[Samba] two PDCs

Scott Grizzard scott at scottgrizzard.com
Fri Jul 9 08:14:41 MDT 2010

I think the multi-master replication sort-of defeats the purpose of
the PDC in the remote office - multi-master replication means the
information must be sent to both servers anyway.  If I recall
correctly, I think Chapter 6 refers to running BDCs in each remote
office, and only one PDC...

I played with this once, and I got it working by setting up a PDC and
BDC in the main office, a BDC (not PDC) in the remote office, and
using LDAP's new multi-master replication to keep everything in sync.
Throw in your DNS database, and it works, it's cool, but I think it
was so not worth the effort (unless you have nothing better to do with
your 20% time).  I spent a whole lot of time making sure the configs
were perfect for the multi-master replication.

The thing that threw the monkey-wrench is DNS and DHCP... I ended up
putting all the DHCP information into the LDAP as well, with defined
IP addresses for every MAC, because DHCPd updates the DNS when a new
user requests an IP address.  Since I put a DHCP server on both sides
of the VPN, I needed multi-master replication for the DNS information
so the computers could find each other.  In the end, I dumped the MAC
addresses from my hardware catalog into the LDAP, and preassigned all
the IPs to reduce the number of writes to the LDAP server.

I found it is much easier to set up two separate domains and have them
trust each other, using different branches of the same LDAP tree.
Then, let one server write to one branch, the other server write to
the other branch, and do multi-master replication between them.  That
way, there is no worrying about simultaneous updates or any of that
jazz.  Not as cool... or as elegant, but it made my life easier by
isolating problems.  I did the same for the DNS information, setting
up separate zones for each physical office.  Since the information was
in the same tree, it was much easier to configure mail servers and
other services needing directory information, and since I did not
delegate the branches, the mail server (only in the main office) did
not need to read off my remote directories over VPN.

Of course, my users only visited each other's offices "occasionally".
If you have tons of movement between the offices, a one-domain
solution may be forced upon you...

On Fri, Jul 9, 2010 at 8:58 AM,  <tms3 at tms3.com> wrote:
>> On Friday 09/07/2010 at 4:36 am, Tamás Pisch  wrote:
>>> Hello,
>>> I have a PDC with master ldap backend and a BDC with slave ldap backend
>>> (both are SaMBa 3.2 on Debian Lenny). I want to install an additional
>>> SaMBa
>>> server on an another site (on Debian Squeeze). The two sites are connected
>>> with VPN (on not so reliable ADSL lines). I read an interesting network
>>> scenario in the Samba Guide chapter 6: theoretically it is possible to
>>> install one PDC on both sites, with the same domain, server name, and SID.
>>> I
>>> like this idea, but: is there anyone who tried that, has experience with
>>> it?
>> No, but your best option is to simply use LDAP replication and install an
>> LDAP server on the remote location server.  This way, auth traffic on the
>> remote is always local (saving bandwidth) and is available regardless of the
>> link being up or down.  Do the same with DNS, and you'll be quite happy with
>> the results as will your users.
>>> Thank you, in advance.
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
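The per-branch, one-writer-each layout Scott describes above, sketched as an OpenLDAP slapd.conf fragment for the main-office server. This is an added example, not configuration from this thread or from the Samba project; every DN, host name, serverID, the replication account and the ou=main/ou=remote branch names are assumptions.

```conf
## /etc/ldap/slapd.conf on the main-office LDAP server (assumed layout)
## Every DN, host name, serverID and branch name is an assumption of this example.
serverID        1          # the remote-office server uses serverID 2

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"

# One writer per branch: the main-office Samba "ldap admin dn" writes only
# ou=main, the remote-office one only ou=remote. Password hashes are readable
# only by that writer and by the replication account, and usable for binding
# by everyone. Incoming replication is applied with rootdn privileges, so
# these ACLs separate the two Samba servers without blocking replication.
access to dn.subtree="ou=main,dc=example,dc=com"
          attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="cn=samba-main,dc=example,dc=com" write
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * auth
access to dn.subtree="ou=main,dc=example,dc=com"
        by dn.exact="cn=samba-main,dc=example,dc=com" write
        by * read
access to dn.subtree="ou=remote,dc=example,dc=com"
          attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="cn=samba-remote,dc=example,dc=com" write
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * auth
access to dn.subtree="ou=remote,dc=example,dc=com"
        by dn.exact="cn=samba-remote,dc=example,dc=com" write
        by * read
access to * by * read

# Serve this server's changes to the peer ...
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# ... and pull the peer's changes. The remote server carries the mirror-image
# stanza with rid=002 and provider=ldap://ldap.main.example.com.
syncrepl rid=001
        provider=ldap://ldap.remote.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=REPLACE_WITH_REAL_SECRET
        starttls=critical
mirrormode on
```

The matching smb.conf on the main-office PDC then points Samba at its own branch with `ldap suffix = ou=main,dc=example,dc=com` and `ldap admin dn = cn=samba-main,dc=example,dc=com`, while the remote PDC uses ou=remote and cn=samba-remote (assumed names again).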