Hi there,

I would like to know how Samba / Windows determines which domain controller should handle a logon request, and whether there is a way I can affect the process.

Here's the situation: I have a school installation running a Samba domain, with a PDC (1.1GHz Celeron, 256 MB RAM) and one BDC (much smaller, 366 with 64 MB RAM), both with RedHat 7.1 and Samba 2.2.5. There are about 80 NT and 2000 workstations, and about 10 98 machines.

At first I just had a PDC. Students use different computers from one lesson to the next, and mess with settings a lot, so the choice to use mandatory roaming profiles was an obvious one. Also, some workstations have fairly small hard drives, so I disabled Windows from caching profiles locally. From experience we know that a hard drive can fill up with cached profiles, and Windows falls over.

When we tested this everything worked beautifully ... until a class all logged in simultaneously. Suddenly there were 35 simultaneous requests for an 810KB profile, and somewhere there was a bottleneck. I thought the PDC would be able to cope with that, and I thought the network was fast enough to deal with that (100Mbps ethernet), but I was wrong. The workstations eventually timed out, and went back to the login screen, but Samba kept on trying to open new connections, several for each workstation, and the smbd process for each workstation got more and more demanding. They didn't respond to SIGTERM and I had to kill them.

So I figured Plan A was to install a BDC. I didn't have another 1.1GHz machine, so I decided to test with a smaller one, see how it affected the PDC's load, and take it from there.

So here's my problem: It didn't affect the load much at all! Log 35 users in at the same time, and Samba still grinds to a halt on the PDC, but the BDC only services about 3 or 4 connection requests. In fact, try it with 5 users, and the PDC still gets caught in a vicious smbd process cycle, and the BDC might service 1 request.

Is it because the BDC is a significantly slower machine? Even though it's slower, it's underutilised, and the PDC is swamped. I put the BDC on the same switch as the workstations, so traffic-wise, it should be getting the requests sooner than the PDC.

Is there a way of increasing the possibility of the BDC servicing a logon request? If I know BDCs are what I need, I'll set up more. Any advice on estimating how many, and CPU and memory requirements would be very welcome.

In the meantime, I've adopted a Plan B: I've re-enabled caching profiles. This has solved the worst of the problem, because after a user has logged on once, the profile doesn't need to be transferred again, and all the PDC needs to do is authenticate. But this is not a solution for workstations with small drives, and I'm going to need BDCs to balance peak load.

Or maybe I need a Plan C: Maybe the real problem is that the network is so busy that connections are timing out. Then Samba opens a new connection. The new connection times out, so Samba opens a new one, etc, etc. If it's a network traffic problem, then no matter how many BDCs I have pushing out profiles, the network will still be overloaded, and the connections will still time out, and all BDCs will have the same problem as my PDC.

Should I just be getting bigger hard drives for the workstations so that cached profiles never get too big? Or get a fibre backbone?

If each profile is 810KB, then 10 are about 8MB, or 80Mbits. That should take 1 second across a 100Mbps LAN. (Although I can see it takes a lot more than a second for Windows to load a remote profile.) Is that long enough to time a Samba connection out?

I know this is not a forum for network-related issues, but if you have experience in this area, I'd really appreciate the advice.

Thanks,
Norman.

> I would like to know how Samba / Windows determines which domain
> controller should handle a logon request, and whether there is a way I
> can affect the process.

I heard something like the Workstation takes the first DC which answers - which should be the faster machine.

> Here's the situation: I have a school installation running a Samba
> domain, with a PDC (1.1GHz Celeron, 256 MB RAM) and one BDC (much
> smaller, 366 with 64 MB RAM), both with RedHat 7.1 and Samba 2.2.5.
> There are about 80 NT and 2000 workstations, and about 10 98 machines.

I think the 386-machine will answer with a little delay.

> At first I just had a PDC. Students use different computers from one
> lesson to the next, and mess with settings a lot, so the choice to use
> mandatory roaming profiles was an obvious one. Also, some workstations
> have fairly small hard drives, so I disabled Windows from caching
> profiles locally. From experience we know that a hard drive can fill up
> with cached profiles, and Windows falls over.

OK

> When we tested this everything worked beautifully ... until a class all
> logged in simultaneously. Suddenly there were 35 simultaneous requests
> for an 810KB profile, and somewhere there was a bottleneck. I thought the
> PDC would be able to cope with that, and I thought the network was fast
> enough to deal with that (100Mbps ethernet), but I was wrong. The
> workstations eventually timed out, and went back to the login screen,
> but Samba kept on trying to open new connections, several for each
> workstation, and the smbd process for each workstation got more and more
> demanding. They didn't respond to SIGTERM and I had to kill them.

Hmm - that sounds strange (and somehow shocks me - I wasn't thinking that Samba is such bad, yet)

> So I figured Plan A was to install a BDC. I didn't have another 1.1GHz
> machine, so I decided to test with a smaller one, see how it affected
> the PDC's load, and take it from there.

Why did you set up a BDC?
As far as I know, a BDC has the user-database of the PDC - nothing more - nothing less.

The roaming-profiles are stored at the path you specified. If one workstation downloads from the PDC (and of course uploads to the PDC) and the other downloads the profile from the BDC - the copy on the BDC would have to be synced all the time to the profile on the PDC.

An auth-request is just a work of milli-seconds - it's not such a big thing.

A BDC just allows the user to logon if the PDC is not answering. The Profile is downloaded from a more or less static path - from the server that is the file-server (which should be able to handle such flood of requests)

> In the meantime, I've adopted a Plan B: I've re-enabled caching
> profiles. This has solved the worst of the problem, because after a user
> has logged on once, the profile doesn't need to be transferred again, and
> all the PDC needs to do is authenticate. But this is not a solution for
> workstations with small drives, and I'm going to need BDCs to balance
> peak load.

Umm - you're wrong with this point too. The workstation syncs the profile with the one on the server - but you're right: there's not as much to transfer in this case.

Hi Sven,

Thanks for your response.

>>I would like to know how Samba / Windows determines which domain
>>controller should handle a logon request, and whether there is a way I
>>can affect the process.
>
>I heard something like the Workstation takes the first DC which answers
>- which should be the faster machine.

I heard something like that too. I was hoping that if my BDC was fast enough, and close enough on the network to the workstations logging on, then it would handle more requests. Maybe my BDC needs to be as fast as my PDC.

>>Here's the situation: I have a school installation running a Samba
>>domain, with a PDC (1.1GHz Celeron, 256 MB RAM) and one BDC (much
>>smaller, 366 with 64 MB RAM), both with RedHat 7.1 and Samba 2.2.5.
>>There are about 80 NT and 2000 workstations, and about 10 98 machines.
>
>I think the 386-machine will answer with a little delay.

Sorry, that "366" was a bad typo. It should be "633" -- It's a 633 MHz Celeron with 64 MB RAM, so almost half the speed of the PDC, with a quarter of the RAM. (Although neither the PDC nor the BDC is using any swap space.)

I am using a standard Samba PDC - BDC setup as outlined in the Samba HOWTO, with the PDC as an NIS master, and the BDC an NIS slave to replicate the Linux user password files, and I am using rsync scheduled with crontab to push any changes to smbpasswd and the netlogon and profile shares from the PDC to the BDC automatically. Rsync can work through SSH, and SSH can authenticate with public key encryption, so it doesn't prompt for a password.

It is working well: I have tested the replication of the files, and users who change their passwords and machines that are added to the domain are recognised by the BDC. Also, users who log onto the BDC are sent their profile successfully -- using the synchronised local copy of the profile stored on the BDC. Also, users' home directories are stored only on the PDC.

The BDC's smb.conf file goes:

    logon path = \\%L\profiles\default.man
    logon script = \\%L\netlogon\scripts\logon.bat
    logon home = \\PDCname\%U
    home drive = H:

And the PDC's smb.conf file goes:

    logon path = \\%L\profiles\default.man
    logon script = \\%L\netlogon\scripts\logon.bat
    logon home = \\%L\%U
    home drive = H:

>>So I figured Plan A was to install a BDC. I didn't have another 1.1GHz
>>machine, so I decided to test with a smaller one, see how it affected
>>the PDC's load, and take it from there.
>
>Why did you set up a BDC? As far as I know, a BDC has the user-database
>of the PDC - nothing more - nothing less.

Yes, you're right. I was just thinking that if the PDC was overloaded, then if I had a BDC to share the load of logging users on, together both would be able to cope. So all the BDC would need would be an exact copy of the PDC's user database, and copies of the netlogon and profiles shares.

Interestingly, Ignacio Coupeau, who has worked a lot with Samba PDCs, with Samba TNG, Samba HEAD and Samba 2.2, and has written very detailed Samba LDAP PDC HOWTOs, instead of using BDCs (which Samba TNG does not support), in his HOWTOs he just has many domains (8), all with their own Samba PDC. Maybe he has a point! Maybe BDCs are not the way to go, and if I want to break up the load I would need several PDCs.

>The roaming-profiles are stored at the path you specified. If one
>workstation downloads from the PDC (and of course uploads to the PDC)
>and the other downloads the profile from the BDC - the copy on the BDC
>would have to be synced all the time to the profile on the PDC.

Yes. But the profile is mandatory (and there is only one, used by all users), so workstations never upload back to the PDC or BDC.
If there are ever any changes to the profile, it will be because I made them myself, so it is only synced between the PDC and BDC very seldom, and also only needs to be synced between a DC and a workstation when a change has happened.

>An auth-request is just a work of milli-seconds - it's not such a big thing.
>
>A BDC just allows the user to logon if the PDC is not answering. The
>Profile is downloaded from a more or less static path - from the server
>that is the file-server (which should be able to handle such flood of
>requests)

Hmm. That is a very good point! I should serve the profile from a file server, which doesn't need to be a domain controller at all.

Thanks for the help, and sorry my first message wasn't clearer.

Regards,
Norman.
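
The arrangement the thread ends on, a mandatory profile served from a file server that is not a domain controller, written out as smb.conf fragments. This is an added example, not configuration posted by either participant; the server name FILESRV, the domain name SCHOOL, the path /srv/samba/profiles and the use of root as the maintaining account are assumptions.

```ini
; Added example. FILESRV, SCHOOL and /srv/samba/profiles are assumed names.

; ---- smb.conf on the PDC and on the BDC ----
; Posted setting was: logon path = \\%L\profiles\default.man
; %L expands to the server the client addressed, so the profile was pulled
; from whichever DC handled the logon. A fixed server name decouples
; profile download from authentication.
[global]
   logon path = \\FILESRV\profiles\default.man
   logon script = \\%L\netlogon\scripts\logon.bat

; ---- smb.conf on FILESRV (domain member, not a domain controller) ----
[global]
   workgroup = SCHOOL
   security = domain
; Authentication is passed to the DCs; either one can answer.
   password server = PDCname BDCname
   encrypt passwords = yes
   domain logons = no

[profiles]
   path = /srv/samba/profiles
; The profile is mandatory and shared by all users: clients only read it,
; so the share is read-only and no student session can alter it.
   read only = yes
; Only the account that maintains default.man may write through the share.
   write list = root
   browseable = no
   guest ok = no
```

With the share read-only, the rsync job described earlier in the thread no longer has to replicate the profiles directory to the BDC, only smbpasswd and netlogon. The files under the profile path should also be owned by the maintaining account and not writable by other local users, so that filesystem permissions match the share setting.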