Hello,

I have a PDC with a master LDAP backend and a BDC with a slave LDAP backend (both are Samba 3.2 on Debian Lenny). I want to install an additional Samba server at another site (on Debian Squeeze). The two sites are connected with a VPN (over not-so-reliable ADSL lines). I read an interesting network scenario in the Samba Guide, chapter 6: theoretically it is possible to install one PDC at both sites, with the same domain, server name and SID. I like this idea, but: has anyone tried that, and does anyone have experience with it?

Thank you in advance.
On Friday 09/07/2010 at 4:36 am, Tamás Pisch wrote:
> Hello,
>
> I have a PDC with a master LDAP backend and a BDC with a slave LDAP backend (both are Samba 3.2 on Debian Lenny). I want to install an additional Samba server at another site (on Debian Squeeze). The two sites are connected with a VPN (over not-so-reliable ADSL lines). I read an interesting network scenario in the Samba Guide, chapter 6: theoretically it is possible to install one PDC at both sites, with the same domain, server name and SID. I like this idea, but: has anyone tried that, and does anyone have experience with it?

No, but your best option is to simply use LDAP replication and install an LDAP server on the remote location server. This way, auth traffic on the remote is always local (saving bandwidth) and is available regardless of the link being up or down. Do the same with DNS, and you'll be quite happy with the results, as will your users.

> Thank you in advance.
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
> [SNIP]
>
> I think the multi-master replication sort of defeats the purpose of the PDC in the remote office: multi-master replication means the information must be sent to both servers anyway. If I recall correctly, I think Chapter 6 refers to running BDCs in each remote office, and only one PDC...
>
> I played with this once, and I got it working by setting up a PDC and BDC in the main office, a BDC (not PDC) in the remote office, and using LDAP's new multi-master replication to keep everything in sync. Throw in your DNS database, and it works, it's cool, but I think it was so not worth the effort (unless you have nothing better to do with your 20% time). I spent a whole lot of time making sure the configs were perfect for the multi-master replication.

I found it quite simple. But I had a rather extensive use of NTLM auth stuff going on as well.

> The thing that threw the monkey-wrench is DNS and DHCP... I ended up putting all the DHCP information into the LDAP as well, with defined IP addresses for every MAC, because DHCPd updates the DNS when a new user requests an IP address. Since I put a DHCP server on both sides of the VPN, I needed multi-master replication for the DNS information so the computers could find each other. In the end, I dumped the MAC addresses from my hardware catalog into the LDAP, and preassigned all the IPs to reduce the number of writes to the LDAP server.

Well, I'll just say there are many ways to skin a cat, and leave it at that.

> I found it is much easier to set up two separate domains and have them trust each other, using different branches of the same LDAP tree. Then, let one server write to one branch, the other server write to the other branch, and do multi-master replication between them. That way, there is no worrying about simultaneous updates or any of that jazz. Not as cool... or as elegant, but it made my life easier by isolating problems. I did the same for the DNS information, setting up separate zones for each physical office. Since the information was in the same tree, it was much easier to configure mail servers and other services needing directory information, and since I did not delegate the branches, the mail server (only in the main office) did not need to read off my remote directories over VPN.
>
> Of course, my users only visited each others' offices "occasionally". If you have tons of movement between the offices, a one-domain solution may be forced upon you...
>
> On Fri, Jul 9, 2010 at 8:58 AM, <tms3 at tms3.com> wrote:
>> [earlier messages in the thread, quoted above]
>
> ----
> Scott Grizzard
> Scott at ScottGrizzard.com
> http://www.ScottGrizzard.com
> How did you get it working like that so quickly?

This site has an EXCELLENT primer on it: http://www.zytrax.com/books/ldap/ch7/ As well, OpenLDAP's site: http://www.openldap.org/ If you only have 2 LDAP servers, you can use the simpler master/slave setup as well. It's just that if you start needing more LDAP servers, you'd need to reconfigure again.

> Did you get it working with two primary domain controllers? (As opposed to one PDC and two BDCs?)

No. This is not recommended, and I don't play in production environments... much. Never tried it in the lab either.

> How did you manage to resolve the DNS update issue?

Honestly, I have no idea what DNS problems the other responder had. The only DNS issues I had were making the W2k3 domain play nice with bind9 and vice versa. Further, if you want locked IPs for workstations via MAC, there are many ways of doing this: dhcpd.conf, for instance. But to each his own. Updates are sent to the master DNS; if it's unavailable, no update. So if you're forcing new IPs from DHCP every reboot, or every xxx seconds, then during WAN outages you might have issues, I suppose. Depends on how badly you need name service resolution of client workstations.

> On Fri, Jul 9, 2010 at 12:58 PM, <tms3 at tms3.com> wrote:
>> [earlier messages in the thread, quoted above]
>
> ----
> Scott Grizzard
> Scott at ScottGrizzard.com
> http://www.ScottGrizzard.com
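The "dhcpd.conf, for instance" of the message above, written out as an added example (not configuration posted in the thread): per-MAC reservations so that catalogued workstations never draw from the pool and never trigger a dynamic DNS write, while unknown clients still get a lease and a DDNS update against a zone mastered by the branch's own name server, as in the separate-zone-per-office layout Scott described. All names, addresses and the key value are placeholders.

```conf
# /etc/dhcp/dhcpd.conf on the branch-office DHCP server (added example, placeholder values)
# Assumed: branch zone branch.example.com mastered on 10.20.0.2, branch LAN 10.20.0.0/24.
authoritative;
ddns-update-style interim;
ddns-domainname "branch.example.com.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;          # the server, not the client, decides the DNS name
update-static-leases off;       # ISC default: hosts with fixed-address cause no DDNS writes

# TSIG key shared with the zone's master name server; generate the secret with BIND's key
# tools and keep this file root-only, since the key lets anyone rewrite the zone.
key branch-ddns {
    algorithm hmac-md5;
    secret "<base64 TSIG secret>";
}

# DDNS goes to the local branch master, so it keeps working when the VPN is down.
zone branch.example.com. {
    primary 10.20.0.2;
    key branch-ddns;
}
zone 0.20.10.in-addr.arpa. {
    primary 10.20.0.2;
    key branch-ddns;
}

subnet 10.20.0.0 netmask 255.255.255.0 {
    option routers 10.20.0.1;
    option domain-name-servers 10.20.0.2;   # local resolver, stays up without the VPN
    option domain-name "branch.example.com";
    range 10.20.0.100 10.20.0.199;          # only unknown clients use the dynamic pool
}

# One host block per catalogued MAC. Their A/PTR records live statically in the zone
# files, so the only DNS writes left are for visiting, unknown machines.
host ws-branch-01 {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 10.20.0.21;
}
host ws-branch-02 {
    hardware ethernet 00:11:22:33:44:56;
    fixed-address 10.20.0.22;
}
```

If the master name server for a zone is unreachable, dhcpd logs the failed update but still hands out the lease, which matches the "if it's unavailable, no update" behaviour described above; keeping the zone master on the same side of the VPN as the DHCP server avoids the problem for the branch entirely.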
> No, but your best option is to simply use LDAP replication and install an LDAP server on the remote location server. This way, auth traffic on the remote is always local (saving bandwidth) and is available regardless of the link being up or down. Do the same with DNS, and you'll be quite happy with the results, as will your users.

Thanks. Of course, local LDAP and DNS are fundamental. My problem is the modifications (user and machine account passwords). They are written to the master LDAP server. As Scott wrote to me, I could set up multi-master replication, but it is very hard.
> --- Original message ---
> Subject: Re: [Samba] two PDCs
> From: Scott Grizzard <scott at scottgrizzard.com>
> To: Tamás Pisch <pischta at gmail.com>
> Cc: <samba at lists.samba.org>
> Date: Monday, 12/07/2010 12:38 AM
>
>>> Of course, my users only visited each others' offices "occasionally". If you have tons of movement between the offices, a one-domain solution may be forced upon you...
>>
>> Unfortunately, a lot of users are roaming users (teachers with laptops, and users). My plan is that I will set up separate profile shares on both sides, but at least they can use their own username and even change their password. So, I would like to try the multi-PDC scenario with master and slave LDAP servers, but I worry about it a little.

It makes very little sense to have multiple PDCs, and only adds to both administrative and user confusion IMHO. Given the present workings of OpenLDAP, just pick a replication strategy that makes sense and use a single domain. I've built and run a single domain on a 15 node VPN with a multi-master OpenLDAP backend, and it is remarkably resilient.

> How are you intending to keep roaming profiles in sync (the files on the server, not the stuff in LDAP)? Are you going to use rsync?

Unless users jump from office to office, why bother. I would set road warriors up with local profiles and sync their stuff in a manner appropriate to their schedules/primary location.

> ----
> Scott Grizzard
> Scott at ScottGrizzard.com
> http://www.ScottGrizzard.com
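The single-domain layout recommended above (one PDC and the LDAP master at HQ, a BDC at the branch reading from a local replica) as a configuration sketch added here; it is not configuration posted in the thread or shipped by Samba or OpenLDAP. It uses slapd.conf syntax as on Lenny; Squeeze's slapd defaults to cn=config, where the same directives become olc* attributes (or convert this file once with `slaptest -f slapd.conf -F /etc/ldap/slapd.d`). Hostnames, the suffix, DNs and every literal secret are placeholders.

```conf
# ===== /etc/ldap/slapd.conf on the HQ master: syncrepl provider (added example) =====
modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      syncprov

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"      # rootdn bypasses the ACLs below
rootpw          {SSHA}<placeholder>
directory       /var/lib/ldap
index           objectClass,uid,uidNumber,gidNumber,memberUid        eq
index           sambaSID,sambaPrimaryGroupSID,sambaDomainName        eq
index           entryCSN,entryUUID                                   eq   # needed by syncprov

# The replicator must read everything, including the NT/LM hashes, to replicate them;
# nobody else may read those attributes, on the master or on any replica.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * read
limits dn.exact="cn=replicator,dc=example,dc=com" size=unlimited time=unlimited

overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# ===== /etc/ldap/slapd.conf on the branch server: read-only syncrepl consumer =====
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"      # same DN and password as at HQ, see smb.conf
rootpw          {SSHA}<placeholder>
directory       /var/lib/ldap
index           objectClass,uid,uidNumber,gidNumber,memberUid        eq
index           sambaSID,sambaPrimaryGroupSID,sambaDomainName        eq
index           entryCSN,entryUUID                                   eq
# identical password ACLs as on the master go here

syncrepl rid=001
        provider=ldap://ldap-hq.example.com
        type=refreshAndPersist       # or refreshOnly with interval=00:00:05:00
        retry="60 10 300 +"          # keep retrying across VPN outages, never give up
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=<placeholder>    # cleartext: this file must be root-only (0600)
        starttls=critical
updateref       ldap://ldap-hq.example.com   # any write to the replica is referred to HQ

# ===== /etc/samba/smb.conf on the branch BDC: reads local, writes follow the referral =====
[global]
    workgroup = EXAMPLE
    netbios name = BDC-BRANCH
    domain logons = yes
    domain master = no                    # exactly one PDC (domain master = yes) at HQ
    security = user
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=admin,dc=example,dc=com   # password stored with: smbpasswd -w <pw>
    ldap ssl = start tls
    ldap replication sleep = 2000         # ms to wait after a write so the replica has caught up

# ===== /etc/smbldap-tools/smbldap.conf (excerpt) and smbldap_bind.conf on the BDC =====
# smbldap.conf: the tools read from the local replica and write to the HQ master.
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="ldap-hq.example.com"
masterPort="389"
ldapTLS="1"
# smbldap_bind.conf (root-only, 0600): bind DN/password per server.
slaveDN="cn=admin,dc=example,dc=com"
slavePw="<placeholder>"
masterDN="cn=admin,dc=example,dc=com"
masterPw="<placeholder>"
```

Two points this layout relies on: Samba 3 follows the referral that `updateref` returns and rebinds to the master with the same `ldap admin dn` credentials, so that DN must be valid with the same password on both servers, and the `ldap replication sleep` wait covers the gap between the write landing at HQ and the replica receiving it; and while the VPN is down, logons at the branch keep working from the replica, but password changes and machine-account joins fail until the link is back, which is the write-side cost tms3 asks about in the next message.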
> About multi-master replication. Scott wrote that he had to deal with it a lot, so he didn't recommend that. But I need one domain, because a lot of users use both sites. So, I have the following options:
> 1. PDCs on each site, with the same domain, as chapter 6 describes.

Look, I'm not sure if my emails are getting through or not, but drop this multi-PDC thing. It's just more complexity. You need some sort of LDAP replication because you want authentication done locally. Multi-master is more difficult to set up, but more flexible. There are other schemes. I had some 16 servers set up this way and had very few difficulties. It is quite resilient and reliable. Here is a good primer: http://www.zytrax.com/books/ldap/ch7/

>    a. Master LDAP server in the HQ, and slave in the branch site, according to the Samba guide.
>    b. Branch site uses the master LDAP server too. It looks tempting, but difficult/dangerous to me.
> 2. PDC on the HQ, BDC on the branch site
>    a. Branch site uses the slave LDAP server.
>    b. Branch site uses the master LDAP server too.
> In 1/a and 2/a, the VPN outage could be a problem. Am I right?

No, the b's are the problem if the VPN is down. They're calling the "master", which is at the other end of the VPN. The a's have a slave copy. All is good, unless they need to write to LDAP. How much LDAP writing goes on in the branch?

> As I know, only the PDC writes to the LDAP database. Is that true?

No. If you're using smbldap-tools, the LDAP calls are made via smbldap_bind.conf. So with multi-master this whole dual PDC thing is fairly useless. See, multi-master... all are writable. Question:
1. Which office writes to LDAP?
2. Who does the writing?
3. Is there likely to be a mutually exclusive write, at approximately the same instant, during a VPN outage?

> Because in case of a VPN outage, this situation has the same drawback. So, my main problem is the unreliable ADSL line. Can we live with a slave server in the branch office?

Yes, using replication refreshOnly or refreshAndPersist. You can truly go apeshit with this stuff, making only pieces of the DIT available to branches. Very nifty once you get it down.

>>> How are you intending to keep roaming profiles in sync (the files on the server, not the stuff in LDAP)? Are you going to use rsync?
>>
>> Unless users jump from office to office, why bother. I would set road warriors up with local profiles and sync their stuff in a manner appropriate to their schedules/primary location.
>
> Students will have that problem, but they have to bow to it.
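Whichever replication type the branch ends up with (refreshOnly or refreshAndPersist, as answered above), the question after every VPN flap is whether the branch replica has actually caught up with HQ. The script below is an added example, not something from the thread or from OpenLDAP: it compares the contextCSN that slapd publishes on the suffix entry of the master and of the replica, per server id, so it also works for the multi-master case. Hostnames and the suffix in the usage comment are placeholders; the LDIF used in the checks is constructed.

```shell
#!/bin/sh
# Replication lag check for an OpenLDAP syncrepl master/replica pair (added example).
#
# slapd publishes a contextCSN on the suffix entry, e.g.
#   contextCSN: 20100712093012.123456Z#000000#000#000000
# (UTC timestamp, change counter, server id, modifier). For a given server id the
# value sorts lexically by time, so a replica whose contextCSN is below the master's
# has not yet applied the master's latest change. Multi-master publishes one per server id.

# extract_csn: print every contextCSN value in the LDIF read from stdin.
extract_csn() {
    sed -n 's/^contextCSN: //p'
}

# csn_sid CSN: the server id, i.e. the third '#'-separated field.
csn_sid() {
    printf '%s\n' "$1" | cut -d'#' -f3
}

# replica_in_sync MASTER_CSN REPLICA_CSN: true when the replica is at (or beyond) the master.
replica_in_sync() {
    newest=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | tail -n 1)
    [ "$newest" = "$2" ]
}

# check_pair MASTER_LDIF REPLICA_LDIF: one report line per server id on the master.
# Returns 0 if every server id is in sync, 1 if any is behind or missing on the replica,
# 2 if the master LDIF carries no contextCSN at all (wrong base DN or ACL denies it).
check_pair() {
    behind=0
    found=0
    for mcsn in $(extract_csn < "$1"); do
        found=1
        sid=$(csn_sid "$mcsn")
        rcsn=
        for c in $(extract_csn < "$2"); do
            [ "$(csn_sid "$c")" = "$sid" ] && rcsn=$c
        done
        if [ -n "$rcsn" ] && replica_in_sync "$mcsn" "$rcsn"; then
            printf 'sid %s in sync  %s\n' "$sid" "$mcsn"
        else
            printf 'sid %s BEHIND   master=%s replica=%s\n' "$sid" "$mcsn" "${rcsn:-none}"
            behind=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no contextCSN found on master" >&2; return 2; }
    return $behind
}

# live_check MASTER_URI REPLICA_URI SUFFIX: fetch contextCSN from both servers and compare.
# Anonymous read of contextCSN needs an ACL that allows it; otherwise add -D/-w to ldapsearch.
live_check() {
    m=$(mktemp) r=$(mktemp)
    ldapsearch -x -LLL -H "$1" -b "$3" -s base contextCSN > "$m" || { rm -f "$m" "$r"; return 2; }
    ldapsearch -x -LLL -H "$2" -b "$3" -s base contextCSN > "$r" || { rm -f "$m" "$r"; return 2; }
    check_pair "$m" "$r"
    rc=$?
    rm -f "$m" "$r"
    return $rc
}

# Usage from the branch BDC (placeholder names):
#   live_check ldap://ldap-hq.example.com ldap://127.0.0.1 dc=example,dc=com
```

Run it from cron on the branch server and alert on a non-zero exit; a replica that stays BEHIND after the VPN is back usually means the syncrepl `retry` schedule has been exhausted or the replicator bind is failing, both of which show up in the consumer's slapd log.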