Hello guys,

I use Samba 4 AD (4.2.1) for a small company. I use a domain which is a subdomain of our internal DNS domain (directory.mydomain.io). Now my company will open several sites in different countries. I was wondering what the actual limitations of Samba4 are concerning multi-domain (I'm not a Windows guy and have very limited knowledge about AD). I read about trust relationship limitations (can be trusted but cannot trust), so does this mean that for the moment I'm stuck with one domain?

What are my options considering multi-site? Could I continue to use only one domain (with RODC for example)?

Thanks
Multi-site AD does not mean multi-domain AD. You do not have to build trust relationships.

Building an AD for a company is not trivial. It's a structural piece of IT which must be thought through, needing RTFM and understanding why you would go in one direction or another.

Trust relationships can be what you need, but not necessarily. It depends on what you need.

Microsoft does not advise using trust relationships if not needed; that's why you must first understand what they are, why they could be useful for you, why they are not, and finally make your own decision, according to your company's needs and possibilities.

Samba 4.3.x comes with initial support for these trust relationships, with some limitations (see at least the 4.3.0 changelog). I have no real idea what previous versions of Samba are able to do regarding this feature, except that there are many more limitations.

Lots of companies are using one AD domain on multiple sites, so to answer you shortly: you can have one domain for multiple sites. Is it what you need? I can't tell, only you can.

Cheers,

mathias

2015-10-08 18:20 GMT+02:00 Julien Deloubes <julien.deloubes at gmail.com>:
> Hello guys,
> I use Samba 4 AD (4.2.1) for a small company.
> I use a domain which is a subdomain of our internal DNS domain
> (directory.mydomain.io).
> Now my company will open several sites in different countries.
> I was wondering what the actual limitations of Samba4 are concerning
> multi-domain (I'm not a Windows guy and have very limited knowledge about
> AD).
> I read about trust relationship limitations (can be trusted but cannot
> trust), so does this mean that for the moment I'm stuck with one domain?
>
> What are my options considering multi-site? Could I continue to use only one
> domain (with RODC for example)?
>
> Thanks
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Thanks Mathias, I will read some MS docs about that. My concern was mainly about scalability: whether my simple internal domain could evolve into something bigger, and what the best way to do that would be.

2015-10-12 11:08 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> Multi-site AD does not mean multi-domain AD. You do not have to build trust
> relationships.
>
> Building an AD for a company is not trivial. It's a structural piece of IT
> which must be thought through, needing RTFM and understanding why you would go
> in one direction or another.
>
> Trust relationships can be what you need, but not necessarily. It depends
> on what you need.
>
> Microsoft does not advise using trust relationships if not needed; that's
> why you must first understand what they are, why they could be useful for
> you, why they are not, and finally make your own decision, according to your
> company's needs and possibilities.
>
> Samba 4.3.x comes with initial support for these trust relationships, with
> some limitations (see at least the 4.3.0 changelog). I have no real idea
> what previous versions of Samba are able to do regarding this feature, except
> that there are many more limitations.
>
> Lots of companies are using one AD domain on multiple sites, so to answer you
> shortly: you can have one domain for multiple sites. Is it what you need? I
> can't tell, only you can.
>
> Cheers,
>
> mathias
>
> 2015-10-08 18:20 GMT+02:00 Julien Deloubes <julien.deloubes at gmail.com>:
>
> > Hello guys,
> > I use Samba 4 AD (4.2.1) for a small company.
> > I use a domain which is a subdomain of our internal DNS domain
> > (directory.mydomain.io).
> > Now my company will open several sites in different countries.
> > I was wondering what the actual limitations of Samba4 are concerning
> > multi-domain (I'm not a Windows guy and have very limited knowledge about
> > AD).
> > I read about trust relationship limitations (can be trusted but cannot
> > trust), so does this mean that for the moment I'm stuck with one domain?
> >
> > What are my options considering multi-site? Could I continue to use only
> > one domain (with RODC for example)?
> >
> > Thanks
On 08.10.2015 at 18:20, Julien Deloubes wrote:
> Now my company will open several sites in different countries.
> I was wondering what the actual limitations of Samba4 are concerning
> multi-domain (I'm not a Windows guy and have very limited knowledge about
> AD).
> I read about trust relationship limitations (can be trusted but cannot
> trust), so does this mean that for the moment I'm stuck with one domain?

Different sites do not necessarily need different domains. It depends on how good the network connection between the servers is, where you have admins, and which admins want to do which tasks.

Different domains have advantages if the network connection is bad, and if local admins want to create new AD objects themselves, e.g. new users. Separate domains also allow having the (FSMO role) PDC emulator local on each site, which should always be reachable.

If your use case allows using read-only domain controllers, then you do not need multiple domains, even with a bad network connection. But then new users might have to wait a bit before they get their account.

Trust is said to have been improved in Samba 4.3, but I do not fully understand what the text from the release notes means.

Klaus
Thanks Klaus, this leads to another question: how good is the RODC support as of now (4.3.0)? Can I put that in production?

Thanks

2015-10-12 23:34 GMT+02:00 Klaus Hartnegg <hartnegg at uni-freiburg.de>:
> On 08.10.2015 at 18:20, Julien Deloubes wrote:
>
>> Now my company will open several sites in different countries.
>> I was wondering what the actual limitations of Samba4 are concerning
>> multi-domain (I'm not a Windows guy and have very limited knowledge about
>> AD).
>> I read about trust relationship limitations (can be trusted but cannot
>> trust), so does this mean that for the moment I'm stuck with one domain?
>>
>
> Different sites do not necessarily need different domains. It depends on
> how good the network connection between the servers is, where you have
> admins, and which admins want to do which tasks.
>
> Different domains have advantages if the network connection is bad, and if
> local admins want to create new AD objects themselves, e.g. new users.
> Separate domains also allow having the (FSMO role) PDC emulator local on
> each site, which should always be reachable.
>
> If your use case allows using read-only domain controllers, then you do
> not need multiple domains, even with a bad network connection. But then new
> users might have to wait a bit before they get their account.
>
> Trust is said to have been improved in Samba 4.3, but I do not fully
> understand what the text from the release notes means.
>
> Klaus
Hello Julien,

On 08.10.2015 at 18:20, Julien Deloubes wrote:
> I use Samba 4 AD (4.2.1) for a small company.
> I use a domain which is a subdomain of our internal DNS domain
> (directory.mydomain.io).
> Now my company will open several sites in different countries.
> I was wondering what the actual limitations of Samba4 are concerning
> multi-domain (I'm not a Windows guy and have very limited knowledge about
> AD).
> I read about trust relationship limitations (can be trusted but cannot
> trust), so does this mean that for the moment I'm stuck with one domain?
>
> What are my options considering multi-site? Could I continue to use only one
> domain (with RODC for example)?

Some parts of the AD trust support were introduced in 4.3, but it's not completely done.

In most cases, using AD sites is the easier and less complex way than different domains or subdomains.

https://wiki.samba.org/index.php/Active_Directory_Sites

Each site should have at least one DC, so you're on the safe side if the connection is temporarily offline. But even if it is offline, each site is able to work. You can e.g. create new objects (users, etc.), even if the network is disconnected. When it's back, everything gets in sync again.

Only the DC(s) owning a FSMO role have some special functions. If they can't be reached, some things are temporarily not possible to do, or only on the sites where the FSMO role owner is. Have a look at

https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles

There you have a good overview of the roles, what their job is, and what happens if the owner is offline or not reachable.

Regards,
Marc
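Marc's advice rests on how AD sites work: a DC places a client in a site by matching the client's address against the subnet objects under the Sites container (what `samba-tool sites subnet create` records), the most specific subnet wins, and the client then prefers DCs in that site. The following is an added illustration of that lookup, not Samba's own code and not from Marc's message; the subnet-to-site table and the DC list are constructed for the example, and the site, subnet and DC names are hypothetical.

```python
"""Map a client IP to an AD site the way the DC locator does: the subnet
objects under the Sites container are matched against the client address,
and the most specific (longest-prefix) subnet wins.

Added illustration for this thread, not Samba code. The site/subnet table
and the DC list below are constructed sample data."""
import ipaddress

# Constructed example of what the subnet objects of a multi-site domain
# could look like: each entry is (subnet, site name).
SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",   # catch-all for the company WAN
    "10.10.0.0/16": "Paris",
    "10.10.5.0/24": "Paris-Lab",               # more specific than the /16
    "10.20.0.0/16": "Berlin",
    "2001:db8:20::/48": "Berlin",
}

# Constructed mapping of DC name -> site the DC object lives in.
DCS = {
    "dc1": "Default-First-Site-Name",
    "dc-paris": "Paris",
    "dc-berlin": "Berlin",
}


def site_for_client(ip, subnets=SUBNETS):
    """Return the site whose subnet most specifically contains `ip`, or
    None if no subnet object covers the address (the DC then cannot place
    the client in a site, and the client ends up using any DC it finds)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if net.version != addr.version or addr not in net:
            continue
        if net.prefixlen > best_len:          # longest prefix wins
            best, best_len = site, net.prefixlen
    return best


def dcs_for_site(site, dcs=DCS):
    """DCs a client in `site` should prefer. An empty list means the site
    has no DC of its own and clients must reach one over the WAN, which is
    why each site should have at least one DC."""
    return sorted(dc for dc, s in dcs.items() if s == site)


if __name__ == "__main__":
    for client in ("10.10.5.7", "10.10.9.9", "10.20.1.1",
                   "10.99.0.1", "2001:db8:20::1", "192.168.1.1"):
        site = site_for_client(client)
        print(f"{client:>16} -> {site} {dcs_for_site(site)}")
```

Note that `Paris-Lab` has a subnet object but no DC in the constructed data, so `dcs_for_site` returns an empty list for it: clients there would fall back to a DC elsewhere, which is the situation Marc recommends avoiding.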
Hello Klaus,

On 12.10.2015 at 23:34, Klaus Hartnegg wrote:
> Different domains have advantages if the network connection is bad, and
> if local admins want to create new AD objects themselves, e.g. new
> users.

This is also possible with AD sites, even if the network connection is temporarily offline. Each DC has a RID pool (default 500 RIDs). Until it's empty, you can create new objects. The pool is already refreshed when it reaches half (if I'm right). So usually you have at least 250 unused RIDs on each DC when the connection to the RID master gets disconnected.

> Separate domains also allow having the (FSMO role) PDC emulator
> local on each site, which should always be reachable.

Why? I see no big problem if the PDC emulator is offline. The clients on that site can't sync their time with that host. If you set another/additional NTP server via GPO for that site, this isn't a problem anyway. The only real trouble I see is that you can't log in on pre-Win2k machines (NT4), if you still have some.

https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles

Regards,
Marc
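Marc's point about creating objects while cut off from the RID master can be checked on a DC: the DC's `CN=RID Set` object carries `rIDPreviousAllocationPool` (the pool being consumed), `rIDAllocationPool` (the standby pool last handed out by the RID master) and `rIDNextRID`. The two pool attributes are 64-bit integers whose low 32 bits hold the first RID of the pool and whose high 32 bits hold the last. The following is an added example, not Samba's code and not from Marc's message, that decodes those values and reports how many objects a DC could still create offline; the attribute values are constructed, it assumes `rIDNextRID` is the next RID to be issued from the pool in use, and it applies Marc's "refresh at half" description as the threshold.

```python
"""Decode a DC's RID pool attributes and report how many RIDs it can still
hand out while the RID master is unreachable.

Added illustration for this thread, not Samba's own code. The attribute
values used below are constructed; on a real DC they sit on the CN=RID Set
object below the DC's computer object. Assumed semantics: rIDNextRID is the
next RID to be issued from rIDPreviousAllocationPool; rIDAllocationPool is
the standby pool fetched from the RID master (equal to the pool in use when
no standby has been fetched yet)."""

POOL_SIZE = 500  # Marc's figure for the default pool size


def split_pool(value):
    """64-bit pool attribute -> (first RID, last RID)."""
    return value & 0xFFFFFFFF, value >> 32


def pack_pool(lo, hi):
    """Inverse of split_pool, used to build constructed attribute values."""
    return (hi << 32) | lo


def rid_pool_status(prev_pool, alloc_pool, next_rid):
    """Summarise the RID situation of one DC.

    Returns remaining RIDs in the pool being consumed, RIDs in the standby
    pool, the total the DC can allocate without the RID master, and whether
    the DC should already have asked for a fresh pool (more than half of the
    pool in use consumed, as Marc describes)."""
    lo, hi = split_pool(prev_pool)
    if not lo <= next_rid <= hi + 1:
        raise ValueError("rIDNextRID %d is outside the pool in use %d-%d"
                         % (next_rid, lo, hi))
    remaining_in_use = hi - next_rid + 1
    standby = 0
    if alloc_pool != prev_pool:            # a standby pool has been fetched
        s_lo, s_hi = split_pool(alloc_pool)
        standby = s_hi - s_lo + 1
    size = hi - lo + 1
    return {
        "pool_in_use": (lo, hi),
        "remaining_in_use": remaining_in_use,
        "standby_rids": standby,
        "total_available_offline": remaining_in_use + standby,
        "refresh_due": (next_rid - lo) >= size // 2,
    }


if __name__ == "__main__":
    # Constructed values: pool 1600-2099 in use, 100 RIDs consumed, standby
    # pool 2100-2599 already fetched from the RID master.
    in_use = pack_pool(1600, 1600 + POOL_SIZE - 1)
    standby = pack_pool(2100, 2100 + POOL_SIZE - 1)
    print(rid_pool_status(in_use, standby, 1700))
    # Same DC further along: 300 consumed, so a refresh should be under way.
    print(rid_pool_status(in_use, standby, 1900))
```

The `refresh_due` flag is the practical check: a DC that reports it while the link to the RID master is down will run out of RIDs sooner than the "at least 250" rule of thumb suggests, unless it already holds a standby pool.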