[Samba] Secondary domain controller and promotion

Marc Muehlfeld mmuehlfeld at samba.org
Tue Jun 17 13:07:22 MDT 2014


Hello Brian,

Am 17.06.2014 10:49, schrieb Brian Candler:
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
> (1) This document talks about adding Samba as a slave to "an existing
> Active Directory domain" (presumably running Windows).

It's not saying that it will be a slave. AD DCs are multi-master. Besides
the FSMO roles, each DC is equal.



> Is it the same to process to add a second Samba machine to an existing
> Samba 4 domain?

No.

DC:
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Joining_the_existing_domain_as_a_DC
# samba-tool domain join .....


Member Servers:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Joining_a_Member_Server_to_the_domain
# net [rpc|ads] join -U administrator




> (2) Is there any sort of 'master-slave' relationship between the
> original DC and the one you added later? Or is it a full multi-master
> setup? (except for Sysvol replication that is)

See above.



> If the original is 'master' then how would you go about promoting the
> second one in the event the first one fails?

The clients find the DCs via DNS entries. See:
http://standalonelabs.wordpress.com/2011/05/08/what-is-the-_msdcs-subdomain/

Your AD will continue working, even if the DC is temporarily offline. The
only "limitations" will occur if this DC contains one or more of the 5
FSMO roles. See:
https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles

Just an example of what happens if a DC with a FSMO role is down
(almost nothing, in most cases :-)): Let's say it was the DC with the RID
master role that is down: Each DC has a pool of (500, if I'm right)
RIDs it can use, e.g. when a new user is created. If the RID master is
down, then once the pool of your second DC is empty, you can't create new
users or join machines on this DC any more. If you have more DCs, then
you have to create the next users on a different DC, because each DC
has a separate RID pool. And when all pools on all DCs are used up, then
you can't create new stuff in your domain that uses RIDs, until the RID
master comes back to let the others ask it for new ranges for their RID
pools.




> (3) If the original server needs to be removed permanently, how do you
> "unjoin" it from the domain, e.g. so that the new master doesn't attempt
> to replicate to it any more

If the machine is still alive to demote itself, you are in luck:
https://wiki.samba.org/index.php/Demote_a_Samba_DC

BUT: If the machine is completely broken, you have a huge problem!
Demoting other machines is not implemented in samba-tool yet. And
demoting via the Windows way IS BROKEN:
https://bugzilla.samba.org/show_bug.cgi?id=10595
So currently there is no way to remove this machine.




> (4) Is it possible to migrate a Windows 2003 domain to Samba 4 by:
> - adding Samba 4 to the existing Windows domain
> - making it the master
> - copying sysvol
> - retiring the Windows server?

Almost:
- adding a Samba DC to the existing domain
- copy sysvol
- demote the Windows server



Regards,
Marc
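An added example for the failover question above (it is not part of the original message, nor Samba's own code): when a DC that held FSMO roles is gone for good, the roles have to be seized on a surviving DC, and the first step is finding out which roles the dead DC actually owned. The script below parses the output of `samba-tool fsmo show` and prints the matching `samba-tool fsmo seize --role=...` commands. The sample output embedded in it is constructed for this example (hostnames DC1/DC2 and the domain samdom.example.com are assumptions) and follows the line format `<Role> owner: <NTDS Settings DN>` that `fsmo show` prints; nothing is executed against a domain.

```shell
#!/bin/sh
# Added example: work out which FSMO roles a dead DC held and emit the
# `samba-tool fsmo seize` commands to run on a surviving DC.
# FSMO_SAMPLE is constructed for this example; replace it with the real
# output of `samba-tool fsmo show` on a surviving DC.

FSMO_SAMPLE='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# Map a role name as printed by `fsmo show` to the --role= value that
# `samba-tool fsmo seize` accepts. The two DNS roles only appear in newer
# Samba releases; an unknown role name returns non-zero.
role_flag() {
    case "$1" in
        SchemaMasterRole)          echo schema ;;
        InfrastructureMasterRole)  echo infrastructure ;;
        RidAllocationMasterRole)   echo rid ;;
        PdcEmulationMasterRole)    echo pdc ;;
        DomainNamingMasterRole)    echo naming ;;
        DomainDnsZonesMasterRole)  echo domaindns ;;
        ForestDnsZonesMasterRole)  echo forestdns ;;
        *)                         return 1 ;;
    esac
}

# roles_held_by HOST < fsmo-show-output
# Prints one --role= value per line for every role whose owner DN contains
# ",CN=HOST,CN=Servers," (the NTDS Settings object of that DC). The match is
# case-insensitive, since hostnames in the DN are usually upper-case.
roles_held_by() {
    host_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r line; do
        case "$line" in
            *" owner: "*) ;;
            *) continue ;;          # ignore anything that is not a role line
        esac
        role=${line%% owner: *}
        dn_lc=$(printf '%s' "${line#* owner: }" | tr 'A-Z' 'a-z')
        case "$dn_lc" in
            *",cn=$host_lc,cn=servers,"*)
                role_flag "$role" || echo "warning: unknown role $role" >&2 ;;
        esac
    done
}

# seize_commands HOST < fsmo-show-output
# Emits the commands for a surviving DC. It is "seize", not "transfer",
# because the old owner cannot be contacted any more.
seize_commands() {
    roles_held_by "$1" | while IFS= read -r r; do
        echo "samba-tool fsmo seize --role=$r"
    done
}

# Demonstration with the constructed sample: DC1 is gone for good.
printf '%s\n' "$FSMO_SAMPLE" | seize_commands DC1
```

With the sample data this prints seize commands for the schema, rid and naming roles, which is exactly the set DC1 owned; DC2 keeps infrastructure and pdc untouched. Seizing the roles only restores the functions described in the message (for example RID range allocation); it does not remove the dead DC's own objects from the directory, which is the separate problem the message points out. Later Samba releases added `samba-tool domain demote --remove-other-dead-server=HOST` for that clean-up, but at the time of this message no such option existed.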


