[Samba] Planning infrastructure - request for advice

Rowland Penny rpenny at samba.org
Fri Mar 7 15:12:00 UTC 2025


On Fri, 7 Mar 2025 15:22:10 +0100
Piotr Adamcio via samba <samba at lists.samba.org> wrote:

> I need to plan this solution properly. I have 3 entities in 3
> different locations, with approximately 50 computers in each entity.
> Each entity currently uses its own files on its own server. However,
> there are people who travel between entities and need to have access
> to all files regardless of the entity. The entities are connected by
> VPN, and access is available. The point is that I have set up a
> Domain Controller for testing and I would like to have a central
> database of users and groups that the company uses. However, the
> infrastructure must be resistant to internet problems. So, in my
> plan, I set up 1 PDC (for the main list, which I provisioned with
> this command:
> 
>   samba-tool domain provision --use-rfc2307 \
>     --option="ad dc functional level = 2016" --function-level=2016 \
>     --interactive --option="dns forwarder = 192.168.xx.xx" \
>     --option="winbind enum groups = Yes" \
>     --option="winbind enum users = Yes"
> 
> ) and 3 BDCs (which I added with this command:
> 
>   samba-tool domain join dom.lan DC -U administrator --realm=DOM.LAN \
>     -W DOM --option="ad dc functional level = 2016" \
>     --function-level=2016 --use-rfc2307 \
>     --option="winbind enum groups = Yes" \
>     --option="winbind enum users = Yes"
> 
> ) on which I was sharing files.
> 
> From what I understand from other posts, should I also add 3 Unix
> domain members on which I share files? Is that correct? File shares
> should NOT be created on BDCs, right? And then, should I keep
> profiles and network shares on these file servers? So, should I use
> idmap with autorid on these Unix domain members? The goal is that
> internet outages (which happen) do not block access to network
> shares, so in each entity I must ensure a BDC?
> 
> 
> Entity 1 ------------ VPN ------------ Entity 2 ------------ VPN ------------ Entity 3
>   |                                      |                                      |
>   +--- PDC (Domain Controller)           +--- BDC (Domain Controller)           +--- BDC (Domain Controller)
>   |                                      |                                      |
>   +--- File Server (Unix Domain Member)  +--- File Server (Unix Domain Member)  +--- File Server (Unix Domain Member)
>   |                                      |                                      |
>   +--- ~50 Computers                     +--- ~50 Computers                     +--- ~50 Computers
> 
> 
> Is this a good direction, or is it overcomplicating things?
> 
> Then, between the DC servers, I must synchronize sysvol and
> idmap.ldb, and the Unix domain members (fileservers) must use idmap
> rid or autorid?
> 
> Any other suggestions? ideas?

OK, for a start, please stop calling them 'PDC' or 'BDC'; they are all
just 'DCs', it is just that one or more of them hold FSMO roles (yes, I
know that one of the FSMO roles is called 'PDC_Emulator', but it is
meaningless in AD).

I think you might understand your setup better in AD terms if you stop
thinking about 'entities' and think in terms of 'Sites', and yes, you
really need at least one DC (more is better) in each 'site'.

You are quite correct, you shouldn't use a DC as a fileserver; while
you can get one to work as a fileserver, there are numerous reasons why
it isn't a good idea.

Turning to profiles, are you referring to Windows roaming profiles? If
so, I would give up on that idea now: the profiles have to be stored on
a PC somewhere and dragged to the PC across the network, then put back
again. This is bad enough across a local network, but it is going to be
a lot worse from one site to another over the internet.

Please do not use the 'winbind enum' lines, you do not need them. You
also do not need '--use-rfc2307' if you are going to use 'autorid', and
speaking of that, I personally would use the 'rid' idmap backend on
Unix domain members.

I cannot recommend using your registered dns domain (I take it that
'dom.lan' is your dns domain, sanitised) for the AD dns domain; use a
subdomain instead, e.g. 'ad.dom.lan'.

I think I hear more questions ;-)

Rowland
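As an added example, not from either poster and not Samba's own code: a small Python lint that parses two constructed smb.conf texts (a Unix domain member written the way the reply recommends, with the 'rid' backend and no 'winbind enum' lines, and a DC laid out the way the question describes, with the enum lines and a file share on the DC) and reports the points raised above. The DOM / AD.DOM.LAN names, paths and idmap ranges are placeholders, and the "two-label realm" test is a heuristic of this example, not a Samba rule.

```python
"""Lint an smb.conf against the advice given in this thread.
Added example: not Samba's code and not from either poster. The smb.conf
texts, the DOM / AD.DOM.LAN names, paths and idmap ranges are constructed."""
import configparser
import re

# Constructed: a Unix domain member set up as the reply recommends.
MEMBER_GOOD = """
[global]
    workgroup = DOM
    realm = AD.DOM.LAN
    security = ADS
    # '*' covers BUILTIN and untrusted domains; keep it outside the DOM range
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # rid derives uid/gid from the SID's RID, so every member gets the same ids
    idmap config DOM : backend = rid
    idmap config DOM : range = 10000-999999
    winbind use default domain = yes

[shared]
    path = /srv/samba/shared
    read only = no
"""

# Constructed: a DC as the original post describes, with the 'winbind enum'
# lines and a file share served from the DC itself.
DC_BAD = """
[global]
    realm = DOM.LAN
    workgroup = DOM
    server role = active directory domain controller
    winbind enum users = Yes
    winbind enum groups = Yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[projects]
    path = /srv/files/projects
    read only = No
"""

DC_ONLY_SECTIONS = {"global", "sysvol", "netlogon"}
MEMBER_BACKENDS = {"rid", "ad", "autorid"}


def parse_smb_conf(text):
    """Parse smb.conf into {section: {option: value}}. Samba option names are
    case-insensitive, so keys are lowercased with their whitespace collapsed."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, empty_lines_in_values=False)
    cp.optionxform = lambda k: re.sub(r"\s+", " ", k.strip().lower())
    cp.read_string(text)
    return {s.lower(): dict(cp[s]) for s in cp.sections()}


def lint(conf):
    """Return the list of findings; an empty list means the config follows the advice."""
    g = conf.get("global", {})
    findings = []
    is_dc = "domain controller" in g.get("server role", "").lower()
    workgroup = g.get("workgroup", "").lower()
    # 1. 'winbind enum users/groups' is unnecessary and makes enumeration slow.
    for opt in ("winbind enum users", "winbind enum groups"):
        if g.get(opt, "no").lower() in ("yes", "true", "1"):
            findings.append(f"remove '{opt}': not needed")
    # 2. A DC should serve only sysvol and netlogon; file shares belong on members.
    if is_dc:
        extra = sorted(s for s in conf if s not in DC_ONLY_SECTIONS)
        if extra:
            findings.append(f"file shares {extra} on a DC: move them to a Unix domain member")
    # 3. A member needs a deterministic backend for its domain plus the '*'
    #    catch-all, and the two ranges must not overlap.
    if not is_dc and g.get("security", "").lower() == "ads":
        backend = g.get(f"idmap config {workgroup} : backend")
        if backend not in MEMBER_BACKENDS:
            findings.append(f"idmap config {workgroup.upper()} : backend = {backend}: use rid")
        if g.get("idmap config * : backend") is None:
            findings.append("missing 'idmap config * : backend'")
        ranges = {}
        for name in ("*", workgroup):
            value = g.get(f"idmap config {name} : range")
            if value is None:
                findings.append(f"missing 'idmap config {name} : range'")
            else:
                lo, hi = (int(x) for x in value.split("-"))
                ranges[name] = (lo, hi)
        if len(ranges) == 2:
            (a_lo, a_hi), (b_lo, b_hi) = ranges["*"], ranges[workgroup]
            if a_lo <= b_hi and b_lo <= a_hi:
                findings.append("idmap ranges for '*' and the domain overlap")
    # 4. Heuristic (an assumption of this example): a two-label realm is
    #    probably the registered domain itself rather than a subdomain of it.
    realm = g.get("realm", "")
    if realm and realm.count(".") < 2:
        findings.append(f"realm {realm}: use a subdomain such as ad.{realm.lower()}")
    return findings


if __name__ == "__main__":
    print(lint(parse_smb_conf(DC_BAD)))
```

To run it against a real server, pass the contents of /etc/samba/smb.conf to parse_smb_conf; it only checks the points from this thread, so still run Samba's own testparm -s for syntax and defaults.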
