[Samba] Multiple domain and trust relationship

Marc Muehlfeld mmuehlfeld at samba.org
Wed Oct 14 21:02:05 UTC 2015


Hello Klaus,


Am 12.10.2015 um 23:34 schrieb Klaus Hartnegg:
> Different domains have advantages if the network connection is bad, and
> if local admins want to create new AD objects themselves, e.g. new
> users.

This is also possible with AD sites, even if the network connection is
temporarily offline.

Each DC has a RID pool (default 500 RIDs). Until it's empty, you can
create new objects. The pool is already refreshed when it reaches half
(if I'm right). So usually you have at least 250 unused RIDs on each DC
when the connection to the RID master gets disconnected.




> Separate domains also allow having the (FSMO role) PDC emulator
> local on each site, which should always be reachable.

Why? I see no big problem if the PDC emulator is offline.

The clients on that site can't sync their time with that host. If you
set another/additional NTP server via GPO for that site, this isn't a
problem anyway. The only real trouble I see is that you can't log in on
pre-Win2k machines (NT4), if you still have some.

https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles


Regards,
Marc



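The RID pool behaviour Marc describes (a DC holds a pool of RIDs, requests the next one at the half-way mark, and can keep creating objects while cut off from the RID Master only until the pool it already holds is empty), as an added example that is not part of the original message and not Samba's own code. The attribute names and the 64-bit packing of a RID pool (low 32 bits = first RID, high 32 bits = last RID) are the real AD ones, and the example treats rIDPreviousAllocationPool as the pool RIDs are currently taken from, rIDAllocationPool as the pool to switch to next, and rIDNextRID as the last RID handed out; the 500-RID pool size and the half-way refresh threshold are taken from the post. The DC name, the sam.ldb path, the sample values and the toy RidMaster are constructed for the example.

```python
"""Estimate how many new security principals a DC can still create while it
cannot reach the RID Master, from the attributes of its own "RID Set" object.
Added example for the mailing-list discussion; not code from the Samba project.
"""
from typing import Dict, List, Optional, Tuple

# On a real Samba DC the attributes come from a query like this
# (the sam.ldb path, DC name and domain DN are assumptions for the example):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       -b "CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=com" \
#       -s base rIDAllocationPool rIDPreviousAllocationPool rIDNextRID

POOL_SIZE = 500          # RIDs per pool handed out by the RID Master (figure from the post)
REFRESH_FRACTION = 0.5   # the DC asks for the next pool once this much of the active one is used


def pack_pool(lo: int, hi: int) -> int:
    """Pack a RID range as AD stores it: low 32 bits = first RID, high 32 bits = last RID."""
    return (hi << 32) | lo


def unpack_pool(packed: int) -> Tuple[int, int]:
    lo, hi = packed & 0xFFFFFFFF, (packed >> 32) & 0xFFFFFFFF
    if hi < lo:
        raise ValueError(f"malformed RID pool {lo}..{hi}")
    return lo, hi


# Constructed sample: a DC half way through pool 1100..1599, next pool not yet fetched.
SAMPLE_RID_SET: Dict[str, str] = {
    "rIDPreviousAllocationPool": str(pack_pool(1100, 1599)),  # pool RIDs are taken from now
    "rIDAllocationPool": str(pack_pool(1100, 1599)),          # pool to switch to when that runs out
    "rIDNextRID": "1349",                                     # last RID handed out (assumption)
}


def _last_issued(lo: int, hi: int, next_rid: int) -> int:
    """Clamp rIDNextRID into the active pool; a value below lo means nothing from it is used yet."""
    return max(lo - 1, min(next_rid, hi))


def pool_status(rid_set: Dict[str, str]) -> Dict[str, object]:
    """How many RIDs this DC has left if the RID Master became unreachable right now."""
    cur_lo, cur_hi = unpack_pool(int(rid_set["rIDPreviousAllocationPool"]))
    nxt_lo, nxt_hi = unpack_pool(int(rid_set["rIDAllocationPool"]))
    last = _last_issued(cur_lo, cur_hi, int(rid_set["rIDNextRID"]))
    size = cur_hi - cur_lo + 1
    used = last - cur_lo + 1
    next_fetched = (nxt_lo, nxt_hi) != (cur_lo, cur_hi)
    return {
        "active_pool": (cur_lo, cur_hi),
        "used": used,
        "remaining_in_active": cur_hi - last,
        "next_pool_fetched": next_fetched,
        "refresh_due": not next_fetched and used >= size * REFRESH_FRACTION,
        # reserve available without the RID Master: rest of this pool plus a pre-fetched one
        "offline_budget": (cur_hi - last) + ((nxt_hi - nxt_lo + 1) if next_fetched else 0),
    }


class RidMaster:
    """Toy stand-in for the RID Master FSMO role: hands out consecutive pools (assumption)."""

    def __init__(self, next_free: int, pool_size: int = POOL_SIZE) -> None:
        self.next_free, self.pool_size = next_free, pool_size

    def hand_out_pool(self) -> int:
        lo = self.next_free
        self.next_free += self.pool_size
        return pack_pool(lo, lo + self.pool_size - 1)


def allocate_rids(rid_set: Dict[str, str], count: int,
                  master: Optional[RidMaster]) -> Tuple[List[int], Dict[str, str]]:
    """Issue up to `count` RIDs the way a DC does and return them with the updated RID Set.
    master=None models a DC cut off from the RID Master: it can only drain what it holds."""
    s = dict(rid_set)
    issued: List[int] = []
    for _ in range(count):
        cur_lo, cur_hi = unpack_pool(int(s["rIDPreviousAllocationPool"]))
        nxt = int(s["rIDAllocationPool"])
        last = _last_issued(cur_lo, cur_hi, int(s["rIDNextRID"]))
        if last == cur_hi:                               # active pool exhausted
            if unpack_pool(nxt) == (cur_lo, cur_hi):     # nothing pre-fetched
                if master is None:
                    break                                # offline and dry: object creation fails
                nxt = master.hand_out_pool()
                s["rIDAllocationPool"] = str(nxt)
            s["rIDPreviousAllocationPool"] = str(nxt)    # switch to the next pool
            cur_lo, cur_hi = unpack_pool(nxt)
            last = cur_lo - 1
        rid = last + 1
        s["rIDNextRID"] = str(rid)
        issued.append(rid)
        # Pre-fetch the next pool at the half-way mark so a later outage still leaves a reserve.
        if master is not None and pool_status(s)["refresh_due"]:
            s["rIDAllocationPool"] = str(master.hand_out_pool())
    return issued, s
```

Running `pool_status(SAMPLE_RID_SET)` reports 250 RIDs left and a refresh already due; `allocate_rids(SAMPLE_RID_SET, 300, master=None)` then issues exactly 250 RIDs (1350..1599) before object creation would start failing, which is the "at least 250" reserve from the post, while the same call with a reachable `RidMaster` completes all 300 because the next pool is fetched at the half-way mark.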