Why would I want Active Directory (rather, how to argue against it?)
Brian J. Murrell
brian at interlinx.bc.ca
Sat Apr 26 05:56:21 GMT 2003

I think I understand what Active Directory is all about. I understand
LDAP and I understand Kerberos. I can see how AD (well, Kerberos
actually) enables single-sign-on (I assume it deals in tickets with the
Windows clients as standard Kerberos clients do) and can make life easy in
a large network (which, IIRC was one of the design goals of Kerberos in
the first place).

But let's say I have a smallish network where I only need a couple of file
& print servers (and the need for even a couple is only for redundancy --
PDC and BDC(s)) and I am using W2K right now. What arguments could I
likely face when I propose replacing those with Samba (2.2 or 3.0) PDC and

The way I see it, I can build a Samba PDC/BDC pair and use some hackery to
replicate the passwd databases between the two (a utility based on dnotify
or even fam could be quite helpful here to avoid polling for file
changes), or even better, use LDAP on the DCs and replicate from the PDC
to the BDCs and provide all of the redundancy and distributed access of a
Windows PDC/BDC network.

So what else does AD do in a W2K AD network? Does Exchange use the
Kerberos tickets AD hands out? If I replace the W2K servers with Samba
servers will Exchange cease to allow users in? Or will they need to
re-authenticate to the Exchange server? Where will it get its
authentication data from if the W2K AD DCs go away?

What likely future impact could this have with other MS/AD based servers?
Could I find myself having to put W2K AD back in to get other services to

As you might be able to determine, my actual operational experience in an
MS network is slim-to-none (way closer to none than slim) so any
experiences/opinions would be welcome.