Noel Kelly
2003-Apr-26 08:03 UTC
[Samba] Why would I want Active Directory (rather, how to argue against it?)
I asked the same questions, Brian, when we upgraded our network from a Novell NDS/Windows NT environment to Windows 2000 a couple of years ago. I thought it overly complex and expensive. Admittedly the Samba PDC emulation was not as advanced as it is now, but I could see nothing wrong with using a simple NT domain model and Samba PDCs as the customer had <100 users.

The big arguments for were based on the control ADS gives you over the workstations: all these policies and software installs and so on. It is true to a degree that workstation management can be more finely tuned, but it also makes it inherently complex. Since the original Office deployment was botched (Office was assigned to the workstations rather than the users) we have now spent an inordinate amount of time resolving this, as there are different versions of Office licensed (Standard, Pro etc.) to different users (and Office is the worst package I have ever seen for uninstallation - just dreadful, and M$'s Office Kill utility wipes out more than just Office, leaving you with a crippled workstation! Really stupid having to rebuild all these workstations).

Another thing which was pushed for was ACLs. This really stuffed things up on the Samba side as our kernels were totally unstable with the early ACL patches. It got really messy until we just binned ACLs. Now administration is far easier and the Samba file/print servers have been up for 350+ days. About once every 6 months we might have to reload winbindd to flush out stale domain info, but otherwise the admins rarely turn on the consoles.

One of the two ADS DCs is stable and operates as the Exchange 5.5 server as well, but the original ADS server is shafted. Once again it was something done in the original migration whereby we had a third DC for staging. This was removed from ADS properly and so on, but this DC refuses to let it go, so a reboot of it takes hours to complete as it contemplates its navel.
I can hear all the ADS experts proclaiming about planning and testing, and I can assure you that we did all of that. It was all done by the book and the new network was built completely from scratch. We have since installed Samba PDCs at smaller companies and they just run and run. The NT domain model has its faults, but for small companies there is no reason to use ADS - it is just overkill. Samba and LDAP are the way to go (forget ACLs as well unless you have a very good reason to use them. Instabilities and backups aside, the Windows ACL management is primitive - Novell had excellent ACL management where you could see everything on one screen, but I have seen nothing like that for Windoze platforms).

HTH
Noel

-----Original Message-----
From: Brian J. Murrell [mailto:brian@interlinx.bc.ca]
Sent: Saturday, April 26, 2003 6:56 AM
To: samba@lists.samba.org
Subject: [Samba] Why would I want Active Directory (rather, how to argue against it?)

I think I understand what Active Directory is all about. I understand LDAP and I understand Kerberos. I can see how AD (well, Kerberos actually) enables single sign-on (I assume it deals in tickets with the Windows clients as standard Kerberos clients do) and can make life easy in a large network (which, IIRC, was one of the design goals of Kerberos in the first place). But let's say I have a smallish network where I only need a couple of file & print servers (and the need for even a couple is only for redundancy -- PDC and BDC(s)) and I am using W2K right now. What arguments could I likely face when I propose replacing those with Samba (2.2 or 3.0) PDC and BDC(s)?
The way I see it, I can build a Samba PDC/BDC pair and use some hackery to replicate the passwd databases between the two (a utility based on dnotify or even fam could be quite helpful here to avoid polling for file changes), or, even better, use LDAP on the DCs and replicate from the PDC to the BDCs and provide all of the redundancy and distributed access of a Windows PDC/BDC network.

So what else does AD do in a W2K AD network? Does Exchange use the Kerberos tickets AD hands out? If I replace the W2K servers with Samba servers, will Exchange cease to allow users in? Or will they need to re-authenticate to the Exchange server? Where will it get its authentication data from if the W2K AD DCs go away? What likely future impact could this have with other MS/AD based servers? Could I find myself having to put W2K AD back in to get other services to work again?

As you might be able to determine, my actual operational experience in an MS network is slim-to-none (way closer to none than slim), so any experiences/opinions would be welcome.

Thanx,
b.
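As an added illustration of the LDAP-backed PDC/BDC arrangement Brian sketches (this is not part of either post and not a configuration shipped by the Samba project), here is a minimal Samba 3.0 smb.conf pair for a PDC and a BDC that share one LDAP directory instead of copying smbpasswd files around. The domain name, hostnames, addresses, base suffix, admin DN and the use of smbldap-tools for machine accounts are assumptions chosen for the example. The BDC reads from an OpenLDAP replica that is assumed to be configured with an updateref pointing at the master, so a password change taken by the BDC is referred back to the single writable copy rather than diverging.

```ini
; --- /etc/samba/smb.conf on the PDC (assumed host PDC1, 192.0.2.10) ---
[global]
    workgroup = EXAMPLE                 ; assumed NT domain name
    netbios name = PDC1
    server string = Samba PDC
    security = user
    encrypt passwords = yes

    ; NT domain roles: only one PDC per domain, and it wins browser elections
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65
    wins support = yes

    ; Account database lives in LDAP, not in smbpasswd; TLS keeps hashes off the wire
    passdb backend = ldapsam:ldap://ldap1.example.internal   ; assumed master
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=Manager,dc=example,dc=internal         ; assumed DN
    ldap ssl = start tls
    ldap passwd sync = yes

    ; Machine accounts are created in LDAP when a workstation joins
    ; (assumes smbldap-tools is installed on the PDC)
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"

    ; Roaming profile / home mapping handed to Windows clients at logon
    logon script = logon.bat
    logon path = \\%L\profiles\%U
    logon drive = H:
    logon home = \\%L\%U

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

; --- /etc/samba/smb.conf on the BDC (assumed host BDC1, 192.0.2.11) ---
[global]
    workgroup = EXAMPLE
    netbios name = BDC1
    server string = Samba BDC
    security = user
    encrypt passwords = yes

    ; A BDC still answers domain logons but must never claim domain master
    domain logons = yes
    domain master = no
    preferred master = no
    local master = yes
    os level = 48
    wins server = 192.0.2.10

    ; Read from the local replica first, fall back to the master if it is down
    passdb backend = ldapsam:"ldap://ldap2.example.internal ldap://ldap1.example.internal"
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=Manager,dc=example,dc=internal
    ldap ssl = start tls
    ldap passwd sync = yes

[netlogon]
    path = /var/lib/samba/netlogon      ; keep in sync with the PDC copy (e.g. rsync)
    read only = yes
    browseable = no
```

Two things the file itself cannot express: the bind password for the ldap admin dn is stored in secrets.tdb with `smbpasswd -w <password>` on each server, and both servers must report the same domain SID, so the BDC fetches it from the PDC (the Samba HOWTO's `net rpc getsid` step) before it is started as a domain controller. Directory replication between ldap1 and ldap2 is slapd's job (slurpd in the OpenLDAP of that era, syncrepl later); Samba only sees one consistent account database.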