yvan.masson at openmailbox.org
2016-Feb-19 10:01 UTC
[Samba] Restoring single DC virtual machine
Hi,

I plan to install one Samba4 DC on a virtual machine to provide services for less than 50 users:
- centralized authentication on 2 or 3 Linux servers
- LDAP authentication on an ownCloud server
- I do not think that I will join Windows computers to the domain, but maybe one day.

I know it is better to install more than one DC to have replication, but in such a small setup, would it be possible to rely only on VM restoration in case of a problem (physical server broken, wrong manipulation on AD LDAP…)?

I have read https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC, but it is still noted as a draft.
I have also read https://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ff and it seems that the problems, when restoring a VM backup, come only from replication between DCs.

This makes me think that it would be OK, but what do you think?

Regards,
Yvan

Hai,

I do it like this, and the site https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC is a draft, but works fine; get the samba_backup script, adjust where needed.

Below is tested and in a production environment and works fine.

1) Full backup of the VM, done monthly, of the DC with FSMO roles. (I do stop the server for this backup, to avoid problems with locked db's or open files, and I have 2 DCs so only a small auth delay in the network with authentication.)
   And I do weekly snapshots, while the DC is running; here I don't care about open files. This is handled by the samba_backup script.
2) Incremental backups for /etc (daily)
3) Separate backup of the samba data (with the samba4_backup script) (4 times a day)

Note, I have a very clean server as DC with only samba and bind9 installed. Backup time is very short, because the full server backup is only 1.2Gb. Like:

    Filesystem  Size  Used  Avail  Use%  Mounted on
    rootfs      6.1G  1.2G  4.7G   20%   /

Restore options.
! In case of multiple DCs (and I have 2 DCs now, and am increasing to 4) !
Restore options now are in the following situations.

1) DC not working anymore (multiple DCs)
- on the other DC, get the FSMO roles.
- remove the old DC from the domain, install a new DC.

2) VM server dead (and multiple DCs are gone)
- restore full backup of the VM (the DC with FSMO roles)
- restore /etc/
- stop samba, restore the samba backed-up data.
- start samba
- install the other DCs again.

3) VM server running, guest VM dead (and only one DC)
- restore full backup of the VM (the DC with FSMO roles)
- restore /etc/
- stop samba, restore the samba backed-up data.
- start samba

Greetz,
Louis

Hello Yvan,

On 19.02.2016 at 11:01, yvan.masson at openmailbox.org wrote:
> I plan to install one Samba4 DC on a virtual machine to provide services
> for less than 50 users:
> - centralized authentication on 2 or 3 Linux servers
> - LDAP authentication on an ownCloud server
> - I do not think that I will join Windows computers to the domain, but
>   maybe one day.

Your AD is just an LDAP backend for users/authentication?

If you're having no clients (machine pw changes in the meantime) in that domain and only one DC (replication issues), it should be fine when restoring a snapshot. The only thing that could happen is that users may have changed their pw in the meantime.

Regards,
Marc

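The password caveat above can be checked before a rollback whenever the DC is still running (the "wrong manipulation on AD LDAP" case). This is an added example, not part of the thread: it reads an LDIF export of sAMAccountName and pwdLastSet and lists the accounts whose password was set after the snapshot, since those revert on restore. The LDIF sample, the snapshot time and the function names are constructed; pwdLastSet is the AD attribute that stores a Windows FILETIME.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed values: the snapshot being restored and an LDIF export of
# sAMAccountName/pwdLastSet taken from the still-running DC before rollback.
SNAPSHOT_TIME = datetime(2016, 2, 19, tzinfo=timezone.utc)
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=lan
sAMAccountName: alice
pwdLastSet: 131005206000000000

dn: CN=bob,CN=Users,DC=example,DC=lan
sAMAccountName: bob
pwdLastSet: 130968864000000000

dn: CN=carol,CN=Users,DC=example,DC=lan
sAMAccountName: carol
pwdLastSet: 0

dn: CN=WEB01,CN=Computers,DC=example,DC=lan
sAMAccountName: WEB01$
pwdLastSet: 131004432000000000
"""

def filetime_to_datetime(ticks):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_ldif(text):
    """Yield one dict per entry; handles plain 'attr: value' lines only."""
    for block in text.strip().split("\n\n"):
        pairs = (l.split(": ", 1) for l in block.splitlines() if ": " in l)
        entry = {key: value for key, value in pairs}
        if entry:
            yield entry

def changed_since(ldif_text, snapshot_time):
    """Return sorted (changed_at, account, is_machine) for later changes."""
    hits = []
    for entry in parse_ldif(ldif_text):
        name = entry.get("sAMAccountName")
        ticks = int(entry.get("pwdLastSet", "0"))
        if name and ticks:  # 0 means no password set time is recorded
            changed = filetime_to_datetime(ticks)
            if changed > snapshot_time:
                hits.append((changed, name, name.endswith("$")))
    return sorted(hits)

if __name__ == "__main__":
    for changed, name, machine in changed_since(SAMPLE_LDIF, SNAPSHOT_TIME):
        kind = "machine" if machine else "user"
        print(f"{changed:%Y-%m-%d %H:%M} UTC  {kind:7}  {name}")
```

Accounts ending in "$" are machine accounts, the "machine pw changes in the meantime" case; the others are users who would have to go back to their previous password.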
On Sunday 21 February 2016 at 20:31 +0100, Marc Muehlfeld wrote:
> Your AD is just an LDAP backend for users/authentication?
>
> If you're having no clients (machine pw changes in the meantime) in that
> domain and only one DC (replication issues), it should be fine when
> restoring a snapshot. The only thing that could happen is that users
> may have changed their pw in the meantime.
>
> Regards,
> Marc

Thanks for your answers.

Indeed, the purpose of this DC is an LDAP to authenticate a few users against: compared to other available solutions (OpenLDAP, 389DS or FreeIPA), samba seems to be the best choice. The fact that snapshots are sufficient for backup confirms that Samba as a DC can be simple to use and administer.

Regards,
Yvan