On 23/11/2022 19:10, Michael Tokarev via samba wrote:> 23.11.2022 20:02, Rowland Penny via samba wrote:
>> On 23/11/2022 16:04, Michael Tokarev via samba wrote:
>>
>>> Are you sure DC3 and DC4 *have* to replicate between each other?
>>
>> Yes, all DC's have to replicate to all other DC's
>>
>>> I'm new to this stuff, but I had to add extra links
>>
>> You shouldn't have to, Samba should add them for you.
>
> Does it add all to all links, ie, one link with two DCs,
> 3 links with 3 DCs, 6 links with 4 DCs and so on (hopefully
> I counted it correctly), so every DC is connected to every
> other DC (provided everything is on the same site)?
>
>>> (how is that,
>>> NTDS? I forgot) between two out of 3 DCs here in order to enable
>>> replication between them. In "Sites and Subnets" snap,
under each
>>> DC, there's one more level with the links. Some links are
created
>>> automatically, some have to be created explicitly.? I don't
know
>>> if that's how it is supposed to work, but this is what I've
seen
>>> when doing experiments here.
>>
>> You seem to be having problems, oh yes, aren't you the person using
>> unbound ?
>
> Yeah, I did have problems. For example, Windows explorer crashes
> when opening "Security" tab of a file located on a DC.? Is it due
> to unbound, are you sure?
>
> The rest was no problem, just minor annoyances.? For example, user IDs
> were different on different servers because I didn't copy idmap.tdb,
> and bug in samba-tool ntacl sysvolcheck vs sysvolreset.? Is this due
> to unbound too?
>
> SPN must be unique, - I didn't know this.? Is it due to unbound?
>
> ..
>>> - I'd
>>> avoid this one because of a very simple reason: if replication to
>>> this DC doesn't work for some reason, DNS replication
doesn't work
>>> too, so it wont see new names in the net (which might be required
>>> for the replication to work).? This is one of the reasons I
don't
>>> use samba-provided DNS,
>>
>> No, that is one of the reasons you are having problems with
replication.
>
> Which problems? I don't know problems I have with replication.
> So far, replication works here fine, multiple sities, multiple
> DCs in each. Changes are propagated to all the network quite
> rapidly.
>
>>> - to keep it simple and avoid such sort
>>> of issues.? DNS is already well set up with replication and
>>> reservation to ensure it is always working.? YMMV.
>>
>> It does, my domain works.
>
> What it and what it does? The fact that your domain work - this
> is excellent. My domain works too, quite well. This too is
> excellent.
>
> /mjt
>
Samba stores dns records in AD and when you join a new DC, at first
start (and every 10 minutes after that) a python script is run
'samba_dnsupdate', this adds any missing records found in the file
'dns_update_list'. Because you are using unbound, your records are
incomplete, they are very probably in AD, but unbound doesn't read the
records in AD. Because unbound doesn't know all the records, it is very
probable that this is causing some of your problems.
I cannot make you use the recommended method, but would urge you to do
so. You are not the first to use an external dns server in the way you
are and you are not the first to have problems because you do.
Rowland