[Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?
Tomasz Chmielewski
mangoo at mch.one.pl
Sat Dec 11 13:19:19 GMT 2004
Jim C. wrote:
> | Or perhaps I don't understand something?
>
> Just a guess but a BDC is probably going to do the same thing with the
> files that the LDAP backend would do. I.E. replicate the data from the
> server.
But how should it be done?
I have read the whole Samba Guide, and I think I didn't find a clue on
that - it seems to me that using configurations similar to those
presented in the Samba Guide would result in different roaming profiles on
each domain controller.
File replication is a different thing than LDAP replication:
- files are big, LDAP queries are just a hundred bytes each,
- file operations are read and write, LDAP are read mostly,
- LDAP is one read/write master server and multiple read-only slaves,
- with PDC and BDCs files can be read from and written to each server
(PDC, BDC1, BDC2 etc.) - there is no "central" server which takes care
of everything.
So, now imagine this situation:
We have a university/school facility with two buildings. Additionally,
there is a campus nearby with 4 buildings. So 6 buildings in total.
They are connected together using VPN over internet link - 1 Mbit
down/upload in each building.
Students have classes in each building, which means they should be able
to log in and use their roaming profiles in each building, and also in
each building on the campus.
To keep traffic to the minimum, there is a domain controller + LDAP
slave in each building: from 09.00-11.00 student Joe has classes in
building A, so he uses the domain controller (DC-A) in that building, and
from 11.15-14.00 he has classes in building B (and therefore uses
DC-B). After that he does his homework on the campus - so after each
logout, his profile should be immediately replicated to the other domain
controllers in the other buildings.
With LDAP it is easy: the master controls everything: for example, when a user
changes his/her password, the slave gives this change to the master, which
replicates the data to the other slaves. When the master is unavailable (link
down or master server down) the user will be notified that the password
can't be changed.
This is not the case with files.
Even if I use some handmade scripts which use rsync to upload files to
other DCs after user logs out, this will obviously fail when one DC is
down for some time or internet link/VPN is down:
- at 11.00 user Joe finishes his classes in building A, logs out, and his
profile with important data is uploaded to the other DCs,
- as there is no connection between building A and B (roadwork workers
just broke the internet link between the buildings), this results in
different profiles in building A and B,
- at 11.15 he logs in in building B and notices (or not) that his important
data is incomplete,
- at 14.00 he logs out in building B, the internet link is back, so his
incomplete data from building B overwrites the important, complete data in
building A,
- we have data corruption, user confusion, students and staff losing
their data, admins fired etc. etc.
So here comes my question again: how should the profiles be synchronized
between domain controllers? What are the best ways to do it? What are
your experiences?
Hope the post wasn't too long :) but I think that the problem is not a
trivial one, too.
Tomek