[Samba] two PDCs

tms3 at tms3.com
Tue Jul 13 06:35:20 MDT 2010

> About multi-master replication. Scott wrote that he had to deal with
> it a lot, so he didn't recommend that. But I need one domain, because
> a lot of users use both sites. So, I have the following options:
> 1. PDCs on each site, with the same domain, as chapter 6 describes.

Look, I'm not sure if my emails are getting through or not, but drop 
this multi PDC thing.  It's just more complexity.

You need some sort of LDAP replication because you want authentication 
done locally.  Multi-master is more difficult to set up, but more 
flexible. There are other schemes.  I had some 16 servers set up this 
way and had very few difficulties.  It is quite resilient and 
reliable.  Here is a good primer:


>      a. Master LDAP server in the HQ, and slave in the branch site,
> according to the SaMBa guide.
>      b. Branch site uses master LDAP server too. It looks tempting,
> but difficult/dangerous to me.
> 2. PDC on the HQ, BDC on the branch site
>      a. branch site uses slave LDAP server.
>      b. Branch site uses master LDAP server too.
> In 1/a and 2/a, the VPN outage could be a problem. Am I right?
No, the b's are the problem if the VPN is down.  They're calling the 
"master" which is at the other end of the VPN.  The a's have a slave 
copy.  All is good, unless they need to write to LDAP.  How much LDAP 
writing goes on in the branch?
> As I know, only the PDC writes to the LDAP database. Is that true?
No.  If you're using smbldap-tools, the ldap calls are made via 
smbldap_bind.conf.  So with multi-master this whole dual PDC thing is 
fairly useless.  See, Multi-master...all are writable.


1.  Which office writes to LDAP?
2.  Who does the writing?
3.  Is there likely to be a mutually exclusive write, at approximately 
the same instant, during a VPN outage?

> Because in case of VPN outage, this situation has the same drawback.
> So, my main problem is the unreliable ADSL line. Can we live with a
> slave server in the branch office?

Yes, using Replication refreshOnly or Replication refreshAndPersist.  
You can truly go apeshit with this stuff, making only pieces of the 
DIT available to branches.  Very nifty once you get it down.

>> How are you intending to keep roaming profiles in sync (the files on
>> the server, not the stuff in LDAP)? Are you going to use rsync?
>> Unless users jump from office to office, why bother.  I would set road
>> warriors with local profiles and sync their stuff in a manner
>> appropriate to their schedules/primary location.
> Students will have that problem, but they have to bow to it.
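As an added illustration of the "slave in the branch office" option discussed above (an example config written for this page, not something posted in the thread or taken from the Samba guide): an OpenLDAP slapd.conf syncrepl consumer fragment for the branch server, showing refreshAndPersist with the refreshOnly alternative, replication of only one subtree of the DIT, and referral of writes back to HQ. The provider hostname ldap.hq.example.com, the suffix dc=example,dc=com, the replicator DN, the rid, the backend and the password placeholder are all assumed values.

```conf
# Added example, not from the thread: slapd.conf on the BRANCH (consumer)
# server. Hostnames, DNs, rid and backend are assumed placeholders.

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Pull a local copy of the HQ directory so binds are answered locally.
# refreshAndPersist keeps a standing connection to HQ and receives changes
# as they happen; when the VPN drops, slapd keeps serving the local copy
# and reconnects on the "retry" schedule (every 60s x10, then every 300s
# forever). searchbase limits the replica to one subtree of the DIT;
# attrs="*,+" pulls operational attributes (entryCSN etc.) as well.
syncrepl rid=001
        provider=ldap://ldap.hq.example.com
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="ou=People,dc=example,dc=com"
        scope=sub
        filter="(objectClass=*)"
        attrs="*,+"
        schemachecking=off
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=REPLACE_WITH_REPLICATOR_PASSWORD

# refreshOnly alternative: poll HQ every 5 minutes instead of holding a
# persistent connection. Replace the type= line above with these two:
#       type=refreshOnly
#       interval=00:00:05:00

# Any write sent to this slave is answered with a referral to HQ. With the
# VPN down that write fails instead of diverging, which is the "unless they
# need to write to LDAP" case above; reads and binds keep working locally.
updateref       ldap://ldap.hq.example.com
```

On the HQ side the provider database needs the syncprov overlay loaded (overlay syncprov) and an ACL that lets cn=replicator read the replicated subtree; without that the consumer's refresh simply returns nothing. The branch Samba server and smbldap-tools would then point at the local slave for lookups and, for writes, at HQ (or follow the referral), so the question of who writes from the branch and how often is what decides whether this is enough or whether multi-master is needed.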
