Hi all

We have slowly been migrating our NT4 domain to Samba+OpenLDAP. Today I was told that we were going to create an AD 'resource' domain, put all of the workstations in it and create a trust relationship between the two domains. In other words the users would be in the Samba+OpenLDAP domain and the workstations in the AD 'resource' domain. If it matters we have about 1750 workstations with about 2000 users.

Is this a reasonable model to follow or thing to do?

If we do this what sort of pitfalls, if any, should I expect to encounter?

Any ideas, opinions, knowledge of this are greatly appreciated.

Thanks,
John

On Mon, 2006-10-30 at 13:14 -0800, John Little wrote:
> Hi all
>
> We have slowly been migrating our NT4 domain to Samba+OpenLDAP. Today I
> was told that we were going to create an AD 'resource' domain, put all
> of the workstations in it and create a trust relationship between the
> two domains. In other words the users would be in the Samba+OpenLDAP
> domain and the workstations in the AD 'resource' domain. If it matters
> we have about 1750 workstations with about 2000 users.
>
> Is this a reasonable model to follow or thing to do?

It depends on the reasons for creating the resource domain.

> If we do this what sort of pitfalls, if any, should I expect to encounter?
> Any ideas, opinions, knowledge of this are greatly appreciated.

It should work. In fact, I think I even tested it briefly at my site. It will just be an interdomain trust as far as Samba and AD are concerned.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com

On Wed, 2006-11-01 at 08:04 -0500, John Little wrote:
> Hi Andrew..
>
> > On Mon, 2006-10-30 at 13:14 -0800, John Little wrote:
> > > Hi all
> > >
> > > We have slowly been migrating our NT4 domain to Samba+OpenLDAP.
> > > Today I was told that we were going to create an AD 'resource'
> > > domain, put all of the workstations in it and create a trust
> > > relationship between the two domains. In other words the users
> > > would be in the Samba+OpenLDAP domain and the workstations in the AD
> > > 'resource' domain. If it matters we have about 1750 workstations
> > > with about 2000 users.
> > >
> > > Is this a reasonable model to follow or thing to do?
> >
> > It depends on the reasons for creating the resource domain.
> >
> > > If we do this what sort of pitfalls, if any, should I expect to encounter?
> > > Any ideas, opinions, knowledge of this are greatly appreciated.
> >
> > It should work. In fact, I think I even tested it briefly at my site.
> > It will just be an interdomain trust as far as Samba and AD are
> > concerned.
>
> My concern is that currently the machines are joined to the NT4 domain (AD has
> not been implemented as of yet). We have users in the Samba domain
> accessing shares on Windows servers joined to the NT4 domain. Occasionally
> these users cannot access a share and get a message about the trust
> relationship not working. This does not occur when the workstation is
> joined to the Samba domain. The workstations are Win XP pro and Win2k. Note
> that I am not speaking of logon issues here, just of intermittent share
> access issues.
>
> Since we are a hospital, patient safety and care is of utmost priority.
> Translated into IS terms, doctors and nurses have to access information
> quickly and when they need it. Hence my concern about keeping the
> workstations on the NT4 or AD domain.
>
> Are the trust relationships more stable with AD or am I possibly missing
> something in my setup that would cause the intermittent access issues?

I don't think the technology is fundamentally unstable. I had a setup like this for I think a couple of years, with all users being in the Samba domain.

If there are issues, I would first chase them down 'as is'. I don't think AD would be more or less stable, but clearly you must validate anything you do to your complete satisfaction (presumably in a realistic test lab environment) before deploying anything to safety critical systems.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com

Hi Andrew..

> On Mon, 2006-10-30 at 13:14 -0800, John Little wrote:
> > Hi all
> >
> > We have slowly been migrating our NT4 domain to Samba+OpenLDAP.
> > Today I was told that we were going to create an AD 'resource'
> > domain, put all of the workstations in it and create a trust
> > relationship between the two domains. In other words the users
> > would be in the Samba+OpenLDAP domain and the workstations in the AD
> > 'resource' domain. If it matters we have about 1750 workstations
> > with about 2000 users.
> >
> > Is this a reasonable model to follow or thing to do?
>
> It depends on the reasons for creating the resource domain.
>
> > If we do this what sort of pitfalls, if any, should I expect to encounter?
> > Any ideas, opinions, knowledge of this are greatly appreciated.
>
> It should work. In fact, I think I even tested it briefly at my site.
> It will just be an interdomain trust as far as Samba and AD are
> concerned.

My concern is that currently the machines are joined to the NT4 domain (AD has not been implemented as of yet). We have users in the Samba domain accessing shares on Windows servers joined to the NT4 domain. Occasionally these users cannot access a share and get a message about the trust relationship not working. This does not occur when the workstation is joined to the Samba domain. The workstations are Win XP pro and Win2k. Note that I am not speaking of logon issues here, just of intermittent share access issues.

Since we are a hospital, patient safety and care is of utmost priority. Translated into IS terms, doctors and nurses have to access information quickly and when they need it. Hence my concern about keeping the workstations on the NT4 or AD domain.

Are the trust relationships more stable with AD or am I possibly missing something in my setup that would cause the intermittent access issues?

>
> Andrew Bartlett

Regards,
John Little