About multi-master replication. Scott wrote that he had to deal with it a lot, so he didn't recommend it. But I need one domain, because a lot of
users use both sites. So, I have the following options:
1. PDCs on each site, with the same domain, as chapter 6 describes.

Look, I'm not sure if my emails are getting through or not, but drop this multi PDC thing. It's just more complexity.

You need some sort of LDAP replication because you want authentication done locally. Multi-master is more difficult to set up, but more flexible. There are other schemes. I had some 16 servers set up this way and had very few difficulties. It is quite resilient and reliable. Here is a good primer:

http://www.zytrax.com/books/ldap/ch7/


     a. Master LDAP server in the HQ, and slave in the branch site, according to the SaMBa guide.
     b. Branch site uses master LDAP server too. It looks tempting, but difficult/dangerous to me.
2. PDC on the HQ, BDC on the branch site
     a. Branch site uses slave LDAP server.
     b. Branch site uses master LDAP server too.
In 1/a and 2/a, the VPN outage could be a problem. Am I right?
No, the b's are the problem if the VPN is down. They're calling the "master" which is at the other end of the VPN. The a's have a slave copy. All is good, unless they need to write to LDAP. How much LDAP writing goes on in the branch?

As I know, only the PDC writes to the LDAP database. Is that true?
No. If you're using smbldap-tools, the ldap calls are made via smbldap_bind.conf. So with multi-master this whole dual PDC thing is fairly useless. See, Multi-master...all are writable.

Question:

1.  Which office writes to LDAP?
2.  Who does the writing?
3. Is there likely to be a mutually exclusive write, at approximately the same instant, during a VPN outage?
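As an added illustration (not from this thread, and not the smbldap-tools or Samba project's own files), here is how a branch office's smbldap-tools and Samba configuration would split the calls the way Scott describes: reads go to the local slave, writes go to the HQ master across the VPN. The hostnames, DNs and replace-me passwords are assumed placeholders.

```conf
# /etc/smbldap-tools/smbldap.conf  (branch office)
# smbldap-tools reads from slaveLDAP and writes to masterLDAP.
slaveLDAP="ldap-branch.example.internal"    # assumed hostname: the local replica
slavePort="389"
masterLDAP="ldap-hq.example.internal"       # assumed hostname: the writable master at HQ
masterPort="389"
ldapTLS="1"                                 # passwords cross the VPN; use STARTTLS
suffix="dc=example,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
# ... the remaining smbldap.conf settings are unchanged

# /etc/smbldap-tools/smbldap_bind.conf  (branch office, mode 0600)
# The bind DN/password used for the slave (reads) and the master (writes).
slaveDN="cn=Manager,dc=example,dc=com"
slavePw="replace-with-real-password"
masterDN="cn=Manager,dc=example,dc=com"
masterPw="replace-with-real-password"

# /etc/samba/smb.conf  (branch Samba server, [global] section)
# Samba tries the URIs in order, so the local replica is used while the VPN is up or down
# and the HQ master only when the local slapd is unreachable.
[global]
   passdb backend = ldapsam:"ldap://ldap-branch.example.internal ldap://ldap-hq.example.internal"
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap ssl = start tls
```

The point of the split is the one Scott makes: with a slave in the branch, every read (logon, group lookup, SID mapping) stays local, and only the smbldap-tools writes (useradd, passwd changes, machine-account joins) need the master, so a VPN outage breaks those writes and nothing else.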

Because in case of VPN outage, this situation has the same drawback.
So, my main problem is the unreliable ADSL line. Can we live with a slave server in the branch office?

Yes, using Replication refreshOnly or Replication refreshAndPersist. You can truly go apeshit with this stuff, making only pieces of the DIT available to branches. Very nifty once you get it down.
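Added example of the two slapd.conf halves behind that answer (not from this thread, and not the OpenLDAP or Samba documentation's own text): the HQ master runs the syncprov overlay, the branch slave pulls with a syncrepl stanza, and a write that reaches the slave is referred back to the master with updateref. Hostnames, the cn=replicator account and the passwords are assumed placeholders; the commented second stanza shows the refreshOnly variant and a narrower searchbase/filter for shipping only part of the DIT to a branch.

```conf
# --- HQ master (provider), /etc/openldap/slapd.conf ---
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap

# Replication account (assumed to exist): read-only, but it must be able to read
# every attribute, including the operational ones syncrepl relies on.
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break

overlay     syncprov
syncprov-checkpoint 100 10     # persist contextCSN every 100 writes or 10 minutes
syncprov-sessionlog 100        # remember recent changes so consumers can catch up cheaply

# --- Branch slave (consumer), /etc/openldap/slapd.conf ---
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap

syncrepl rid=001
    provider=ldap://ldap-hq.example.internal
    type=refreshAndPersist      # keep a connection open; HQ pushes changes as they happen
    retry="60 10 300 +"         # VPN down: retry every 60 s ten times, then every 300 s forever
    searchbase="dc=example,dc=com"
    filter="(objectClass=*)"
    scope=sub
    attrs="*,+"                 # all user and operational attributes
    schemachecking=off
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=replace-with-real-password
    starttls=yes                # replication traffic crosses the VPN; encrypt it

# Writes arriving at the slave get an LDAP referral to the master.
updateref   ldap://ldap-hq.example.internal

# Alternative: poll once an hour and replicate only the Samba accounts and groups
# (one syncrepl stanza per database; swap this in for the one above).
#syncrepl rid=002
#    provider=ldap://ldap-hq.example.internal
#    type=refreshOnly
#    interval=00:01:00:00       # dd:hh:mm:ss
#    retry="60 +"
#    searchbase="dc=example,dc=com"
#    filter="(|(objectClass=sambaSamAccount)(objectClass=posixGroup))"
#    scope=sub
#    attrs="*,+"
#    schemachecking=off
#    bindmethod=simple
#    binddn="cn=replicator,dc=example,dc=com"
#    credentials=replace-with-real-password
#    starttls=yes
```

With refreshAndPersist the branch sees HQ changes within seconds while the VPN is up and simply keeps serving its last copy while it is down; refreshOnly trades that for a bounded amount of traffic on the ADSL line. The multi-master setup Scott mentions uses the same machinery in OpenLDAP 2.4: both servers run syncprov and a syncrepl stanza pointing at the other, plus a distinct serverID on each and mirrormode on, so either side accepts writes.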

How are you intending to keep roaming profiles in sync (the files on
the server, not the stuff in LDAP)? Are you going to use rsync?

Unless users jump from office to office, why bother? I would set road
warriors up with local profiles and sync their stuff in a manner
appropriate to their schedules/primary location.


Students will have that problem, but they have to bow to it.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
