We're looking at implementing Sudoers LDAP on our Samba 4 AD domain. While this worked perfectly in a test environment previously, I am always extremely nervous about the possibility of stuffing things up on production.

Given a domain with multiple DCs (two in our case), should I add the schema extension with all DCs online, or should one be taken offline to provide an emergency backup in case things go wrong? In this case, will the schema extension reliably propagate to the DC which was offline at the time?

Way back (maybe 13 years or so ago) when I was managing a pure Windows AD environment I asked a similar question and received advice pretty much evenly distributed between those two methods.

regards,
John
On Mon, 2016-09-05 at 10:23 +1000, John Gardeniers via samba wrote:
> We're looking at implementing Sudoers LDAP on our Samba 4 AD domain. While this worked perfectly in a test environment previously, I am always extremely nervous about the possibility of stuffing things up on production.
>
> Given a domain with multiple DCs (two in our case), should I add the schema extension with all DCs online, or should one be taken offline to provide an emergency backup in case things go wrong? In this case, will the schema extension reliably propagate to the DC which was offline at the time?
>
> Way back (maybe 13 years or so ago) when I was managing a pure Windows AD environment I asked a similar question and received advice pretty much evenly distributed between those two methods.

I would make the change with Samba 4.5 once it comes out. We fixed a lot of schema bugs with that release.

Unlike a Windows DC, making backups of and restoring just the sam.ldb files on a Samba DC is really easy, so do that too.

Once you do that, online should be fine.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
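The "back up the sam.ldb files first" advice above, as an added example that is not part of the thread or of Samba's own tooling: a POSIX sh snapshot/verify/restore helper for a DC's sam.ldb and the partition files under sam.ldb.d. The private directory path, the backup location and the partition file names used in comments are assumptions; the DC's samba service is assumed to be stopped while the files are copied, since ldb files are not safe to copy while open for writing.

```sh
#!/bin/sh
# Constructed example: snapshot a Samba AD DC's sam.ldb (plus the
# per-partition files in sam.ldb.d/, e.g. the CN=SCHEMA,... partition)
# before a schema change, verify the snapshot, and restore it if the
# change has to be rolled back. Paths are assumptions for illustration.
# Stop the samba service before calling either function.
set -eu

# backup_sam_ldb <private_dir> <dest_dir>
# Copies sam.ldb and sam.ldb.d/ into dest_dir and records SHA-256 sums
# so the snapshot can be checked before anyone relies on it.
backup_sam_ldb() {
  private_dir=$1
  dest=$2
  mkdir -p "$dest"
  cp -Rp "$private_dir/sam.ldb" "$private_dir/sam.ldb.d" "$dest/"
  # Record checksums relative to the snapshot root.
  (cd "$dest" && find sam.ldb sam.ldb.d -type f -exec sha256sum {} +) \
    > "$dest/SHA256SUMS"
}

# verify_sam_ldb_backup <dest_dir>
# Returns non-zero if any file in the snapshot no longer matches its sum.
verify_sam_ldb_backup() {
  dest=$1
  (cd "$dest" && sha256sum -c --quiet SHA256SUMS)
}

# restore_sam_ldb <dest_dir> <private_dir>
# Verifies the snapshot, then replaces sam.ldb and sam.ldb.d/ wholesale
# (a partial restore would leave partitions out of step with each other).
restore_sam_ldb() {
  src=$1
  private_dir=$2
  verify_sam_ldb_backup "$src"
  mkdir -p "$private_dir"
  rm -rf "$private_dir/sam.ldb" "$private_dir/sam.ldb.d"
  cp -Rp "$src/sam.ldb" "$src/sam.ldb.d" "$private_dir/"
}

# Usage (assumed paths): backup_sam_ldb /var/lib/samba/private /root/sam-backup
if [ $# -eq 2 ]; then
  backup_sam_ldb "$1" "$2"
  verify_sam_ldb_backup "$2"
fi
```

Run the backup on each DC before applying the schema LDIF, and keep the snapshot until replication between the DCs has been confirmed.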
Hi Andrew,

Thanks for the info. A backup beforehand was always on the to-do list. ;)

Any idea when we can expect 4.5? It's looking like this "urgent" project can be delayed a bit if necessary.

regards,
John

On 05/09/16 17:55, Andrew Bartlett via samba wrote:
> On Mon, 2016-09-05 at 10:23 +1000, John Gardeniers via samba wrote:
>> We're looking at implementing Sudoers LDAP on our Samba 4 AD domain. While this worked perfectly in a test environment previously, I am always extremely nervous about the possibility of stuffing things up on production.
>>
>> Given a domain with multiple DCs (two in our case), should I add the schema extension with all DCs online, or should one be taken offline to provide an emergency backup in case things go wrong? In this case, will the schema extension reliably propagate to the DC which was offline at the time?
>>
>> Way back (maybe 13 years or so ago) when I was managing a pure Windows AD environment I asked a similar question and received advice pretty much evenly distributed between those two methods.
>
> I would make the change with Samba 4.5 once it comes out. We fixed a lot of schema bugs with that release.
>
> Unlike a Windows DC, making backups of and restoring just the sam.ldb files on a Samba DC is really easy, so do that too.
>
> Once you do that, online should be fine.
>
> Andrew Bartlett