[Samba] Optimizing Samba servers roles in multi server network

[Andreas Heinlein]

Am 17.01.2018 um 15:08 schrieb Prunk Dump via samba:

> -> + many other services ( like puppet, apt-cacher ...)
> My question is, there is another reason not using AD DC as file server
> ? Is there performance issue ?

This has already been discussed on this list recently.

First there is security - any other service running on the DC could make
it vulnerable for attack. You say this is a high school network - I'd
say you should expect that any exploit that can be found on the Internet
will probably be tried out against your servers. Especially if there is
valuable data on them. "Valuable" could also mean, say, solutions for
any upcoming tests and exams and the like.

Then there is the performance issue - because of these security reasons,
any traffic to/from DCs is usually required to be cryptographically
signed. This also means "normal" file sharing if you use your DC as a
file server. This will put quite a load on your server, especially if it
doesn't have hardware support for it. Traffic to non-DC file servers is
usually not signed. You could turn signing off altogether, but I would
strongly adivse against it.

I also wouldn't stick with a single DC in such an environment - when
it's gone, your network is effectively down. You would have to restore
from backup, which will take time. Think about virtual machines, I'd run
a small VM with a samba DC on every server. If your servers are too weak
for full virtualization, LXC containers might be a solution.

Bye,

Andreas