[Samba] preparing for a new site with an extra domain controller
Stefan G. Weichinger
lists at xunil.at
Tue Dec 17 08:01:55 UTC 2024
On 16.12.24 at 12:23, Rowland Penny via samba wrote:
> On Mon, 16 Dec 2024 10:33:59 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>> 1) sync it at first
>> 2) do not sync it every time with sysvol
>> 3) sync it periodically
>
> I am now not entirely convinced that '3' is required if you only use
> the DC in the recommended way, that is only for authentication and no
> shares other than sysvol & netlogon.
I run them this way.
> The 'idmap_ldb' backend, that a DC uses, allocates the IDs on a first
> come basis and because the AD admin users & groups generally do not get
> the same IDs on all DCs, then you need to ensure that these users &
> groups have the same IDs on all DCs. The way to do this is to sync
> idmap.ldb from the DC that holds the 'main' Sysvol to all others. Now,
> as the users that you want to have the same IDs on all DCs only get
> their ID once, it doesn't really matter that your main users have
> different IDs, they aren't really used on the DCs, Windows and Unix
> domain members ensure they are known on those machines.
Does /var/lib/samba/private/idmap.ldb (path on debian) contain all the
users?
If I don't resync it I assume it is updated by the ad-replication within
samba, right? Otherwise new users wouldn't be distributed.
(just wondering)
OK, I will start that third DC as I did start the second: run steps 1)
and 2)
thanks!
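Steps 1) and 2) from the thread as a small script (an added example, not from the thread or the Samba project): a one-time copy of idmap.ldb from the DC holding the main Sysvol to the new DC, a recurring sysvol-only rsync that never touches idmap.ldb, and a check that a well-known SID maps to the same xidNumber on both DCs. The hostname, root SSH access between the DCs and the DRY_RUN switch are assumptions; the paths are the Debian ones named in the thread.

```shell
#!/bin/sh
# Added example: sync idmap.ldb once, then only sysvol. Run on the DC that holds the
# main Sysvol. DRY_RUN=1 prints the commands instead of executing them.
set -eu

PRIVATE_DIR=/var/lib/samba/private     # Debian path, as in the thread
SYSVOL_DIR=/var/lib/samba/sysvol       # assumed Debian sysvol location
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1 (once per new DC): tdbbackup makes a consistent copy of the live file, the
# copy is shipped, then the new DC drops its cached mappings and re-applies the
# sysvol ACLs so the copied IDs are the ones in use.
initial_idmap_sync() {
    new_dc="$1"
    run tdbbackup -s .bak "$PRIVATE_DIR/idmap.ldb"
    run rsync -a "$PRIVATE_DIR/idmap.ldb.bak" "root@$new_dc:$PRIVATE_DIR/idmap.ldb"
    run ssh "root@$new_dc" net cache flush
    run ssh "root@$new_dc" samba-tool ntacl sysvolreset
}

# Step 2 (recurring): only the sysvol tree is synced. idmap.ldb lives in
# $PRIVATE_DIR, outside this tree, so the periodic job can never overwrite it.
periodic_sysvol_sync() {
    new_dc="$1"
    run rsync -XAavz --delete-after "$SYSVOL_DIR/" "root@$new_dc:$SYSVOL_DIR/"
}

# Check after step 1: BUILTIN\Administrators (S-1-5-32-544) must resolve to the
# same xidNumber on both DCs, otherwise sysvol ACLs show different owners per DC.
check_admin_xid() {
    new_dc="$1"
    filter='(objectSid=S-1-5-32-544)'
    local_xid=$(ldbsearch -H "$PRIVATE_DIR/idmap.ldb" "$filter" xidNumber \
        | awk '/^xidNumber:/ {print $2}')
    remote_xid=$(ssh "root@$new_dc" "ldbsearch -H $PRIVATE_DIR/idmap.ldb '$filter' xidNumber" \
        | awk '/^xidNumber:/ {print $2}')
    [ -n "$local_xid" ] && [ "$local_xid" = "$remote_xid" ]
}
```

Usage: `initial_idmap_sync dc3.example.invalid && check_admin_xid dc3.example.invalid`, then schedule only `periodic_sysvol_sync` (e.g. from cron).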