Active Directory BDC/slave role

A very bad scenario for a Windows admin is when users cannot log in in the morning because the DC is down, and they have nothing to do except call in and ask when the problem will be solved. This is the reason why admins like a second DC, just to keep logins working if the first DC fails.
So the small advantage over hotsync in this case is the automatic failover, possible because the AD structure serves different logon servers.

You are right, it would make much more sense to have a full backup of all services, not only the AD DC, but it is a single point of failure affecting all users, and Windows admins are used to it.

What about combining hotsync with a read-only DC, or making them work on the same server?

Could the read-only DC be a starting point for an AD migration scenario?


Again, please do not talk of a “read-only” DC: it’s confusing me :slight_smile: If we go with the Samba wiki sysvol replication method, based on rsync, we need to talk of “master” and “slaves”.

After reading a bit about the Samba-specific “RODC” deployment, I understand it is not for us because it can’t do authentication (at the moment).

Apart from that, yes: any DC can be used as a starting point to substitute another one. This is another story…


IMO the result of the effort should be to be able to have multiple DCs in the network and to be able to move the FSMO roles from the first DC to any other DC. This is not only to have redundant DC functionality, but also a strong point when you have to migrate to other hardware without a HUGE backup/restore effort for the users and devices on your network.

Scenario: you have an old server with the DC role. You get a new server and also give it the DC role by joining it to the same domain. Then transfer the FSMO roles to the new DC. Install on the second server all the services that were provided by the first server, and finally demote the first server as a DC. Then you can safely remove the old server from the network.

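The join / transfer FSMO / demote sequence from the post above, written out as shell functions. This is an added example, not NethServer's or Samba's own code. It assumes `samba-tool` is on the PATH of each DC (on NethServer 7 the DC runs inside the nsdc container, so the commands have to be run in there), that `example.lan`, `administrator`, `DC1` and `DC2` are placeholders, that `--dns-backend` matches what the existing DC already uses, and that `samba-tool fsmo show` prints one `<Role> owner: CN=NTDS Settings,CN=<DC>,…` line per role, which the check below parses before the old DC is allowed to demote:

```shell
#!/bin/sh
# Added example: the "join new DC, move FSMO roles, demote old DC" runbook as shell functions.
# Assumptions: samba-tool is on PATH on each DC (on NethServer 7 it lives inside the nsdc
# container), example.lan / administrator / DC1 / DC2 are placeholders, and --dns-backend
# matches what the existing DC already uses.

# run CMD ...: execute CMD, or only print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1 and 2, on the NEW server: join the existing domain as a DC, then pull every
# FSMO role over.  join_and_transfer REALM ADMIN
join_and_transfer() {
    run samba-tool domain join "$1" DC -U "$2" --dns-backend=SAMBA_INTERNAL
    run samba-tool fsmo transfer --role=all -U "$2"
}

# fsmo_all_on DC_NAME SHOW_OUTPUT: succeed only if every role line of `samba-tool fsmo show`
# names DC_NAME. The owner DN looks like "CN=NTDS Settings,CN=<DC>,CN=Servers,...", so the
# second RDN is the DC. Each role still held elsewhere is printed and the function returns 1.
fsmo_all_on() {
    printf '%s\n' "$2" | awk -v dc="$1" '
        /Role owner:/ {
            split($0, rdn, ",")
            owner = substr(rdn[2], 4)
            if (toupper(owner) != toupper(dc)) { bad++; print $1 " still on " owner }
        }
        END { exit bad ? 1 : 0 }'
}

# Step 3, on the OLD server, only after fsmo_all_on has passed.  demote_old ADMIN
demote_old() {
    run samba-tool domain demote -U "$1"
}
```

Run `join_and_transfer example.lan administrator` on the new server, then `fsmo_all_on DC2 "$(samba-tool fsmo show)"` on either DC, and only when that succeeds run `demote_old administrator` on the old server. With `DRY_RUN=1` the functions print the commands instead of running them, which is a good way to review the plan first. Before the demote, also point the clients' DNS settings at the new DC (or at both), otherwise the clients lose the only nameserver that knows the domain.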

Yes please… :+1:

I guess there is a good chance it happens. In this case, do the slaves take over?

That’s an interesting scenario. Is it doable with this feature @davidep?

Hopefully, yes :slight_smile:


The other DCs take over and serve the logins if a DC goes down.

I could be wrong, but IIRC it’s up to the client to choose an alternative DC, by querying the DNS.


That’s technically totally right, my version was very reduced.


I’m not a Windows sysadmin, but if so, I guess it’s really important to configure the clients with more than one DNS server, otherwise the failover can’t work (if DNS = broken DC)… Can anybody confirm?
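The client-side behaviour described in this post and the two above, as an added example (not code from the thread or from NethServer). A domain member asks DNS for the `_ldap._tcp.dc._msdcs.<domain>` SRV record and then picks a DC from the answer; this script does the same with `dig` and `nc` (both assumed to be installed; `example.lan` and the `192.0.2.x` addresses are placeholders), walking the client's nameserver list in order. The point of the post shows up in the exit code: when the only nameserver is the dead DC, no SRV answer ever arrives and no failover can happen, however many DCs exist.

```shell
#!/bin/sh
# Added example: locate a usable DC the way a domain member does, via the DC SRV record.
# Assumptions: dig (bind-utils) and nc are installed; example.lan and 192.0.2.x are placeholders.

# srv_lookup NAMESERVER DOMAIN: print "priority weight port target" lines from the
# _ldap._tcp.dc._msdcs.<DOMAIN> SRV record, or nothing when that nameserver does not answer.
srv_lookup() {
    dig "@$1" +short +time=2 +tries=1 SRV "_ldap._tcp.dc._msdcs.$2" 2>/dev/null
}

# ldap_up HOST: true if HOST accepts a TCP connection on the LDAP port.
ldap_up() {
    nc -z -w 2 "$1" 389 2>/dev/null
}

# locate_dc DOMAIN "NS1 NS2 ...": walk the nameserver list until one returns the SRV
# record, then print the first DC (lowest priority first, RFC 2782) that answers on LDAP.
# Exit status: 0 found, 1 every DC in the answer is down, 2 no nameserver could answer.
locate_dc() {
    domain=$1
    records=
    for ns in $2; do
        records=$(srv_lookup "$ns" "$domain") && [ -n "$records" ] && break
    done
    if [ -z "$records" ]; then
        echo "no nameserver in [$2] answered for _ldap._tcp.dc._msdcs.$domain:" \
             "a client whose only DNS server is the dead DC never gets past this point" >&2
        return 2
    fi
    # Equal-priority records should be picked by weight at random (RFC 2782);
    # answer order is used here to keep the example deterministic.
    printf '%s\n' "$records" | sort -n -k1,1 | {
        while read -r prio weight port target; do
            target=${target%.}            # strip the trailing dot of the FQDN
            if ldap_up "$target"; then
                printf '%s\n' "$target"
                exit 0
            fi
            echo "$target (priority $prio) not answering on $port/tcp, trying next" >&2
        done
        exit 1
    }
}

# usage: sh locate_dc.sh example.lan "192.0.2.10 192.0.2.11"
if [ "$#" -eq 2 ]; then
    locate_dc "$1" "$2"
fi
```

With two nameservers listed (`"192.0.2.10 192.0.2.11"`, one per DC) the lookup still succeeds when the first DC is down, because the second nameserver answers; with `"192.0.2.10"` alone and that DC down the script returns 2 without ever trying a DC, which is exactly the failure the post asks about.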

If I am right, based on my NS7 AD config:
one server is serving DHCP and the second one is AD; on the DHCP server, in DNS Server → Advanced options, in the “DNS Servers” field I have the first entry pointed to my AD controller and the second to the gateway.
If I am right, if we put IP_of_1AD, IP_of_2AD there, it should work.

Yes, if the gateway is NethServer itself; not sure otherwise, because it must be configured to resolve the AD DNS zones correctly.

Yes it can work.

We must also take into account that in other scenarios the DHCP server is not NethServer.

I have got some WiFi routers which have different IP ranges, but on them I have pointed the DHCP/DNS config at my NS7 AD and it worked → I mean AD users could access their shared dirs etc., because if Windows machines don’t find the AD controller they allow the user to log on, but there are no shared dirs (I have it configured via GPO).


Let’s bump this topic. Recently I saw similar requests in our forum. IMO it is time to start working on a real multi DC solution.

@davidep were you able to work on this more since October last year? IMO as soon as NethServer has this feature and it turns out to be stable, it would position NethServer not only in small environments but also in medium-sized (2-20 servers) environments (and give immense options for NethServer).


The PDC/BDC problem is mostly out of date, and there was no good solution in the past; I have tried it since 1998. Every time a bad thing.

If you like to be near the old style of MS server you need PDC/BDC.

I would like to move over to another way. My AD is running in a VM. To be sure it is active all the time, two servers build an HA cluster (I know the split-brain problem), but it is better than nothing.

A part of the MS system is DNS/DHCP. You mostly need it on the same machine (in Neth it works fine, the container is very near). I don’t know why, but MS Windows, starting with 7, loves IPv6.

Samba 4 stores all the information in its own LDAP, and that can be replicated, but it is tricky.

If somebody needs a complex AD infrastructure, it is possible you need a “bigger” Samba AD installation than NethServer. The NethServer would have to connect as a member of this AD structure.

If it is not so complex, it will be helpful to let DNS/DHCP incl. IPv6 run in Neth with AD.

I totally agree with you, with @davidep, with @mrmarkuz and with anybody who thinks that a Master/Slave (PDC/BDC) implementation in NS would be a necessary and huge step forward for this project.
One observation after I re-read this topic.
The Master/Slave (PDC/BDC) concept is mainly for the Active Directory service, and not for the DNS and/or gateway services.
The Slave (BDC) server is there to let the users authenticate in the domain and have access to the domain resources if the Master (PDC) server is down, and not to find the hosts in the domain by FQDN, not by IP.
Usually, at least on Windows Server, when you install the AD service and promote that server as a DC (or PDC), the DNS service is also configured on the same machine, but this is secondary.

No, I wasn’t!

Well, some people like you are interested in this feature, some are quite scared of it, especially those in the support field.

I think because the complexity of AD is not limited to the deployment of one or more DCs. In fact it extends to the network (AD sites) and clients configuration, making it an infrastructure for experts.

As said above, adding a DC wouldn’t automatically add redundancy to other services (e.g. Nextcloud, WebTop, SOGo…). We got Hotsync for that, though it may need to be improved further.

Therefore what could be the benefit of adding more DCs? Maybe a use case where it can help is the remote/branch office. Now we must connect remote offices with VPNs to a central DC. However, even by adding a DC for each remote office, VPNs are still required so that the DCs can synchronize with each other. The pro is having a local DC (quicker connections, more responsive authentication service). The con is adding complexity.

Hence the size of the environment becomes the relevant condition. But as the size increases a native MS solution could become more affordable…

Before getting us to the multi-DC (complex) world, I’d try to reach a more concrete goal that deserves a separate topic: Cloning an existing DC. It would help the adoption of NethServer by easing the migration from other products.


@davidep

One thing some of us are forgetting in this whole discussion:
Nethserver only allows authenticated access to shares with AD, not with LDAP.
Even without any Windows requirements, it would be a BIG help for anybody or any Organization using more than one site.
Say the main site has a NethServer for AD. The file server is some NAS or other box using AD integration to allow user access.
The second site also has a NAS using AD, and a local Nethserver running as a BDC.
This scenario would be covered in case of an Outage of the PDC.

For my clients, I often have a Windows application server for certain apps (ERP, etc.). This server is configured as a member server in the NethServer AD. This works VERY well. But if the PDC NethServer is down (for whatever reason) I’d have major problems without a BDC.

The BDC needs to run DNS also in Master/Slave mode, which DNS can easily provide…

The DHCP Server is usually a different problem. When one is running, most other DHCP Servers will stop themselves. When the PDC and main DHCP server goes down, the BDC should automatically activate the local DHCP, so all is covered.

This is NOT automatic on Windows either, afaik!

My 2 cents
Andy


Hello Andy

You are right :slight_smile: If you need any Windows servers, or better, services, then you need AD and an AD infrastructure. But on the other hand it is LDAP too, internally; the Samba (4.x) AD uses its own LDAP server internally. Normally you will use the same Samba (4.x) version as a file server, and this Samba will be a member of your AD infrastructure. But when it is not possible to use AD in a service, then you can use the internal Samba LDAP.

In the past Samba (3.x) could be a member of an LDAP service and be used as a PDC.
With the newer AD infrastructure you don’t need PDC and BDC constructions.

thx

hello Dominik

You are right too :wink: but for professional Windows clients you need things like roaming profiles and this stuff.

Logon is a little bit more than “logon and accessing shares”.
One part is authentication, with things like single sign-on and automatic configuration of Outlook, Thunderbird…, contacts, … calendars…
Next are the shares, but not only the normal shares; there are roaming profiles (it is a little bit like your home dir on a server), printers and drivers.

If you don’t need these things, then it is like you say…