samba - Dec 2024 - Recently joined RODC looses machine accounts

Hi, i have some problems with a recently joined Read Only Domain controller.

I had 2 Domain Controllers based on Windows Server 2019 (hosts vmw2srvdc1 an
vmw2srvdc2).
I and i recently added a new site (PSN) and Read Only DC in this second site
based on samba (host lvsrvdc).

Then i added a fileserver joining as domain member (host lvsrv39) the same site
as the new RODC (lvsrvdc).
Performing the join seem ok, but in few hours the new domain member apparently
looses his domain account.

I wrote apparently because the issue seems only with the new RODC.

I checked with testjoin command:

root at psn-lvsrv39:~# net ads testjoin
kerberos_kinit_password PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT failed: Client not
found in Kerberos database
Join to domain is not valid: LDAP_INVALID_CREDENTIALS

This happens if i direct the test towards Read write DC in other site (--server
vmw2srvdc1)
root at psn-lvsrv39:~# net ads testjoin --server vmw2srvdc1
kerberos_kinit_password PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT failed: Client not
found in Kerberos database
kerberos_kinit_password PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT failed: Client not
found in Kerberos database
Join is OK

If i explicitly send the testjoin towards Read Only DC in the same site
(--server lvsrvdc) i see the error
root at psn-lvsrv39:~# net ads testjoin --server lvsrvdc
kerberos_kinit_password PSN-LVSRV39$@INTRA.COMUNE.TRENTO.IT failed: Client not
found in Kerberos database
Join to domain is not valid: LDAP_INVALID_CREDENTIALS


So i suspect some replica problems between RODC an both RW DC's. But i'm
not sure how to check.
The samba-tool drs showrepl command gives me different results based on whether
I add a domain administrator user or not.

Samba tool drs showrepl output on RODC:

root at lvsrvdc:~# samba-tool drs showrepl
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453,
'WERR_DS_DRA_ACCESS_DENIED')

root at lvsrvdc:~# samba-tool drs kcc
ERROR(runtime): DsExecuteKCC failed - (8453,
'WERR_DS_DRA_ACCESS_DENIED')

root at lvsrvdc:~# samba-tool drs showrepl -U adminmit
Password for [INTRA\adminmit]:
PSN\LVSRVDC
DSA Options: 0x00000025
DSA object GUID: 7bd5241d-14b1-4bfa-a2af-2fa7a08d5b92
DSA invocationId: 36d43f9c-23e9-482a-a084-cfeddbe41c55

==== INBOUND NEIGHBORS ===
==== OUTBOUND NEIGHBORS ===
==== KCC CONNECTION OBJECTS ===
Connection --
	Connection name: VMW2SRVDC1
	Enabled        : TRUE
	Server DNS name : vmw2srvdc1.intra.comune.trento.it
	Server DN name  : CN=NTDS
Settings,CN=VMW2SRVDC1,CN=Servers,CN=TRENTO,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
		TransportType: RPC
		options: 0x00000000
Warning: No NC replicated for Connection!
Connection --
	Connection name: RODC Connection (FRS)
	Enabled        : TRUE
	Server DNS name : vmw2srvdc2.intra.comune.trento.it
	Server DN name  : CN=NTDS
Settings,CN=VMW2SRVDC2,CN=Servers,CN=TRENTO,CN=Sites,CN=Configuration,DC=intra,DC=comune,DC=trento,DC=it
		TransportType: RPC
		options: 0x00000041
Warning: No NC replicated for Connection!


-- 
Mitja Tav?ar

On Tue, 3 Dec 2024 09:15:36 +0100
Mitja Tav?ar via samba <samba at lists.samba.org> wrote:
> Hi, i have some problems with a recently joined Read Only Domain
> controller.
> 
> I had 2 Domain Controllers based on Windows Server 2019 (hosts
> vmw2srvdc1 an vmw2srvdc2). I and i recently added a new site (PSN)
> and Read Only DC in this second site based on samba (host lvsrvdc).
I know that RODCs sound like a good idea, except for two things, they
were only really designed for a small site user base, but more
importantly, what happens if the site link goes down for any
considerable period ?

You also haven't told us what Linux distro you are using and how you
set up the RODC and fileserver, what is in their smb.conf files for
instance ?

Rowland