[Samba] Multiple PDCs, Single Domain

John H Terpstra jht at samba.org
Tue Sep 16 14:42:55 GMT 2003

On Tue, 16 Sep 2003, Matt Schillinger wrote:

> On Mon, 2003-09-15 at 15:44, Michael Heironimus wrote:
> > On Mon, Sep 15, 2003 at 10:34:22AM -0500, Matt Schillinger wrote:
> > > > I have to admit that I don't see why you can't live with one PDC and X
> > > > BDCs. You would have to construct your LDAP servers this way anyway. If a
> > > > PDC goes down (or the connection breaks) the BDC would still be able to
> > > > process logons on his own.
> > > >
> > > The only problem here is resources. The plan is that there are already
> > > machines that can be used as PDC, one per building. However, there isn't
> > > budget for a BDC per building, so the hope was to have a single BDC at
> > > the main building. I can see that this would be difficult, particularly
> > > if ports 137-139 were blocked at the T1 router.
> >
> > You're trying to do it backwards. You want one PDC and multiple BDC's,
> > not the other way around. Take the machines that are slated for PDC use
> > and just use them as BDC's instead. You would do the same thing with
> > Windows servers, one PDC in the main building and a BDC at each remote
> > site.
> >
> I understand what the standard would be, but the reason that I'm trying
> 'backwards' is that I want to keep authentication traffic off of the T-1
> connections that are used for internet/interbuilding traffic.
> So far, all I've come up with is to have no BDC, and have multiple PDCs,
> each at their own building, with only WINS for the building, and no
> other buildings. LDAP can still be centralized and replicated to each
> PDC. That's not the nicest (I'd like for clients to be able to browse
> the entire network), but I'm seeing a lot of problems with the idea (such
> as who authenticates a request for Machine 'a' in building '1', when it
> wants a share from Machine 'b' in building '2' --- And, how do you
> prevent browsing data from saying that there's a PDC in each building??
> Static entries for PDCs??), so if it doesn't work right, I guess there's
> no choice.
> It is obviously easier to do it the 'forward' way.
> I guess on that line, if someone could perhaps explain how much traffic
> I can expect out of authentication requests for say, 100 users /
> building (100/T-1). Would a T-1 support such traffic without affecting
> the usability of internet?

Windows NT 3.51 was a dog compared with NT4 and Win2K. I installed my
first big network using 3.51. It had 11 branch offices connected via a 64k
ISDN link. We had 3500 users. Each branch had at least one BDC. Head
office had 1 PDC and three BDCs. With WINS running correctly the total
background communications traffic averaged around 9.7 kbps. The largest
branch had 140 users on a 256k ISDN link, but it had 64k ISDN links
running to multiple branches more distant from head office than it was.

Does that answer your question well enough?

> Thanks for all your help and prompt responses,
> Matt Schillinger
> mschilli at vss.fsi.com
> > To do what I think you want, you probably want a central LDAP server and
> > Samba PDC in your main building. In each remote building run a slave
> > LDAP server replicating from the main one and a Samba BDC. Look at
> > chapter 6 of the Samba-HOWTO-Collection document, it has a pretty
> > thorough description of how all this works.

- John T.
John H Terpstra
Email: jht at samba.org
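The "forward" layout Michael recommends (one PDC with the LDAP master at head office, one BDC with an LDAP replica per remote building, a single WINS server) expressed as Samba 3 smb.conf fragments. This is an added example, not from the thread or the Samba HOWTO; the domain name, host names, addresses and LDAP suffix are assumed values.

```ini
# ---- head office PDC: /etc/samba/smb.conf (assumed host names/suffix) ----
[global]
    workgroup = EXAMPLEDOM
    netbios name = PDC-HQ
    security = user
    domain logons = yes
    domain master = yes        ; exactly one domain master browser per domain
    preferred master = yes
    local master = yes
    os level = 65
    wins support = yes         ; the one WINS server; every site points here
    passdb backend = ldapsam:ldap://ldap-master.hq.example.internal
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=internal
    ldap ssl = start tls       ; password hashes in LDAP never cross the T-1 in clear

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes

# ---- building 2 BDC: /etc/samba/smb.conf ----
[global]
    workgroup = EXAMPLEDOM
    netbios name = BDC-BLDG2
    security = user
    domain logons = yes        ; BDC answers logons for its own building
    domain master = no         ; a second "yes" here is the multiple-PDC browse conflict
    preferred master = no
    local master = yes         ; wins the browse election on its own subnet only
    os level = 64
    wins support = no
    wins server = 10.0.1.10    ; assumed address of PDC-HQ; browse lists merge via WINS
    ; read-only replica in this building, so logon lookups stay off the WAN;
    ; writes (password changes, machine joins) are referred to the master
    passdb backend = ldapsam:ldap://ldap-replica.bldg2.example.internal
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=internal
    ldap ssl = start tls

[netlogon]
    path = /var/lib/samba/netlogon   ; keep in sync with the PDC copy (e.g. rsync)
    read only = yes
```

On each controller the `ldap admin dn` credential is stored with `smbpasswd -w`, and the BDC must carry the same domain SID as the PDC (fetched with `net rpc getsid` against the PDC) or clients will not treat it as a controller for the domain.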
