Thank you all for your replies!
Absolutely true. Here I consider as BDCs all the DCs without the FSMO “PDC emulator” role.
Yes, client authentication is a must-have, so it must implement bi-directional synchronization of the LDAP DB. What actually requires a one-way replication schema (thus, read-only) is the Sysvol volume. The Samba Wiki proposes some solutions where the “primary/master” is always a Samba DC and the “slaves” are both Windows (MS-Robocopy) and Samba (Rsync) nodes.
At the beginning, I was thinking about the Samba AD specific RODC role, which I haven’t experimented with yet. However, it still seems to have some issues to solve.
Deploying a “normal” DC (not-RODC) also has the advantage of the promotion. There we could implement a good rsync-based solution for NethServer DCs. I guess the AD DNS has enough information to discover the domain “PDC” role by itself. I suppose RSAT tools use this method by default, as the Samba Wiki suggests.
One of the main objections to this feature is that with Hot-Sync, in case of a fault, one can restore ALL services, not just the DC. Think about a DC with Mail and Groupware… Or a DC with Gateway services.
So, does it make sense to add redundancy to the DC service only? Do you think a NethServer installation that runs only the (B)DC service is useful?
Would you choose NethServer for just running the (B)DC role?
Links to past discussions: