samba - Oct 2024 - Problem with a domain controller that is located in a separate site

Adam,

 

When you have one DC in a site, the sole DC automatically considers itself a
bridgehead server to other DC?s once the site links have been setup.  Should be
no need to manually configure this.

 

I see you have NTDS connections for WIN2019-2 and Samba on each DC. In theory
you shouldn?t be having an issue with no outbound neighbors. What I would do is
delete the automatically generated NTDS connections for WIN2019-2 and Samba on
each DC. Let the KCC regenerate and see if outbound neighbor replication begins.

 

The KCC may take time to create these connections once you delete. You can force
the KCC check, but I wouldn?t do so at this stage. Let it gracefully create.

 

Do Samba logs show any errors with replication? 

 

-James

 

 

From: Adam Abramson <abramsona30 at gmail.com> 
Sent: Friday, October 11, 2024 10:41 AM
To: james.atwell365 at gmail.com
Cc: samba at lists.samba.org
Subject: Re: [Samba] Problem with a domain controller that is located in a
separate site

 

OK, I'm sending a screenshot specifically from win2019-2 .  Looking at all
the connections, they are of course displayed

https://ibb.co/Qbz3PZz

 

On Fri, Oct 11, 2024 at 5:36?PM James Atwell via samba <samba at
lists.samba.org> wrote:

Thanks for the images, however I need to see your NTDS settings for server
WIN2019-2. If you open this, you should see automatically generated connections
to servers in Default-First-Site-Name and Test-Samba sites. This assumes you
have servers in Default-First-Site-Name. Otherwise you should just see the Samba
server.



-James



From: Adam Abramson <abramsona30 at gmail.com <mailto:abramsona30 at
gmail.com> >
Sent: Friday, October 11, 2024 9:50 AM
To: james.atwell365 at gmail.com <mailto:james.atwell365 at gmail.com> 
Cc: samba at lists.samba.org <mailto:samba at lists.samba.org> 
Subject: Re: [Samba] Problem with a domain controller that is located in a
separate site



in my case, there is exactly one controller in the site and therefore the
attribute is not filled in. in your case, it seems to me that your repsFrom
repsTo attributes are filled because there are 2 controllers in the site
, but on the windows side, even when 1 controller is filled, both attributes are
filled



On Fri, Oct 11, 2024 at 4:44?PM James Atwell via samba <samba at
lists.samba.org <mailto:samba at lists.samba.org>  <mailto:samba at
lists.samba.org <mailto:samba at lists.samba.org> > > wrote:

Adam,



While you?re confirming your sites and services setup. See the link for how I
have my sites setup. I have sanitized some if it and it?s from a Samba only
environment but should still be setup similarly for Samba or mixed environments.



https://ibb.co/hZPJkxw



I have 2 DC?s per site. The Site ?D? and Server ?D5? has outbound neighbors of
?D4? and S6? of site ?S?.   Site ?S? if I was to show you its NTDS settings for
server ?S6?,has automatically generated connections to server ?D5? in site ?D?.
If for whatever reason the KCC did not auto create, I would manually need to
create the connections to site ?D? for server ?D5? if I wanted it to be an
outbound neighbor.



-James





From: Adam Abramson <abramsona30 at gmail.com <mailto:abramsona30 at
gmail.com>  <mailto:abramsona30 at gmail.com <mailto:abramsona30 at
gmail.com> > >
Sent: Friday, October 11, 2024 8:48 AM
To: james.atwell365 at gmail.com <mailto:james.atwell365 at gmail.com> 
<mailto:james.atwell365 at gmail.com <mailto:james.atwell365 at
gmail.com> >
Cc: samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:samba at lists.samba.org <mailto:samba at lists.samba.org> >
Subject: Re: [Samba] Problem with a domain controller that is located in a
separate site



Hi, James, yes, I set up sites through the sites and services tool. It's not
that it's fully connected replication, but that the RepsTo attribute, under
equal conditions with windows, is not filled on the samba side, which in turn
entails that the outbound neighbors are not displayed on the samba side. But let
me clarify that I even made each server (there is only one in each site) a
bridgehead, that is, connections should be built and the attributes of repsTo
repsFrom should be fully filled even if the domain controller is alone on its
site. Maybe I'm wrong and can you tell me where my mistake is? In the
correspondence above, there are screenshots with the difference of attributes
between windows and samba



On Fri, Oct 11, 2024 at 3:37?PM James Atwell via samba <samba at
lists.samba.org <mailto:samba at lists.samba.org>  <mailto:samba at
lists.samba.org <mailto:samba at lists.samba.org> >  <mailto:samba
at lists.samba.org <mailto:samba at lists.samba.org>  <mailto:samba at
lists.samba.org <mailto:samba at lists.samba.org> > > > wrote:


> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org <mailto:samba-bounces
at lists.samba.org>  <mailto:samba-bounces at lists.samba.org
<mailto:samba-bounces at lists.samba.org> >  <mailto:samba-bounces
at lists.samba.org <mailto:samba-bounces at lists.samba.org> 
<mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at
lists.samba.org> > > > On Behalf Of Adam
> Abramson via samba
> Sent: Friday, October 11, 2024 6:26 AM
> To: samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:samba at lists.samba.org <mailto:samba at lists.samba.org> >
<mailto:samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:samba at lists.samba.org <mailto:samba at lists.samba.org> >
>
> Subject: Re: [Samba] Problem with a domain controller that is located in a
> separate site
> 
> Thanks a lot Rowland I hope we will fix this issue soon
> 
> On Fri, Oct 11, 2024 at 1:14?PM Rowland Penny via samba <
> samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:samba at lists.samba.org <mailto:samba at lists.samba.org> >
<mailto:samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:samba at lists.samba.org <mailto:samba at lists.samba.org> >
> > wrote:
> 
> > On Fri, 11 Oct 2024 13:06:40 +0300
> > Adam Abramson <abramsona30 at gmail.com <mailto:abramsona30 at
gmail.com>  <mailto:abramsona30 at gmail.com <mailto:abramsona30 at
gmail.com> >  <mailto:abramsona30 at gmail.com <mailto:abramsona30
at gmail.com>  <mailto:abramsona30 at gmail.com <mailto:abramsona30 at
gmail.com> > > > wrote:
> >
> > > yes, above I have attached screenshots of testing from the
windows
> > > side, which show the difference between the behavior of samba and
> > > windows servers, on windows this attribute is filled in although
> > > these servers are also located on separate sites, I think that
this
> > > difference in operation is problematic to some extent possible,
tell
> > > me where I can leave a bug report
> > >
> >
> > https://bugzilla.samba.org/
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
Hi Adam,

Apologies as I might have overlooked you stating this but did you setup your
sites using Active Directory Sites & Services Tool? This tool is necessary
for correct site replication.

Prior to Samba 4.5, I believe full mesh replication was the standard. In 4.5
https://www.samba.org/samba/history/samba-4.5.0.html  samba introduced KCC
improvements for sparse network replication. At that time, you could use the
command "kccsrv:samba_kcc = yes" in your smb.conf to turn this on and
off. Setting this to off will result in full mesh replication. I advise against
turning this off especially in larger networks. Instead, I would look to
properly configure sites and services.




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

I will send the kcc data on Monday, but in my experience it seems to me
that everything will be the same, there are no hints of problems with
replication in the logs

On Fri, Oct 11, 2024 at 6:37?PM James Atwell via samba <
samba at lists.samba.org> wrote:
> Adam,
>
>
>
> When you have one DC in a site, the sole DC automatically considers itself
> a bridgehead server to other DC?s once the site links have been setup.
> Should be no need to manually configure this.
>
>
>
> I see you have NTDS connections for WIN2019-2 and Samba on each DC. In
> theory you shouldn?t be having an issue with no outbound neighbors. What I
> would do is delete the automatically generated NTDS connections for
> WIN2019-2 and Samba on each DC. Let the KCC regenerate and see if outbound
> neighbor replication begins.
>
>
>
> The KCC may take time to create these connections once you delete. You can
> force the KCC check, but I wouldn?t do so at this stage. Let it gracefully
> create.
>
>
>
> Do Samba logs show any errors with replication?
>
>
>
> -James
>
>
>
>
>
> From: Adam Abramson <abramsona30 at gmail.com>
> Sent: Friday, October 11, 2024 10:41 AM
> To: james.atwell365 at gmail.com
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Problem with a domain controller that is located in a
> separate site
>
>
>
> OK, I'm sending a screenshot specifically from win2019-2 .  Looking at
all
> the connections, they are of course displayed
>
> https://ibb.co/Qbz3PZz
>
>
>
> On Fri, Oct 11, 2024 at 5:36?PM James Atwell via samba <
> samba at lists.samba.org> wrote:
>
> Thanks for the images, however I need to see your NTDS settings for server
> WIN2019-2. If you open this, you should see automatically generated
> connections to servers in Default-First-Site-Name and Test-Samba sites.
> This assumes you have servers in Default-First-Site-Name. Otherwise you
> should just see the Samba server.
>
>
>
> -James
>
>
>
> From: Adam Abramson <abramsona30 at gmail.com <mailto:abramsona30 at
gmail.com>
> >
> Sent: Friday, October 11, 2024 9:50 AM
> To: james.atwell365 at gmail.com <mailto:james.atwell365 at
gmail.com>
> Cc: samba at lists.samba.org <mailto:samba at lists.samba.org>
> Subject: Re: [Samba] Problem with a domain controller that is located in a
> separate site
>
>
>
> in my case, there is exactly one controller in the site and therefore the
> attribute is not filled in. in your case, it seems to me that your repsFrom
> repsTo attributes are filled because there are 2 controllers in the site
> , but on the windows side, even when 1 controller is filled, both
> attributes are filled
>
>
>
> On Fri, Oct 11, 2024 at 4:44?PM James Atwell via samba <
> samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> > >
wrote:
>
> Adam,
>
>
>
> While you?re confirming your sites and services setup. See the link for
> how I have my sites setup. I have sanitized some if it and it?s from a
> Samba only environment but should still be setup similarly for Samba or
> mixed environments.
>
>
>
> https://ibb.co/hZPJkxw
>
>
>
> I have 2 DC?s per site. The Site ?D? and Server ?D5? has outbound
> neighbors of ?D4? and S6? of site ?S?.   Site ?S? if I was to show you its
> NTDS settings for server ?S6?,has automatically generated connections to
> server ?D5? in site ?D?. If for whatever reason the KCC did not auto
> create, I would manually need to create the connections to site ?D? for
> server ?D5? if I wanted it to be an outbound neighbor.
>
>
>
> -James
>
>
>
>
>
> From: Adam Abramson <abramsona30 at gmail.com <mailto:abramsona30 at
gmail.com>
> <mailto:abramsona30 at gmail.com <mailto:abramsona30 at gmail.com>
> >
> Sent: Friday, October 11, 2024 8:48 AM
> To: james.atwell365 at gmail.com <mailto:james.atwell365 at
gmail.com>  <mailto:
> james.atwell365 at gmail.com <mailto:james.atwell365 at gmail.com>
>
> Cc: samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> >
> Subject: Re: [Samba] Problem with a domain controller that is located in a
> separate site
>
>
>
> Hi, James, yes, I set up sites through the sites and services tool.
It's
> not that it's fully connected replication, but that the RepsTo
attribute,
> under equal conditions with windows, is not filled on the samba side, which
> in turn entails that the outbound neighbors are not displayed on the samba
> side. But let me clarify that I even made each server (there is only one in
> each site) a bridgehead, that is, connections should be built and the
> attributes of repsTo repsFrom should be fully filled even if the domain
> controller is alone on its site. Maybe I'm wrong and can you tell me
where
> my mistake is? In the correspondence above, there are screenshots with the
> difference of attributes between windows and samba
>
>
>
> On Fri, Oct 11, 2024 at 3:37?PM James Atwell via samba <
> samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> > 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> > >
> wrote:
>
>
>
> > -----Original Message-----
> > From: samba <samba-bounces at lists.samba.org <mailto:
> samba-bounces at lists.samba.org>  <mailto:samba-bounces at
lists.samba.org
> <mailto:samba-bounces at lists.samba.org> >  <mailto:
> samba-bounces at lists.samba.org <mailto:samba-bounces at
lists.samba.org>
> <mailto:samba-bounces at lists.samba.org <mailto:
> samba-bounces at lists.samba.org> > > > On Behalf Of Adam
> > Abramson via samba
> > Sent: Friday, October 11, 2024 6:26 AM
> > To: samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> > 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> > >
> > Subject: Re: [Samba] Problem with a domain controller that is located
in
> a
> > separate site
> >
> > Thanks a lot Rowland I hope we will fix this issue soon
> >
> > On Fri, Oct 11, 2024 at 1:14?PM Rowland Penny via samba <
> > samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> > 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> 
<mailto:
> samba at lists.samba.org <mailto:samba at lists.samba.org> > >
> wrote:
> >
> > > On Fri, 11 Oct 2024 13:06:40 +0300
> > > Adam Abramson <abramsona30 at gmail.com <mailto:abramsona30
at gmail.com>
> <mailto:abramsona30 at gmail.com <mailto:abramsona30 at gmail.com>
>  <mailto:
> abramsona30 at gmail.com <mailto:abramsona30 at gmail.com> 
<mailto:
> abramsona30 at gmail.com <mailto:abramsona30 at gmail.com> > >
> wrote:
> > >
> > > > yes, above I have attached screenshots of testing from the
windows
> > > > side, which show the difference between the behavior of
samba and
> > > > windows servers, on windows this attribute is filled in
although
> > > > these servers are also located on separate sites, I think
that this
> > > > difference in operation is problematic to some extent
possible, tell
> > > > me where I can leave a bug report
> > > >
> > >
> > > https://bugzilla.samba.org/
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
> Hi Adam,
>
> Apologies as I might have overlooked you stating this but did you setup
> your sites using Active Directory Sites & Services Tool? This tool is
> necessary for correct site replication.
>
> Prior to Samba 4.5, I believe full mesh replication was the standard. In
> 4.5 https://www.samba.org/samba/history/samba-4.5.0.html  samba
> introduced KCC improvements for sparse network replication. At that time,
> you could use the command "kccsrv:samba_kcc = yes" in your
smb.conf to turn
> this on and off. Setting this to off will result in full mesh replication.
> I advise against turning this off especially in larger networks. Instead, I
> would look to properly configure sites and services.
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Fri, 11 Oct 2024 11:37:15 -0400
James Atwell via samba <samba at lists.samba.org> wrote:
 
> Do Samba logs show any errors with replication? 
Probably not, because in his initial post, he said replication was
working, but 'repsTo' wasn't populated.

Rowland