[Samba] preparing for a new site with an extra domain controller
Rowland Penny
rpenny at samba.org
Mon Dec 16 11:23:01 UTC 2024
On Mon, 16 Dec 2024 10:33:59 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> On 12.12.24 at 10:48, Stefan G. Weichinger via samba wrote:
> > On 10.12.24 at 15:10, Luis Peromarta via samba wrote:
> >> No issue, sync will continue next time network is up.
> >
> > great
> >
> > As I prepare that I also hit the fact that I should switch from
> > one-directional sysvol-sync to bi/multidirectional sync via unison
> > or osync.
> >
> > That means I have to switch over the existing syncing also, right
> > now we do the basic rsync-syncing. I will do that first, after
> > backups and rtfm.
>
> switched over to unison, looks good
>
> Now I prepare joining the third DC. That will happen after sending
> the appliance to the new site, to have the correct IPs and routing
> etc in place.
>
> (AFAIK changing IPs after joining is bad, so I will only start the
> joining when it's in the correct place)
>
> -
>
> I read howtos like:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> I have joined Samba DCs in the past, so I think I got that part
> right, but let me quote something that is written a bit misleadingly.
>
> Keep in mind that I am not a native speaker, my first language is
> German.
>
> In the section "Built-in User & Group ID Mappings" there's that red
> block telling me:
>
> "You need to sync idmap.ldb when you first join a new DC and then
> regularly, to ensure the IDs remain constant, you do not need to sync
> idmap.ldb every time you sync SysVol but as stated in the mailing
> list it should be done periodically."
>
> So what?
>
> 1) sync it at first
> 2) do not sync it every time with sysvol
> 3) sync it periodically
I am now not entirely convinced that '3' is required if you only use
the DC in the recommended way, that is only for authentication and no
shares other than sysvol & netlogon.
The 'idmap_ldb' backend, which a DC uses, allocates the IDs on a first
come basis and because the AD admin users & groups generally do not get
the same IDs on all DCs, you need to ensure that these users &
groups have the same IDs on all DCs. The way to do this is to sync
idmap.ldb from the DC that holds the 'main' Sysvol to all others. Now,
as the users that you want to have the same IDs on all DCs only get
their ID once, it doesn't really matter that your main users have
different IDs; they aren't really used on the DCs, Windows and Unix
domain members ensure they are known on those machines.
Rowland
>
> I haven't done 3) for years in two sites ... and afaik it didn't hurt
>
> How often is "periodically"? daily/weekly/monthly?
>
> Why not provide an example or add that to the "SysVol replication"
> cron-jobs (or as similar instructions) as well, if it's necessary?
>
> to me it's a bit unclear and could be easily missed (as mentioned I
> don't do it so far)
>
> thoughts? explanation?
>
> just my 2 cents, maybe the docs could be improved here. thanks all!
>
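The point of the idmap.ldb sync discussed above is that a SID known to more than one DC must resolve to the same Unix ID on each of them. The following is an added checker (not part of this thread or of Samba) that compares ldbsearch-style dumps of idmap.ldb from two DCs and reports SIDs whose xidNumber differs; the two LDIF samples are constructed and the SIDs and ID values in them are illustrative.

```python
# Constructed sample output, in the shape of
#   ldbsearch -H /var/lib/samba/private/idmap.ldb
# (the SIDs and xidNumbers are illustrative, not from any real domain).
DC1_LDIF = """\
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_GID
xidNumber: 3000001
"""

# The same two objects on the second DC, allocated in the other order
# (first-come allocation gave them swapped xidNumbers).
DC2_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_GID
xidNumber: 3000000

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

def parse_idmap_ldif(text):
    """Return {objectSid: xidNumber} from ldbsearch-style LDIF output."""
    mapping = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def find_id_conflicts(a, b):
    """SIDs known to both DCs whose Unix ID differs: [(sid, xid_a, xid_b)]."""
    return sorted((sid, a[sid], b[sid]) for sid in a.keys() & b.keys() if a[sid] != b[sid])

if __name__ == "__main__":
    for sid, x1, x2 in find_id_conflicts(parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF)):
        print(f"{sid}: DC1 xid {x1} != DC2 xid {x2}")
```

SIDs present on only one DC are not reported, since first-come allocation means an object may simply not have been mapped yet on the other DC.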