Active Directory BDC/slave role


(Davide Principi) #1

I was talking about the “BDC” concept with one of my business partners today. Samba needs the sysvol replication to get a multi-dc setup working out-of-the-box.

https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

What could be done at the moment is implementing the Samba DC role with a sysvol replication workaround. With such a new feature we can build an AD domain with one “master” DC (already implemented) and multiple additional read-only “slave” DCs.

What do you think?


(Buck Jeffcott) #2

Sounds good on paper. :slight_smile:

Being read only, would clients be able to still authenticate properly, you mean they just wouldn’t be able to make changes? Or what else would be lacking from a read only DC?

Would you be able to promote such a slave to be a PDC in the event of a PDC failure? If not, would you need to build a new PDC to replace the original PDC in the event the original PDC is broken? If the latter, I could see HotSync being valuable for that; however, the former would be more desirable in my opinion.


(Rob Bosch) #3

As I see it, a multiple DC situation should already be possible when reading the Samba4 wiki: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

In an Active Directory environment there is no such thing as a BDC. All DCs can write to the AD database. The only difference between the first DC and additional DCs are the FSMO roles.

So, if there already is an option to add additional DCs with Samba, what would be the problem implementing this in NethServer? Is that the sysvol replication you mentioned @davidep?
The workaround is in Samba wiki: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

My concern with the workaround replication methods would be: if there were massive changes in AD, would this be accurate enough and keep up with the changes?


(Markus Neuberger) #4

In the meanwhile I got used to the single DC concept but it would be a great feature! With read-only “slave” DCs the replication workaround should be safe. Great idea!


(Derek Blechinger) #5

I consider this an essential feature for full Windows AD replacement. The stability and peace of mind that comes from having multiple DCs online in-case of PDC failure is second-to-none.

I’d be over the moon if this feature came to NethServer any time in the near future. :slight_smile:
I shied away from NethServer at first because the only semi-comparable feature was Hot-Sync. Having a true Primary/Read-Only configuration as a default feature would’ve made me choose NethServer instantly.


(Davide Principi) #6

Thank you all for your replies!

Absolutely true. Here I consider BDC all the DCs without FSMO “PDC emulator role”.

Yes, client authentication is a must-have, so it must implement bi-directional synchronization of the LDAP DB. What actually requires a one-way replication schema (thus, read-only) is the Sysvol volume. The Samba Wiki proposes some solutions where the “primary/master” is always a Samba DC and the “slaves” are both Windows (MS-Robocopy) and Samba (Rsync) nodes.

At the beginning, I was thinking about the Samba AD specific RODC role, which I haven’t experimented with yet. However, it seems to still have some issues to solve.

Deploying a “normal” DC (not RODC) also has the advantage of promotion. There we could implement a good rsync-based solution for NethServer DCs. I guess the AD DNS has enough information to discover the domain “PDC” role by itself. I suppose RSAT tools use this method by default, as the Samba Wiki suggests.

One of the main objections to this feature is that with Hot-Sync, in case of fault, one can restore ALL services, not just the DC. Think about a DC with Mail and Groupware… Or a DC with Gateway services.

So, does it make sense to add redundancy to the DC service only? Do you think a NethServer installation that runs only the (B)DC service is useful?

Would you choose NethServer for just running the (B)DC role?


Links to past discussions:


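The one-way Sysvol pull that #6 sketches (PDC emulator as the only Sysvol writer, every other DC pulling with rsync, the PDC found through AD DNS), written out as a script. This is an added example for this thread, not NethServer or Samba project code. It assumes the rsync daemon setup from the Samba wiki’s rsync-based Sysvol page (module name `SysVol`, user `sysvol-replication`, a password file), that `idmap.ldb` has already been made identical on all DCs as the wiki page linked in #3 describes, and a Sysvol path of `/var/lib/samba/sysvol`; all of those are assumptions, overridable through the environment variables at the top. The PDC emulator is located with the standard `_ldap._tcp.pdc._msdcs.<domain>` SRV record, which is what Windows clients and RSAT use, and the script refuses to run on the PDC itself so the replication can never be turned around.

```bash
#!/bin/bash
# sysvol-pull.sh -- pull-only SysVol replication for a secondary Samba DC.
# Added example for this thread; not NethServer or Samba project code.
# Assumptions (not from the original posts): the DC holding the PDC emulator
# FSMO role is the only SysVol writer; every other DC pulls from it via an
# rsync daemon exposing the module "SysVol" (Samba wiki rsync setup); and
# idmap.ldb is already identical on all DCs.
set -euo pipefail

SYSVOL_DIR="${SYSVOL_DIR:-/var/lib/samba/sysvol}"          # assumed path
RSYNC_USER="${RSYNC_USER:-sysvol-replication}"             # assumed rsyncd user
RSYNC_PASS_FILE="${RSYNC_PASS_FILE:-/etc/samba/rsync.pass}" # assumed secret file

# Read the answer lines of
#   dig +short SRV _ldap._tcp.pdc._msdcs.<domain>
# on stdin ("priority weight port target.") and print the target with the
# lowest priority, lower-cased and without the trailing dot. Prints nothing
# when there is no answer.
pdc_from_srv() {
    awk 'NF == 4 && (best == "" || $1 + 0 < best + 0) {
             best = $1; sub(/\.$/, "", $4); name = tolower($4)
         }
         END { if (name != "") print name }'
}

# Resolve the PDC emulator through AD DNS, the same lookup clients and RSAT do.
discover_pdc() {
    local domain="$1"
    dig +short SRV "_ldap._tcp.pdc._msdcs.${domain}" | pdc_from_srv
}

# Direction guard: SysVol replication is strictly one-way, so the PDC must
# never pull. Returns 0 only when host "$2" may pull from PDC "$1".
may_pull_from() {
    local pdc="$1" me="$2"
    [ -n "$pdc" ] && [ "$(printf '%s' "$me" | tr 'A-Z' 'a-z')" != "$pdc" ]
}

# Mirror SysVol from the PDC emulator and verify the NT ACLs came across.
pull_sysvol() {
    local pdc="$1"
    # -X and -A carry the xattrs and POSIX ACLs in which Samba stores the NT
    # ACLs; --delete-after mirrors deletions made on the master.
    rsync -XAavz --delete-after \
        --password-file="$RSYNC_PASS_FILE" \
        "rsync://${RSYNC_USER}@${pdc}/SysVol/" "${SYSVOL_DIR}/"
    # sysvolcheck fails when on-disk ACLs disagree with the database;
    # sysvolreset rewrites them from the defaults in that case.
    samba-tool ntacl sysvolcheck || samba-tool ntacl sysvolreset
}

main() {
    local domain="$1"
    local me pdc
    me="$(hostname -f)"
    pdc="$(discover_pdc "$domain")"
    if ! may_pull_from "$pdc" "$me"; then
        echo "refusing to pull: $me is the PDC emulator or no PDC was found" >&2
        exit 2
    fi
    pull_sysvol "$pdc"
}

# Usage: sysvol-pull.sh ad.example.com   (from cron on each secondary DC)
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Only Sysvol goes through this path; the directory database itself is replicated both ways by Samba’s own DRS, which `samba-tool drs showrepl` reports on. If a secondary is ever promoted (for instance with `samba-tool fsmo transfer --role=pdc`), the SRV record follows the role, so the guard above starts refusing on the new PDC and the old one becomes a puller without any script change.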
(Rob Bosch) #7

Just to put the pressure on: here is what the competition made public today:


(Dominik) #8

I think this could be a great feature. I am still facing a problem with how to set up one NS AD between 3 of my company locations - I know that I can connect them to the main AD, but what would happen if there were, for example, no internet connection at the main place?
If the NS could work as a secondary ADC, then when the internet starts working again at the main place it should sync with it.
Another feature wish that the “competition” had in an earlier version (I don’t know if they have it in the newest version) is a user quota, which in my opinion could also be useful.

My 3 cents…


(fpausp) #9

By the way, maybe we should, if it is not already done, start a comparison of features between NethServer and other distributions, to get an overview. What do you think?


(Rob Bosch) #10

@fausp I think there is already a comparison between NethServer and Zentyal, but this is not with the latest versions of both distros: 7.5 for NethServer and 5.1 for Zentyal.
I think it would be great to have a renewed comparison between the 2.

Would you be able (time/able to/willing) to compare them (functionality, ease of use, etc.)?


(fpausp) #11

I am afraid I am not able to do it at the moment. I am in education, I want to start studying next year…


(Rob Bosch) #12

No problem, maybe someone else can pick this up. I currently am quite busy too, but it still would be nice to have an up-to-date comparison between NethServer and Zentyal (or more extensive, and have other distros compared too, like ClearOS and Univention).


(fpausp) #13

:+1::+1::+1:


(Daniele Pallotta) #14

That would be great…


(fpausp) #15

Found this: Zentyal vs NethServer comparison matrix

Zentyal Server - Full technical features

Perhaps we should start a new Thread ?


(Rob Bosch) #16

Thank you for the find! And having a look at the google doc, it confirms there is a need for a renewed comparison.
Downloading Zentyal 5.1 development edition, ClearOS7.5 community edition and Univention 4.3-2
This probably will take some time to create a complete comparison… When I am ready I will create a new topic for it.


(Davide Principi) #17

Clients and services relying on Active Directory would still work, BUT what about (for instance) a groupware? Or a web server with Nextcloud? Does it make sense to work on AD redundancy only?

Back to my question:


(Rob Bosch) #18

This depends on the options you have when setting up an ICT environment. IF there is the option to fully virtualize all servers, I would say: YES.
In such a situation I would definitely separate the DC role (and gateway role) from all other roles. I even would go with a 2nd DC if possible.
But when you are on a limited budget and you do not have the option to implement a nice virtualization cluster of 3 or more nodes, and there is no other way than installing everything on a single server…

Another situation would be when there are multiple locations. As soon as there is a (relatively) slow WAN connection involved, it would be nice to have a local DC for authentication purposes. And in an ideal world you want to be able to schedule the replication between the 2 sites so you don’t have too much replication traffic when a lot of people are using the bandwidth for work. Only mandatory replication traffic should be allowed, and other changes should be replicated outside “office hours”, or at least at a time chosen by the sysadmin. Also in such cases a dedicated DC (per location) would be the most ideal option.

Now I re-read your question. Is it meant as NethServer as a DC role and something else for other roles, or would you choose another flavor as (B)DC, or is it meant as: would you implement a dedicated DC in your network? I took it as the last interpretation since we are NethServer and wouldn’t consider another flavor to have a role in our network… wink wink
To avoid confusion, I would rephrase as:

Would you choose to have a server for just running the (B)DC role?


(Davide Principi) #19

Yes, that’s the point and I’m asking because I’m not a Windows sysadmin and need some feedback about it to decide how to prioritize the development effort of this feature. Thank you @robb.


(Rob Bosch) #20

To be clear: IF there is the option to have a dedicated DC, then yes, but we HAVE to take into consideration that not all sysadmins have the luxury of multiple servers or VMs to run their ICT environment on, and probably most Home and SOHO users only have a single device to install a server distribution on (either NS, Windows, or another all-in-one option).
Yes, in that case there is no need for a 2nd DC either, but IMO we can’t limit the use of the DC role to a single server.