[Samba] Multiple PDCs, Single Domain

Matt Schillinger mschilli at vss.fsi.com
Tue Sep 16 14:26:49 GMT 2003


On Mon, 2003-09-15 at 15:44, Michael Heironimus wrote:
> On Mon, Sep 15, 2003 at 10:34:22AM -0500, Matt Schillinger wrote:
> > > I have to admit that I don't see why you can't live with one PDC and X
> > > BDCs. You would have to construct your LDAP servers this way anyway. If a
> > > PDC goes down (or the connection breaks) the BDC would still be able to
> > > process logons on its own.
> > > 
> > The only problem here is resources. The plan is that there are already
> > machines that can be used as PDCs, one per building. However, there isn't
> > budget for a BDC per building, so the hope was to have a single BDC at
> > the main building. I can see that this would be difficult, particularly
> > if ports 137-139 were blocked at the T1 router.
> 
> You're trying to do it backwards. You want one PDC and multiple BDC's,
> not the other way around. Take the machines that are slated for PDC use
> and just use them as BDC's instead. You would do the same thing with
> Windows servers, one PDC in the main building and a BDC at each remote
> site.
>
I understand what the standard would be, but the reason that I'm trying
it 'backwards' is that I want to keep authentication traffic off of the T-1
connections that are used for internet/interbuilding traffic.

So far, all I've come up with is to have no BDC, and have multiple PDCs,
each at their own building, with WINS only for that building and no
other buildings. LDAP can still be centralized and replicated to each
PDC. That's not the nicest (I'd like for clients to be able to browse
the entire network), but I'm seeing a lot of problems with the idea (such
as who authenticates a request for machine 'a' in building '1' when it
wants a share from machine 'b' in building '2', and how do you
prevent browsing data from saying that there's a PDC in each building?
Static entries for PDCs?), so if it doesn't work right, I guess there's
no choice.

It is obviously easier to do it the 'forward' way.

I guess along that line, if someone could perhaps explain how much traffic
I can expect out of authentication requests for, say, 100 users per
building (100 per T-1): would a T-1 support such traffic without affecting
the usability of the internet?

Thanks for all your help and prompt responses,

Matt Schillinger
mschilli at vss.fsi.com

> To do what I think you want, you probably want a central LDAP server and
> Samba PDC in your main building. In each remote building run a slave
> LDAP server replicating from the main one and a Samba BDC. Look at
> chapter 6 of the Samba-HOWTO-Collection document, it has a pretty
> thorough description of how all this works.
> 
> -- 
> Michael Heironimus
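The layout Michael describes (one Samba PDC next to the LDAP master in the main building, and in each remote building a slave LDAP server plus a Samba BDC), written out as an added smb.conf example. This is not configuration from either poster's mail; the workgroup name, host names, the 10.0.1.10 address and the LDAP suffix are placeholders, and the parameter names are Samba 3 ones.

```ini
; ---- smb.conf on the PDC in the main building (added example, placeholder names)
[global]
   workgroup = EXAMPLE
   netbios name = PDC-MAIN
   security = user
   domain logons = yes
   domain master = yes          ; exactly one machine in the domain says "yes" here
   preferred master = yes
   local master = yes
   os level = 65
   wins support = yes           ; the single WINS server for all buildings
   ; LDAP master is local, so no authentication traffic leaves the building
   passdb backend = ldapsam:ldap://ldap-main.example.internal
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=Manager,dc=example,dc=internal
   ldap ssl = start tls         ; never send the admin dn bind in the clear

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes

; ---- smb.conf on the BDC in a remote building (added example, placeholder names)
[global]
   workgroup = EXAMPLE
   netbios name = BDC-BLDG2
   security = user
   domain logons = yes          ; answers logon requests for its own subnet
   domain master = no           ; never claims the domain master role
   preferred master = no
   local master = yes           ; still wins the local-subnet browser election
   os level = 48
   wins server = 10.0.1.10      ; the PDC's WINS service in the main building
   ; Read from the local slave first; the master over the T-1 is only a fallback
   ; (Samba accepts several space-separated URLs inside the quotes).
   passdb backend = ldapsam:"ldap://ldap-bldg2.example.internal ldap://ldap-main.example.internal"
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=Manager,dc=example,dc=internal
   ldap ssl = start tls

[netlogon]
   path = /var/lib/samba/netlogon   ; keep in sync with the PDC (rsync works)
   read only = yes
```

Two things the config alone does not cover: each BDC must hold the same domain SID as the PDC (run `net rpc getsid` on the BDC once the PDC is up) and the `ldap admin dn` password has to be stored on every server with `smbpasswd -w`. Note also that the slave LDAP server is read-only, so LDAP writes such as machine trust account password changes still have to reach the master (directly or through a referral from the slave); logons are served locally, but the T-1 is not entirely free of directory traffic.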