On 20/10/2020 19:56, Christian Naumer via samba wrote:
>
> On 20.10.20 at 19:36, Rowland penny via samba wrote:
>> On 20/10/2020 17:46, Stefano Vargiu wrote:
>>> Sorry, I don't get it.
>>>
>>> You mean a domain member as opposed to a domain controller?
>>> In which way is it going to help?
>>>
>> You should really only use a Samba AD DC for authentication, so the best
>> idea would be to add a Unix domain member to the domain and install
>> openvpn or freeradius or some other program that will do what you
>> require. This is known to work and I am sure, if you do decide to go down
>> this path, that you will get help here.
> I don't think this is what the OP wanted to do. He wanted to connect two
> DCs in two different offices with a VPN.
>
> However, the way he wanted to do it (Rowland is absolutely correct here)
> is not possible in AD. As he has used the same subnets on the two
> sites, if I understand this correctly.
> You need two different subnets at your two sites. Your router/firewall
> needs to connect the two sites and route the traffic from one to the
> other DC. They need to have different IPs.
>
> Regards
>
> Christian
>
If that is what the OP wants, then yes, I did totally misunderstand :-[

But apart from that, everything else I said was correct. If the DCs are
at separate places, then not only does he need to use different subnets,
he needs to use different 'sites' in AD and probably 2 DCs at each site.

I have never done what is being proposed, but I think the idea is that
you set up a VPN between the two locations and then the two DCs talk
to each other down the VPN link.

Rowland
I didn't know the concept of site in AD: thank you for pointing that out to
me, I'll read about it.
I'm also going to avoid the same subnets on the two sites, but honestly
I'll try to keep the multi-homed configuration because I always used it (at
least in single master configurations), it always worked and I never had
problems with it: I think it's enough that all the IPs of the domain
controller are reachable (through appropriate routing) from any subnets
served by it.

Thank you
Stefano

On Tue 20 Oct 2020 at 21:14, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 20/10/2020 19:56, Christian Naumer via samba wrote:
> >
> > On 20.10.20 at 19:36, Rowland penny via samba wrote:
> >> On 20/10/2020 17:46, Stefano Vargiu wrote:
> >>> Sorry, I don't get it.
> >>>
> >>> You mean a domain member as opposed to a domain controller?
> >>> In which way is it going to help?
> >>>
> >> You should really only use a Samba AD DC for authentication, so the best
> >> idea would be to add a Unix domain member to the domain and install
> >> openvpn or freeradius or some other program that will do what you
> >> require. This is known to work and I am sure, if you do decide to go down
> >> this path, that you will get help here.
> > I don't think this is what the OP wanted to do. He wanted to connect two
> > DCs in two different offices with a VPN.
> >
> > However, the way he wanted to do it (Rowland is absolutely correct here)
> > is not possible in AD. As he has used the same subnets on the two
> > sites, if I understand this correctly.
> > You need two different subnets at your two sites. Your router/firewall
> > needs to connect the two sites and route the traffic from one to the
> > other DC. They need to have different IPs.
> >
> > Regards
> >
> > Christian
> >
> If that is what the OP wants, then yes, I did totally misunderstand :-[
>
> But apart from that, everything else I said was correct. If the DCs are
> at separate places, then not only does he need to use different subnets,
> he needs to use different 'sites' in AD and probably 2 DCs at each site.
>
> I have never done what is being proposed, but I think the idea is that
> you set up a VPN between the two locations and then the two DCs talk
> to each other down the VPN link.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
On 20/10/2020 22:09, Stefano Vargiu via samba wrote:
> I didn't know the concept of site in AD: thank you for pointing that out to
> me, I'll read about it.
> I'm also going to avoid the same subnets on the two sites, but honestly
> I'll try to keep the multi-homed configuration because I always used it (at
> least in single master configurations), it always worked and I never had
> problems with it: I think it's enough that all the IPs of the domain
> controller are reachable (through appropriate routing) from any subnets
> served by it.
>
> Thank you
> Stefano
>
You can do as you wish, but I will say it again, just in case you missed
it: Active Directory Domain Controllers do not like being multi-homed.
They can only have one hostname, so which IP address do you link to that?

What you could do is use one IP and then use a CNAME for the other IP.

Rowland
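As an added example, not part of the thread and not Samba's own code: a small POSIX shell script that checks a two-office plan for the mistake Christian points out (the same subnet at both sites) and, only when the prefixes are disjoint, prints the samba-tool commands that create one AD site per office and attach its subnet to it. The site names Office-A and Office-B, the prefixes, and the exact "samba-tool sites" / "samba-tool sites subnet" syntax are assumptions; confirm them with "samba-tool sites --help" on the DC before pasting the output.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): reject overlapping
# site subnets, then emit the samba-tool commands for disjoint ones.

# ip2int DOTTED-QUAD -> the address as a 32-bit integer.
# Runs in a subshell so the IFS change stays local.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_overlap A/LEN B/LEN -> status 0 if the two prefixes overlap.
# Two prefixes overlap exactly when they agree on the shorter (coarser)
# of the two prefix lengths, i.e. one contains the other.
cidr_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    a=$(ip2int "$a_ip"); b=$(ip2int "$b_ip")
    if [ "$a_len" -lt "$b_len" ]; then len=$a_len; else len=$b_len; fi
    mask=$(( ((1 << 32) - 1) & ~((1 << (32 - len)) - 1) ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# overlaps_any FIRST OTHER... -> status 0 if FIRST overlaps any OTHER.
overlaps_any() {
    first=$1; shift
    for other in "$@"; do
        if cidr_overlap "$first" "$other"; then
            echo "overlap: $first and $other" >&2
            return 0
        fi
    done
    return 1
}

# disjoint_plan CIDR... -> status 0 if every pair of prefixes is disjoint.
disjoint_plan() {
    while [ $# -gt 1 ]; do
        if overlaps_any "$@"; then return 1; fi
        shift
    done
    return 0
}

# site_commands SITE CIDR... -> samba-tool commands that create SITE and
# attach each CIDR to it (assumed syntax; verify with samba-tool sites --help).
site_commands() {
    site=$1; shift
    echo "samba-tool sites create '$site'"
    for cidr in "$@"; do
        echo "samba-tool sites subnet create '$cidr' '$site'"
    done
}

# Constructed plan: one AD site per office, distinct RFC 1918 prefixes
# (names and prefixes are assumptions, not taken from the thread).
if disjoint_plan 10.10.0.0/24 10.20.0.0/24; then
    site_commands Office-A 10.10.0.0/24
    site_commands Office-B 10.20.0.0/24
fi

# The configuration the thread rejects: the same prefix at both offices.
disjoint_plan 192.168.1.0/24 192.168.1.0/24 || echo "plan rejected: duplicate subnet" >&2
```

Run the commands it prints on one DC; the site and subnet objects live in the configuration partition and replicate to the other DC. AD uses the subnet-to-site mapping to send clients to a DC in their own site, which is why the prefixes of the two offices have to be distinct and why the same prefix on both ends of the VPN cannot be expressed at all.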