I need to plan this solution properly. I have 3 entities in 3 different locations, with approximately 50 computers in each entity. Each entity currently uses its own files on its own server. However, there are people who travel between entities and need to have access to all files regardless of the entity. The entities are connected by VPN, and access is available. The point is that I have set up a Domain Controller for testing and I would like to have a central database of users and groups that the company uses. However, the infrastructure must be resistant to internet problems.

So, in my plan, I set up 1 PDC (for the main list), which I provisioned with the command:

    samba-tool domain provision --use-rfc2307 --option="ad dc functional level = 2016" --function-level=2016 --interactive --option="dns forwarder = 192.168.xx.xx" --option="winbind enum groups = Yes" --option="winbind enum users = Yes"

and 3 BDCs, which I added with this command and on which I was sharing files:

    samba-tool domain join dom.lan DC -U administrator --realm=DOM.LAN -W DOM --option="ad dc functional level = 2016" --function-level=2016 --use-rfc2307 --option="winbind enum groups = Yes" --option="winbind enum users = Yes"

From what I understand from other posts, should I also add 3 Unix domain members on which I share files? Is that correct? File shares should NOT be created on BDCs, right? And then, should I keep profiles and network shares on these file servers? So, should I use idmap with autorid on these Unix domain members? The goal is that internet outages (which happen) do not block access to network shares, so in each entity I must ensure a BDC?

    Entity 1 ------------------ VPN ------------------ Entity 2 ------------------ VPN ------------------ Entity 3
       |                                                  |                                                  |
       +--- PDC (Domain Controller)                       +--- BDC (Domain Controller)                       +--- BDC (Domain Controller)
       |                                                  |                                                  |
       +--- File Server (Unix Domain Member)              +--- File Server (Unix Domain Member)              +--- File Server (Unix Domain Member)
       |                                                  |                                                  |
       +--- ~50 Computers                                 +--- ~50 Computers                                 +--- ~50 Computers

Is this a good direction, or is it overcomplicating things?

Then, between the DC servers, I must synchronize sysvol and idmap.ldb, and the Unix domain members (file servers)? Must they use idmap rid or autorid?

Any other suggestions? Ideas?
On Fri, 7 Mar 2025 15:22:10 +0100 Piotr Adamcio via samba <samba at lists.samba.org> wrote:

> Is this a good direction, or is it overcomplicating things?

OK, for a start, please stop calling them 'PDC' or 'BDC', they are all just 'DCs', it is just that one or more of them hold FSMO roles (yes I know that one of the FSMO roles is called 'PDC_Emulator' but it is meaningless in AD).

I think you might understand your setup better in AD terms if you stop thinking about 'entities' and think in terms of 'Sites', and yes, you really need at least one DC (more is better) in each 'site'.

You are quite correct, you shouldn't use a DC as a fileserver; while you can get one to work as a fileserver, there are numerous reasons why it isn't a good idea.

Turning to profiles, are you referring to Windows roaming profiles? If so, I would give up on that idea now: the profiles have to be stored on a PC somewhere and dragged to the PC across the network, then put back again. This is bad enough across a local network, but it is going to be a lot worse from one site to another over the internet.

Please do not use the 'winbind enum' lines, you do not need them. You also do not need '--use-rfc2307' if you are going to use 'autorid', and speaking of that, I personally would use the 'rid' idmap backend on Unix domain members.

I cannot recommend using your registered dns domain (I take it that 'dom.lan' is your dns domain sanitised) for the AD dns domain, use a subdomain instead e.g. 'ad.dom.lan'.

I think I hear more questions ;-)

Rowland
I would follow this guide exactly: http://samba.bigbird.es/doku.php?id=samba:start

Do not use --use-rfc2307, not even during provisioning. If you're unsure whether you need it (and you really don't), then you don't need it.

I strongly recommend using KVM VMs for domain controllers (DCs), even if they must reside on your member servers. You'll appreciate the ability to create full backups before upgrading. For your organization's size, 5GB of disk space and 512MB of RAM are more than sufficient for your DCs.

Use RID for your file servers.

Don't use roaming profiles. They'll hog your network.

Regards.

On 7 Mar 2025 at 14:22 +0000, Piotr Adamcio via samba <samba at lists.samba.org>, wrote:

> Then, between the DC servers, I must synchronize sysvol and idmap.ldb, and the Unix domain members (file servers)? Must they use idmap rid or autorid?
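Both replies above recommend the 'rid' idmap backend for the Unix domain member file servers rather than 'autorid'. The following is an added example written for this page (it is not code from the thread, from the Samba project or from the linked guide) that shows why that matters for a multi-site layout: the rid backend maps a user's SID to a Unix ID algorithmically, so every file server configured with the same range computes the same UID with no idmap database to synchronise, whereas an allocating backend hands out IDs in the order it first sees them. The smb.conf excerpts, the domain name DOM, the realm AD.DOM.LAN, the SIDs and the ranges are all constructed placeholders; the mapping formula (ID = RID - BASE_RID + LOW_RANGE_ID) is the one Samba documents for idmap rid.

```python
"""Added example: parse the idmap lines of a Unix domain member's smb.conf,
check the ranges do not overlap, and compute the rid backend's SID -> UID map.
All configuration values below are constructed placeholders, not a real site."""
import re

# Constructed smb.conf excerpt for file server A (Unix domain member, idmap rid).
SERVER_A_CONF = """
[global]
    workgroup = DOM
    realm = AD.DOM.LAN
    security = ADS
    # '*' covers BUILTIN and any other domain; tdb allocates IDs on first use.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # The AD domain itself: deterministic rid mapping, identical on every member.
    idmap config DOM : backend = rid
    idmap config DOM : range = 10000-999999
"""

# File server B in another site: a different '*' range but the same DOM range,
# which is all that is needed for DOM users to get identical UIDs on A and B.
SERVER_B_CONF = SERVER_A_CONF.replace("3000-7999", "3000-9999")

# A misconfiguration: the '*' range runs into the DOM range.
BAD_CONF = SERVER_A_CONF.replace("3000-7999", "3000-20000")

# Matches lines such as:  idmap config DOM : range = 10000-999999
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*(backend|range|base_rid)\s*=\s*(\S+)",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> dict:
    """Return {domain: {'backend': str, 'range': (low, high), 'base_rid': int}}."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {"base_rid": 0})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        elif key == "base_rid":
            entry["base_rid"] = int(val)
        else:
            entry["backend"] = val.lower()
    return cfg


def ranges_overlap(cfg: dict) -> list:
    """List the pairs of idmap domains whose ID ranges overlap; Samba requires
    every configured range to be disjoint."""
    doms = list(cfg)
    clashes = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            la, ha = cfg[a]["range"]
            lb, hb = cfg[b]["range"]
            if la <= hb and lb <= ha:
                clashes.append((a, b))
    return clashes


def rid_from_sid(sid: str) -> int:
    """The RID is the last sub-authority of a SID like S-1-5-21-<x>-<y>-<z>-1105."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_id(rid: int, cfg: dict, domain: str):
    """idmap rid: ID = RID - BASE_RID + LOW_RANGE_ID. Returns None when the
    result falls outside the configured range (winbind would refuse to map it)."""
    entry = cfg[domain]
    low, high = entry["range"]
    unix_id = rid - entry["base_rid"] + low
    return unix_id if low <= unix_id <= high else None


def ids_agree(confs: list, sid: str, domain: str):
    """Map one SID on every server; return the common ID, or None if they differ."""
    ids = {rid_to_id(rid_from_sid(sid), parse_idmap(c), domain) for c in confs}
    return ids.pop() if len(ids) == 1 else None


if __name__ == "__main__":
    user_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
    print("A and B agree on UID:", ids_agree([SERVER_A_CONF, SERVER_B_CONF], user_sid, "DOM"))
    print("overlaps in BAD_CONF:", ranges_overlap(parse_idmap(BAD_CONF)))
```

The point to take from `ids_agree` is the one Rowland makes implicitly: with rid, a traveller's files carry the same UID on every site's file server as long as the `idmap config DOM : range` line is identical everywhere, and nothing has to be synchronised between the members. The `*` range still has to be kept clear of the domain range, which `ranges_overlap` checks for the constructed configurations.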