[Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

John H Terpstra jht at Samba.Org
Sat Dec 11 22:10:03 GMT 2004


On Saturday 11 December 2004 13:06, Tomasz Chmielewski wrote:
> gints neimanis wrote:
> > Tomasz Chmielewski wrote:
> >> As a consequence, this also means, that on each server there has to be
> >> a copy of a profile of a given user, right?
> >
> > No, not right. The user roaming profile is stored only on one server.
>
> So what is the sense of having BDCs? I guess the biggest load happens
> when the profiles are copied; when there are hundreds of users, one PDC
> (on which the profiles are stored) would be much overloaded.

Tomasz,

An NT4 PDC is a master authentication database server. It is undesirable to 
have network logon traffic run over a routed network. The purpose of the BDC 
is to permit a single security domain (context) and still permit all network 
logon traffic to be handled on the local network segment.

At some time in the future Samba may be able to handle full authentication 
database synchronization (like NT4 PDC/BDC combinations can do). At this time 
it does not, however there can be only one PDC per domain (security context). 
The benefit of a single domain is that it helps keep to a minimum the number 
of interdomain trusts required.

Authentication is entirely orthogonal to MS Windows client profile handling.
Both in NT4 as well as with Samba, the location of the user desktop profile is 
set in the user account record in the authentication database. NT4 does not 
replicate or synchronize desktop profiles - nor does Samba. Where on earth 
did you obtain the idea that this ought to happen?

>
> Besides, Samba Guide chapter 7 ("Distributed 2000 users network")
> describes a setup when users are located in New York, London etc.
> different locations, which sounds just silly if roaming profiles were
> stored for example in New York only.

The notion that all roaming profiles are stored on a central server and that 
profiles are transferred over a wide-area link at login time is not one I 
have created. Where did you get such a notion? I would not call that silly, 
I'd call that insane and completely unworkable.

Windows NT4/2KX profiles can be many gigabytes in size, particularly if 
network administrators have not attempted to manage the network environment. 
Microsoft's ZAW (Zero Administration Windows) program was designed to show 
network administrators how to lock down the desktop profile so that logins 
involve a minimum of network traffic and users get good network 
responsiveness.

>
> > Maybe you may rename each SAMBA server in each location to the same
> > NetBIOS name, but the profile directory on each server is fetched from
> > the central server over NFS.
>
> I don't think giving the same NetBIOS name for different machines is a
> good idea.

Agreed.

>
> Fetching profiles each time from a central server when user logs in /
> logs out doesn't seem to be a good idea to me - what if company/school
> etc. has two or more buildings, and they are connected only by a slow
> VPN over internet/wireless etc.?

The answer is: Practice good account management. Locate the users' profile on 
a server close to where the user is - preferably on the same network segment.
If a user roams across multiple network segments and the wide-area bandwidth 
cannot handle the roaming profile then exempt that user from having a roaming 
profile and instead store the profile locally on the workstation (or 
notebook) that is used by this user.

Cheers,
John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
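An added example, not part of John's post or of the Samba project's own files: an smb.conf fragment for one site's domain controller that keeps profiles on the local server, as the reply describes. The domain name, share path and the per-user override in the usage note are assumptions.

```ini
; Added example (not from the thread). One site's Samba domain controller
; serves the profiles of the users who work at that site; nothing is
; replicated to the DCs at other sites.
[global]
    workgroup     = MIDEARTH        ; assumed domain name
    domain logons = yes
    ; Default profile location for accounts whose passdb record carries no
    ; explicit profile path. %L expands to this server's NetBIOS name, so the
    ; profile is read from and written to the server that handled the logon,
    ; never pulled across the wide-area link from a remote site.
    logon path    = \\%L\profiles\%U

[profiles]
    ; assumed local path; each user gets a private, non-browseable directory
    path           = /var/lib/samba/profiles
    read only      = no
    create mask    = 0600
    directory mask = 0700
    browseable     = no
```

A per-user profile path stored in the account record, which takes precedence over the global default, can be set with pdbedit (for example `pdbedit -u tomasz -p '\\nyc-dc\profiles\tomasz'`, server name assumed), which is how a user is pinned to the server on their own segment.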
