23.11.2022 20:02, Rowland Penny via samba wrote:
> On 23/11/2022 16:04, Michael Tokarev via samba wrote:
>
>> Are you sure DC3 and DC4 *have* to replicate between each other?
>
> Yes, all DCs have to replicate to all other DCs
>
>> I'm new to this stuff, but I had to add extra links
>
> You shouldn't have to, Samba should add them for you.

Does it add all-to-all links, i.e. one link with two DCs, 3 links with 3 DCs, 6 links with 4 DCs and so on (hopefully I counted it correctly), so every DC is connected to every other DC (provided everything is on the same site)?

>> (how is that, NTDS? I forgot) between two out of 3 DCs here in order to enable replication between them. In the "Sites and Subnets" snap-in, under each DC, there's one more level with the links. Some links are created automatically, some have to be created explicitly. I don't know if that's how it is supposed to work, but this is what I've seen when doing experiments here.
>
> You seem to be having problems, oh yes, aren't you the person using unbound ?

Yeah, I did have problems. For example, Windows Explorer crashes when opening the "Security" tab of a file located on a DC. Is it due to unbound, are you sure?

The rest was no problem, just minor annoyances. For example, user IDs were different on different servers because I didn't copy idmap.tdb, and a bug in samba-tool ntacl sysvolcheck vs sysvolreset. Is this due to unbound too?

SPN must be unique, - I didn't know this. Is it due to unbound?

..

>> - I'd avoid this one because of a very simple reason: if replication to this DC doesn't work for some reason, DNS replication doesn't work either, so it won't see new names in the net (which might be required for the replication to work). This is one of the reasons I don't use samba-provided DNS,
>
> No, that is one of the reasons you are having problems with replication.

Which problems? I don't know of any problems I have with replication. So far, replication works fine here, multiple sites, multiple DCs in each. Changes are propagated throughout the network quite rapidly.

>> - to keep it simple and avoid such sort of issues. DNS is already well set up with replication and reservation to ensure it is always working. YMMV.
>
> It does, my domain works.

What is "it", and what does it do? The fact that your domain works - this is excellent. My domain works too, quite well. This too is excellent.

/mjt
On 23/11/2022 19:10, Michael Tokarev via samba wrote:
> 23.11.2022 20:02, Rowland Penny via samba wrote:
>> On 23/11/2022 16:04, Michael Tokarev via samba wrote:
>>
>>> Are you sure DC3 and DC4 *have* to replicate between each other?
>>
>> Yes, all DCs have to replicate to all other DCs
>>
>>> I'm new to this stuff, but I had to add extra links
>>
>> You shouldn't have to, Samba should add them for you.
>
> Does it add all-to-all links, i.e. one link with two DCs, 3 links with 3 DCs, 6 links with 4 DCs and so on (hopefully I counted it correctly), so every DC is connected to every other DC (provided everything is on the same site)?
>
>>> (how is that, NTDS? I forgot) between two out of 3 DCs here in order to enable replication between them. In the "Sites and Subnets" snap-in, under each DC, there's one more level with the links. Some links are created automatically, some have to be created explicitly. I don't know if that's how it is supposed to work, but this is what I've seen when doing experiments here.
>>
>> You seem to be having problems, oh yes, aren't you the person using unbound ?
>
> Yeah, I did have problems. For example, Windows Explorer crashes when opening the "Security" tab of a file located on a DC. Is it due to unbound, are you sure?
>
> The rest was no problem, just minor annoyances. For example, user IDs were different on different servers because I didn't copy idmap.tdb, and a bug in samba-tool ntacl sysvolcheck vs sysvolreset. Is this due to unbound too?
>
> SPN must be unique, - I didn't know this. Is it due to unbound?
>
> ..
>
>>> - I'd avoid this one because of a very simple reason: if replication to this DC doesn't work for some reason, DNS replication doesn't work either, so it won't see new names in the net (which might be required for the replication to work). This is one of the reasons I don't use samba-provided DNS,
>>
>> No, that is one of the reasons you are having problems with replication.
>
> Which problems? I don't know of any problems I have with replication. So far, replication works fine here, multiple sites, multiple DCs in each. Changes are propagated throughout the network quite rapidly.
>
>>> - to keep it simple and avoid such sort of issues. DNS is already well set up with replication and reservation to ensure it is always working. YMMV.
>>
>> It does, my domain works.
>
> What is "it", and what does it do? The fact that your domain works - this is excellent. My domain works too, quite well. This too is excellent.
>
> /mjt

Samba stores DNS records in AD, and when you join a new DC, at first start (and every 10 minutes after that) a Python script, 'samba_dnsupdate', is run; this adds any missing records found in the file 'dns_update_list'. Because you are using unbound, your records are incomplete: they are very probably in AD, but unbound doesn't read the records in AD. Because unbound doesn't know all the records, it is very probable that this is causing some of your problems. I cannot make you use the recommended method, but would urge you to do so. You are not the first to use an external DNS server in the way you are, and you are not the first to have problems because you do.

Rowland
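Rowland's point above is that the records samba_dnsupdate registers from dns_update_list end up in AD, where an external resolver such as unbound never sees them. A practical way to check for that gap is to expand the update list into the concrete records a DC expects and ask the resolver clients actually use whether it answers each one. The script below is an added example written for this thread, not Samba's own code: the update-list excerpt, the hostnames, the 192.0.2.x addresses and the NTDS GUID are all constructed, the `${IF_GC}` handling models only one of Samba's conditional prefixes, and `zone_lookup` is a stand-in dictionary for a real DNS query so the example runs offline.

```python
"""
Added example (not Samba's code): expand a dns_update_list-style file into the
records samba_dnsupdate would register and report which of them a resolver
cannot see. Sample list, names, addresses and the resolver view are constructed.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed excerpt in the style of Samba's dns_update_list. Real lists are
# longer; the placeholder names (${HOSTNAME}, ${DNSDOMAIN}, $IP, ...) follow
# the ones the real file uses. Port fields are ignored by this checker.
SAMPLE_UPDATE_LIST = """\
# type   name                                   target        port
A        ${HOSTNAME}                            $IP
A        ${DNSDOMAIN}                           $IP
SRV      _ldap._tcp.${DNSDOMAIN}                ${HOSTNAME}   389
SRV      _ldap._tcp.dc._msdcs.${DNSDOMAIN}      ${HOSTNAME}   389
SRV      _kerberos._tcp.${DNSDOMAIN}            ${HOSTNAME}   88
${IF_GC} SRV _gc._tcp.${DNSDOMAIN}              ${HOSTNAME}   3268
CNAME    ${NTDSGUID}._msdcs.${DNSFOREST}        ${HOSTNAME}
"""

Record = Tuple[str, str, str]  # (record type, owner name, expected target)
Resolver = Callable[[str, str], List[str]]  # (name, type) -> answers


def expand_update_list(text: str, subst: Dict[str, str], is_gc: bool = True) -> List[Record]:
    """Substitute ${VAR} / $VAR placeholders and drop conditional lines whose
    condition is false. Only ${IF_GC} is modelled here (assumption)."""
    def sub(s: str) -> str:
        return re.sub(r"\$\{?(\w+)\}?", lambda m: subst[m.group(1)], s).lower()

    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("${IF_"):
            cond = fields.pop(0)
            if cond == "${IF_GC}" and not is_gc:
                continue
        rtype, name = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else ""
        records.append((rtype, sub(name), sub(target)))
    return records


def missing_records(expected: List[Record], lookup: Resolver) -> List[Record]:
    """Return every expected record the resolver does not answer with the
    expected target (wrong target counts as missing, same as no answer)."""
    missing: List[Record] = []
    for rtype, name, target in expected:
        answers = [a.lower() for a in lookup(name, rtype)]
        if target not in answers:
            missing.append((rtype, name, target))
    return missing


# Constructed view of what a hand-maintained external DNS server might serve:
# the A records were added by an admin, most SRV records and the CNAME were not.
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("dc1.ad.example.test", "A"): ["192.0.2.10"],
    ("ad.example.test", "A"): ["192.0.2.10"],
    ("_ldap._tcp.ad.example.test", "SRV"): ["dc1.ad.example.test"],
}


def zone_lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a real DNS query against the resolver clients use."""
    return CONSTRUCTED_ZONE.get((name, rtype), [])


def check_sample() -> List[Record]:
    """Run the checker over the constructed list and zone; returns what is missing."""
    subst = {
        "HOSTNAME": "dc1.ad.example.test",
        "DNSDOMAIN": "ad.example.test",
        "DNSFOREST": "ad.example.test",
        "IP": "192.0.2.10",
        "NTDSGUID": "11111111-2222-3333-4444-555555555555",  # constructed GUID
    }
    return missing_records(expand_update_list(SAMPLE_UPDATE_LIST, subst), zone_lookup)


if __name__ == "__main__":
    for rtype, name, target in check_sample():
        print(f"MISSING {rtype:5} {name} -> {target}")
```

On a real DC the authoritative view of what should exist comes from `samba_dnsupdate --verbose --all-names`, and replacing `zone_lookup` with a query against the external resolver (for example via dnspython) turns this into a check that can run from any machine: anything it reports as missing is a record Windows clients and other DCs will fail to find, which is the failure mode Rowland describes.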
About Samba always using a "full mesh": read the changelog of Samba 4.5:

"KCC improvements for sparse network replication

The Samba KCC will now be the default knowledge consistency checker in Samba AD. Instead of using full mesh replication between every DC, the KCC will set up connections to optimize replication latency and cost (using site links to calculate the routes). This change should allow larger domains to function significantly better in terms of replication traffic and the time spent performing DRS replication"

Taken from here: https://wiki.samba.org/index.php/Samba_4.5_Features_added/changed#KCC_improvements_for_sparse_network_replication

Regards
Christian

On 23 November 2022 20:10:26 CET, Michael Tokarev via samba <samba at lists.samba.org> wrote:
> 23.11.2022 20:02, Rowland Penny via samba wrote:
>> On 23/11/2022 16:04, Michael Tokarev via samba wrote:
>>
>>> Are you sure DC3 and DC4 *have* to replicate between each other?
>>
>> Yes, all DCs have to replicate to all other DCs
>>
>>> I'm new to this stuff, but I had to add extra links
>>
>> You shouldn't have to, Samba should add them for you.
>
> Does it add all-to-all links, i.e. one link with two DCs, 3 links with 3 DCs, 6 links with 4 DCs and so on (hopefully I counted it correctly), so every DC is connected to every other DC (provided everything is on the same site)?
>
>>> (how is that, NTDS? I forgot) between two out of 3 DCs here in order to enable replication between them. In the "Sites and Subnets" snap-in, under each DC, there's one more level with the links. Some links are created automatically, some have to be created explicitly. I don't know if that's how it is supposed to work, but this is what I've seen when doing experiments here.
>>
>> You seem to be having problems, oh yes, aren't you the person using unbound ?
>
> Yeah, I did have problems. For example, Windows Explorer crashes when opening the "Security" tab of a file located on a DC. Is it due to unbound, are you sure?
>
> The rest was no problem, just minor annoyances. For example, user IDs were different on different servers because I didn't copy idmap.tdb, and a bug in samba-tool ntacl sysvolcheck vs sysvolreset. Is this due to unbound too?
>
> SPN must be unique, - I didn't know this. Is it due to unbound?
>
> ..
>
>>> - I'd avoid this one because of a very simple reason: if replication to this DC doesn't work for some reason, DNS replication doesn't work either, so it won't see new names in the net (which might be required for the replication to work). This is one of the reasons I don't use samba-provided DNS,
>>
>> No, that is one of the reasons you are having problems with replication.
>
> Which problems? I don't know of any problems I have with replication. So far, replication works fine here, multiple sites, multiple DCs in each. Changes are propagated throughout the network quite rapidly.
>
>>> - to keep it simple and avoid such sort of issues. DNS is already well set up with replication and reservation to ensure it is always working. YMMV.
>>
>> It does, my domain works.
>
> What is "it", and what does it do? The fact that your domain works - this is excellent. My domain works too, quite well. This too is excellent.
>
> /mjt

--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
BRAIN Biotech AG
Darmstaedter Str. 34-36
64673 Zwingenberg, Germany
T: +49 6251 9331-30
F: +49 6251 9331-11
cn at brain-biotech.com
www.brain-biotech.com
Registered office: Zwingenberg | Bergstrasse
Commercial register: AG Darmstadt | HRB 24758
Executive board: Adriaan Moelker (Chairman) | Michael Schneiders
Chairman of the supervisory board: Dr. Georg Kellinghusen
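The changelog Christian quotes says the KCC replaces full-mesh replication with connections chosen from site-link costs. The script below, an added illustration written for this thread and not Samba's KCC implementation, makes that difference concrete: it counts the all-to-all pairs Michael was tallying (n(n-1)/2 for n DCs) and contrasts them with a route set built by picking the cheapest site links that still connect every site (a minimum spanning tree). The four sites, eight DCs and link costs are constructed; the intra-site part is modelled as a full mesh inside each site and the first DC of each site stands in as its bridgehead, both simplifications of what the real KCC builds.

```python
"""
Added illustration (not Samba's KCC code): full-mesh DC pairs versus routes
chosen by site-link cost, as the Samba 4.5 changelog describes. Topology and
costs are constructed for the example.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed topology: four sites with two DCs each, and site links with
# costs (lower cost = preferred route), in the spirit of AD site links.
DCS_BY_SITE: Dict[str, List[str]] = {
    "HQ": ["dc1", "dc2"],
    "Branch-A": ["dc3", "dc4"],
    "Branch-B": ["dc5", "dc6"],
    "Remote": ["dc7", "dc8"],
}
SITE_LINKS: List[Tuple[str, str, int]] = [
    ("HQ", "Branch-A", 100),
    ("HQ", "Branch-B", 100),
    ("Branch-A", "Branch-B", 500),
    ("Branch-B", "Remote", 300),
    ("HQ", "Remote", 1000),
]

Pair = Tuple[str, str]


def all_dcs(dcs_by_site: Dict[str, List[str]]) -> List[str]:
    return sorted(dc for dcs in dcs_by_site.values() for dc in dcs)


def full_mesh_pairs(dcs: List[str]) -> List[Pair]:
    """Every DC paired with every other DC: n(n-1)/2 pairs (1, 3, 6, ... )."""
    return list(combinations(sorted(dcs), 2))


def cheapest_site_routes(sites: List[str], links: List[Tuple[str, str, int]]):
    """Kruskal's minimum spanning tree over site links: the cheapest set of
    links that still reaches every site. Returns (chosen links, total cost)."""
    parent = {s: s for s in sites}

    def find(s: str) -> str:
        while parent[s] != s:
            parent[s] = parent[parent[s]]  # path halving
            s = parent[s]
        return s

    chosen: List[Tuple[str, str, int]] = []
    total = 0
    for a, b, cost in sorted(links, key=lambda link: link[2]):
        ra, rb = find(a), find(b)
        if ra != rb:  # adding this link does not create a cycle
            parent[ra] = rb
            chosen.append((a, b, cost))
            total += cost
    return chosen, total


def replication_partners(dcs_by_site: Dict[str, List[str]],
                         links: List[Tuple[str, str, int]]) -> Set[Pair]:
    """Sparse partner set: full mesh inside each site (simplification), plus one
    bridgehead pair per chosen site link (first DC of each site, assumption)."""
    pairs: Set[Pair] = set()
    for dcs in dcs_by_site.values():
        pairs.update(full_mesh_pairs(dcs))
    routes, _ = cheapest_site_routes(list(dcs_by_site), links)
    for a, b, _cost in routes:
        pairs.add(tuple(sorted((dcs_by_site[a][0], dcs_by_site[b][0]))))
    return pairs


if __name__ == "__main__":
    dcs = all_dcs(DCS_BY_SITE)
    routes, cost = cheapest_site_routes(list(DCS_BY_SITE), SITE_LINKS)
    print(f"{len(dcs)} DCs, full mesh: {len(full_mesh_pairs(dcs))} pairs")
    print(f"site routes chosen: {routes} (total cost {cost})")
    print(f"sparse partner pairs: {len(replication_partners(DCS_BY_SITE, SITE_LINKS))}")
```

With the constructed topology the full mesh needs 28 partner pairs while the cost-based set needs 7, which is the sort of reduction the changelog is describing. On a real Samba AD DC, `samba-tool drs showrepl` lists the connections the KCC actually created and the last result of each, which is the place to look before concluding that a missing DC3-to-DC4 link is a problem.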