[Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

Tomasz Chmielewski
Sat Dec 11 13:19:19 GMT 2004

Jim C. wrote:
> | Or perhaps I don't understand something?
> Just a guess but a BDC is probably going to do the same thing with the
> files that the LDAP backend would do.  I.E. replicate the data from the
> server.

But how should it be done?

I have read the whole Samba Guide, and I think I didn't find a clue on 
that - it seems to me that using configurations similar to those 
presented in the Samba Guide would result in different roaming profiles on 
each domain controller.

File replication is a different thing than LDAP replication:

- files are big, LDAP queries are just a hundred bytes each,
- file operations are read and write, LDAP are read mostly,
- LDAP is one read/write master server and multiple read-only slaves,
- with PDC and BDCs files can be read from and written to each server 
(PDC, BDC1, BDC2 etc.) - there is no "central" server which takes care 
of everything.

So, now imagine this situation:

We have a university/school facility with two buildings. Additionally, 
there is a campus nearby with 4 buildings. So 6 buildings in total.
They are connected together using VPN over internet link - 1 Mbit 
down/upload in each building.

Students have classes in each building, which means they should be able 
to log in and use their roaming profiles in each building, and also in 
each building in a campus.

To keep traffic to the minimum, there is a domain controller + LDAP 
slave in each building: from 09.00-11.00 student Joe has classes in 
building A, so he uses domain controller (DC-A) in that building, and 
from 11.15-14.00 he has classes in building B (and therefore, uses 
DC-B). After that he makes his homework in the campus - so after each 
logout, his profile should be immediately replicated to other domain 
controllers in other buildings.

With LDAP it is easy: the master controls everything: for example, when a user 
changes his/her password, the slave gives this change to the master, which 
replicates the data to other slaves. When the master is unavailable (link 
down or master server down) the user will be notified that the password 
can't be changed.

This is not the case with files.

Even if I use some handmade scripts which use rsync to upload files to 
other DCs after user logs out, this will obviously fail when one DC is 
down for some time or internet link/VPN is down:

- at 11.00 user Joe finishes his classes in building A, logs out, 
profile with important data is uploaded to other DCs,
- as there is no connection between building A and B (roadwork workers 
just broke the internet link between buildings), this results in 
different profiles in building A and B,
- at 11.15 he logs in in building B, notices (or not) that his important 
data is incomplete,
- at 14.00 he logs out in building B, internet link is back, so his 
incomplete data from building B overwrites important, complete data in 
building A,
- we have data corruption, user confusion, students and staff losing 
their data, admins fired etc. etc.

So here comes my question again: how should the profiles be synchronized 
between domain controllers? What are the best ways to do it? What are 
your experiences?

Hope the post wasn't too long :) but I think that the problem is not a 
trivial one, either.
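The overwrite scenario in the post (building B's incomplete profile replacing building A's complete one once the link comes back) is a divergence problem, and blind rsync cannot see it because rsync only compares file contents and mtimes. One standard way to detect it is to keep a version vector with each profile copy: every domain controller bumps its own counter when a user logs out there, and a push is only allowed when the sender's vector strictly dominates the receiver's. The following simulation is an added example written for this page, not code from the thread or from the Samba project; the replica class, the `safe_push` helper and the `Desktop/...` file names are constructed for illustration, and in a real deployment the vector would be stored as a small file inside the profile directory and checked by the logout script before rsync runs.

```python
"""Version-vector check for roaming-profile replication between DCs.

Added example (not from the mailing-list thread): simulates the
link-down scenario from the post and shows why a dominance check
must run before any rsync push is allowed to overwrite a profile.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class ProfileReplica:
    """One copy of a user's profile as held on a single domain controller."""
    dc: str
    files: Dict[str, str] = field(default_factory=dict)      # path -> contents
    clock: Dict[str, int] = field(default_factory=dict)      # DC name -> counter
    conflicts: List[Tuple[str, Dict[str, str]]] = field(default_factory=list)

    def local_write(self, path: str, content: str) -> None:
        """A logout on this DC changed the profile: bump this DC's counter."""
        self.files[path] = content
        self.clock[self.dc] = self.clock.get(self.dc, 0) + 1


def compare(a: Dict[str, int], b: Dict[str, int]) -> str:
    """Relate two version vectors: equal, dominates, dominated or concurrent."""
    keys = set(a) | set(b)
    a_ge = all(a.get(k, 0) >= b.get(k, 0) for k in keys)
    b_ge = all(b.get(k, 0) >= a.get(k, 0) for k in keys)
    if a_ge and b_ge:
        return "equal"
    if a_ge:
        return "dominates"
    if b_ge:
        return "dominated"
    return "concurrent"      # both sides changed since the last common state


def naive_push(src: ProfileReplica, dst: ProfileReplica) -> str:
    """What a plain post-logout rsync does: copy regardless of history."""
    dst.files = dict(src.files)
    dst.clock = dict(src.clock)
    return "overwritten"


def safe_push(src: ProfileReplica, dst: ProfileReplica) -> str:
    """Only replicate when src provably descends from dst's current state."""
    rel = compare(src.clock, dst.clock)
    if rel in ("equal", "dominated"):
        return "skipped"            # dst already has this state or a newer one
    if rel == "dominates":
        dst.files = dict(src.files)
        dst.clock = dict(src.clock)
        return "replicated"
    # Concurrent edits: keep dst intact, park the incoming copy for an admin
    dst.conflicts.append((src.dc, dict(src.files)))
    return "conflict"


def run_scenario(push: Callable[[ProfileReplica, ProfileReplica], str]) -> Tuple[str, str]:
    """Replay the post's timeline and report (push result, thesis file on DC-A)."""
    dc_a = ProfileReplica("DC-A")
    dc_b = ProfileReplica("DC-B")
    # Earlier session: profile created on DC-A and replicated while the link is up
    dc_a.local_write("Desktop/thesis.doc", "draft v1")
    push(dc_a, dc_b)
    # 11.00: logout in building A, the important complete version lands on DC-A
    dc_a.local_write("Desktop/thesis.doc", "draft v2 (important, complete)")
    # Link is cut, so the push from A to B never happens.
    # 11.15-14.00: Joe works on the stale copy in building B and logs out there
    dc_b.local_write("Desktop/notes.txt", "scribbles")
    # Link is back: B's logout script pushes towards A
    result = push(dc_b, dc_a)
    return result, dc_a.files.get("Desktop/thesis.doc", "")


if __name__ == "__main__":
    print("naive:", run_scenario(naive_push))   # complete draft v2 is lost
    print("safe: ", run_scenario(safe_push))    # conflict raised, v2 preserved
```

With the check in place the stale profile from building B is quarantined on DC-A instead of silently replacing the newer one, which turns a data-loss event into a reviewable conflict; the same vector comparison can be run in the opposite direction at login time to warn the user that a newer copy exists on another DC that could not be reached.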


