name: be0ce147-739a-4725-aaa2-33686eee44cb
    Enabled : TRUE
    Server DNS name : ai.tls.msk.ru
    Server DN name : CN=NTDS Settings,CN=AI,CN=Servers,CN=Moscow-Office,CN=Sites,CN=Configuration,DC=tls,DC=msk,DC=ru
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

which looks promising (the dots ".." shows similar entries for 4 other partitions).
But on the other side, it does not:

AI# samba-tool drs showrepl
Moscow-Office\AI
DSA Options: 0x00000001
DSA object GUID: 91a56cbe-38b3-493c-b132-d1042d0aa021
DSA invocationId: 1cf73086-45c7-434e-a078-775c7f52bb0a

==== INBOUND NEIGHBORS ===

DC=tls,DC=msk,DC=ru
    Pereslavl-Office\SVDCP via RPC
        DSA object GUID: 59c9c7d7-d099-4191-a322-7f03403988a4
        Last attempt @ Mon Nov 14 23:09:48 2022 MSK failed, result 2 (WERR_FILE_NOT_FOUND)
        6 consecutive failure(s).
        Last success @ NTTIME(0)
...

==== OUTBOUND NEIGHBORS ===

DC=tls,DC=msk,DC=ru
    Pereslavl-Office\SVDCP via RPC
        DSA object GUID: 59c9c7d7-d099-4191-a322-7f03403988a4
        Last attempt @ Mon Nov 14 23:12:34 2022 MSK failed, result 2 (WERR_FILE_NOT_FOUND)
        1 consecutive failure(s).
        Last success @ NTTIME(0)
...

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: SVDCP
    Enabled : TRUE
    Server DNS name : svdcp.tls.msk.ru
    Server DN name : CN=NTDS Settings,CN=SVDCP,CN=Servers,CN=Pereslavl-Office,CN=Sites,CN=Configuration,DC=tls,DC=msk,DC=ru
        TransportType: RPC
        options: 0x00000000
Warning: No NC replicated for Connection!

It is interesting the first one shows only inbound connections, all successful, while the other shows both, and all unsuccessful.

I don't see what to do with these now.. Which file it can't find, where to look for any clues?

I tried 'samba-tool drs replicate' manually on AI, but it also shows this error:

AI# samba-tool drs replicate ai svdcp 'CN=Configuration,DC=tls,DC=msk,DC=ru'
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_FILE_NOT_FOUND')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 92, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Re-creating the second DC gives the same results.

Where to come from here, how to debug this?

Thanks!

/mjt
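
A triage helper for output like the two listings above, added here as an example (it is not part of the original thread and not Samba's own code): it parses the text output of `samba-tool drs showrepl` and lists the neighbours whose last attempt failed, per direction and naming context, so the two DCs' views can be compared. The sample input is constructed, with placeholder site, host and domain names.

```python
import re

ANY_SECTION = re.compile(r"^=+ .+ =+$")
SECTION = re.compile(r"^=+ (INBOUND|OUTBOUND) NEIGHBORS =+$")
NC = re.compile(r"^(?:DC|CN)=\S+$")                 # naming context heading
NEIGHBOR = re.compile(r"^(.+\\.+) via RPC$")        # Site\DC via RPC
ATTEMPT = re.compile(r"^Last attempt @ .+? (?:was successful|failed, result (\d+) \((\w+)\))$")
STREAK = re.compile(r"^(\d+) consecutive failure\(s\)\.$")

def parse_showrepl(text):
    """Return one dict per neighbour listed in the INBOUND/OUTBOUND sections."""
    entries, direction, nc, cur = [], None, None, None
    for line in map(str.strip, text.splitlines()):
        if ANY_SECTION.match(line):
            m = SECTION.match(line)                 # None for the KCC section
            direction, cur = (m.group(1).lower() if m else None), None
        elif direction is None:
            continue                                # DSA header, KCC objects
        elif NC.match(line):
            nc = line
        elif m := NEIGHBOR.match(line):
            cur = {"direction": direction, "nc": nc, "neighbor": m.group(1),
                   "werr": None, "streak": 0, "never_ok": False}
            entries.append(cur)
        elif cur and (m := ATTEMPT.match(line)):
            cur["werr"] = m.group(2)                # stays None on success
        elif cur and (m := STREAK.match(line)):
            cur["streak"] = int(m.group(1))
        elif cur and line == "Last success @ NTTIME(0)":
            cur["never_ok"] = True                  # has never replicated
    return entries

def failing(entries):
    return [e for e in entries if e["werr"] or e["streak"]]

# Constructed sample input (placeholder names), shaped like the output above.
SAMPLE = r"""SiteB\DC2
==== INBOUND NEIGHBORS ====
DC=example,DC=com
    SiteA\DC1 via RPC
        Last attempt @ Mon Nov 14 23:09:48 2022 MSK failed, result 2 (WERR_FILE_NOT_FOUND)
        6 consecutive failure(s).
        Last success @ NTTIME(0)
CN=Configuration,DC=example,DC=com
    SiteA\DC1 via RPC
        Last attempt @ Mon Nov 14 23:07:31 2022 MSK was successful
==== KCC CONNECTION OBJECTS ====
    Server DN name : CN=NTDS Settings,CN=DC1,CN=Servers,CN=SiteA"""
```

Feeding each DC's output to `failing(parse_showrepl(...))` gives a per-partition list that can be diffed between the two sides.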