Active Directory BDC/slave role

Thank you all for your replies!

Absolutely true. Here I consider BDC all the DCs without FSMO “PDC emulator role”.

Yes, client authentication is a must-have, so it must implement bi-directional synchronization of the LDAP DB. What actually requires a one-way replication schema (thus, read-only) is the Sysvol volume. The Samba Wiki proposes some solutions where the “primary/master” is always a Samba DC and the “slaves” are both Windows (MS-Robocopy) and Samba (Rsync) nodes.

At the beginning, I was thinking about the Samba AD specific RODC role, which I haven’t experimented with yet. However, it still seems to have some issues to solve.

Deploying a “normal” DC (not an RODC) also has the advantage of promotion. There we could implement a good rsync-based solution for NethServer DCs. I guess the AD DNS has enough information to discover the domain “PDC” role by itself. I suppose the RSAT tools use this method by default, as the Samba Wiki suggests.

One of the main objections to this feature is that with Hot-Sync, in case of a fault, one can restore ALL services, not just the DC. Think about a DC with Mail and Groupware… Or a DC with Gateway services.

So, does it make sense to add redundancy to the DC service only? Do you think a NethServer installation that runs only the (B)DC service is useful?

Would you choose NethServer for just running the (B)DC role?


Links to past discussions:
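The post above relies on two things that can be demonstrated in code: AD DNS publishes the PDC emulator under the SRV name `_ldap._tcp.pdc._msdcs.<domain>`, and Sysvol is pulled one-way from that DC with rsync. The following is an added example, not code from the post, from NethServer, or from the Samba project. It assumes the SRV answer is supplied as `dig +short SRV` output lines (the sample lines are constructed), and the Sysvol path, rsync module name, user and secret file are placeholders that a real deployment would set.

```python
"""Locate the PDC emulator through AD DNS and build the one-way Sysvol pull.

Added example (not NethServer or Samba code). Assumptions:
  * the domain zone carries the standard _ldap._tcp.pdc._msdcs SRV record;
  * SRV answers are given as `dig +short SRV` lines: "priority weight port target";
  * the receiving DC pulls Sysvol with rsync; paths and module name are placeholders.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def pdc_srv_name(dns_domain: str) -> str:
    """AD publishes the PDC emulator as an SRV record under _ldap._tcp.pdc._msdcs.<domain>."""
    return f"_ldap._tcp.pdc._msdcs.{dns_domain.strip('.').lower()}"


def dig_argv(name: str) -> list:
    """The command whose output parse_srv_lines() expects."""
    return ["dig", "+short", "SRV", name]


def parse_srv_lines(lines) -> list:
    """Parse 'priority weight port target' lines; blank and ';' comment lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed SRV line: {line!r}")
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".").lower()))
    return records


def select_srv(records, rng=None):
    """RFC 2782 style selection: lowest priority wins; within that priority a
    weighted random pick. Zero-weight entries are only used when every candidate
    has weight zero. Returns None when the zone publishes no PDC record at all."""
    if not records:
        return None
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(0, total - 1)
    for r in candidates:
        pick -= r.weight
        if pick < 0:
            return r
    return candidates[-1]


def sysvol_pull_argv(pdc_host: str,
                     local_sysvol: str = "/var/lib/samba/sysvol/",   # placeholder path
                     rsync_module: str = "SysVol",                    # placeholder module
                     user: str = "sysvol-replication",                # placeholder user
                     secret: str = "/etc/samba/rsync-sysvol.secret"): # placeholder secret
    """One-way pull: the PDC's Sysvol is the source, this DC's copy is overwritten.
    -X/-A keep xattrs and POSIX ACLs (Samba stores NT ACLs there); --delete-after
    removes GPOs that were deleted on the PDC. The trailing slashes make rsync copy
    the directory contents rather than nesting a SysVol/ directory."""
    src = f"rsync://{user}@{pdc_host}/{rsync_module}/"
    return ["rsync", "-XAaz", "--delete-after",
            f"--password-file={secret}", src, local_sysvol]


# Constructed sample of what `dig +short SRV` returns for a domain with two DCs;
# only the first one holds the PDC emulator role (lowest priority).
SAMPLE_DIG_OUTPUT = [
    "; constructed sample, not a real zone",
    "0 100 389 DC1.ad.example.com.",
    "10 100 389 dc2.ad.example.com.",
]


def plan_sysvol_pull(dns_domain: str, dig_lines) -> list:
    """Tie the steps together: SRV name -> parse answer -> pick PDC -> rsync argv."""
    pdc = select_srv(parse_srv_lines(dig_lines))
    if pdc is None:
        raise RuntimeError(f"no PDC SRV record for {pdc_srv_name(dns_domain)}")
    return sysvol_pull_argv(pdc.target)


if __name__ == "__main__":
    print(" ".join(dig_argv(pdc_srv_name("ad.example.com"))))
    print(" ".join(plan_sysvol_pull("ad.example.com", SAMPLE_DIG_OUTPUT)))
```

Replace `SAMPLE_DIG_OUTPUT` with the real output of the printed `dig` command on a member DC; the resulting rsync line is the pull that a cron job on every non-PDC DC would run, and it never writes back toward the PDC, which is what keeps the Sysvol replication one-way.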