[Samba] Active directory and multiple forests

mathias dufresne infractory at gmail.com
Mon Nov 21 10:52:04 UTC 2016


(it was advised against using .local as a top-level domain, so below I replaced
.local with .tld)

Domains and domain controllers (DC) are different things.

One domain should contain several DCs (for failover). Within one domain, DCs
replicate with the other DCs. This replication is full replication because
all DCs in the same domain must contain the very same database (modulo the
time needed to replicate changes).
No special configuration is needed for that: once a DC joins its domain it
starts to replicate with the other DCs.
Using AD sites lets you choose how this replication happens, but that does
not change the fact that all DCs will replicate in such a way that they all
have the same DB.

Now when several domains are aggregated (what you described in your
example):
domain.tld has 3 DCs: DC1, DC2, DC3.
They belong to domain.tld so their FQDN are:
dc1.domain.tld
dc2.domain.tld
dc3.domain.tld
They all host one instance of the full "domain.tld" database.

affiliate.domain.tld has 2 DCs (lazy me)
They belong to affiliate.domain.tld so their FQDNs are:
dc1.affiliate.domain.tld
dc2.affiliate.domain.tld
They both host one instance of the full "affiliate.domain.tld" database.

You can aggregate domains using a "trust relationship". When domains are
related using trusts they share some information about the other domains,
but not all of it.
With a trust relationship between these two domains,
dc1.affiliate.domain.tld will still contain the same information as
dc2.affiliate.domain.tld; this information is the whole DB of the affiliate
domain + some information about domain.tld.
Same for domain.tld: dc1.domain.tld contains the same DB as dc2.domain.tld and
dc3.domain.tld, and these 3 DCs contain all information for domain.tld + a
small part of the affiliate domain.

Now there are different kinds of trust relationship, and Samba does not yet
manage them all; for now Samba can only do bi-directional and transitive
trusts. There are also "external trusts" and "forest trusts", but I'm not
familiar enough with these concepts to speak about them. So I don't know
whether Samba makes a difference between the two or not, or whether the
created trust is forest or external.

Perhaps I missed some information, but I believe Samba can only do
bi-directional and transitive trusts (according to the 4.3.0 changelog), and
when I create a different trust and display it (using samba-tool domain trust
list) it shows "Transitive[No]  Direction[INCOMING]".

I expect this to be only cosmetic, i.e. that the trust is in fact
bi-directional and transitive.

Anyway, to answer you shortly: yes, you can aggregate domains. No, you can't
do everything an MS AD domain is able to do in that domain. No, all DCs across
different domains do not share all data of all domains.

2016-11-16 13:53 GMT+01:00 vinifa via samba <samba at lists.samba.org>:

> Hello, colleagues! I have the same question as our friend; I almost know the
> answer, but I would like to hear from you here on the list. Does Samba 4
> work with the domain forest system?
>
> Ex: domain.local >> affiliate.domain.local >>> affiliate2.domain.local
>
> From what I've seen it does not do this, only being a replicated domain: DC1,
> DC2 and DC3 are all domain controllers. I'm waiting for the answer and thank
> you all.
>
>
>
> --
> View this message in context: http://samba.2283325.n4.nabble.com/Active-directory-and-multiple-forests-tp2434978p4711027.html
> Sent from the Samba - General mailing list archive at Nabble.com.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
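
As an added example (not code from the post above or from the Samba project): a small POSIX shell check that reads `samba-tool domain trust list` output and flags any trust that is not both transitive and bidirectional, which is the state the post expects Samba's trusts to be in. The sample lines are constructed and modelled on the `Transitive[No]  Direction[INCOMING]` fragment quoted in the post; the surrounding column layout (`Type[...]`, `Name[...]`) is an assumption, so adjust the sed patterns if your Samba version prints the fields differently.

```sh
#!/bin/sh
# Added example: audit the trusts a Samba DC reports and flag any that are not
# both transitive and bidirectional. Not part of the post or of Samba itself.
#
# Constructed sample of `samba-tool domain trust list` output, modelled on the
# "Transitive[No]  Direction[INCOMING]" fragment quoted in the post. The exact
# column layout (Type[...], Name[...]) is an assumption; adjust the patterns
# in field() if your Samba version prints the fields differently.
SAMPLE_TRUSTS='Type[Forest]   Transitive[Yes] Direction[BOTH]     Name[affiliate.domain.tld]
Type[External] Transitive[No]  Direction[INCOMING] Name[partner.example]
Type[Forest]   Transitive[No]  Direction[OUTGOING] Name[old.example]'

# field NAME LINE: print the value inside NAME[...] from one output line,
# or nothing if that field is absent.
field() {
    printf '%s\n' "$2" | sed -n "s/.*$1\\[\\([^]]*\\)].*/\\1/p"
}

# audit_trusts: read trust-list lines on stdin and print one line per trust
# that is NOT Transitive[Yes] with Direction[BOTH], formatted as
# "<name> transitive=<x> direction=<y>".
# Returns 0 when every trust passes, 1 when at least one was flagged.
audit_trusts() {
    bad=0
    while IFS= read -r line; do
        # Skip headers or blank lines that carry no Transitive[...] field.
        case "$line" in *Transitive\[*) ;; *) continue ;; esac
        name=$(field Name "$line")
        transitive=$(field Transitive "$line")
        direction=$(field Direction "$line")
        if [ "$transitive" != "Yes" ] || [ "$direction" != "BOTH" ]; then
            printf '%s transitive=%s direction=%s\n' "${name:-?}" "$transitive" "$direction"
            bad=1
        fi
    done
    return "$bad"
}

# count_flagged: number of trusts flagged in SAMPLE_TRUSTS (2 for the sample above).
count_flagged() {
    printf '%s\n' "$SAMPLE_TRUSTS" | audit_trusts | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample. On a real DC, replace the
# sample with:   samba-tool domain trust list | audit_trusts
if printf '%s\n' "$SAMPLE_TRUSTS" | audit_trusts; then
    echo "all trusts are transitive and bidirectional"
else
    echo "one or more trusts need review"
fi
```

On the sample, the `INCOMING` external trust and the `OUTGOING` non-transitive forest trust are printed and the function returns 1; the `BOTH`/`Yes` trust is silent. A one-way or non-transitive trust is not necessarily wrong, but it is exactly what the post's author was puzzled by, so the script gives a repeatable way to spot such entries rather than reading the listing by eye.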