[Samba] Planning infrastructure - request for advice
Piotr Adamcio
adamcios at wp.pl
Fri Mar 7 14:22:10 UTC 2025
I need to plan this solution properly. I have 3 entities in 3 different
locations, with approximately 50 computers in each entity. Each entity
currently uses its own files on its own server. However, there are
people who travel between entities and need to have access to all files
regardless of the entity. The entities are connected by VPN, and access
is available. The point is that I have set up a Domain Controller for
testing and I would like to have a central database of users and groups
that the company uses. However, the infrastructure must be resistant to
internet problems. So, in my plan, I set up 1 PDC (for the main list),
which I provisioned with the command:

samba-tool domain provision --use-rfc2307 \
    --option="ad dc functional level = 2016" --function-level=2016 \
    --interactive --option="dns forwarder = 192.168.xx.xx" \
    --option="winbind enum groups = Yes" --option="winbind enum users = Yes"

and 3 BDCs, on which I was sharing files, which I added with this command:

samba-tool domain join dom.lan DC -U administrator --realm=DOM.LAN -W DOM \
    --option="ad dc functional level = 2016" --function-level=2016 \
    --use-rfc2307 \
    --option="winbind enum groups = Yes" --option="winbind enum users = Yes"
From what I understand from other posts, should I also add 3 Unix domain
members on which I share files? Is that correct? File shares should NOT
be created on BDCs, right? And then, should I keep profiles and network
shares on these file servers? So, should I use idmap with autorid on
these Unix domain members? The goal is that internet outages (which
happen) do not block access to network shares, so must I ensure there is
a BDC in each entity?
Entity 1 --------------- VPN --------------- Entity 2 --------------- VPN --------------- Entity 3
|                                            |                                            |
+--- PDC (Domain Controller)                 +--- BDC (Domain Controller)                 +--- BDC (Domain Controller)
|                                            |                                            |
+--- File Server (Unix Domain Member)        +--- File Server (Unix Domain Member)        +--- File Server (Unix Domain Member)
|                                            |                                            |
+--- ~50 Computers                           +--- ~50 Computers                           +--- ~50 Computers
Is this a good direction, or is it overcomplicating things?
Then, between the DC servers, I must synchronize sysvol and idmap.ldb,
and the Unix domain members (file servers) must use idmap rid or autorid?
Any other suggestions or ideas?
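An added example, not from the poster or from the Samba project, illustrating the idmap question for the Unix domain member file servers in the diagram above. The smb.conf text is a constructed sample (domain DOM / DOM.LAN as in the post; the ranges and the 1000 floor are assumptions, not values from the thread) that uses the rid backend, so every member derives the same UID/GID from the same SID without any database to synchronize. The checker parses the "idmap config" lines and flags the mistake that most often bites multi-site setups: a default "*" range that overlaps the domain range. It is meant for the member servers only; a Samba AD DC ignores idmap ranges in smb.conf and allocates IDs from idmap.ldb, which is why that file is the one the post talks about copying between DCs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not the poster's real config): a Unix domain member
# file server joined to the AD domain DOM / DOM.LAN from the thread, using the
# "rid" backend so every member computes identical UIDs/GIDs from the SIDs.
MEMBER_SMB_CONF_OK = """
[global]
    workgroup = DOM
    realm = DOM.LAN
    security = ADS
    # default backend for BUILTIN and any domain without its own block
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # deterministic RID-based mapping for the AD domain itself
    idmap config DOM : backend = rid
    idmap config DOM : range = 10000-999999
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%U
"""

# Constructed variant with the classic mistake: the default range and the
# domain range overlap, so winbind can hand the same UID to two different SIDs.
MEMBER_SMB_CONF_BAD = MEMBER_SMB_CONF_OK.replace(
    "idmap config * : range = 3000-7999", "idmap config * : range = 3000-20000"
)

# Assumed policy floor: ranges starting below this are treated as colliding
# with local /etc/passwd accounts. Adjust to the site's own convention.
MIN_IDMAP_ID = 1000

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <domain> : <key> = <value>' lines per domain."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    return cfg


def parse_range(val: str) -> Tuple[int, int]:
    """Parse 'low-high' into integers, rejecting malformed or inverted ranges."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", val.strip())
    if not m:
        raise ValueError(f"range {val!r} is not of the form low-high")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"range {val!r} has low > high")
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap layout is sane."""
    problems: List[str] = []
    cfg = parse_idmap(conf)
    if "backend" not in cfg.get("*", {}):
        problems.append("missing default 'idmap config * : backend'")
    ranges: List[Tuple[str, int, int]] = []
    for dom, settings in cfg.items():
        if "backend" not in settings:
            problems.append(f"{dom}: no backend configured")
        if "range" not in settings:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            lo, hi = parse_range(settings["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
            continue
        if lo < MIN_IDMAP_ID:
            problems.append(
                f"{dom}: range starts below {MIN_IDMAP_ID}, may collide with local accounts"
            )
        ranges.append((dom, lo, hi))
    # Overlap check: after sorting by low end, each range must start after
    # the previous one ends.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


if __name__ == "__main__":
    for name, conf in (("ok", MEMBER_SMB_CONF_OK), ("bad", MEMBER_SMB_CONF_BAD)):
        print(name, check_idmap(conf) or "no problems")
```

To run it against a real member server, pass the file contents in: check_idmap(open("/etc/samba/smb.conf").read()). With rid, the same domain block and the same range must be copied verbatim to all three file servers; if the ranges differ between sites, a user's UID on one server's files will not match the UID on another's, which is the same symptom as the overlap case but harder to spot.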