Manzini Enrico
2024-Dec-24 11:38 UTC
[Samba] samba remote site client authentication and network browsing problem
Hello,
we are testing a dc/rodc configuration with Samba AD, but we are stuck with a problem that occurs when one of the writable DCs (the one that was used as a partner during rodc join) is shut down:

Test configuration:
- writable dc and read only dc Samba 4.21 installed on Debian 12, with two sites configured
- 2 writable dc named dc-1 and dc-2 on central site
- 1 read only dc named rodc-1 on remote site
- Active directory sites and services configured as expected (one central site and one remote site with subnet association)
- 1 remote client windows 10 named remote-1 (in same site as rodc-1)
- we joined the remote site rodc named rodc-1 using as replication partner the writable dc named dc-1
- we joined the windows 10 client using the read only dc named rodc-1
- we verified that the remote client uses the rodc server as logon server through nltest /dsgetdc:domain_name

Problem:
- if we browse the network from the remote-1 client with the rodc and the writable dc used as the rodc replication partner for domain join online, everything is ok and the network browsing in single sign on works as expected
- if we browse the network from the remote-1 client with the rodc online but the writable dc used as the rodc replication partner for domain join offline, network browsing does not work as expected, and network browsing of servers in central site (for example dc-2) does not work, with the Windows client requesting authentication (single sign on still works if browsing using explorer on the read only domain controller, until it is restarted. After the restart the rodc browsing also does not work anymore)
- if we put back online that writable DC, everything goes back to normal: single sign on works correctly and the windows client can browse every server

Do you have any suggestions?

Thank you for your help

Enrico Manzini
Rowland Penny
2024-Dec-24 14:12 UTC
[Samba] samba remote site client authentication and network browsing problem
On Tue, 24 Dec 2024 11:38:17 +0000 Manzini Enrico via samba <samba at lists.samba.org> wrote:

> Hello,
> we are testing a dc/rodc configuration with Samba AD, but we are stuck with a problem that occurs when one of the writable DCs (the one that was used as a partner during rodc join) is shut down:
>
> Test configuration:
> - writable dc and read only dc Samba 4.21 installed on Debian 12, with two sites configured
> - 2 writable dc named dc-1 and dc-2 on central site
> - 1 read only dc named rodc-1 on remote site
> - Active directory sites and services configured as expected (one central site and one remote site with subnet association)
> - 1 remote client windows 10 named remote-1 (in same site as rodc-1)
> - we joined the remote site rodc named rodc-1 using as replication partner the writable dc named dc-1
> - we joined the windows 10 client using the read only dc named rodc-1
> - we verified that the remote client uses the rodc server as logon server through nltest /dsgetdc:domain_name
>
> Problem:
> - if we browse the network from the remote-1 client with the rodc and the writable dc used as the rodc replication partner for domain join online, everything is ok and the network browsing in single sign on works as expected
> - if we browse the network from the remote-1 client with the rodc online but the writable dc used as the rodc replication partner for domain join offline, network browsing does not work as expected, and network browsing of servers in central site (for example dc-2) does not work, with the Windows client requesting authentication (single sign on still works if browsing using explorer on the read only domain controller, until it is restarted. After the restart the rodc browsing also does not work anymore)
> - if we put back online that writable DC, everything goes back to normal: single sign on works correctly and the windows client can browse every server
>
> Do you have any suggestions?
> Thank you for your help
>
> Enrico Manzini

First, what is your reason to use an RODC instead of a RWDC ? If it isn't 'we are afraid the DC might be stolen', then I would give up on the RODC and install a RWDC.

Your AD clients must be able to find their records, as do your users; this means that, if the network is flaky, machine, user & group records will have to be replicated to the RODC, but the passwords, by default, are not. You can force replication of the passwords, but if you do, you now have something very akin to an RWDC.

So, to put it in a nutshell, I personally would only run an RODC if it was likely to be stolen (in which case, you would have to ask, why do we have anything valuable here ?) and if the dns is rock solid to allow uninterrupted communication between the RODC and the other site.

Rowland
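Rowland's "you can force replication of the passwords" is done in Samba by putting the account into the Allowed RODC Password Replication Group and then preloading its secret onto the RODC while the writable DC is still reachable. The script below is an added example and is not part of either message or of Samba's own tooling: `samba-tool group addmembers`, `samba-tool rodc preload` and `ldbsearch` are real Samba commands, the host names dc-1 and rodc-1 are Enrico's, the account names (`remote-1$`, `enrico`) are constructed, and the `run`/`DRY_RUN` wrapper and helper function names are mine. The preload step has to be run on the RODC itself, since it pulls the secret into that DC's local database.

```shell
#!/bin/sh
# Added example, not taken from the thread. Assumes a Samba AD with RWDC dc-1
# and RODC rodc-1 (as in Enrico's setup) and that the accounts passed in exist.
# Defaults to DRY_RUN=1, which only prints the commands; run on the RODC with
# DRY_RUN=0 as a domain admin to actually apply them.
set -eu

RWDC="${RWDC:-dc-1}"
RODC="${RODC:-rodc-1}"
ADMIN="${ADMIN:-Administrator}"
DRY_RUN="${DRY_RUN:-1}"
# Default AD group whose members' secrets an RODC is allowed to cache.
ALLOW_GROUP="Allowed RODC Password Replication Group"

run() {
  # Echo the command; execute it only when DRY_RUN=0.
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Step 1: permit the RODC to cache the account's secret by adding the account
# to the allow group. This is a write, so it goes to the writable DC.
allow_account() {
  run samba-tool group addmembers "$ALLOW_GROUP" "$1" -H "ldap://$RWDC" -U "$ADMIN"
}

# Step 2: pull the secret onto the RODC now, rather than waiting for the first
# logon to trigger it (which needs the RWDC reachable at that moment).
preload_account() {
  run samba-tool rodc preload "$1" --server="$RWDC" -U "$ADMIN"
}

# Check: msDS-RevealedUsers on the RODC's computer object lists the accounts
# whose secrets have been handed to that RODC.
show_revealed() {
  run ldbsearch -H "ldap://$RWDC" -U "$ADMIN" "(sAMAccountName=$RODC\$)" msDS-RevealedUsers
}

# Both the remote machine account and the users who log on there need their
# secrets on the RODC for Kerberos at the site to work without the RWDC.
# Note Rowland's caveat: every secret cached here is one a stolen RODC gives up.
cache_for_site() {
  for acct in "$@"; do
    allow_account "$acct"
    preload_account "$acct"
  done
  show_revealed
}

# Constructed names matching the thread: the Windows 10 client and one user.
cache_for_site 'remote-1$' 'enrico'
```

The allow step alone is not enough: until the RODC has actually received the secret, a logon still has to be forwarded to a writable DC, which is exactly the dependency the thread is hitting.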