[Samba] will BDC work if PDC crashes?

rruegner robert at ruegner.org
Sun Nov 21 19:52:41 GMT 2004

Hi, sounds good.
I have an equal setup with 3 offices which has worked nicely for one year,
but it depends deeply on the quality of your network (VPN limits).
Think of traveling users that mount their profiles from their
home BDCs or home networks, so having a good connection is a must, and don't
let their profiles rise over a limit of 10-30 MB.
All this stuff is not really Samba dependent; it's more a question of the
quality of your network lines and general planning of a Win domain.
I would not recommend replicating users' homes and profiles from the PDC to
the BDCs.
Normally a user has his home office; when he comes to a new one
for longer, let's say 3 months, you should migrate his home and profile
to the new office.
For sure, if you have super network lines you can do it with NFS or
permanent replication etc.
But in most cases this isn't the case.
Because you have no control of the users' login time and behavior (think
of global time zones) you will run into heavy replication problems and
can't make sure that the user gets the last version of his profile and so on.
But maybe someone has a solution for this; I don't have one.

I did it like this:
one main office with the master LDAP PDC
hosting homes and profiles of the main office's users,
limiting their profiles with policies, caching of profiles stopped
for workstations (laptops are allowed to cache profiles),
master DNS and own net with own DHCP server, with one dynamic open net,
VPN via OpenVPN (1,5 MB line) from firewall to firewall,
which does content filtering and WWW caching too.
In the other offices:
an own firewall-openvpn-own-internal-net DHCP server
with one dynamic open range DHCP for laptops,
one LDAP slave Samba BDC hosting this office's users and profiles
and also a slave DNS from the master DNS;
limit their profiles with policies, caching of profiles stopped
for workstations (laptops are allowed to cache profiles).
In this setup every office can have its own netlogon script
related to their needs.
I used pptpd for dial-in for home workers on every office firewall.

If you want to be totally independent of crashes, you can think
of making own domains for every office and establishing trusts between
them, which works nicely too, so every office has its own PDC, DNS and DHCP.

As I said before, it depends heavily on your needs and your network lines
which solution you should use, so there's no complete answer to your
I recommend studying the Samba book deeply as it has very good examples.
In principle all your needs can be done.
Maybe some other Samba users will give you more tips for your planned setup.
I started mine by installing a firewall, BDC (PDC), and one Win
client behind it in all offices and did all the tests which I needed,
and then switched the already installed office networks to the new
firewall on a separate NIC, so migration could be done one computer
after the other and only small interruptions were noticeable to the users,
and they were able to work nearly all the time during migration.

I have ca. 100 users and 100 machines in 3 offices; no critical error
occurred in the last 10 months.
Best Regards

Tomasz Chmielewski schrieb:
> rruegner wrote:
>> Hi,
>> if you replicate the LDAP database to the slave LDAP and set up
>> the BDC to use the slave LDAP, auth will work.
>> If you set up the users' profiles and homes hosted on the BDC
>> machine, this will work too.
>> Usually your PDC is in another office over VPN,
>> so the users in this office should have their homes on the BDC.
>> But there are several other setups thinkable; you will have the profiles
>> and homes if the machine on which they are hosted is connectable by
>> the Win client machines, so it could be e.g. a NAS server too.
>> If you want a redundant setup PDC/BDC with homes and profiles
>> you have to do a permanent replication from the PDC (if your homes
>> are there) to the BDC.
>> You can also use a 3rd machine and mount homes and profiles via NFS
>> to the BDC and the PDC....
>> So there are many setups you can use; choose what fits best to your
>> needs.
> Actually, I'm still planning and testing my setup.
> It will be the following setup:
> 1) almost 20 offices in different cities, possibly connected using VPN 
> over internet
> 2) in each office one [Samba Domain Controller + OpenLDAP slave server 
> on one machine] and about 30 workstations
> 3) in one central location [OpenLDAP master server and Samba Domain 
> Controller on one machine]
> Now this is supposed to have the following features:
> 1) users can log in in any office (easy with LDAP replication)
> 2) users' roaming profiles backed up to this central Samba Domain 
> Controller each night
> Now here comes the tricky part:
> If a machine running [Samba Domain Controller + OpenLDAP slave] in any 
> of the offices crashes, users should be able to log into that central 
> [OpenLDAP master server and Samba Domain Controller on one machine].
> Is it possible? If so, how?
> Any comments appreciated.
> Tomek
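As an added worked example (not part of the thread and not Samba's own sample configuration), below are the smb.conf settings for the layout the thread discusses: a central PDC that uses the master LDAP on the same host, and an office BDC that authenticates against its local LDAP slave but falls back to the central master when the slave is unreachable. The domain name EXAMPLEDOM, the host names, the WINS address 10.0.0.10, the base DN dc=example,dc=com and the admin DN are all assumed placeholders.

```ini
### /etc/samba/smb.conf on the central PDC (master LDAP runs on this host)
### Added example; all names, addresses and DNs are assumed placeholders.
[global]
    workgroup = EXAMPLEDOM
    netbios name = PDC-CENTRAL
    security = user
    domain logons = yes
    domain master = yes          ; only the PDC may claim the domain master role
    preferred master = yes
    local master = yes
    os level = 65
    wins support = yes
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap ssl = start tls         ; protect the LDAP bind across the VPN
    ; %L expands to the name of the DC that handled the logon, so a user who
    ; logs on through the PDC after an office BDC crash is pointed at the
    ; PDC's own profile share; the nightly profile copy must live there.
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U
    logon script = netlogon.bat

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700

### /etc/samba/smb.conf on an office BDC (slave slapd runs on this host)
[global]
    workgroup = EXAMPLEDOM
    netbios name = BDC-OFFICE1
    security = user
    domain logons = yes
    domain master = no           ; never compete with the PDC for the domain
    preferred master = yes       ; but win browser elections inside this office
    local master = yes
    os level = 64
    wins server = 10.0.0.10      ; assumed address of the central PDC
    ; local slave first, central master as fallback. Writes (password changes,
    ; machine accounts) must reach the master: the slave's slapd.conf needs
    ; "updateref ldap://ldap-master.example.com" so they are referred there.
    passdb backend = ldapsam:"ldap://localhost ldap://ldap-master.example.com"
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap ssl = start tls
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U
    logon script = office1.bat   ; per-office netlogon script, as in the thread

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
```

On each DC, store the LDAP admin password with `smbpasswd -w` (it goes into secrets.tdb, never into smb.conf), check the file with `testparm`, and fetch the domain SID on the BDC with `net rpc getsid` so both controllers serve the same domain. The `ldap ssl = start tls` line and the restricted profile directory masks are the two settings worth keeping even in a test lab: credentials and machine trust accounts travel over the VPN to the master, and profiles are per-user data.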
