[Samba] Why would I want Active Directory (rather, how to argue against it?)

Noel Kelly nkelly at citrusnetworks.net
Sat Apr 26 08:03:30 GMT 2003

I asked the same questions Brian when we upgraded our network from a Novell
NDS/Windows NT environment to Windows 2000 a couple of years ago.  I thought
it overly complex and expensive.  Admittedly the Samba PDC emulation was not
as advanced as it is now, but I could see nothing wrong with using a simple
NT domain model and Samba PDCs as the customer had <100 users.

The big arguments for were based on the control ADS gives you over the
workstations.  All these policies and software installs and so on.  It is
true to a degree that workstation management can be more finely tuned but it
also makes it inherently complex.  Since the original Office deployment was
botched (Office was assigned to the workstations rather than the users) we
have now spent an inordinate amount of time resolving this as there are
different versions of Office licensed (Standard, Pro etc) to different users
(and Office is the worst package I have ever seen for uninstallation - just
dreadful and M$'s Office Kill utility wipes out more than just Office
leaving you with a crippled workstation!  Really stupid having to rebuild
all these workstations).

Another thing which was pushed for was ACLs.  This really stuffed things up
with the Samba side as our kernels were totally unstable with the early ACL
patches.  It got really messy until we just binned ACLs.  Now administration
is far easier and the Samba file/print servers have been up for +350 days.
About once every 6months we might have to reload winbindd to flush out stale
domain info but otherwise the admins rarely turn on the consoles.

One of the two ADS DCs is stable and operates as the Exchange 5.5 server as
well but the original ADS server is shafted.  Once again it was something
done in the original migration whereby we had a third DC for staging.  This
was removed from ADS properly and so on but this DC refuses to let it go so
a reboot of it takes hours to complete as it contemplates its navel.

I can hear all the ADS experts proclaiming about planning and testing and I
can assure you that we did all of that.  It was all done by the book and the
new network was built completely from scratch.

We have since installed Samba PDCs at smaller companies and they just run
and run.  The NT domain model has its faults but for small companies there
is no reason to use ADS - it is just overkill.  Samba and LDAP are the way
to go (forget ACLs as well unless you have a very good reason to use them.
Instabilities and backups aside, the Windows ACL management is primitive -
Novell had excellent ACL management where you could see everything on one
screen but I have seen nothing like that for Windoze platforms).


-----Original Message-----
From: Brian J. Murrell [mailto:brian at interlinx.bc.ca]
Sent: Saturday, April 26, 2003 6:56 AM
To: samba at lists.samba.org
Subject: [Samba] Why would I want Active Directory (rather, how to argue
against it?)

I think I understand what Active Directory is all about.  I understand
LDAP and I understand Kerberos.  I can see how AD (well, Kerberos
actually) enables single-sign-on (I assume it deals in tickets with the
Windows clients as standard Kerberos clients do) and can make life easy in
a large network (which, IIRC was one of the design goals of Kerberos in
the first place).

But let's say I have a smallish network where I only need a couple of file
& print servers (and the need for even a couple is only for redundancy --
PDC and BDC(s)) and I am using W2K right now.  What arguments could I
likely face when I propose replacing those with Samba (2.2 or 3.0) PDC and

The way I see it, I can build a Samba PDC/BDC pair and use some hackery to
replicate the passwd databases between the two (a utility based on dnotify
or even fam could be quite helpful here to avoid polling for file
changes), or even better, use LDAP on the DCs and replicate from the PDC
to the BDCs and provide all of the redundancy and distributed access of a
Windows PDC/BDC network.

So what else does AD do in a W2K AD network?  Does Exchange use the
Kerberos tickets AD hands out?  If I replace the W2K servers with Samba
servers will Exchange cease to allow users in?  Or will they need to
re-authenticate to the Exchange server?  Where will it get its
authentication data from if the W2K AD DCs go away?

What likely future impact could this have with other MS/AD based servers? 
Could I find myself having to put W2K AD back in to get other services to
work again?

As you might be able to determine, my actual operational experience in an
MS network is slim-to-none (way closer to none than slim) so any
experiences/opinions would be welcome.
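A concrete shape for the LDAP-backed PDC/BDC pair Brian sketches above, added here as an illustration and not taken from the thread or from the Samba project: two Samba 3 smb.conf fragments, one for the PDC and one for a BDC, both reading the domain's accounts from LDAP so that replication is handled by the LDAP servers (a master and a read-only replica) instead of by copying passwd files around. The workgroup, host names and DNs are assumed placeholders.

```ini
; --- PDC: /etc/samba/smb.conf on pdc1 (assumed host name) ---
[global]
   workgroup = EXAMPLEDOM            ; assumed NT domain name
   netbios name = PDC1
   security = user
   domain logons = yes               ; this box answers domain logon requests
   domain master = yes               ; only the PDC holds the domain master role
   local master = yes
   preferred master = yes
   os level = 65

   ; accounts live in LDAP, not in smbpasswd; the master directory is local to the PDC
   passdb backend = ldapsam:ldap://ldap-master.example.internal
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=samba-admin,dc=example,dc=internal
   ldap ssl = start tls              ; keep password hashes off the wire in clear
   ldap passwd sync = yes            ; keep the Unix and NT/LM hashes in step on a change

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes

; --- BDC: /etc/samba/smb.conf on bdc1 (assumed host name) ---
[global]
   workgroup = EXAMPLEDOM
   netbios name = BDC1
   security = user
   domain logons = yes               ; a BDC also validates logons
   domain master = no                ; never claim the domain master role
   local master = yes
   os level = 60                     ; lower than the PDC so it loses browser elections to it

   ; the BDC reads the local read-only LDAP replica fed from the master
   passdb backend = ldapsam:ldap://ldap-replica.example.internal
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=samba-admin,dc=example,dc=internal
   ldap ssl = start tls

[netlogon]
   path = /var/lib/samba/netlogon    ; mirror the PDC's logon scripts onto the BDC
   read only = yes
```

The bind password for `ldap admin dn` is deliberately not in the file; on each DC it is stored once with `smbpasswd -w <password>`, which writes it to secrets.tdb, so the config file can stay world-readable without exposing the directory credential. Writes (password changes, machine account joins) only ever succeed against the master directory, which is why the PDC points at it while the BDC points at its replica; the replica lag is the only window in which the two DCs can disagree about an account.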

