[Samba] Extending the AD schema
Andrew Bartlett
abartlet at samba.org
Mon Sep 5 07:55:59 UTC 2016
On Mon, 2016-09-05 at 10:23 +1000, John Gardeniers via samba wrote:
> We're looking at implementing Sudoers LDAP on our Samba 4 AD domain.
> While this worked perfectly in a test environment previously, I am
> always extremely nervous about the possibility of stuffing things up
> on production.
>
> Given a domain with multiple DCs (two in our case), should I add the
> schema extension with all DCs on line or should one be taken off line
> to provide an emergency backup in case things go wrong? In this case
> will the schema extension reliably propagate to the DC which was off
> line at the time?
>
> Way back (maybe 13 years or so ago) when I was managing a pure Windows
> AD environment I asked a similar question and received advice pretty
> much evenly distributed between those two methods.
I would make the change with Samba 4.5 once it comes out. We fixed a
lot of schema bugs with that release.

Unlike a Windows DC, making backups of and restoring just the sam.ldb
files on a Samba DC is really easy, so do that too.

Once you do that, online should be fine.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba